Document Comparison

PTS_Program_Guide_v1-6_Oct_2016.pdf PTS_Program_Guide_v1-7_May_2017.pdf
96% similar
52 → 53 Pages
17610 → 17931 Words
16 Content Changes

Content Changes

16 content changes. 53 administrative changes (dates, page numbers) hidden.

Added p. 2
May 2017 1.7 Added requirement for security policy modification for administrative changes. Added text to call out where ISO PIN Block Format 4 is used for PIN encryption, specifically AES, and the method in which used, i.e., DUKPT, Fixed or Master/Session Key. Updated Appendix B for POI v5
Added p. 42
Key Management (PED, EPP, UPT) “Key management” denotes whether the laboratory has successfully evaluated the payment security device to support the use of Triple DES (TDES) or AES for PIN encryption for online PIN. TDES requires use of at least a double-length key.

This is for POI devices supporting the entry of online PINs, and in general, this will be N/A for devices in the Non-PED or SCR approval classes, and by definition, will be N/A for offline PIN only devices.
Added p. 44
Devices supporting ISO PIN Block Format 4 (AES) will be noted here. For additional information on whether the MK/SK, DUKPT or Fixed Key methodologies are supported for AES PIN Blocks, see the Key Management section.
Added p. 49
B.4 Engaging a PTS Lab to Perform a Delta Assessment
Vendors may select a different PTS Lab to perform a delta assessment than the PTS Lab used to perform the initial evaluation or prior delta evaluation. However, the subsequent PTS Lab (“Delta Lab”) is free to determine the level of reliance they wish to place upon the prior PTS Lab’s work and will be responsible for any claims of compliance which are generated through the delta review; and this may result in additional work than would otherwise be necessary. For Version 3 or higher reports, the Delta Lab shall have access to the prior PTS Lab’s report(s), including any delta or OEM component reports subsequent to the original evaluation. If those reports are not available, the Delta Lab shall decline the engagement or else must complete a full evaluation of …
Modified p. 1
Payment Card Industry (PCI) PIN Transaction Security (PTS) Device Testing and Approval Program Guide Version 1.6
Payment Card Industry (PCI) PIN Transaction Security (PTS) Device Testing and Approval Program Guide Version 1.7
Modified p. 26
Vendors who wish to change a model name of an approved device must also use the PTS Administrative Change Request form. However, if any devices have been sold under the prior model name, both names will be listed. Furthermore, images for the device used on the www.pcisecuritystandards.org website must include both the prior and new models.
Vendors who wish to change a model name of an approved device must also use the PTS Administrative Change Request form. However, if any devices have been sold under the prior model name, both names will be listed. Additionally, a new security policy must be created, and either must reference both the new and old names, or else will be listed in parallel to the existing policy. Furthermore, images for the device used on the www.pcisecuritystandards.org website must include both …
Modified p. 42
Note: All newly approved offline PIN verification POIs must support both plaintext and enciphered PIN verification.
All newly approved offline PIN verification POIs must support both plaintext and enciphered PIN verification.
Modified p. 43 → 42
Where AES is used, that will be noted in conjunction with the MK/SK or Fixed methodologies.
Where AES is used, that will be explicitly noted in conjunction with the MK/SK, DUKPT or Fixed Key methodologies.
Modified p. 44
Additional Information This field may be used to place any additional pertinent information. For example, when a vendor has changed the status of a device to end-of-life as delineated in Section 4.3 Fees. and thus the device is no longer available for purchase except for maintenance purposes subject to payment brand rules. This will also be used for v2 HSMs to delineate whether they are approved for restricted or unrestricted usage as delineated in the HSM Security Requirements:
Additional Information This field may be used to place any additional pertinent information. For example, when a vendor has changed the status of a device to end-of-life as delineated in Section 4.3 Fees and thus the device is no longer available for purchase except for maintenance purposes subject to payment brand rules. This will also be used for v2 HSMs to delineate whether they are approved for restricted or unrestricted usage as delineated in the HSM Security Requirements:
Modified p. 45
