Payment Card Industry (pci) pin transaction Security (pts) Hardware Security Module (hsm) Modular Security Requirements

Download 0.55 Mb.
Size0.55 Mb.
  1   2   3   4   5   6   7   8   9   10   11

Payment Card Industry (PCI)
PIN Transaction Security (PTS)
Hardware Security Module (HSM)

Modular Security Requirements
Version 3.0

June 2016

© PCI Security Standards Council LLC 2012-2016

This document and its contents may not be used, copied, disclosed, or distributed for any purpose except in accordance with the terms and conditions of the Non-Disclosure Agreement executed between the PCI Security Standards Council LLC and your company. Please review the Non-Disclosure Agreement before reading this document.

Document Changes





April 2009



Initial Release

February 2012



RFC version - Modifications for consistency with PCI POI requirements.

May 2012



Public release

February 2016



RFC version

June 2016



Requirements for key-loading devices and HSM remote administration platform requirements added. Device Management Information submitted by vendors is now validated. See PCI PTS HSM - Summary of Requirements Changes from Version 2.0 to 3.0.

Note to Assessors

When protecting this document for use as a form, leave Section 12 (final page of this document) unprotected to allow for insertion of a device-specification sheet. Under “Tools / Protect Document,” select “Forms” then “Sections,” and un-check Section 12 as illustrated below.

Table of Contents

Document Changes 3

Note to Assessors 5

About This Document 7

Purpose 7

Scope of the Document 7

Main Differences from Previous Version 8

Foreword 9

Evaluation Domains 9

Device Management 9

Related Publications 11

Required Device Information 13

Optional Use of Variables in the Device Identifier 13

Evaluation Module 1: Core Requirements 14

A – Physical Security Requirements 15

B – Logical Security Requirements 16

C – Policy and Procedures 19

Evaluation Module 2: Key-Loading Devices 20

D – Key-Loading Devices 21

Evaluation Module 3: Remote Administration 22

E – Logical Security 23

F – Devices with Message Authentication Functionality 24

G – Devices with Key-Generation Functionality 25

H – Devices with Digital Signature Functionality 26

Evaluation Module 4: Device Management Security Requirements 27

I – Device Security Requirements During Manufacturing 28

J – Device Security Requirements Between Manufacturer and Point of Initial Deployment 30

Compliance Declaration – General Information – Form A 32

Compliance Declaration Statement – Form B 33

Compliance Declaration Exception – Form C 34

Appendix A: Requirements Applicability Matrix 35

Appendix B: Applicability of Requirements 36

Glossary 39

Device-Specification Sheet 52

About This Document


HSMs (Hardware Security Modules) play a critical role in helping to ensure the confidentiality and/or data integrity of financial transactions. Therefore, to help engender trust in the legitimacy of the financial transactions being supported, it is imperative that HSMs are appropriately secure during their entire lifecycle. This includes manufacturing, shipment, use, and decommissioning. The purpose of this document is to provide guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with financial payments industry.

This document provides vendors with a list of all the security requirements against which their products will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device approval.

HSMs may support a variety of payment-processing and cardholder-authentication applications and processes. The processes relevant to the full set of requirements outlined in this document are:

  • PIN processing

  • 3-D Secure

  • Card verification

  • Card production and personalization


  • ATM interchange

  • Cash-card reloading

  • Data integrity

  • Chip-card transaction processing

  • Key generation

  • Key injection

There are many other applications and processes that may utilize general-purpose HSMs, and which may necessitate the adoption of all or a subset of the requirements listed in this document. However this document does not aim to develop a standard for general-purpose HSMs for use outside of applications such as those listed above that are in support of a variety of payment-processing and cardholder-authentication applications and processes for the financial payments industry.

Download 0.55 Mb.

Share with your friends:
  1   2   3   4   5   6   7   8   9   10   11

The database is protected by copyright © 2020
send message

    Main page