Written by: Sean D. Goodwin, GSE
Background Information
The purpose of the PIN Transaction Security Hardware Security Module (PTS HSM) Security Requirements Technical Frequently Asked Questions is to provide guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with the financial payments industry.
This process allows payment terminals to be certified as secure payment devices. PCI DSS is designed to protect cardholder data as it is stored, processed, or transmitted across networks. The PTS focuses on the security of the payment device itself, largely due to the increase in criminals targeting these devices. This standard addresses both the physical security controls and the logical network security concerns of the devices.
PTS HSM Security Requirements Version 3 Technical Frequently Asked Questions
Version 3 of the PTS HSM Security Requirements Technical Frequently Asked Questions document was published in November of 2018. Overall, there are not many changes from version 2, though there is one clarification of an answer worth highlighting:
Question 38
Q: Several requirements stipulate that if the device is restricted to deployment in Controlled Environments as defined in ISO 13491, then specific restrictions apply in the attack techniques that can be used. If the restrictions preclude any viable attacks for a specific requirement, how must that be presented in the evaluation report?
A: The report must present attack scenarios as stipulated in the derived test requirements. These must be presented without the restrictions of the Controlled Environment with notation highlighting the steps that are not allowed per the controlled environment restrictions. The report would indicate the attack is feasible if the device is not deployed in a Controlled Environment or a more robust Secure Environment.
The device will be noted under both “Additional Information” and within the vendor security policy posted on the PCI website that the device is restricted to use within a Controlled or a Secure Environment as defined in ISO 13491, and that usage outside of a Controlled or a Secure Environment invalidates the approval. HSMs that are PCI Approved for Controlled or Secure Environments shall not be used in Uncontrolled or Minimally controlled Environments.
This update applies to only a subset of organizations, as it affects only ISO 13491 environments. The main point of this FAQ is to clarify how testing non-performance is to be documented. If you are on the merchant side of the equation, you should review the attestation reports to ensure testing was completed appropriately.