B.2 What is a Delta Evaluation? All initial evaluations under a major version (e.g., 1.x, 2.x, 3.x. 4.x, etc.) of the security requirements for a given product shall constitute a new evaluation and shall receive a new approval number.
B.2 What is a Delta Evaluation? All initial evaluations under a major version (e.g., 1.x, 2.x, 3.x. 4.x, 5.x etc.) of the security requirements for a given product shall constitute a new evaluation and shall receive a new approval number.
Modified p. 45
Delta evaluations are not permitted to take a product previously approved under an earlier major version number of the PTS POI Standard (e.g., 3.x) to an approval under another major version number (e.g., 4.x).
Delta evaluations are not permitted to take a product previously approved under an earlier major version number of the PTS POI Standard (e.g., 4.x) to an approval under another major version number (e.g., 5.x).
Modified p. 46
Firmware Change Types, Impacted Requirements by PTS Standard Version (v1.x | v2.x | v3.x | v4.x):
Any firmware change: N/A | N/A | N/A | B20
Firmware changes with no apparent impact on PCI Requirements: B3 | B3 | B3, F1, G1, H1, I1 | B3, F1
Amendments in secure tamper-recovery methodology: B1 | B1 | B1 | B1
Error handling (i.e., buffer overflows): A5, B2 | A3, B2 | A3, B2 | A3, B2
Amendments to external communications protocols: B2 | B2 | B2, F1, G1, H1, I1 | B2, F1
Change to software/firmware update mechanisms: B3, B4 …
Firmware Change Types, Impacted Requirements by PTS Standard Version (v1.x | v2.x | v3.x | v4.x | V5.x):
Any firmware change: N/A | N/A | N/A | B20 | B20
Firmware changes with no apparent impact on PCI Requirements: B3 | B3 | G1, H1, I1 | B3, F1 | B3, F1
Amendments in secure tamper-recovery methodology: B1 | B1 | B1 | B1 | B1
Error handling (i.e., buffer overflows): A5, B2 | A3, B2 | A3, B2 | A3, B2 | A2, B2
Amendments to external communications protocols: B2 | B2 | B2, F1 | B2, F1
Change to software/firmware update mechanisms: …
Removed p. 48
(2) This item is not to be included in the count of changes when determining whether the number of changes in a single delta submission is within the acceptable range of four (4).
Modified p. 48
Hardware Change Types, Impacted Requirements by PTS Standard Version (v1.x | v2.x | v3.x | v4.x):
Any hardware change (2): A1, A2, A3, C1 | A1, A7 | A1, A7 | A1, A6, B2,
Changes in casing plastics (e.g., cover-opening dimensions, areas that permit internal access, changes to PED look and feel, etc.) or output-only displays. Amended devices must remain consistent to the device’s original form factor.
Hardware Change Types, Impacted Requirements by PTS Standard Version (v1.x | v2.x | v3.x | v4.x | V5.x):
Any hardware change (2): A1, A2, A3, C1 | A1, A7 | A1, A7
Changes in casing plastics (e.g., cover-opening dimensions, areas that permit internal access, changes to PED look and feel, etc.) or output-only displays. Amended devices must remain consistent to the device’s original form factor.
Modified p. 48
A4, A7, A9-A11 | A2, A6, A8-A11 | A2, A6, A8-A11, B16, D1- | A5, A7-A9, A11
Modification to tamper/removal switches (e.g., changes to materials, performance, location, circuitry, tamper response, etc.) or tamper-resistance/evidence features: A5, D1 | A2, A3, A11, D1 | A2, A3, A10, D1
Modifications to the secure controller(s): A5, A6, A7, A9, B1-B10, C2-C8, D4 | A3, A4, A6, A8, B1-B15, | A3, A4, A6, | A3, A4, A5,
Changes to user interfaces that could be used for PIN entry (e.g., touch screens, keypad …
A4, A7, A9-A11 | A2, A6, A8-A11 | A2, A6, A8-A11, B16, D1- | A5, A7-A9, A11 B16, D1- | A4, A6-A8, A10 B16, D1-
Modification to tamper/removal switches (e.g., changes to materials, performance, location, circuitry, tamper response, etc.) or tamper-resistance/evidence features: A5, D1 | A2, A3, A11, D1 | A2, A3, A10, D1
Modifications to the secure controller(s): A5, A6, A7, A9, B1-B10, | A3, A4, A6, A8, B1-B15, | A3, A4, A6, A8, A11, B1-B19, | A3, A4, A5, A7, A10, B2-B19, | A2, A3, A4, A6, A9, …
Modified p. 49 → 50
• The reference approval report and any subsequent delta submissions upon which the current delta submission is based; and
• Any supporting documentation used to substantiate the findings represented in the delta submission;
• The reference approval report and any subsequent delta submissions upon which the current delta submission is based; and
• Any supporting documentation used to substantiate the findings represented in the delta submission;
• A table that depicts the following information about every change embodied in the update to the approved PTS device from the previously approved configuration: