NEW SECURITY REQUIREMENTS FOR ATM AND POS INTRODUCED BY PCI-PIN V3: TR-31 and TR-34
Lusis Payments is committed to providing our clients with helpful information so they can stay ahead of the curve on topics such as new compliance requirements and guidelines in the payments industry. The following is a brief summary of the new security requirements introduced by PCI PIN v3, which merges requirements from the PCI Security Standards Council (PCI SSC) and the Accredited Standards Committee X9 Inc. (ASC X9) into one unified PIN Security Standard for payments stakeholders. Two developments have emerged from these standards that will bring a massive change to ATM and POS remote key management: ASC X9 TR-31 and TR-34.
TR-31 is a Technical Report. Technical Reports differ from standards: a standard is a mandatory set of rules that must be adhered to, whereas a Technical Report is not mandatory but provides guidance to those implementing the standards. TR-31 describes a method, consistent with the requirements of the ANS X9.24-1 standard, for the secure exchange of keys and other sensitive data between two devices that already share a symmetric key-exchange key. No other specific method has been defined by the standards committee, so the TR-31 method has become the de facto standard through which financial organizations exchange keys. The TR-31 key block carries a set of defined key rules (the key's usage, algorithm, mode of use and exportability, among others).
These rules are cryptographically bound to the key so that key and rules travel together between any two systems that accept the TR-31 format, which is why the format is being widely adopted among financial organizations. While TR-31 is not a mandatory format for key storage, all HSM vendors must provide a key block storage format. This is already true of all HSM vendors, but it will also apply to legacy systems still running old payment applications, where variant-mode key storage is still in general use.
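As an added illustration (not code from the Lusis Payments article or from the ASC X9 standard), the following Python parses the TR-31 key block layout described above and reports the key rules bound to the key: the header attributes (version, key usage, algorithm, mode of use, key version, exportability), the optional blocks, the encrypted key data and the trailing MAC. The sample key block is constructed for this example; the encrypted key and MAC fields are placeholder hex, so the code checks structure and enforces the bound usage rules, and it deliberately does not attempt MAC verification, which requires the key block protection key and the version-specific MAC algorithm inside an HSM. The `permitted` mapping of operations to usage/mode codes is an illustrative policy, not a table from the standard.

```python
"""Parse an ASC X9 TR-31 key block and report the key rules bound to the key.

Structure checks only: MAC verification needs the key block protection key
and an HSM, so it is intentionally out of scope here.
"""

# Attribute code tables following the TR-31 header layout (subset of the codes defined there).
KEY_USAGE = {
    "B0": "Base derivation key (BDK)", "C0": "Card verification key",
    "D0": "Data encryption key", "K0": "Key encryption or wrapping key",
    "K1": "TR-31 key block protection key", "M3": "ISO 9797-1 MAC algorithm 3 key",
    "P0": "PIN encryption key",
}
ALGORITHM = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA", "E": "Elliptic curve", "H": "HMAC", "S": "DSA"}
MODE_OF_USE = {
    "B": "encrypt/wrap and decrypt/unwrap", "C": "MAC generate and verify",
    "D": "decrypt/unwrap only", "E": "encrypt/wrap only", "G": "MAC generate only",
    "N": "no special restriction", "S": "signature only", "T": "sign and decrypt",
    "V": "verify only", "X": "derive other keys", "Y": "create key variants",
}
EXPORTABILITY = {"E": "exportable under a trusted KBPK", "N": "non-exportable", "S": "sensitive, exportable under any KBPK"}
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}  # MAC length in hex characters per key block version


class TR31FormatError(ValueError):
    """Raised when the key block violates the TR-31 layout rules."""


def parse_key_block(block: str) -> dict:
    """Return the header attributes, optional blocks, encrypted key and MAC of a TR-31 key block."""
    if len(block) < 16:
        raise TR31FormatError("header shorter than 16 characters")
    version = block[0]
    if version not in MAC_HEX_LEN:
        raise TR31FormatError(f"unknown key block version {version!r}")
    if not block[1:5].isdigit() or int(block[1:5]) != len(block):
        raise TR31FormatError(f"declared length {block[1:5]!r} does not match actual length {len(block)}")
    usage, alg, mode, key_version, export = block[5:7], block[7], block[8], block[9:11], block[11]
    if not block[12:14].isdigit():
        raise TR31FormatError("optional block count must be two decimal digits")
    n_opt = int(block[12:14])
    if block[14:16] != "00":
        raise TR31FormatError("reserved header characters must be '00'")
    for code, table, what in ((usage, KEY_USAGE, "key usage"), (alg, ALGORITHM, "algorithm"),
                              (mode, MODE_OF_USE, "mode of use"), (export, EXPORTABILITY, "exportability")):
        if code not in table:
            raise TR31FormatError(f"unknown {what} code {code!r}")

    # Optional blocks: 2-char ID, 2-char hex length (including ID and length), then data.
    pos, optional = 16, []
    for _ in range(n_opt):
        if pos + 4 > len(block):
            raise TR31FormatError("truncated optional block")
        blk_id, blk_len = block[pos:pos + 2], int(block[pos + 2:pos + 4], 16)
        if blk_len < 4 or pos + blk_len > len(block):
            raise TR31FormatError(f"bad optional block length for {blk_id!r}")
        optional.append((blk_id, block[pos + 4:pos + blk_len]))
        pos += blk_len
    # Header plus optional blocks must fill whole cipher blocks (padded with a 'PB' block).
    if pos % (16 if version == "D" else 8) != 0:
        raise TR31FormatError("header and optional blocks are not padded to the cipher block size")

    mac_len = MAC_HEX_LEN[version]
    body = block[pos:]
    if len(body) <= mac_len:
        raise TR31FormatError("no encrypted key data before the MAC")
    enc_key, mac = body[:-mac_len], body[-mac_len:]
    for field, name in ((enc_key, "encrypted key"), (mac, "MAC")):
        try:
            bytes.fromhex(field)
        except ValueError:
            raise TR31FormatError(f"{name} field is not hexadecimal") from None
    return {
        "version": version, "key_usage": usage, "key_usage_desc": KEY_USAGE[usage],
        "algorithm": ALGORITHM[alg], "mode_of_use": mode, "mode_desc": MODE_OF_USE[mode],
        "key_version": key_version, "exportability": export,
        "optional_blocks": optional, "encrypted_key": enc_key, "mac": mac,
    }


def is_well_formed(block: str) -> bool:
    """True if the key block passes the structural checks above."""
    try:
        parse_key_block(block)
        return True
    except TR31FormatError:
        return False


def permitted(attrs: dict, operation: str) -> bool:
    """Illustrative policy: does the bound usage/mode allow the requested operation?"""
    rules = {
        "pin_encrypt": ("P0", {"E", "B"}), "pin_decrypt": ("P0", {"D", "B"}),
        "mac_generate": ("M3", {"G", "C"}), "mac_verify": ("M3", {"V", "C"}),
        "data_encrypt": ("D0", {"E", "B"}), "data_decrypt": ("D0", {"D", "B"}),
    }
    usage, modes = rules[operation]
    return attrs["key_usage"] == usage and attrs["mode_of_use"] in modes


# Constructed sample: version B, PIN encryption key, TDES, encrypt-only, exportable,
# two optional blocks (a 'KS' key set identifier and a 'PB' padding block).
# The encrypted key and MAC are placeholder hex, not real ciphertext.
SAMPLE_BLOCK = ("B0104P0TE00E0200" + "KS140123456789ABCDEF" + "PB04"
                + "A1B2C3D4E5F60718" * 3 + "0011223344556677")

if __name__ == "__main__":
    attrs = parse_key_block(SAMPLE_BLOCK)
    print(f"{attrs['key_usage']} {attrs['key_usage_desc']}, {attrs['algorithm']}, {attrs['mode_desc']}")
    print("pin_encrypt allowed:", permitted(attrs, "pin_encrypt"))
    print("pin_decrypt allowed:", permitted(attrs, "pin_decrypt"))
```

Parsing alone does not defend against a modified header: flipping the mode-of-use character to `B` in the sample yields a block the parser still accepts and that the policy would allow to decrypt PINs. What stops that in practice is the MAC, computed over header and encrypted key under the key block protection key, which an HSM verifies before honouring any of the rules; that binding is the point of the key block format.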
The requirement that encrypted symmetric keys must be managed in structures called key blocks has been revised and broken into three separate phases with different implementation dates, as outlined in the March 2017 PCI SSC bulletin on revisions to the implementation date for PCI PIN Security Requirement 18-3.
The above is an extract from a paper written by Philippe Préval, President and CEO of Lusis Payments; the full article is available from Lusis Payments.