PIN Entry Device Standards

In document Information about this Replacement (Page 142-145)

5 Excerpts from Security Rules and Procedures (published July 200)

4.5.3 Triple DES Migration Schedule

All merchant POI terminals and ATMs are required to use Triple DES, minimum double key length (hereafter referred to as “Triple DES”), in accordance with the implementation schedule set out below:

• All newly installed merchant POI terminals and ATMs, including replacements, must be Triple DES capable.

• All member and processor host systems must support Triple DES.

• Effective 1 April 2005, all ATMs must be Triple DES compliant.

• Effective 1 April 2005, it is strongly recommended that all merchant POI terminals be Triple DES compliant and chip-capable.

MasterCard recognizes that members may elect to use other public key encryption methods between their merchant POI terminals or ATMs and their host(s). In such instances, MasterCard must approve the alternate method chosen in advance of its implementation and use. Approval will be dependent, in part, on whether MasterCard deems that other method to be as secure as or more secure than Triple DES. Approval is required before implementation can begin. All transactions routed to the MasterCard system must be Triple DES compliant.

4.6 PIN Entry Device Standards

All cryptographic functions must be performed in a device that meets the requirements for a tamper-resistant security module (TRSM) in which all clear text keys and PINs are physically protected against disclosure and modification.

The following minimum security Standards regarding such PIN entry devices (PEDs) are consistent across all brands, services, and programs.

1. The PED must be designed and installed so that a third party is prevented from observing the PIN as it is being entered.

2. The PED must not display the PIN in plain text or disclose the PIN by audible feedback. Acoustic or visible signals to indicate data entry are recommended, provided they are neutral in tone and character and in no way reveal which letter or number has been pressed.

3. The PED must have a “clear” function to enable the cardholder to retract incorrect letter or number selections and an “enter” function to indicate completion of PIN entry.

4. The PED must be designed to protect the cardholder against deception about:

− the normal sequence of transaction steps;

− the fact that no PIN is required for signature-based POI transactions;

− the information displayed or printed;

− additional data requested;

− the authorization response; and

− the completion or cancellation of a transaction.

All PEDs must have unique keys. No two PEDs shall use the same encipherment keys for any PIN or key encryption purpose except by chance or random selection. Knowledge of the keys used in any given PED must not allow disclosure of the keys used in any other PED.

PED manufacturers must self-certify that their respective devices meet the minimum requirements identified in the PED Self-Assessment Questionnaire. This questionnaire sets the currently acceptable minimum implementations of physical security requirements as stated in ISO 9564.

If a member or MasterCard questions a PED with respect to physical security attributes (those that deter a physical attack on the device) or logical security attributes (functional capabilities that preclude, among other things, the output of a clear text PIN or a cryptographic key), MasterCard has the right to effect an independent evaluation performed at the manufacturer’s expense.

MasterCard will conduct periodic security reviews with selected acquirers and merchants. These reviews will ensure compliance with MasterCard security requirements and generally accepted best practices.

Warning: The physical security of the PED depends on its penetration characteristics. Virtually any physical barrier may be defeated with sufficient effort.

For secure transmission of the PIN from the PED to the issuer host system, the PED must encrypt the PIN using the approved algorithm(s) for PIN encipherment listed in ISO 9564-2 and the appropriate PIN block format as provided in ISO 9564-1.

If the PIN pad and the secure component of the PED are not integrated into a single tamper-evident device, then for secure transmission of the PIN from the PIN pad to the secure component, the PIN pad must encrypt the PIN using the

4.6.1 Tamper-Responsive Device Standards

To qualify as a tamper-responsive device, also known as a physically secure device, a PED must meet the following criteria:

1. Penetration of the device will cause immediate erasure of all PINs, cryptographic keys, and all useful residue of PINs and keys contained within it.

2. Key management techniques used in the PED include one of the following:

a. fixed transaction keys,

b. master keys/transaction keys,

c. a non-reversible transformed unique key per transaction, or

d. a derived unique key per transaction.

The transmission medium (cable, wire) between the keyboard and the encipherment circuitry is highly protected physically and prohibits installation of tapping devices.

Each terminal supports a unique key.

4.6.2 Tamper-Evident Device Standards

To qualify as a tamper-evident device, also known as a minimum acceptable PIN entry device, a PED must meet the following criteria:

1. Any unauthorized attempt to penetrate it would be obvious.

2. The device is plastic or steel-encased, or otherwise impossible to penetrate without the proper equipment or expertise, or relocation to a specialized facility.

3. The PIN is enciphered within the device using an approved algorithm and PIN block format.

4. The device uses a unique key per transaction scheme (a key transformation or key derivation technique must be used to accomplish this).
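The unique-key-per-PED rule in 4.6 and the unique-key-per-transaction criterion above can be illustrated with the following added sketch, which is not part of the MasterCard text and is not the standardized Triple DES based scheme. It uses HMAC-SHA-256 as a stand-in one-way function; the base key, device identifiers and all function names are hypothetical.

```python
# Added example: per-device key derivation plus a non-reversible per-transaction
# key transformation. HMAC-SHA-256 stands in for the TDES-based operations.
import hashlib
import hmac

def device_initial_key(base_key: bytes, device_id: str) -> bytes:
    """Host-side derivation: each PED gets its own initial key, never the base key."""
    return hmac.new(base_key, b"ped-init|" + device_id.encode(), hashlib.sha256).digest()

def next_state(state: bytes) -> bytes:
    """One-way step: the previous state cannot be recomputed from the new one."""
    return hmac.new(state, b"advance", hashlib.sha256).digest()

def transaction_key(state: bytes) -> bytes:
    """16-byte PIN-encipherment key for the current transaction."""
    return hmac.new(state, b"pin-key", hashlib.sha256).digest()[:16]

class Ped:
    """Holds only its current state; earlier transaction keys are unrecoverable."""
    def __init__(self, device_id: str, initial_key: bytes):
        self.device_id = device_id
        self.counter = 0
        self._state = initial_key

    def begin_transaction(self):
        key = transaction_key(self._state)
        self.counter += 1
        self._state = next_state(self._state)  # overwrite: old state is gone
        return self.counter, key

def host_transaction_key(base_key: bytes, device_id: str, counter: int) -> bytes:
    """Host recomputes the key from the base key, the device id and the counter."""
    state = device_initial_key(base_key, device_id)
    for _ in range(counter - 1):
        state = next_state(state)
    return transaction_key(state)

if __name__ == "__main__":
    base = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed base key
    ped = Ped("PED-0001", device_initial_key(base, "PED-0001"))
    for _ in range(3):
        n, k = ped.begin_transaction()
        print(n, k.hex(), k == host_transaction_key(base, "PED-0001", n))
```

Extracting the state from one PED reveals neither the base key nor any other PED's keys, and it does not reveal that PED's own earlier transaction keys.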
