PIN Security Requirements:
30-3 Processes must exist to ensure that key-injection operations are performed and reconciled on an inventory of pre-authorized devices. Processes must include the following:
- Each production run must be associated with a predefined inventory of identified POI devices to be injected or initialized with keys.
- Unauthorized personnel must not be able to modify this inventory without detection.
- All POI devices to be initialized with keys on a production run must be identified and accounted for against the inventory.
- Unauthorized POI devices submitted for injection or initialization must be rejected by the injection platform and investigated.
- Once processed by the KIF, whether successfully initialized with keys or not, all submitted POI devices must be identified and accounted for against the inventory.
Note: The KIF platform must ensure that only authorized devices can ever be injected or initialized with authorized keys. Processes must prevent (1) substitution of an authorized device with an unauthorized device, and (2) insertion of an unauthorized device into a production run.
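The reconciliation the requirement describes can be modelled as two controls: an integrity tag over the approved inventory so that an unauthorized edit is detected before the run starts, and a gate in front of the key-load step so that a device not on the inventory is never injected and every submission (accepted, failed, rejected, duplicate, missing) lands in exactly one bucket. The following Python is an added illustration, not code from the PCI standard or from any KIF vendor; the run identifiers, device serials, the `inject` callable and the approval key are constructed for the example.

```python
"""Constructed example: gate key injection on a pre-authorized inventory and
reconcile the production run afterwards. Not the standard's own code."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumption: this key is held only by the staff who approve inventories, so a
# KIF operator cannot alter the approved list and re-tag it without detection.
INVENTORY_KEY = b"constructed-inventory-approval-key"


def inventory_tag(run_id, serials, key=INVENTORY_KEY):
    """HMAC-SHA256 over the run id and the canonical (sorted) serial list."""
    msg = run_id.encode() + b"\n" + b"\n".join(s.encode() for s in sorted(serials))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_inventory(run_id, serials, tag, key=INVENTORY_KEY):
    return hmac.compare_digest(inventory_tag(run_id, serials, key), tag)


@dataclass
class RunReport:
    accepted: list = field(default_factory=list)    # on inventory, keys loaded
    failed: list = field(default_factory=list)      # on inventory, key load failed
    rejected: list = field(default_factory=list)    # not on inventory: never injected, investigate
    duplicates: list = field(default_factory=list)  # serial seen twice: not injected again
    missing: list = field(default_factory=list)     # on inventory, never submitted


class KeyInjectionRun:
    def __init__(self, run_id, inventory, tag, key=INVENTORY_KEY):
        # Refuse to start if the inventory does not match its approval tag.
        if not verify_inventory(run_id, inventory, tag, key):
            raise ValueError(f"run {run_id}: inventory failed integrity check")
        self.run_id = run_id
        self.authorized = set(inventory)
        self.seen = set()
        self.report = RunReport()

    def submit(self, serial, inject):
        """Gate for one device. `inject` is a hypothetical callable standing in for
        the key-load step; it is only ever called for an authorized, unseen serial."""
        if serial in self.seen:
            self.report.duplicates.append(serial)
            return False
        self.seen.add(serial)
        if serial not in self.authorized:
            self.report.rejected.append(serial)  # flagged for investigation
            return False
        ok = bool(inject(serial))
        (self.report.accepted if ok else self.report.failed).append(serial)
        return ok

    def reconcile(self):
        """Close the run: anything approved but never presented is 'missing'."""
        self.report.missing = sorted(self.authorized - self.seen)
        return self.report


def demo_run():
    """Constructed run: four approved devices, five submissions, one unauthorized."""
    inventory = ["POI-0001", "POI-0002", "POI-0003", "POI-0004"]
    tag = inventory_tag("RUN-42", inventory)  # produced when the inventory was approved
    calls = []

    def inject(serial):               # stand-in for the real key load
        calls.append(serial)
        return serial != "POI-0002"   # constructed: this device fails initialization

    run = KeyInjectionRun("RUN-42", inventory, tag)
    for serial in ["POI-0001", "POI-0002", "POI-9999", "POI-0001", "POI-0003"]:
        run.submit(serial, inject)
    return run.reconcile(), calls


def tampered_inventory_is_refused():
    """An inventory edited after approval no longer matches its tag."""
    inventory = ["POI-0001", "POI-0002"]
    tag = inventory_tag("RUN-43", inventory)
    inventory.append("POI-9999")  # unauthorized addition after approval
    try:
        KeyInjectionRun("RUN-43", inventory, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    report, calls = demo_run()
    print(report)
    print("key loads attempted:", calls)
    print("tampered inventory refused:", tampered_inventory_is_refused())
```

The point of the design is that the unauthorized serial `POI-9999` never reaches the `inject` call, and that the report accounts for every serial presented, including the one whose key load failed and the one presented twice, which is exactly what the reconciliation step has to show an assessor. In a real facility the approval tag would be produced under dual control (for instance an HSM-held key or a signature from the approver), and the report would be retained as the audit record of the run.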
Testing Procedures:
30.3.a Obtain and examine documentation of inventory control and monitoring procedures. Determine that the procedures cover:
- Each production run is associated with a predefined inventory of identified POI devices to be injected or initialized with keys.
- Unauthorized personnel are not able to modify this inventory without detection.
- All POI devices to be initialized with keys on a production run are identified and accounted for against the inventory.
- Unauthorized POI devices submitted for injection or initialization are rejected by the injection platform and investigated.
- Once processed by the KIF, whether successfully initialized with keys or not, all submitted POI devices are identified and accounted for against the inventory.
30.3.b Interview applicable personnel to determine that procedures are known and followed.