Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI PIN Entry Device Security Requirements PCI PIN Security Standards

Published byRoy Wilson Modified over 8 years ago

Similar presentations

Presentation on theme: "PCI PIN Entry Device Security Requirements PCI PIN Security Standards"— Presentation transcript:

1 PCI PIN Entry Device Security Requirements PCI PIN Security Standards

2 Topics Payment Card Industry Pin Entry Device (PCI PED) Security Requirements Overview Testing process Programme Requirements Mandates Common Issues Payment Card Industry PIN Security Standards Related Mandates

3 PCI PED Security Requirements Overview
Formally known as the Visa PED Standards Standards aligned with other payment schemes PCI Pin Entry Device Security Requirements published in Oct 2004 Requirements primarily related to Attended POS Devices (On-line, offline or both) Encrypting PIN Peds (POS, ATMs, Fuel dispensers, kiosk,etc) Eventually to contain full requirements for ATM and other unattended devices Version 2 published in April 2007. Version 2 to be effective on 1st April Till then version

4 PCI PED Security Requirements Overview
The Security Requirements are divided into two categories Device characteristics Physical Logical Device management During manufacturing Between manufacturing and initial key loading

5 PCI PED Testing Process
Vendor to complete the relevant documentation and contact PED test lab of choice PED lab agrees a testing date and timeframe PED lab to perform evaluation and generate an evaluation report PCI participant to review report and grant approval List of Visa approved devices; -Ped test lab might do a pre-evaluation of the document submitted and request for additional information -Testing date and timeframe will depend on what test needs to be performed. Typically it could take 4-6 weeks for a full evaluation. -Should any discrepancies found and the device is deemed to be non-compliant the PED Lab will issue a report to vendor. -PED lab generates an evaluation report once the testing is completed successfully. -Labs cannot provide approval. Only PCI Participants can grant approval based on evaluation report provided by PED Lab. -No partial approval is granted. The device must meet all requirements to be deemed compliant Each scheme grants its own approval Visa approved devices can be found in

6 PCI PED Mandates Effective Now 1 January All newly deployed attended POS PIN acceptance devices (including replacement devices) must have passed testing by a PCI recognized laboratory and be approved by Visa for new deployments. Effective Now 1 October All newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and have been approved by Visa. 1 October 2007 All newly deployed unattended POS PIN acceptance devices must contain an EPP that has passed testing by a PCI recognized laboratory and is approved by Visa for new deployments. Additionally, if the device is used for offline PIN acceptance, it must contain a laboratory validated and Visa-approved secure smart card reader. 1 July 2010 All attended POS PIN acceptance devices must pass testing by a PCI recognized laboratory and have been approved by Visa.

7 PCI PED Common Issues Device not PED compliant
Older model of device deployed prior to PCI PED requirement PCI PED compliance not taken into account when new services are tested and rolled out.

8 PCI PIN Security Standards Overview
Visa PIN Security Requirements were first published in Mid 1990s 2004 Visa aligned standard with other payment schemes and published Payment Card Industry Pin Security Standards

9 PCI PIN Security Standards Overview
Consist of seven Control Objectives Control Objective One PINs are processed using equipment and methodologies that ensure they are kept secure. Control Objective Two Cryptographic keys used for PIN encryption/decryption are created using processes that ensure that it is not possible to predict any key. Control Objective Three Keys are conveyed or transmitted in a secure manner. Control Objective Four Key loading to hosts and PIN entry devices is handled in a secure manner.

10 PCI PIN Security Standards Overview
Control Objective Five Keys are used in a manner that prevents or detects their unauthorized usage. Control Objective Six Keys are administered in a secure manner. Control Objective Seven Equipment used to process PINs and keys is managed in a secure manner.

11 PCI PIN Security Standards Programme Requirements
All acquiring Members and their agents processing PIN-based Visa transactions are required to undergo an on-site review every three years. On an annual basis all acquiring Members processing PIN-based Visa transactions will be required to complete a certificate to confirm their level of compliance. On-site review to be conducted by Visa Risk Limited Acquiring Members or their agents to generate and agree remediation plan with Visa CEMEA

12 PCI PIN Security Standards Common Issues
Cryptographic keys shared between production and test environment Pin not protected using a secure PIN Block format Deploying unapproved Pin Entry Devices Cryptographic keys not created in a secure manner Cryptographic key not unique Cryptographic keys stored in an unsecured manner or format Lack of documented procedures Poor device management Lack of audit trail or logs for key utilisation

13 Other related Mandates
Chip Reading PIN Entry Devices Effective Now All Chip-Reading devices (including Unattended Acceptance Terminals) placed in service that support “enciphered Offline PIN” must also support “plaintext Offline PIN.” Effective Now All newly deployed Chip-Reading devices must be capable of accepting a PIN (have either a PIN pad or a port capable of supporting a PIN pad). The PIN functionality must either be active or be capable of being activated through a software update.

14 Other related Mandates
Triple Data Encryption Standard (TDES) Global Mandates Effective Now All newly deployed ATMs (including replacement devices) must support TDES. Effective Now All newly deployed point of sale (POS) PIN acceptance devices (including replacement devices) must support TDES. 1 July 2010 Cardholder PINs must be TDES encrypted from all Points-of-Transaction to the Issuer. However, each Visa Region's TDES dates will supersede the global TDES date whenever the Visa Region date precedes the global date. Note: "Must support" means the device has all the necessary hardware and software required for TDES installed and only requires the loading of a TDES key.

15 Other related Mandates
Visa (CEMEA) TDES Mandate Effective Now All PIN transactions must be TDES encrypted from point of acceptance to Visa. All PIN transactions between Visa and Issuer hosts must be TDES encrypted. A non-compliance grace period will be introduced until 1 July 2007, at which time all CEMEA Members must be fully compliant to the Regional TDES requirements. A non-compliance fee structure specific to TDES migration will be introduced and rigidly enforced by the end of the grace period (details of non-compliance fees will be announced at a later date).

16 Visa (CEMEA) TDES Mandate
TDES Questionnaire in CEMEA Fraud Information Service Portal

17 Thank you

Download ppt "PCI PIN Entry Device Security Requirements PCI PIN Security Standards"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,

Session 4: Data Privacy and Fraud Moderator: Bill Houck, Director, Risk Management, UATP Panelist: Peter Warner, EVP, Retail Decisions Cherie Lauretta,
ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
Troy Leach April 2012 The PCI Security Standards Council.

Troy Leach April 2012 The PCI Security Standards Council.
What happens here: Affects us here and here Have you ever come to work: Cams Alerts – Visa Alerts MasterCard Alerts Fraud Notices and it’s only 8:10.

What happens here: Affects us here and here Have you ever come to work: Cams Alerts – Visa Alerts MasterCard Alerts Fraud Notices and it’s only 8:10.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
This refresher course will:

This refresher course will:
1 U.S. EMV Migration Update and Best Practices Hap Huynh, Senior Director Risk Products April 2015.

1 U.S. EMV Migration Update and Best Practices Hap Huynh, Senior Director Risk Products April 2015.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Smart Payment Processing ™ 800-846-4472 www.MercuryPay.com Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.

Smart Payment Processing ™ Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.

© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
Memorial University of Newfoundland An Update on Chip September 26, 2007.

Memorial University of Newfoundland An Update on Chip September 26, 2007.
Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.

Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Visa Cemea Account Information Security (AIS) Programme

Visa Cemea Account Information Security (AIS) Programme
Beta Program for The Raiser’s Edge 7.86 PA DSS version Anne McDonell & Bucky Wall Corporate Readiness.

Beta Program for The Raiser’s Edge 7.86 PA DSS version Anne McDonell & Bucky Wall Corporate Readiness.

Similar presentations

Ads by Google