Lifecycle Post Mfg WPv30 June2011


8/2/2019 Lifecycle Post Mfg WPv30 June2011
1/37

Lifecycle of a Secure Payment Device: Post Manufacturing Stage
Revision 3.0
June 6, 2011


Lifecycle of a Secure Payment Device: Post Manufacturing Stage. Page 2. June 6, 2011. Revision 3.0

Table of Contents

1 Overview ..... 5
2 Abbreviations ..... 6
3 Glossary ..... 7
4 Stage Definition ..... 8
5 Stages and Processes ..... 9
6 Assumptions ..... 10
7 Stage Security Objectives ..... 11
8 Applicable Standards ..... 12
  8.1 Applicable Standards Security Requirements ..... 13
    8.1.1 PIN Transactions Security Version 2.1, January 2009 ..... 13
      8.1.1.1 Device Management Requirements ..... 13
    8.1.2 ISO 13491-1 ..... 14
    8.1.3 ISO 13491-2: Annex A. Physical, Logical and Device Management Characteristics Common to All Secure Cryptographic Devices ..... 14
      8.1.3.1 Device Management ..... 14
      8.1.3.2 Device Protection between Manufacturer and Pre-use ..... 14
    8.1.4 Annex B. Devices with PIN Entry Functionality ..... 15
      8.1.4.1 PIN Entry Device Protection during Initial Key Loading ..... 15
    8.1.5 Annex E. Devices with Key Generation Functionality ..... 15
      8.1.5.1 Logical Security Characteristics ..... 15
    8.1.6 Annex F. Devices with Key Transfer and Loading Functionality ..... 16
      8.1.6.1 Logical Security Characteristics ..... 16
      8.1.6.2 Device Management ..... 16
    8.1.7 Annex G. Devices with Digital Signature Functionality ..... 18
      8.1.7.1 Device Management ..... 18
    8.1.8 Annex H. Categorization of Environments ..... 18
      8.1.8.1 Minimally Controlled Environments ..... 18
      8.1.8.2 Controlled Environments ..... 19
      8.1.8.3 Secure Environments ..... 20
    8.1.9 PIN Security & TR-39 ..... 21
      8.1.9.1 PIN Security ..... 21
  8.2 Security Requirements Analysis ..... 22
    8.2.1 Security Requirements Standards Map ..... 22
9 Lifecycle Protection Methods ..... 23
  9.1 ISO 13491-1 Requirements ..... 23
  9.2 Protection Methods Analysis ..... 23
10 Audit and Control Principles ..... 24
  10.1 PTS ..... 24
  10.2 ISO 13491-1 ..... 24
  10.3 ISO 13491-2 ..... 25
11 Stakeholders ..... 26
12 SPVA Certification Requirements ..... 27
  12.1 SPVA Security Requirements ..... 27
    12.1.1 SPVA_Post_Manufacturing_Sec_Req_1 ..... 27
    12.1.2 SPVA_Post_Manufacturing_Sec_Req_2 ..... 27
    12.1.3 SPVA_Post_Manufacturing_Sec_Req_3 ..... 28
    12.1.4 SPVA_Post_Manufacturing_Sec_Req_4 ..... 28
    12.1.5 SPVA_Post_Manufacturing_Sec_Req_5 ..... 28
    12.1.6 SPVA_General_Req ..... 28
  12.2 SPVA Audit Control Objectives ..... 29
    12.2.1 SPVA_Post_Manufacturing_Aud_Req_1 ..... 29
13 Rationale ..... 30
  13.1 SPVA Security Requirements Map ..... 30
  13.2 SPVA Security Requirements Coverage ..... 31
    13.2.1 Secure Post Manufacturing Processes ..... 31
    13.2.2 Initial Key Loading ..... 31
    13.2.3 Secure Delivery and Storage ..... 31
    13.2.4 Incident Management ..... 31
    13.2.5 SPVA Audit ..... 31
  13.3 SPVA Key Loading Scenarios ..... 32
14 References ..... 34
15 Appendix 1: SPVA Requirements Updated After PCI PTS v3 (April 2010) ..... 35
  15.1 Introduction ..... 35
  15.2 PCI PTS v3 Requirements: Manufacturer and Initial Key Loading ..... 35
  15.3 SPVA Security Requirements Map ..... 36
  15.4 SPVA Certification Requirements ..... 36
    15.4.1 SPVA_Post_Manufacturing_Sec_Req_2 (Refined) ..... 36
    15.4.2 SPVA_Post_Manufacturing_Sec_Req_5 (New Requirement) ..... 37


1 Overview

The main purpose of this document is to define the SPVA security requirements applicable for the Post Manufacturing Stage of a payment device.

SPVA has performed a thorough analysis of the current security standards for POS terminals during the Post Manufacturing Stage. The purpose of the analysis was to estimate any potential missing information in security standards in order to achieve full coverage as mandated by the SPVA board. This document represents the conclusions of this effort.

This document only focuses on the Post Manufacturing Stage, which covers the moment the terminal has been produced to the moment the terminal is loaded with the customer keys.

The SPVA TWG2 had the following members who worked on this document:

Chairman: Roberto Faans, Hypercom. Other members include:

Organization Represented | Representative
Hypercom | Isabel Bardsley Garcia
Ingenico | Yann Levenez
Mustang Micro Systems, Inc. | Tami Harris
Mustang Micro Systems, Inc. | Tom Galloway
PAX SZ | Alex Dong DQ
Verifone | Doug Manchester
Verifone | Sadiq Mohammed


2 Abbreviations

DES: A symmetric method known as Data Encryption Standard
ISO: International Standards Organization
NIST: National Institute of Standards and Technology
PCI: Payment Card Industry
PCI SSC: PCI Security Standards Council
PD: Payment Device
PED: POS PIN Entry Device
PTS: PIN Transaction Security
POS: Point of Sale
RSA: An asymmetric method developed by Rivest, Shamir and Adelman
SP: A document from NIST: Special Publication
SPVA: Secure POS Vendor Alliance
TDEA: A method using DES three times in sequence (i.e. encrypt-decrypt-encrypt) using two or three keys conforming to the Triple Data Encryption Algorithm.
TWG: Technical Working Group


3 Glossary

Asymmetric Keys: Comprised of a pair of keys, one Public, the other Private, that are used to accomplish secure communication and authentication. The RSA algorithm uses asymmetric keys. More information can be found in X9.24 part 2.

Customer Key: A key under Customer management responsibility, usually an acquirer.

Initial Key: The key that is used to assure the integrity and authenticity of the PD during the full Lifecycle of a Secure Payment Device.

Initial Key loading: Process for Customer Key loading.

Payment Device trust establishment: A process to establish the trust relationship between PD and PD manufacturer.

Symmetric Keys: Comprised of a single key that is shared between two or more parties and kept secret (i.e. private), used to accomplish secure communications. Symmetric keys can be used for message authentication (i.e. MAC). DES and TDEA are two of several symmetric key methods. More information can be found in X9.24 part 1.

Vendor Keys: Asymmetric key pairs under PD manufacturer management responsibility.


4 Stage Definition

The Post Manufacturing Stage consists of the transport and storage of the PD up to and including initial key loading (ISO 13491-1:2007).

This is the only stage covered in this document. Other stages are defined in the following table with the different transition phases. Some of these other stages will be studied in future SPVA documents for Secure Device Lifecycle Management.


5 Stages and Processes

Lifecycle Phase | Transition Event | Processes
Pre Manufacturing | Manufacturing Completion | Secure Manufacturing Processes
Post Manufacturing | Initial Key Loading | Main: Secure Delivery and Storage Processes; Payment Device Securitization Process (Initial Key Loading). Related: Incident Management Process; Audit Process
Pre Use | Installation | Secure Deployment Processes
Use | Removal; Reinstallation; Repair, upgrade | Secure in-Field Device Management Processes; Device Repair Processes; Secure Development & Update; Incident Management Processes; Secure Delivery and Storage Processes
Post Use | Destruction | Secure Device Decommissioning Processes
Audit | | 


6 Assumptions

The moment the Payment Device (PD) reaches the Post Manufacturing Stage, it must be able to perform, at minimum, the following functions:

• Trigger an action as a response to tamper detection
• Load authenticated software

In other words, the PD is a working device with the ability to run authenticated software and the security mechanisms that are required to provide a response to tamper detection.


7 Stage Security Objectives

The table in this section maps each Post Manufacturing process (rows: Secure Post Manufacturing Processes; Initial Key Loading; Secure Delivery and Storage; Incident Management Processes) to the security objectives it supports (columns: Confidentiality, Integrity, Availability, Accountability, Authenticity, Non-repudiation).

Confidentiality: Sensitive information is not disclosed to unauthorized individuals, entities, or processes. [ISO 18028-2:2006]

Integrity: Safeguarding the accuracy and completeness of assets. [ISO/IEC 13335-1:2004] [ISO 27001:2005]

Accountability: Actions of an entity may be traced uniquely to the entity. [ISO 7498-2:1989]

Authenticity: Authentic, trustworthy, or genuine.

Non-repudiation: Provides assurance of the integrity and origin of data in such a way that the integrity and origin can be verified by a third party as having originated from a specific entity in possession of the private key of the claimed signatory. [NIST SP 800-57:2007]

Availability: Accessible and useable upon demand by an authorized entity. [ISO/IEC 13335-1:2004] [ISO 18028-2:2006] [ISO 27001:2005]


8 Applicable Standards

The main standards that are applied to this stage of the process are defined as follows:

Payment Card Industry (PCI) POS PIN Entry Device Security Requirements (PTS [1]) Version 2.1, January 2009:
This document is only concerned with the device management for point-of-sale PEDs up to the point of initial key loading. Subsequent to receipt of the device at the initial key loading facility, the acquiring financial institution and its agents (e.g., merchants and processors) are responsible for the device and are covered by the operating rules of the Associations and the PCI PIN Security Requirements.

ISO 13491-1:2007 Banking - Secure cryptographic devices (retail) - Concepts, requirements and evaluation methods:
ISO 13491 describes both the physical and logical characteristics and the management of the secure cryptographic devices used to protect messages, cryptographic keys and other sensitive information used in a retail financial services environment.
This part of ISO 13491 has two primary purposes:
• To state the requirements concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their lifecycle, and
• To standardize the methodology for verifying compliance with those requirements.

ISO 13491-2:2000 Banking - Security compliance checklists for devices used in magnetic stripe card systems:
This part of ISO 13491 specifies the checklists used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes, as specified in ISO 9564, ISO 9807 and ISO 11568, in a magnetic stripe card environment. It does not specify checklists for SCDs used in an integrated circuit card (ICC) environment.

[1] PTS (PIN Transaction Security), former PCI PED


PCI PIN Security Requirements Version 2.0, January 2008 (Visa):
This document contains a complete set of requirements for the secure management, processing and transmission of Personal Identification Number (PIN) data during online and offline payment card transaction processing at ATMs, and attended and unattended point-of-sale (POS) terminals.

ANSI X9 TR-39-2009. TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management:
The PIN Security Compliance Guideline is intended to be used to implement a uniform security review. This guideline presents mandatory Control Objectives relating to general procedures and controls. The mandatory Control Objectives are based on requirements set forth in the following:
• X9.8-1 2003 Part 1: (Personal Identification Number (PIN) Management and Security)
• X9.24-1 2004 (Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques)
• X9.24 Part 2: 2006 (Retail Financial Services Symmetric Key Management, Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys).

8.1 Applicable Standards Security Requirements

8.1.1 PIN Transactions Security Version 2.1, January 2009

8.1.1.1 Device Management Requirements

No. | Description of Requirement
F1 | The PED is shipped from the manufacturer's facility to the initial key loading facility and stored en route under auditable controls that can account for the location of every PED at every point in time.
F2 | Procedures are in place to transfer accountability for the device from the manufacturer to the initial key loading facility.
F3 | While in transit from the manufacturer's facility to the initial key loading facility, the device is:
• Shipped and stored in tamper-evident packaging; and/or
• Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key loading facility, but that cannot feasibly be determined by unauthorized personnel.


8.1.2 ISO 13491-1

Description of Requirement:
• Until an initial key has been loaded, it is necessary to detect a compromise but not to prevent it.
• If a compromise is detected, it is only necessary to ensure that keys are not injected into the device and it is not placed in service until all effects of the compromise have been eliminated from it.

8.1.3 ISO 13491-2: Annex A. Physical, Logical and Device Management Characteristics Common to All Secure Cryptographic Devices

8.1.3.1 Device Management

No. | Security compliance statement
A32 | For audit and control purposes, the identity of the device (e.g. its serial number) can be determined, either by external tamper-evident marking or labeling, or by a command that causes the device to return its identity via the interface or via the display.
A36 | If a device does not yet contain a secret cryptographic key and there is an attack on a device, or a device is stolen, then procedures are in place to prevent the substitution of the attacked or stolen device for a legitimate device that does not yet contain a secret cryptographic key.
A37 | If no sensitive state exists in the device, the loading of plaintext keys will be performed under dual control.

8.1.3.2 Device Protection between Manufacturer and Pre-use

No. | Security compliance statement
A40 | The transfer mechanisms by which plaintext keys, key components or passwords are entered into the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any component or password.
A41 | Subsequent to manufacturing and prior to shipment, the device is stored in a protected area or sealed within tamper-evident packaging to prevent undetected unauthorized access to it.


A42 | The device is shipped in tamper-evident packaging, and inspected to detect unauthorized access to it; or
• before a device is loaded with cryptographic keys, it is closely inspected by qualified staff to ensure that it has not been subject to any physical or functional modification; or
• the device is delivered with secret information that is erased if tampering is detected, to enable the user to ascertain that the device is genuine and not compromised.
NOTE: One example of such information is the private key of an asymmetric key pair, with the public key of the device signed by a private key known only to the supplier.
A43 | The device is loaded with initial key(s) in a controlled manner only when there is reasonable assurance that the device has not been subject to unauthorized physical or functional modification.
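The NOTE to A42 describes a device that carries a private key erased on tamper detection, with the device's public key signed by the supplier. The following is an added example written for this page, not code from the SPVA paper or from ISO 13491: it shows how an initial key loading facility can turn that arrangement into a genuineness check before A43 is satisfied, by verifying the supplier's signature over the serial-number/public-key binding (which also addresses the substitution concern of A36) and then challenging the device to sign a fresh nonce. ECDSA P-256 with SHA-256, the credential layout, the label strings and the serial number PD-000123 are assumptions of the example.

```go
// Added example, not from the SPVA paper or ISO 13491: the device-genuineness check
// sketched in the NOTE to A42. The device ships holding a private key plus a supplier-
// signed binding of its serial number (A32) to its public key; the key loading facility
// verifies that binding and then challenges the device to prove it still holds the key.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceCredential ships in the clear: serial, DER public key, supplier signature.
type DeviceCredential struct {
	Serial      string
	PubKeyDER   []byte
	SupplierSig []byte
}

type Device struct { // a PD whose tamper response erases its private key
	Cred DeviceCredential
	priv *ecdsa.PrivateKey
}

func NewSigningKey() (*ecdsa.PrivateKey, error) { // ECDSA P-256 is an assumption here
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// digest binds a purpose label, the serial and a payload into one SHA-256 hash.
func digest(label, serial string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(label))
	h.Write([]byte(serial))
	h.Write([]byte{0}) // separator so serial and payload cannot be confused
	h.Write(payload)
	return h.Sum(nil)
}

// Manufacture generates the device key pair and has the supplier sign the binding.
func Manufacture(supplier *ecdsa.PrivateKey, serial string) (*Device, error) {
	priv, err := NewSigningKey()
	if err != nil {
		return nil, err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for a P-256 key
	sig, err := ecdsa.SignASN1(rand.Reader, supplier, digest("cred:", serial, pubDER))
	if err != nil {
		return nil, err
	}
	return &Device{Cred: DeviceCredential{serial, pubDER, sig}, priv: priv}, nil
}

// TamperDetected is the device's tamper response: the private key is destroyed.
func (d *Device) TamperDetected() { d.priv = nil }

// AnswerChallenge signs the facility's nonce bound to the device serial.
func (d *Device) AnswerChallenge(nonce []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, errors.New("device key erased by tamper response")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, digest("chal:", d.Cred.Serial, nonce))
}

// VerifyDevice is the key loading facility's check before any initial key is
// loaded (A43): supplier signature over the credential, then a fresh challenge.
func VerifyDevice(supplierPub *ecdsa.PublicKey, d *Device) error {
	c := d.Cred
	if !ecdsa.VerifyASN1(supplierPub, digest("cred:", c.Serial, c.PubKeyDER), c.SupplierSig) {
		return errors.New("credential not signed by supplier: possible substituted device (A36)")
	}
	pubAny, err := x509.ParsePKIXPublicKey(c.PubKeyDER)
	devPub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("device public key unparsable or of unexpected type")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := d.AnswerChallenge(nonce)
	if err != nil {
		return fmt.Errorf("device cannot prove possession of its key: %w", err)
	}
	if !ecdsa.VerifyASN1(devPub, digest("chal:", c.Serial, nonce), sig) {
		return errors.New("challenge signature does not match the signed credential")
	}
	return nil
}

func main() {
	supplier, _ := NewSigningKey()
	dev, _ := Manufacture(supplier, "PD-000123") // constructed serial number
	fmt.Println("genuine device:", VerifyDevice(&supplier.PublicKey, dev))
	dev.TamperDetected()
	fmt.Println("after tamper:", VerifyDevice(&supplier.PublicKey, dev))
}
```

A device whose credential was signed by anyone other than the supplier, or whose public key no longer matches the signed credential, fails at the first check; a device whose tamper response has erased its key fails the challenge.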

8.1.4 Annex B. Devices with PIN Entry Functionality

8.1.4.1 PIN Entry Device Protection during Initial Key Loading

No. | Security compliance statement
B20 | A repaired PIN entry device is not reloaded with the original key (except by chance).
B21 | Automated techniques are used, or manual procedures are in place and are followed, to ensure each PIN entry device is given at least one statistically unique key unknown to any person and never previously given (except by chance) to any other PIN entry device.

8.1.5 Annex E. Devices with Key Generation Functionality

8.1.5.1 Logical Security Characteristics

No. | Security compliance statement
E2 | The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
• the device's highest level keys are manually loaded as at least two components under dual control;
• any function used to input or output key components does not operate until at least two different passwords have been entered.


E3 | The device decomposes an actual key into key components in such a way that no active bit of the key could be determined without the knowledge of all components. For example, the components are exclusive-or'ed together to form the key.
E4 | Key generation methods comply with ISO 11568.
E5 | Each call to obtain a generated key yields a different, statistically unique key (except by chance).

8.1.6 Annex F. Devices with Key Transfer and Loading Functionality

8.1.6.1 Logical Security Characteristics

No. | Security compliance statement
F2 | Enciphered private keys are protected against key substitution and modification.
F3 | The device's key management functions are designed so that no disclosure of any key is possible without collusion between trusted individuals. Specifically:
• the device's highest level keys are manually loaded as at least two components;
• any function used to input or output key components, except for the device's components.

8.1.6.2 Device Management

No. | Security compliance statement
F9 | The transfer mechanisms by which keys, components or passwords are transferred into or out of the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any keys, components or passwords.
F14 | Controls are in place to detect the unauthorized removal of the device from, and its unauthorized replacement back into, its authorized location.
F15 | The device is loaded with a key component under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key generation device to the transport device itself.


F16 | If the device contains a plaintext key component, the device is either under the continuous supervision of a person who is allowed access to this component (and who is aware of his/her responsibilities to ensure the secrecy of this component), or else is locked or sealed in a security container that cannot feasibly be opened without detection by anyone other than those who are allowed access to the component.
F17 | The device is used to inject a component into a cryptographic device only under the direct supervision of a person who is allowed access to this component, and only when there is reasonable assurance that there is no bug or other disclosing mechanism on the path that the key component traverses from the key transport device to the cryptographic device.
F18 | The transfer of a key to another secure cryptographic device uses either:
• a secure communications path, or
• a secure key transfer device, or
• a secure cryptographic path, or
• is carried out in a secure environment.
F19 | No person with knowledge of or access to one of the passwords or physical keys required to output a key from the device has knowledge of or access to any other such password or physical key of this device.
F20 | The device is loaded with a plaintext key only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key generation device to the key transport device itself.
F21 | The device is used to inject a plaintext key into a cryptographic device only under the direct supervision of at least two authorized people, both of whom ensure that there is no bug or other disclosing mechanism on the path that the key traverses from the key transport device to the cryptographic device.


F22 | Functionality needed to import, export, or transfer cryptographic keys from external sources ensures that the keys are in one or more of the following forms:
• enciphered under the proper variant of a symmetric key encipherment key;
• enciphered under the asymmetric public key of the recipient;
• enciphered with an import key being specifically enabled for a limited time and limited number of function calls;
• input under dual or multiple control through the secure operator interface, in components such that full knowledge of all but one component gives no usable information on any bit of the cryptographic key;
• public keys are entered under dual control or enciphered under the appropriate key or signed as required to ensure authenticity.
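E3 and the component form in F22 rest on the same property: key components combined by exclusive-or, such that all but one component give no usable information on any bit of the key. The following added example (written for this page, not code from the SPVA paper or ISO 13491) implements the split and combine steps and two checks of that property: any candidate key is consistent with a given set of n-1 components, and the bit distribution of a single component does not depend on the key. The 16-byte sample key and the component count are constructed values.

```go
// Added example, not from the SPVA paper or ISO 13491: XOR key components as
// described in E3 and F22. XOR-ing all components restores the key, while any
// n-1 of them are statistically independent of it.
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/bits"
)

// SplitKey returns n components whose XOR equals key. The first n-1 are
// uniformly random; the last is derived so that the XOR reproduces the key.
func SplitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("dual control requires at least two components")
	}
	if len(key) == 0 {
		return nil, errors.New("empty key")
	}
	comps := make([][]byte, 0, n)
	last := append([]byte(nil), key...) // running XOR, starts as the key itself
	for i := 0; i < n-1; i++ {
		c := make([]byte, len(key))
		if _, err := rand.Read(c); err != nil {
			return nil, err
		}
		xorInto(last, c)
		comps = append(comps, c)
	}
	return append(comps, last), nil
}

// CombineComponents XORs all components back into the key; order is irrelevant.
func CombineComponents(comps [][]byte) ([]byte, error) {
	if len(comps) == 0 {
		return nil, errors.New("no components")
	}
	key := make([]byte, len(comps[0]))
	for _, c := range comps {
		if len(c) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		xorInto(key, c)
	}
	return key, nil
}

// CompletingComponent returns the one missing component that would make partial
// reconstruct candidate. Such a component exists for every candidate key, which
// is why holding all but one component gives no information on any key bit (F22).
func CompletingComponent(partial [][]byte, candidate []byte) ([]byte, error) {
	all := append(append([][]byte(nil), partial...), candidate)
	return CombineComponents(all)
}

// ComponentBitBias splits the same key `trials` times and returns the fraction
// of 1-bits observed in component idx. A correct split gives about 0.5 for any
// key, i.e. a single component carries no information about the key (E3).
func ComponentBitBias(key []byte, idx, n, trials int) (float64, error) {
	ones := 0
	for t := 0; t < trials; t++ {
		comps, err := SplitKey(key, n)
		if err != nil {
			return 0, err
		}
		for _, b := range comps[idx] {
			ones += bits.OnesCount8(b)
		}
	}
	return float64(ones) / float64(trials*len(key)*8), nil
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte sample key
	comps, err := SplitKey(key, 3)
	if err != nil {
		panic(err)
	}
	back, _ := CombineComponents(comps)
	fmt.Println("all three components reconstruct the key:", string(back) == string(key))
	bias, _ := ComponentBitBias(key, 0, 2, 500)
	fmt.Printf("fraction of 1-bits in component 0 over 500 splits: %.3f\n", bias)
}
```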

8.1.7 Annex G. Devices with Digital Signature Functionality

8.1.7.1 Device Management

No. | Security compliance statement
G1 | If non-repudiation is claimed then:
• the asymmetric private and public key pair is generated within the digital signature device; and
• the asymmetric private key is not exported outside the original digital signature device for any reason, including backup and archival purposes.
G2 | For audit and control purposes, the binding between the public key and the identity of the owner of the private key is readily determined by use of:
• public key certificates, where the public key certificate was obtained from an authorized certificate authority, or
• public key certificates and appropriate certificate management procedures, or
• other equivalent mechanisms to irrefutably determine the identity of the owner of the corresponding private key.

8.1.8 Annex H. Categorization of Environments

8.1.8.1 Minimally Controlled Environments

No. | Security compliance statement
H1 | Authorized access is restricted by physical locks or supervised access points to authorized staff, and persons accompanied by authorized staff.

H2 | The environment provides facilities for secure fastening of devices with lockable fastening mechanisms, if such devices are to be installed.
H3 | A minimally controlled environment shall remain intact until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.

8.1.8.2 Controlled Environments

No. | Security compliance statement
H4 | Authorized access is restricted by physical locks and continually supervised access points to authorized staff, and persons accompanied by authorized staff.
H5 | Any access by other than authorized staff is logged, and the log securely kept and periodically audited.
H6 | The devices are either:
• in full view at all times of at least two staff members who have been instructed to check the devices for signs of attacks or presence of any other persons at the devices; or
• in view of a video camera (through a closed video system) being monitored at least once every X/2 min, or whenever movement close to the devices is automatically detected, by persons who have been specifically tasked with checking the devices for signs of attacks.
NOTE: The time X/2 min is half the time X min, which is the time estimated to successfully penetrate the equipment in order to:
• make any additions, substitutions, or modifications (e.g. the installation of a bug) to the hardware or software of the device; or
• determine or modify any sensitive information (e.g. PINs, access codes, and cryptographic keys), and then subsequently reinstall the device, without requiring specialized skills and equipment not generally available, and without damaging the device so severely that the damage would have a high probability of detection.
H7 | There are no entry or exit points for people or equipment except for continually supervised access points, e.g. watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H8 | It is not feasible to gain unauthorized access to the controlled environment, or import or export equipment, from under the floor or from above the ceiling.


8.1.8.3 Secure Environments

No. | Security compliance statement
H9 | Authorized access is restricted by physical locks and continually supervised access points to pairs of authorized staff and persons accompanied by pairs of authorized staff. Access points that are not supervised are locked and alarmed, so that any entry or exit causes intervention by guards.
H10 | Any non-authorized person(s) requiring access to the secure environment will be supervised at all times by at least two authorized persons whilst in the secure environment.
H11 | All accesses to the secure environment are logged, and the log securely kept and periodically audited.
H12 | All possible access points to the secure environment are either:
• in full view at all times of at least two authorized staff members who have been instructed to check the devices for signs of attacks; or
• in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H13 | There are no entry or exit points for people or equipment except for continually supervised access points, watched by guards who have been instructed not to permit any import or export of equipment without written authorization identifying the equipment, signed by an authorized person other than the person moving the equipment.
H14 | If the secure environment is implemented as a secured room, then the device(s) in the secure environment are in view of a video camera (through a closed video system) coupled with circuitry that automatically raises an alarm whenever movement close to the devices is detected or tamper detection circuitry is activated. Even when no alarm is raised, the camera is monitored at least once every 10 min. The images are watched by persons who have been specifically tasked with checking the secure environment for signs of attacks.
H15 | The secure environment provides at most limited opportunity for concealment of activity and for the storage of tools and other equipment.
H16 | A secure environment remains such until all keys and other secret data stored in devices within the environment are destroyed or until all such devices are removed from the environment.


    H17 The secure environment contains either:

    - both the device and its host, and there are controls on the environment which prevent the device from being connected to any unauthorized device, and on the host to ensure that exhaustive attacks (on PINs), using legitimate function calls, are not feasible; or

    - the device alone, which contains security mechanisms that protect against exhaustive attacks.

    8.1.9 PIN Security & TR-39

    The committee has mapped PIN Security and TR-39 requirements and concludes that both standards are consistent. Refer to Appendix 1, SPVA Requirements Updated After PCI PTS v3 (April 2010), beginning on page 35 for a copy of this map. To facilitate the reading of this document, the PIN Security Objectives definition will be used.

    8.1.9.1 PIN Security

    No. Security compliance statement

    1 PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.

    3 Keys are conveyed or transmitted in a secure manner.

    4 Key loading to hosts and PIN entry devices is handled in a secure manner.

    5 Keys are used in a manner that prevents or detects their unauthorized usage.

    6 Keys are administered in a secure manner.

    7 Equipment used to process PINs and keys is managed in a secure manner.


    8.2 Security Requirements Analysis

    8.2.1 Security Requirements Standards Map

    PTS | ISO 13491:1 | ISO 13491:2 | PIN Security
    F1  |             | A41         |
    F2  |             | A32         |
        |             | A36         |
    F3  |             | A42         |
        | 7.3.2       | A43         | 7
        |             | A37         | 4
        |             | A40/F9      | 4
        |             | B20/E5      | 5
        |             | B21         | 5
        |             | E2/F3/F19   | 6/7
        |             | E4          | 1
        |             | F2          | 5/4/7
        |             | F15         | 7
        |             | F16         | 3/4
        |             | F17         | 4
        |             | F18         | 3
        |             | F20         | 3/4
        |             | F21         | 3/4
        |             | F22         | 3
        |             | G1          | 2
        |             | G2          | 4
        |             | H1-H22      | 7


    9 Lifecycle Protection Methods

    9.1 ISO 13491-1 Requirements

    During this phase, auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute.

    Whichever method of key generation is used, key loading shall be performed in such a way that the secret or private key cannot be determined without collusion.

    Immediately prior to initial key loading, there shall be assurance that the device has not been subject to unauthorized modification or substitution. This may be accomplished by:

    - Testing and/or inspection of the device;

    - Auditing and control of the device post manufacture, or subsequent to the most recent testing and/or inspection of the device;

    - Confirmation of the existence within the device of secret data by the manufacturer for the sole purpose of confirming the legitimacy of the device.

    Device management shall provide detection of theft or unauthorized removal of the device.

    9.2 Protection Methods Analysis

    Unlike ISO 13491-1, PTS does not make any distinction between requirements and protection methods that may be used to protect the device during its lifecycle phases.


    10 Audit and Control Principles

    10.1 PTS

    PED Security Requirements (managed by PCI SSC) are primarily concerned with device characteristics impacting the security of the PIN Entry Device used by the cardholder during a financial transaction. The requirements also include device management up to the point of initial key loading, but the evaluation process only addresses device characteristics.

    The vendor is required to be compliant with the PTS management requirements, but the PTS does not define any Derived Test Requirement (DTR) for PD management requirements.

    10.2 ISO 13491-1

    ISO 13491-1 proposes some recommendations to allow security stakeholders to cover the POS security audit and control in the Post Manufacturing stage.

    Auditing and control procedures shall be implemented which have a high probability of preventing or detecting the unauthorized alteration of the device or the replacement of the device with a counterfeit substitute.

    It also defines three evaluation methods: informal, semi-formal and formal.

    A risk assessment shall be undertaken as an aid in choosing which methodology is appropriate.

    Informal and semi-formal methods can use the checklists included in ISO 13491-2.

    No. | Procedure | Post Manufacturing Stage
    1   | One or more parties responsible for the device. | Mandatory
    2   | Careful screening of, or control over, personnel with access to a device designed for use in a controlled environment | Mandatory
    3   | Careful screening of, or control over, personnel with access to a device designed for use in a minimally controlled environment | Mandatory
    5   | Control mechanisms or sealing of the device in counterfeit resistant, tamper evident packaging to prevent undetected access to the device | Mandatory
    6   | Preparation and use of audit checklists | Mandatory
    7   | Verification that audit checklists are filled out accurately, on a timely basis, and by qualified personnel | Recommended
    8   | Key management procedures implemented as specified in the appropriate International Standard | Mandatory


    9   | Accurate tracking of each device, by means of computerized or manually written records | Mandatory
    11  | Control of the distribution of device documentation | Recommended
    13  | Documented reporting procedures to cause timely detection of a device that has been removed without authorization from storage or from its operational location, or that has disappeared while in transit | Mandatory
    19  | Control over the maintenance process in order that the confidentiality of the device design characteristics is maintained | Mandatory/Recommended

    Secure environments: A secure environment provides an outer shell of protection around an insecure device and must be significantly more secure than a controlled environment. It can be a room designed and built for this specific purpose or it could be a safe or a secure cabinet. Whatever form the secure environment takes, only persons with authorized access to the device shall have access to the secure environment. A secure environment is often located within a controlled environment.

    Controlled environments: A controlled environment is similar to normal computer rooms where there are access controls, allowing access only to authorized personnel. A controlled environment, however, has more stringent access controls and both its interior and the entrances are under surveillance.

    Minimally controlled environments: These requirements aim to detect an attack, or theft, within a given maximum period of time.

    Uncontrolled environments: There are no security requirements for uncontrolled environments.

    10.3 ISO 13491-2

    Annex A to H of this standard provides a checklist defining the minimum evaluation for use with all evaluations to assess the acceptability of cryptographic equipment.


    11 Stakeholders

    Vendors: PD vendors may be impacted by ensuring that the required mechanisms to provide security during this phase as defined in this document are implemented.

    Manufacturers, EMS (Electronic Manufacturing Services): These companies may be impacted by supporting and deploying the security mechanisms as defined by PD Vendors in order to comply with the security requirements defined in this document.

    Logistic Companies: These companies may be impacted by supporting and deploying the security mechanisms to guarantee the integrity and accountability of the PD during the storage and transport steps of this stage.

    Key Injection Service Providers: These companies, acting on behalf of acquirers, may be impacted by supporting and deploying the security mechanisms to comply with the security requirements defined in this document for the key loading process.

    Acquirers: These companies, as the Key Scheme Authority, may be impacted by supervising the Key Injection Service Providers' observance of the security requirements defined in this document for the key loading process.

    Auditors: These companies may be impacted in order to establish test plans according to SPVA recommendations and to audit any PD management activity performed by an actor who is interested in joining the SPVA alliance.


    12 SPVA Certification Requirements

    12.1 SPVA Security Requirements

    12.1.1 SPVA_Post_Manufacturing_Sec_Req_1

    SPVA Requirements Definition: A security management system shall be defined and implemented for secure storage and transport activities.

    SPVA Recommended Implementation: The security management system shall define the plans and procedures to enforce that the storage and transport activities are implemented in compliance with the ISO 28000:2007 Specification for security management systems for the supply chain.

    12.1.2 SPVA_Post_Manufacturing_Sec_Req_2

    SPVA Requirements Definition: Documented procedures exist and are followed to ensure that transfer of accountability for the device from the manufacturer to the initial key loading facility is completed.

    There are four objectives under the accountability requirement:

    - Identification: The process used to recognize an individual PD.

    - Authentication: The process used to validate the claimed identity of the PD.

    - Non-repudiation: The process of ensuring that a party in a dispute cannot deny or refute the validity of the assumption of a PD responsibility (ownership change).

    - Lost detection and prevention.

    - Traceability: Audit information shall be selectively kept and protected so that actions affecting security can be traced to each PD.

    SPVA Recommended Implementation: Accountable records shall be maintained that indicate the location and status of each device. The accountable party shall be identified by these records. When devices are transferred to another organization, another party becomes accountable for the devices. Therefore, the records at both the originating and receiving organization shall identify the devices and indicate the date of the transfer and the organization to/from which the transfer was made.

    There shall be some means of confirming that accountability has been accepted by the receiving organization, and the name of the party that is presently accountable for the transferred devices shall be included in the records of the transferring organization.
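    One way to keep the accountable records this requirement describes, as an added example that is not part of the SPVA paper or of any vendor's system: each organization's ledger records location, status and accountable party per device, the transfer is recorded on both sides, accountability is not released until the receiver's record exists, and shipped devices whose acceptance is overdue are flagged (lost detection). The organization names, device identifiers, dates and the transit limit are constructed sample values.

```go
// Added example, not from the SPVA paper: accountable records for PDs as
// SPVA_Post_Manufacturing_Sec_Req_2 describes them. Organization names, device
// identifiers, dates and the transit limit are constructed sample values.
package main

import (
	"fmt"
	"sort"
	"time"
)

// Record is one organization's accountable record for one device; Trail is its traceability log.
type Record struct {
	Location    string
	Status      string // in_custody, in_transit, transferred
	Accountable string // party presently accountable for the device
	TransferTo  string // receiving organization, set when the device ships
	ShippedAt   time.Time
	Accepted    bool // receiver has confirmed acceptance of accountability
	Trail       []string
}

// Ledger holds one organization's records, keyed by each device's visible identifier.
type Ledger struct {
	Org     string
	Records map[string]*Record
}

func NewLedger(org string) *Ledger { return &Ledger{Org: org, Records: map[string]*Record{}} }

func (l *Ledger) log(r *Record, when time.Time, note string) {
	r.Trail = append(r.Trail, when.Format(time.RFC3339)+" "+l.Org+": "+note)
}

// Enter creates a record in this organization's ledger, e.g. when a device leaves production or arrives from a shipper.
func (l *Ledger) Enter(id, location, note string, when time.Time) {
	r := &Record{Location: location, Status: "in_custody", Accountable: l.Org}
	l.Records[id] = r
	l.log(r, when, note)
}

// ShipTo records the transfer at the originator, which stays accountable until the receiver's acceptance is confirmed.
func (l *Ledger) ShipTo(id, to string, when time.Time) error {
	r, ok := l.Records[id]
	if !ok || r.Status != "in_custody" {
		return fmt.Errorf("%s: not in the custody of %s", id, l.Org)
	}
	r.Status, r.TransferTo, r.ShippedAt, r.Location = "in_transit", to, when, "in transit to "+to
	l.log(r, when, "shipped to "+to)
	return nil
}

// Confirm records at the originator that the receiver accepted accountability;
// it fails unless the receiver's own records already show the device.
func (l *Ledger) Confirm(id string, receiver *Ledger, when time.Time) error {
	r, ok := l.Records[id]
	if !ok || r.Status != "in_transit" {
		return fmt.Errorf("%s: no pending transfer", id)
	}
	rr, ok := receiver.Records[id]
	if !ok || rr.Accountable != receiver.Org || r.TransferTo != receiver.Org {
		return fmt.Errorf("%s: %s has not recorded acceptance", id, receiver.Org)
	}
	r.Status, r.Accepted, r.Accountable = "transferred", true, receiver.Org
	l.log(r, when, "accountability accepted by "+receiver.Org)
	return nil
}

// Unconfirmed is the lost-detection check: devices shipped more than maxTransit ago whose acceptance is still unconfirmed.
func (l *Ledger) Unconfirmed(now time.Time, maxTransit time.Duration) []string {
	var ids []string
	for id, r := range l.Records {
		if r.Status == "in_transit" && now.Sub(r.ShippedAt) > maxTransit {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	t0 := time.Date(2011, 6, 6, 9, 0, 0, 0, time.UTC) // constructed date
	mfg, kif := NewLedger("PD Vendor"), NewLedger("Initial Key Loading Facility")
	mfg.Enter("PD-0001", "finished goods store", "registered after final test", t0)
	_ = mfg.ShipTo("PD-0001", kif.Org, t0.Add(time.Hour))
	fmt.Println("unconfirmed after 10 days:", mfg.Unconfirmed(t0.Add(240*time.Hour), 120*time.Hour))
	kif.Enter("PD-0001", "secure room", "received from "+mfg.Org, t0.Add(24*time.Hour))
	fmt.Println(mfg.Confirm("PD-0001", kif, t0.Add(25*time.Hour)), mfg.Records["PD-0001"].Accountable)
}
```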


    12.1.3 SPVA_Post_Manufacturing_Sec_Req_3

    SPVA Requirements Definition: A secure mechanism that provides PD authentication shall be established during post manufacturing processes.

    SPVA Recommended Implementation: The PD authentication mechanism shall be based on an asymmetric key pair based on a Public Key Infrastructure. The PD manufacturer shall provide the appropriate information and security mechanism to validate the authenticity and integrity of the PD.

    12.1.4 SPVA_Post_Manufacturing_Sec_Req_4

    SPVA Requirements Definition: Documented procedures exist and are followed to implement and operate a Key Management Infrastructure to support the enforcement of key management practices for generation and/or acquisition, distribution, protection, and use (destruction) of keying material necessary to ensure the PD authenticity, integrity and (operability) under the Key Scheme Authority.

    SPVA Recommended Implementation: The Key Management Infrastructure shall define the plans and procedures to enforce that the Key Management activities, especially the Key Loading process, are implemented in compliance with the ANSI X9 TR-39 2009 and PIN Security Requirements Version 2.0.

    12.1.5 SPVA_Post_Manufacturing_Sec_Req_5

    SPVA Requirements Definition: The organization shall establish, implement and maintain appropriate plans and procedures to identify and respond to security incidents.

    SPVA Recommended Implementation: The plans and procedures shall define the steps that personnel shall use to ensure that security incidents are identified, contained, investigated, and remedied. The plans and procedures also shall provide a process for documentation, appropriate reporting internally and externally, and communication so that organizational learning occurs. Finally, the plans and procedures shall establish responsibility and accountability for all steps in the process of addressing security incidents.

    The organization shall periodically review the effectiveness of its emergency preparedness, response and security recovery plans and procedures, in particular after the occurrence of incidents or emergency situations caused by security breaches and threats. The organization shall periodically test these plans and procedures wherever practicable.

    12.1.6 SPVA_General_Req

    SPVA Requirements Definition: Where an organization chooses to outsource any process that affects conformity with these requirements, the organization shall ensure that such processes are controlled. The necessary controls and responsibilities of such outsourced processes shall be identified.

    SPVA Recommended Implementation: The risks associated with outsourcing shall be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls.

    The organization shall periodically audit the outsourcer's compliance with the SPVA Security Requirements, or shall employ a mutually agreed independent third party auditor for this purpose.

    12.2 SPVA Audit Control Objectives

    12.2.1 SPVA_Post_Manufacturing_Aud_Req_1

    SPVA Requirements Definition: The organization shall establish, implement and maintain a security audit program and shall ensure that audits of the security system are carried out at planned intervals.

    SPVA Recommended Implementation: The audit program, including any schedule, shall be based on the results of threat and risk assessments of the organization's activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requirements for conducting audits and reporting results. Where possible, audits shall be conducted by personnel independent [2] of those having direct responsibility for the activity being examined.

    The audit program shall include the following Audit criteria:

    - The Audit criteria for PD storage and transport activities shall be at least in compliance with the ISO 28000:2007 Specification for security management systems for the supply chain.

    - The Audit criteria for the Key Management processes shall be at least in compliance with X9 TR-39 2009 and PIN Security Requirements Version 2.0.

    [2] NOTE: The phrase "personnel independent" does not necessarily mean personnel external to the organization.


    13 Rationale

    13.1 SPVA Security Requirements Map

    SPVA                         | PTS | ISO 13491:1 | ISO 13491:2 | PIN Security
    Post_Manufacturing_Sec_Req_1 | F1  |             | A41         |
    Post_Manufacturing_Sec_Req_2 | F2  |             | A32         |
                                 |     |             | A36         |
    Post_Manufacturing_Sec_Req_3 | F3  |             | A42         |
    Post_Manufacturing_Sec_Req_4 |     | 7.3.2       | A43         | 7
                                 |     |             | A37         | 4
                                 |     |             | A40/F9      | 4
                                 |     |             | B20/E5      | 5
                                 |     |             | B21         | 5
                                 |     |             | E2/F3/F19   | 6/7
                                 |     |             | E4          | 1
                                 |     |             | F2          | 5/4/7
                                 |     |             | F15         | 7
                                 |     |             | F16         | 3/4
                                 |     |             | F17         | 4
                                 |     |             | F18         | 3
                                 |     |             | F20         | 3/4
                                 |     |             | F21         | 3/4
                                 |     |             | F22         | 3
                                 |     |             | G1          | 2
                                 |     |             | G2          | 4
    Post_Manufacturing_Sec_Req_5 |     |             | H1-H22      | 7


    13.2 SPVA Security Requirements Coverage

    13.2.1 Secure Post Manufacturing Processes

    Integrity: Covered by SPVA_Post_Manufacturing_Req_2.

    Accountability: Covered by SPVA_Post_Manufacturing_Req_2.

    13.2.2 Initial Key Loading

    Confidentiality: Covered by SPVA_Post_Manufacturing_Req_4.

    Integrity: Covered by SPVA_Post_Manufacturing_Req_2, SPVA_Post_Manufacturing_Req_3 and SPVA_Post_Manufacturing_Req_4.

    Accountability: Covered by SPVA_Post_Manufacturing_Req_4 and SPVA_Post_Manufacturing_Req_4.

    Authenticity: Covered by SPVA_Post_Manufacturing_Req_3.

    Non-repudiation: Covered by SPVA_Post_Manufacturing_Req_4.

    13.2.3 Secure Delivery and Storage

    Authenticity: Covered by SPVA_Post_Manufacturing_Req_1.

    Non-repudiation: Covered by SPVA_Post_Manufacturing_Req_1.

    13.2.4 Incident Management

    Confidentiality: Covered by SPVA_Post_Manufacturing_Req_5.

    Integrity: Covered by SPVA_Post_Manufacturing_Req_5.

    Accountability: Covered by SPVA_Post_Manufacturing_Req_5.

    Authenticity: Covered by SPVA_Post_Manufacturing_Req_5.

    13.2.5 SPVA Audit

    Preventing or detecting: SPVA_Post_Manufacturing_Aud_Req_1


    13.3 SPVA Key Loading Scenarios

    There are two scenarios for key loading. In both scenarios the Initial Key is loaded at the point of manufacturing in compliance with requirement SPVA_Post_Manufacturing_Sec_Req_4.

    The two scenarios differ in the location where the Customer keys are loaded. In the second scenario the Customer keys are loaded under the Customer's responsibility. In both scenarios the Customer keys must be loaded in compliance with SPVA_Post_Manufacturing_Sec_Req_4.

    For the second scenario, it is appropriate to discuss the key management process as being both necessary and sufficient. The Initial Key is necessary to ensure the integrity and authenticity of the PD during its complete lifecycle.

    The PD manufacturer must provide the appropriate information and security mechanism to validate the authenticity and integrity of the PD.

    Sufficiency is provided by allowing the Initial Key Facility to verify the PD authenticity and integrity based on the Vendor Keys before starting the Customer Key loading process.
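    The check described above, as an added example that is not from the SPVA paper or any vendor's implementation: the Initial Key Facility verifies a vendor-signed device record and a fresh challenge response against the Vendor Keys, and only then proceeds to Customer Key loading; a unit whose record is not signed by the vendor key, or whose label does not match the record, is refused. Ed25519 and the minimal (identifier, device public key) record stand in for the PKI the paper calls for; these, the identifiers and the generated keys are assumptions of this example.

```go
// Added example, not from the SPVA paper: the Initial Key Facility check from
// section 13.3, verifying PD authenticity and integrity with the Vendor Keys
// before Customer Key loading starts. Ed25519 and the minimal signed
// (identifier, device public key) record stand in for a full PKI; both are
// assumptions, as are the identifiers and key material generated below.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceCert is issued by the vendor at the Initial Key stage: it binds the
// unique visible identifier of the PD to the device's own public key.
type DeviceCert struct {
	DeviceID  string
	DevicePub ed25519.PublicKey
	VendorSig []byte // vendor signature over certBytes(DeviceID, DevicePub)
}

func certBytes(id string, pub ed25519.PublicKey) []byte {
	return append([]byte("PD-CERT:"+id+":"), pub...)
}

// MustKeyPair generates an Ed25519 key pair (vendor root or device key).
func MustKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueDeviceCert is the vendor's part: the device key pair is generated and the
// record signed with the vendor root key during manufacturing.
func IssueDeviceCert(vendorPriv ed25519.PrivateKey, id string, devPub ed25519.PublicKey) DeviceCert {
	return DeviceCert{DeviceID: id, DevicePub: devPub,
		VendorSig: ed25519.Sign(vendorPriv, certBytes(id, devPub))}
}

// NewChallenge is a fresh random nonce from the facility, so a recorded
// response from another session cannot be reused.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// DeviceRespond is the PD's side: it signs the challenge with the private key
// injected at manufacturing, proving that key is still present and intact.
func DeviceRespond(devPriv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(devPriv, challenge)
}

// VerifyBeforeKeyLoading is the Initial Key Facility gate. It returns nil only
// when the record names the identifier read off the device label, carries a
// genuine vendor signature, and the device proves possession of the certified key.
func VerifyBeforeKeyLoading(vendorPub ed25519.PublicKey, labelID string, cert DeviceCert, challenge, response []byte) error {
	if cert.DeviceID != labelID {
		return errors.New("certificate identifier does not match the device label")
	}
	if !ed25519.Verify(vendorPub, certBytes(cert.DeviceID, cert.DevicePub), cert.VendorSig) {
		return errors.New("device certificate is not signed by the vendor key")
	}
	if len(challenge) < 16 || !ed25519.Verify(cert.DevicePub, challenge, response) {
		return errors.New("device failed the challenge with its certified key")
	}
	return nil // safe to proceed with Customer Key loading
}

func main() {
	vendorPub, vendorPriv := MustKeyPair()
	devPub, devPriv := MustKeyPair()
	cert := IssueDeviceCert(vendorPriv, "PD-0001", devPub) // constructed identifier
	ch := NewChallenge()
	fmt.Println("genuine device:", VerifyBeforeKeyLoading(vendorPub, "PD-0001", cert, ch, DeviceRespond(devPriv, ch)))
	// A substituted unit carries a record signed with some key other than the vendor's: rejected.
	fakePub, fakePriv := MustKeyPair()
	fakeCert := IssueDeviceCert(fakePriv, "PD-0001", fakePub)
	fmt.Println("substituted device:", VerifyBeforeKeyLoading(vendorPub, "PD-0001", fakeCert, ch, DeviceRespond(fakePriv, ch)))
}
```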


    1. Initial Key and second-tier key loaded at point of manufacturer

    2. Initial Key loaded at point of manufacturer and second-tier key loaded at point of customer.


    14 References

    - PCI PED Security Requirements Version 2.1. January 2009
    - ISO 13491-1:2007 Banking - Secure cryptographic devices (retail) - Concepts, requirements and evaluation methods
    - ISO 13491-2:2000 Banking - Security compliance checklists for devices used in magnetic stripe card systems.
    - ISO 11568-1:2005 Banking - Key management (retail). Principles.
    - ISO 11568-4:2007 Banking - Key management (retail) - Part 4: Asymmetric cryptosystems - Key management and life cycle.
    - ISO 11568-5:2005 Banking - Key management (retail) - Key life cycle for public key cryptosystems.
    - ISO/IEC 11770-1:1996 Information technology - Security techniques - Key management - Part 1: Framework
    - ISO/IEC 11770-3:1996 Information technology - Security techniques - Key management - Part 3: Mechanisms using asymmetric techniques.
    - ISO 15782-1:2003 Banking - Certificate Management (Public Key Certificates)
    - ISO 28000:2007 Specification for security management systems for the supply chain.
    - ANS X9.42-1998, Public Key Cryptography for The Financial Service Industry.
    - ANS X9.79-1:2001. Part 1: PKI Practices and Policy Framework.
    - Payment Card Industry: PIN Security Requirements Version 2.0, January 2008. VISA
    - PIN Security Program: Auditors Guide Version 2, January 2008. VISA
    - Cryptographic Key Injection Facility: Auditors Guide Version 1.0, January 2008. VISA
    - Payment Card Industry PIN Security Requirements, March 2008. MasterCard.
    - PCI PIN Security Requirements Version 2.0, January 2008. VISA
    - ANSI X9 TR-39 2009. TG-3 Retail Financial Services Compliance Guideline Part 1: PIN Security and Key Management.
    - CobIT 4.1 (Control Objectives for Information and related Technology). ISACA


    15 Appendix 1: SPVA Requirements Updated After PCI PTS v3 (April 2010)

    15.1 Introduction

    The Payment Card Industry PIN Transaction Security (PTS) standard follows a defined 36 month lifecycle. The expiration date of the PCI PTS v2.1 requirements is defined by the PCI SSC as April 2011.

    The PCI PTS Version 3.0 introduces significant changes in how PCI will be evaluating PIN acceptance on POI terminals. The PCI PTS Version 3.0 document is an evolution of the previous versions and supports a number of new features in the evaluation of POI devices.

    The PCI PTS Version 3.0 document, like version 2.1 (January 2009), is only concerned with the device management for PIN acceptance POI devices up to the point of initial key loading. Subsequent to receipt of the device at the initial key loading facility, the acquiring financial institution and its agents (e.g., merchants and processors) are responsible for the device and are covered by the operating rules of the participating PCI payment brands and the PCI PIN Security Requirements.

    15.2 PCI PTS v3 Requirements: Manufacturer and Initial Key Loading

    No. Security compliance statement

    M1 The device is shipped from the manufacturer's facility to the initial key loading facility, and stored en route under auditable controls that can account for the location of every PED at every point in time.

    M2 Procedures are in place to transfer accountability for the device from the manufacturer to the initial key loading facility.

    M3 While in transit from the manufacturer's facility to the initial key loading facility, the device is:

    - Shipped and stored in tamper-evident packaging; and/or

    - Shipped and stored containing a secret that is immediately and automatically erased if any physical or functional alteration to the device is attempted, that can be verified by the initial key loading facility, but that cannot feasibly be determined by unauthorized personnel.

    M4 The development security documentation must provide the means to the initial key loading facility to assure the authenticity of the TOE security relevant components.

    M5 If the manufacturer is in charge of initial key loading, then the manufacturer must verify the authenticity of the POI security related components.

    M6 If the manufacturer is not in charge of initial key loading, the manufacturer must provide the means to the initial key loading facility to assure the verification of the authenticity of the POI security related components.


    M7 Each device shall have a unique visible identifier affixed to it.

    M8 The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire lifecycle of the POI security related components and of the manner in which those components are integrated into a single POI, e.g.:

    - Data on production and personalization

    - Physical/chronological whereabouts

    - Repair and maintenance

    - Removal from operation

    - Loss or theft

    15.3 SPVA Security Requirements Map

    PCI/PTS V.3 | PCI/PTS V.2 | SPVA
    M1          | F1          | Post_Manufacturing_Sec_Req_1
    M2          | F2          | Post_Manufacturing_Sec_Req_2
    M3          | F3          | Post_Manufacturing_Sec_Req_3
    M4          |             | Post_Manufacturing_Sec_Req_3
    M5          |             | Post_Manufacturing_Sec_Req_4, Scenario 1
    M6          |             | Post_Manufacturing_Sec_Req_4, Scenario 2
    M7          |             | Post_Manufacturing_Sec_Req_2, redefinition required
    M8          |             | New requirement

    15.4 SPVA Certification Requirements

    15.4.1 SPVA_Post_Manufacturing_Sec_Req_2 (Redefined)

    SPVA Requirements Definition: Documented procedures exist and are followed to ensure that transfer of accountability for the device from the manufacturer to the initial key loading facility is completed.

    There are four objectives under the accountability requirement:

    - Identification: The process used to recognize an individual PD. Each device shall have a unique visible identifier affixed to it.

    - Authentication: The process used to validate the claimed identity of the PD.

    - Non-repudiation: The process of ensuring that a party in a dispute cannot deny or refute the validity of the assumption of a PD responsibility (ownership change).

    - Lost detection and prevention.

    - Traceability: Audit information must be selectively kept and protected so that actions affecting security can be traced to each and every PD.

    15.4.2 SPVA_Post_Manufacturing_Sec_Req_5 (New Requirement)

    SPVA Requirements Definition (same as PCI PTS v3): The vendor must maintain a manual that provides instructions for the operational management of the POI. This includes instructions for recording the entire lifecycle of the POI security related components and the manner in which those components are integrated into a single POI, e.g.:

    - Data on production and personalization

    - Physical/chronological whereabouts

    - Repair and maintenance

    - Removal from operation

    - Loss or theft

    SPVA Recommended Implementation: Each PD vendor shall define a process to enforce this requirement. An audit and monitoring plan should be defined to obtain evidence that the process is followed as expected.