PCI PIN Security v3.1

PIN Security Requirements:
6-1.1 Any clear-text output of the key-generation process must be managed under dual control. Only the assigned custodian can have direct access to the clear text of any key component/share. Each custodian’s access to clear-text output is limited to the individual component(s)/share(s) assigned to that custodian, and not the entire key.
6-1.1.a Examine documented procedures to verify the following: 

6-1.1.b Observe key-generation process demonstration and interview responsible personnel to verify: 

PIN Security Requirements:
6-1.2 There must be no point in the key-generation process where a single individual has the ability to determine, obtain, or ascertain any part of a clear-text key or all the components for a key.
Note: Key shares derived using a recognized secret-sharing algorithm or full-length key components are not considered key parts and do not provide any information regarding the actual cryptographic key.
Testing Procedures:
6-1.2.a Examine documented procedures for all key-generation methods and observe demonstrations of the key-generation process from end to end to verify there is no point in the process where a single person has the ability to determine, obtain, or ascertain any part of a clear-text key or all the components for a key.
6-1.2.b Examine key-generation logs to verify that: 

PIN Security Requirements:
6-1.3 Devices used for generation of clear-text key components that are output in the clear must either be powered off when not in use or require re-authentication whenever key generation is invoked.
Logically partitioned devices used concurrently for other processes— e.g., providing services simultaneously to host systems, such as for transaction processing—must have key-generation capabilities disabled when not in use and other activities are continuing.
Testing Procedures:
6-1.3 Examine documented procedures for all key-generation methods. Verify procedures require that: 

PIN Security Requirements:
6-1.4 Key-generation equipment used for generation of clear-text key components must not show any signs of tampering (for example, unknown cables) and must be inspected prior to the initialization of key-generation activities. Ensure there isn’t any mechanism that might disclose a clear-text key or key component (e.g., a tapping device) between the key-generation device and the device or medium receiving the key or key component.
Note: This does not apply to logically partitioned devices located in data centers that are concurrently used for other purposes, such as transaction processing.
Testing Procedures:
6-1.4.a Examine documented procedures for all key-generation methods to verify they include inspections of the key-generation equipment for evidence of tampering, prior to use⎯including verification that there is a validation step to ensure no unauthorized mechanism exists that might disclose a clear-text key or key component (e.g., a tapping device).
6-1.4.b Observe key-generation set-up processes for all key types to verify that key-generation equipment is inspected prior to use, to ensure equipment does not show any signs of tampering⎯including verification that there is a validation step to ensure no unauthorized mechanism exists that might disclose a clear-text key or key component (e.g., a tapping device). 

PIN Security Requirements:
6-3.1 The room must have walls made of solid materials. The walls do not have to extend from true floor to true ceiling but do need to extend from floor to ceiling.
Testing Procedures:
6-3.1 Inspect the secure room designated for printing clear-text key components to verify that the walls are made of solid materials and extend from floor to ceiling. 

PIN Security Requirements:
6-3.2 Any windows into the secure room must be: 

6-3.2.a Observe all windows in the secure room to verify they are: 

6-3.2.b Examine configuration of window sensors to verify that the alarm mechanism is active. 

PIN Security Requirements:
6-3.3 An electronic access control system (for example, badge and/or biometrics) must be in place that: 

Testing Procedures:
6-3.3.a Observe authorized personnel entering the secure room to verify that a badge-control system is in place that enforces the following requirements: 

6-3.3.b Examine alarm mechanisms and interview alarm-response personnel to verify that the badge-control system supports generation of an alarm when one person remains alone in the secure room for more than 30 seconds. 

PIN Security Requirements:
6-3.4 CCTV cameras must record all activity, including recording events during dark periods through the use of infrared CCTV cameras or automatic activation of floodlights in case of any detected activity. This recording may be motion-activated, in which case the recording must continue for at least a minute after the last pixel of activity subsides.
Testing Procedures:
6-3.4 Inspect CCTV configuration and examine a sample of recordings to verify that CCTV monitoring is in place on a 24/7 basis, including the ability to record events during dark periods, and verify that, if motion-activated, recording continues for at least a minute after the last pixel of activity subsides. 

PIN Security Requirements:
6-3.5 Monitoring must be supported on a continuous (24/7) basis such that alarms can be resolved by authorized personnel.
Testing Procedures:
6-3.5 Inspect configuration of monitoring systems and interview monitoring personnel to verify that monitoring is supported on a continuous (24/7) basis and alarms can be resolved by authorized personnel. 

PIN Security Requirements:
6-3.6 The CCTV server and digital storage must be secured in a separate secure location that is not accessible to personnel who have access to the secure room.
Testing Procedures:
6-3.6.a Inspect location of the CCTV server and digital storage to verify they are located in a secure location that is separate from the secure room.
6-3.6.b Inspect access-control configurations for the CCTV server/storage secure location and the key-injection secure room to identify all personnel who have access to each area. Compare access lists to verify that personnel with access to the secure room do not have access to the CCTV server/storage secure location. 

PIN Security Requirements:
6-3.7 The CCTV cameras must be positioned to monitor: 

Testing Procedures:
6-3.7 Inspect CCTV positioning and examine a sample of recordings to verify that CCTV cameras are positioned to monitor: 

PIN Security Requirements:
6-3.8 CCTV cameras must be positioned so they do not monitor any combination locks, PIN pads, or keyboards used to enter passwords/authentication codes or other authentication credentials.
Testing Procedures:
6-3.8 Inspect CCTV positioning and examine a sample of recordings to verify that CCTV cameras do not monitor any combination locks, PIN pads, or keyboards used to enter passwords/authentication codes or other authentication credentials. 

PIN Security Requirements:
6-3.9 Images recorded from the CCTV system must be securely archived for a period of no less than 45 days. If digital-recording mechanisms are used, they must have sufficient storage capacity and redundancy to prevent the loss of information necessary to reconstruct events for the most recent 45-day period.
Testing Procedures:
6-3.9.a If digital-recording mechanisms are used, examine system configurations to verify that the systems have sufficient redundancy to prevent the loss of information necessary to reconstruct events for the most recent 45-day period.
6-3.9.b Examine storage of captured recordings to verify that at least the most recent 45 days of images are securely archived. 

PIN Security Requirements:
6-4 Any residue that may contain clear-text keys or components must be destroyed or securely deleted—depending on media—immediately after generation of that key, to prevent disclosure of a key or the disclosure of a key component to an unauthorized individual.
Examples of where such key residue may exist include (but are not limited to): 

6-4.a Examine documented procedures to identify all locations where key residue may exist. Verify procedures ensure the following: 

Examine logs of past destructions and deletions to verify that procedures are followed. 

6-4.b Observe the destruction process of each identified type of key residue and verify the following: 

PIN Security Requirements:
6-5 Asymmetric-key pairs must either be: 

6-5.a Examine documented procedures for asymmetric-key generation to confirm that procedures are defined to ensure that asymmetric-key pairs are either: 

6-5.b Observe key-generation processes to verify that asymmetric-key pairs are either: 

PIN Security Requirements:
6-6 Policy and procedures must exist to ensure that clear-text private or secret keys or their components/shares are not transmitted across insecure channels. Preclusions include but are not limited to: 

6-6.a Examine documented policy and procedures to verify that they include language that prohibits transmitting clear-text private or secret keys or their components/shares across insecure channels, including but not limited to: 

6-6.b From observation of key-management processes verify that clear-text private or secret keys or their components are not transmitted across insecure channels, including but not limited to: