Published by Roy Wilson. Modified over 9 years ago.
PCI PIN Entry Device Security Requirements
PCI PIN Security Standards
Topics
- Payment Card Industry PIN Entry Device (PCI PED) Security Requirements
- Overview
- Testing process
- Programme requirements
- Mandates
- Common issues
- Payment Card Industry PIN Security Standards
- Related mandates
PCI PED Security Requirements Overview
- Formerly known as the Visa PED Standards
- Standards aligned with other payment schemes
- PCI PIN Entry Device Security Requirements published in October 2004
- Requirements primarily related to:
  - Attended POS devices (online, offline or both)
  - Encrypting PIN pads (POS, ATMs, fuel dispensers, kiosks, etc.)
- Eventually to contain full requirements for ATMs and other unattended devices
- Version 2 published in April 2007
- Version 2 to be effective on 1st April. Till then version
PCI PED Security Requirements Overview
The Security Requirements are divided into two categories:
- Device characteristics
  - Physical
  - Logical
- Device management
  - During manufacturing
  - Between manufacturing and initial key loading
PCI PED Testing Process
- Vendor completes the relevant documentation and contacts the PED test lab of choice
- PED lab agrees a testing date and timeframe
- PED lab performs the evaluation and generates an evaluation report
- PCI participant reviews the report and grants approval
- List of Visa approved devices

Notes:
- The PED test lab might do a pre-evaluation of the documents submitted and request additional information.
- The testing date and timeframe will depend on which tests need to be performed. Typically a full evaluation takes 4-6 weeks.
- Should any discrepancies be found and the device be deemed non-compliant, the PED lab will issue a report to the vendor.
- The PED lab generates an evaluation report once testing is completed successfully.
- Labs cannot provide approval. Only PCI participants can grant approval, based on the evaluation report provided by the PED lab.
- No partial approval is granted. The device must meet all requirements to be deemed compliant.
- Each scheme grants its own approval.
- Visa approved devices can be found in
PCI PED Mandates
- Effective now (1 January): All newly deployed attended POS PIN acceptance devices (including replacement devices) must have passed testing by a PCI-recognized laboratory and be approved by Visa for new deployments.
- Effective now (1 October): All newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and have been approved by Visa.
- 1 October 2007: All newly deployed unattended POS PIN acceptance devices must contain an EPP that has passed testing by a PCI-recognized laboratory and is approved by Visa for new deployments. Additionally, if the device is used for offline PIN acceptance, it must contain a laboratory-validated and Visa-approved secure smart card reader.
- 1 July 2010: All attended POS PIN acceptance devices must have passed testing by a PCI-recognized laboratory and have been approved by Visa.
PCI PED Common Issues
- Device not PED compliant
  - Older model of device deployed prior to the PCI PED requirement
  - PCI PED compliance not taken into account when new services are tested and rolled out
PCI PIN Security Standards Overview
- Visa PIN Security Requirements were first published in the mid-1990s
- In 2004 Visa aligned the standard with other payment schemes and published the Payment Card Industry PIN Security Standards
PCI PIN Security Standards Overview
Consist of seven Control Objectives:
- Control Objective One: PINs are processed using equipment and methodologies that ensure they are kept secure.
- Control Objective Two: Cryptographic keys used for PIN encryption/decryption are created using processes that ensure that it is not possible to predict any key.
- Control Objective Three: Keys are conveyed or transmitted in a secure manner.
- Control Objective Four: Key loading to hosts and PIN entry devices is handled in a secure manner.
PCI PIN Security Standards Overview
- Control Objective Five: Keys are used in a manner that prevents or detects their unauthorized usage.
- Control Objective Six: Keys are administered in a secure manner.
- Control Objective Seven: Equipment used to process PINs and keys is managed in a secure manner.
PCI PIN Security Standards Programme Requirements
- All acquiring Members and their agents processing PIN-based Visa transactions are required to undergo an on-site review every three years.
- On an annual basis, all acquiring Members processing PIN-based Visa transactions will be required to complete a certificate to confirm their level of compliance.
- On-site reviews to be conducted by Visa Risk Limited.
- Acquiring Members or their agents to generate and agree a remediation plan with Visa CEMEA.
PCI PIN Security Standards Common Issues
- Cryptographic keys shared between production and test environments
- PIN not protected using a secure PIN block format
- Deploying unapproved PIN Entry Devices
- Cryptographic keys not created in a secure manner
- Cryptographic keys not unique
- Cryptographic keys stored in an unsecured manner or format
- Lack of documented procedures
- Poor device management
- Lack of audit trail or logs for key utilisation
Other related Mandates
Chip Reading PIN Entry Devices
- Effective now: All Chip-Reading devices (including Unattended Acceptance Terminals) placed in service that support "enciphered Offline PIN" must also support "plaintext Offline PIN."
- Effective now: All newly deployed Chip-Reading devices must be capable of accepting a PIN (have either a PIN pad or a port capable of supporting a PIN pad). The PIN functionality must either be active or be capable of being activated through a software update.
Other related Mandates
Triple Data Encryption Standard (TDES) Global Mandates
- Effective now: All newly deployed ATMs (including replacement devices) must support TDES.
- Effective now: All newly deployed point of sale (POS) PIN acceptance devices (including replacement devices) must support TDES.
- 1 July 2010: Cardholder PINs must be TDES encrypted from all Points-of-Transaction to the Issuer. However, each Visa Region's TDES dates will supersede the global TDES date whenever the Visa Region date precedes the global date.
Note: "Must support" means the device has all the necessary hardware and software required for TDES installed and only requires the loading of a TDES key.
Other related Mandates
Visa (CEMEA) TDES Mandate
- Effective now: All PIN transactions must be TDES encrypted from point of acceptance to Visa.
- All PIN transactions between Visa and Issuer hosts must be TDES encrypted.
- A non-compliance grace period will be introduced until 1 July 2007, at which time all CEMEA Members must be fully compliant with the Regional TDES requirements.
- A non-compliance fee structure specific to TDES migration will be introduced and rigidly enforced by the end of the grace period (details of non-compliance fees will be announced at a later date).
Visa (CEMEA) TDES Mandate
TDES Questionnaire in CEMEA Fraud Information Service Portal
Thank you