Issuer PIN Security Guidelines - Visa
Issuer PIN Security Guidelines - Visa
Issuer PIN Security Guidelines - Visa
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
– The hardware and software cannot be modified or accessed without<br />
detection and / or disabling,<br />
– Information contained within the hardware or software cannot be<br />
fraudulently accessed or modified without detection and rejection of the<br />
attempt, and<br />
– Systems use is restricted in such a way that it cannot be misused or<br />
used to determine <strong>PIN</strong>s by exhaustive trial and error .<br />
• HSMs should be fully accounted for from time of manufacture until<br />
decommissioned .<br />
• HSMs should be inspected for modification or tampering prior to<br />
commissioning .<br />
• HSMs should be operated according to the specified issuer policy .<br />
• HSMs should be protected from misuse by implementation of:<br />
– Dual controls for all key management activity<br />
– Dual controls for all sensitive issuance activity e .g . <strong>PIN</strong> change against<br />
a fixed PAN or PAN change against a fixed <strong>PIN</strong>, that could be used to<br />
mount attacks on <strong>PIN</strong>s<br />
– Physical controls to prevent unauthorized device tampering or bugging .<br />
• HSMs used for <strong>PIN</strong> Issuance should be kept physically and logically separate<br />
from HSMs used for <strong>PIN</strong> transaction processing .<br />
• HSMs used to store cleartext <strong>PIN</strong>s or cleartext <strong>PIN</strong>-related keys for any<br />
length of time should be handled securely when taken out of service for any<br />
reason . All keys that have an impact on the HSM’s security envelope should<br />
be deleted from the HSM .<br />
• All HSM use should be fully accountable . The mechanism used to monitor<br />
HSM use should be incapable of modification without detection .<br />
• When decommissioned, either the internal memory should be mechanically<br />
or electronically erased or the device should be physically destroyed .<br />
• Production networks used to access HSMs should provide layers of<br />
authentication to prevent remote access to unauthorised HSM functionality,<br />
e .g . segmentation of networks containing HSMs and using layered protection<br />
techniques such as defense in depth .<br />
• The production environment network security policy should be consistent<br />
with the security policy of HSMs accessed over the network .<br />
3 6 <strong>Issuer</strong> <strong>PIN</strong> <strong>Security</strong> <strong>Guidelines</strong><br />
<strong>Visa</strong> Public © 2010 <strong>Visa</strong>. All Rights Reserved.