TRAINING DETAILS

PCI PIN Security and Key Management, version 3.1

Standard Technical section  (2 Days)

Pre-Requisite: None
Day 1 Agenda

• Standard data encryption schemes in PIN debit transactions
  • Present and discuss various implementations of approved algorithms (TDES or AES)
  • Present and Discuss various Key management schemes used in PIN debit transactions
    • Master-Session Key
    • Fixed Key
    • Derived Unique Key Per Transaction (DUKPT)
  • Discuss use of encryption Keys in PIN debit transactions
  • Discuss lifecycle management of encryption Keys from generation to end of life
  • Required written procedures and logs
• Present and discuss the following topics
  • Cryptographic device (Hardware Security Module or HSMs) lifecycle management from arrival to end of life
  • POI (ATM or POS) device management
  • Key management team (Trainings, selection criteria, forms and other relevant tasks)
  • Physical controls, logical controls and procedural controls in Key and device management
  • Required written procedures and logs
• Class Exercise
• Questions-Answers

Day 2 Agenda

• Review of the significant topics covered on day 1
• Present and discuss PCI PIN audit requirements #1 through #16, addressing the following topics:
  • Device compliance & Inventory management
  • Key management & Procedural requirements
  • PIN block format, Key block format & Encryption details
  • Logs & other types of evidence of compliant Key activities (electronic, manual)
• Present and discuss PCI PIN audit requirements #17 through #33, addressing the following topics:
  • Specific Key Generation, Loading, Transport, Receipt and Destruction procedures
  • Proper selection, training and management of Key management team members
  • Chain of Custody over Key and PIN acquiring devices (HSMs/POIs)
  • Logs & other types of evidence of compliant Key and HSM activities (electronic, manual)
• Class Exercise
• Questions-Answers

PCI PIN Security: Normative Annex A Training (1 day)

Prerequisite recommendation: Core 2 day technical PCI PIN training or industry experience with PKI.

Agenda (morning session)

• Present Public-Private Key cryptography as used in ATMs/POS devices used in remote Key loading (aka RKL)
• Use of encryption Keys in POIs (ATMs or POS)
  • Use of RSA, ECC and Diffie-Hellman algorithms   (not overly technical)
  • Role of “Certificate Authorities” or “Signing Authorities” in providing “Authentication of Public Keys”
  • Role of Digital Signatures in providing for integrity and authentication of  messages
• Day 2 Agenda (afternoon session)
• Discuss the structure and operation of a Certification Authority (CA) or Signature Authority (SA)
• Discuss the process of Certificate/Signature issuance to POIs and to KDHs (Key Distribution Hosts)
• Management of CA/SA ‘s own cryptographic devices; i.e. HSMs
• Security controls required for a CA/SA’s highly secure room
• Logs of CA activities
• Detailed review of the following topics:
  • Review of a sample of requirements in Annex A1
  • Review of a sample of requirements in Annex A2
• Class Exercise
• Questions-Answers

PCI PIN Security: Normative Annex B Training (2 days)

Prerequisite: None.
Please note: The training is meant for third party agents and service providers who offer onsite Key injection into PEDs.  Such entities are known as Key Injection Facilities or KIFs (aka ESOs).

Day 1 Agenda

• Present the cryptographic schemes used in POIs acquiring cardholder’s PIN, covering:
  • DUKPT (the most common scheme)
  • Master-Session Key
  • Fixed Key
• Present cryptographic device compliance and management, covering the following:
  • Compliance of Key loading devices (KLDs)
  • Compliance of Pin Entry Devices (aka PEDs or PinPads)
  • Inventory management requirements for PEDs
  • Lifecycle management of all devices (KLDs and PEDs)
• Present the general structural requirements of a compliant Key injection facility covering the following:
  • Physical security controls; i.e. Alarms, Locks, Cameras, etc in the Key injection site
  • Physical structure of the “Key injection” site
  • Management of alarms, locks, cameras and other monitoring controls
• Present the requirements for the personnel involved in various key activities, covering the following:
  • Designation of team members and granting them access rights to handle cryptographic Keys
  • Revocation of access rights for team members involved with cryptographic key
  • Team/Personnel selection, training and management
• Class Exercise
• Questions-Answers

Day 2 Agenda

• Review of the significant topics covered on day 1
• Present and discuss PCI PIN audit requirements #1 through #16, addressing the following topics:
  • Device compliance & Inventory management
  • Key management & Procedural requirements
  • Logs & other types of evidence of compliant Key activities (electronic, manual)
• Present and discuss the PCI PIN audit requirements #17 through #33, addressing the following topics:
  • Specific Key Generation, Loading, Transport, Receipt and Destruction procedures
  • Proper selection, training and management of Key management team members
  • Chain of Custody over Key and PIN acquiring devices (KLDs/POIs)
  • Security controls required for the KIF (Key Injection Facility)
  • Logs & other types of evidence of compliant Key and KLD activities
• Class Exercise
• Questions-Answers