TRAINING DETAILS
PCI PIN Security and Key Management, version 3.1
Standard Technical section (2 Days)
Pre-Requisite: None
Day 1 Agenda
- Standard data encryption schemes in PIN debit transactions
- Present and discuss various implementations of approved algorithms (TDES or AES)
- Present and Discuss various Key management schemes used in PIN debit transactions
- Master-Session Key
- Fixed Key
- Derived Unique Key Per Transaction (DUKPT)
- Discuss use of encryption Keys in PIN debit transactions
- Discuss lifecycle management of encryption Keys from generation to end of life
- Required written procedures and logs
- Present and discuss the following topics
- Cryptographic device (Hardware Security Module or HSMs) lifecycle management from arrival to end of life
- POI (ATM or POS) device management
- Key management team (Trainings, selection criteria, forms and other relevant tasks)
- Physical controls, logical controls and procedural controls in Key and device management
- Required written procedures and logs
- Class Exercise
- Questions-Answers
Day 2 Agenda
- Review of the significant topics covered on day 1
- Present and discuss PCI PIN audit requirements #1 through #16, addressing the following topics:
- Device compliance & Inventory management
- Key management & Procedural requirements
- PIN block format, Key block format & Encryption details
- Logs & other types of evidence of compliant Key activities (electronic, manual)
- Present and discuss PCI PIN audit requirements #17 through #33, addressing the following topics:
- Specific Key Generation, Loading, Transport, Receipt and Destruction procedures
- Proper selection, training and management of Key management team members
- Chain of Custody over Key and PIN acquiring devices (HSMs/POIs)
- Logs & other types of evidence of compliant Key and HSM activities (electronic, manual)
- Class Exercise
- Questions-Answers
PCI PIN Security: Normative Annex A Training (1 day)
Prerequisite recommendation: Core 2 day technical PCI PIN training or industry experience with PKI.
Agenda (morning session)
- Present Public-Private Key cryptography as used in ATMs/POS devices used in remote Key loading (aka RKL)
- Use of encryption Keys in POIs (ATMs or POS)
- Use of RSA, ECC and Diffie-Hellman algorithms (not overly technical)
- Role of “Certificate Authorities” or “Signing Authorities” in providing “Authentication of Public Keys”
- Role of Digital Signatures in providing for integrity and authentication of messages
- Day 2 Agenda (afternoon session)
- Discuss the structure and operation of a Certification Authority (CA) or Signature Authority (SA)
- Discuss the process of Certificate/Signature issuance to POIs and to KDHs (Key Distribution Hosts)
- Management of CA/SA ‘s own cryptographic devices; i.e. HSMs
- Security controls required for a CA/SA’s highly secure room
- Logs of CA activities
- Detailed review of the following topics:
- Review of a sample of requirements in Annex A1
- Review of a sample of requirements in Annex A2
- Class Exercise
- Questions-Answers
PCI PIN Security: Normative Annex B Training (2 days)
Prerequisite: None.
Please note: The training is meant for third party agents and service providers who offer onsite Key injection into PEDs. Such entities are known as Key Injection Facilities or KIFs (aka ESOs).
Day 1 Agenda
- Present the cryptographic schemes used in POIs acquiring cardholder’s PIN, covering:
- DUKPT (the most common scheme)
- Master-Session Key
- Fixed Key
- Present cryptographic device compliance and management, covering the following:
- Compliance of Key loading devices (KLDs)
- Compliance of Pin Entry Devices (aka PEDs or PinPads)
- Inventory management requirements for PEDs
- Lifecycle management of all devices (KLDs and PEDs)
- Present the general structural requirements of a compliant Key injection facility covering the following:
- Physical security controls; i.e. Alarms, Locks, Cameras, etc in the Key injection site
- Physical structure of the “Key injection” site
- Management of alarms, locks, cameras and other monitoring controls
- Present the requirements for the personnel involved in various key activities, covering the following:
- Designation of team members and granting them access rights to handle cryptographic Keys
- Revocation of access rights for team members involved with cryptographic key
- Team/Personnel selection, training and management
- Class Exercise
- Questions-Answers
Day 2 Agenda
- Review of the significant topics covered on day 1
- Present and discuss PCI PIN audit requirements #1 through #16, addressing the following topics:
- Device compliance & Inventory management
- Key management & Procedural requirements
- Logs & other types of evidence of compliant Key activities (electronic, manual)
- Present and discuss the PCI PIN audit requirements #17 through #33, addressing the following topics:
- Specific Key Generation, Loading, Transport, Receipt and Destruction procedures
- Proper selection, training and management of Key management team members
- Chain of Custody over Key and PIN acquiring devices (KLDs/POIs)
- Security controls required for the KIF (Key Injection Facility)
- Logs & other types of evidence of compliant Key and KLD activities
- Class Exercise
- Questions-Answers
REGISTRATION
These courses are offered by eSmart Solutions and registration or inquiries about the courses may be done by directly emailing Azie@eSmartSolutions.org.
ON-SITE Trainings
On-site training sessions are offered throughout the year for entities who prefer private trainings for their team. If interested in that option, please contact us and we will provide you with the information you need to schedule an onsite training.
FEES
Fee for the 2 Day “PCI PIN Security & Key Management” standard technical training is $1400.
Fee for the 2 Day “PCI PIN Security & Key Management, Normative Annex B” is $1400.
Fee for the 1 Day “PCI PIN Security & Key Management, Normative Annex A” is $1000. Please note if you are only interested in the “remote Key loading” (Annex A1) training which provides an overview of how remote Key loading works that is a half a day training at $500.
Fee for signing up for both the Standard Technical Training and Annex B Training will be $2500.
PAYMENT for each course can be made with either a company or personal check made to “eSmart Solutions Inc.” or with a credit card. The payment is due no later than 4 weeks prior to the start date of the training session.
CANCELLATION and REFUND Policy cancellation up to 3 weeks in advance of the scheduled course will result in full refund or credit to attend another training. Cancellation less than 3 weeks and no later than one week before the training will result in half of the training fee to be deducted or full credit given to attend another training. Any cancellation with less than 1 week’s notice will result in the entire fee to be forfeited and we will offer full credit to attend another training.