Meet the inventor of the ATM, Mr John Shepherd-Barron, OBE, at ATMIA's Conference East, 20-23 February 2007 - www.atmiaconferences.com



New PCI Compliance Requirements

New PCI Requirements

What do these mean for the ATM and the EPP?

Agenda

  • What is PCI?
  • What are the new PCI specs that are relevant to the ATM?
  • What are the new requirements for the PCI EPP?
  • So what is the impact of these new requirements?
  • There are several changes… But what is the main change?
  • Timelines for PCI EPP compliance
  • Summary – call to action


What is PCI?

  • PCI stands for the Payment Card Industry
  • The primary players are VISA, MasterCard and JCB
  • VISA was the first card association to produce a testing program for PIN entry devices, called VISA PED
  • The VISA PED approval program has now been superseded by a joint testing program - under the PCI banner


What are the new PCI specs that are relevant to the ATM?

There are three applicable PCI specifications in the ATM world

  • 1. PCI EPP
    Status: Released and dates set.
    Mandated approval program for all EPPs. It is the obligation of the ATM/EPP supplier to get this approval.

  • 2. Update to existing PCI PIN security requirements, relating to Remote Key Distribution
    Status: Released but no dates set

    No mandate for compliance. It is the choice and the responsibility of the Financial Institution how to implement Master Key distribution, as long as the EPP complies with the PCI requirements

  • 3. PCI ATM
    Status: Not released and release not expected soon. The ATM supplier will become responsible for gaining this approval


What are the new requirements for the PCI EPP?

  • PCI EPP builds on the security requirements of the VISA PED program, ‘raising the bar’ on security
  • PCI EPP has additional requirements for Hardware and Firmware

    • 1. Physical Security
      (Hardware) Fully Tamper Responsive design is now the minimum requirement

    • 2. Logical Security
      (Firmware) The EPP must enforce the security rules, not just offer support for secure functions


There are several changes… But what is the main change?

  • The new firmware must only support Secure Key Entry

    What does this mean?

    All manually entered encryption keys MUST be typed on the EPP keypad, with a minimum of two key components

  • Direct Key Loading (using the FDKs or rear panel) is no longer possible

  • Other changes include Encryption Key Management, Remote Key Download, Rear settlement.
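As an added illustration (not taken from the ATMIA slides or from any vendor's EPP firmware) of what "enforce the rule, not just support it" means for Secure Key Entry: the EPP refuses any manual key load that does not consist of at least two components typed on its own keypad, then combines the components itself. The XOR combination and the DES parity adjustment are assumptions taken from standard key-component practice; the slides do not name the combining method.

```python
"""Secure Key Entry enforcement as a PCI-compliant EPP firmware would apply it.
Assumed conventions (not stated on the slides): components are combined by
bitwise XOR and the result is re-adjusted to odd DES parity."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

MIN_COMPONENTS = 2  # the slides require a minimum of two key components


class Source(Enum):
    EPP_KEYPAD = "epp_keypad"  # the only permitted entry path
    FDK = "fdk"                # direct key loading via FDKs: no longer allowed
    REAR_PANEL = "rear_panel"  # direct key loading via rear panel: no longer allowed


@dataclass(frozen=True)
class KeyComponent:
    hex_value: str  # 16, 32 or 48 hex digits (single/double/triple-length DES)
    source: Source


class KeyEntryRejected(Exception):
    """Raised when the firmware refuses the load; no key material is kept."""


def has_odd_parity(byte: int) -> bool:
    """Every byte of a DES key carries odd parity in its low bit."""
    return bin(byte).count("1") % 2 == 1


def adjust_parity(byte: int) -> int:
    """Flip the low bit if needed so the byte has odd parity again."""
    return byte if has_odd_parity(byte) else byte ^ 0x01


def combine_components(components: list[KeyComponent]) -> bytes:
    """Enforce the Secure Key Entry rules, then return the combined clear key."""
    if len(components) < MIN_COMPONENTS:
        raise KeyEntryRejected(f"need at least {MIN_COMPONENTS} components")
    if any(c.source is not Source.EPP_KEYPAD for c in components):
        raise KeyEntryRejected("every component must be typed on the EPP keypad")
    raw = [bytes.fromhex(c.hex_value) for c in components]
    if len({len(r) for r in raw}) != 1 or len(raw[0]) not in (8, 16, 24):
        raise KeyEntryRejected("components must share one valid DES key length")
    for r in raw:  # a parity failure usually means a mistyped component
        if not all(has_odd_parity(b) for b in r):
            raise KeyEntryRejected("component fails the DES parity check")
    key = raw[0]
    for r in raw[1:]:
        key = bytes(a ^ b for a, b in zip(key, r))
    return bytes(adjust_parity(b) for b in key)
```

The sample components used in the checks below are constructed test values, not real key material.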


So what is the impact of these new requirements?

  • PCI compliant firmware in the EPP is NOT backwards compatible.

  • Therefore, ATM platforms, Applications and Host software must be upgraded to support PCI.

Timelines for PCI EPP compliance

  • All ATMs installed today with a valid VISA PED certified EPP are not affected

    • The existing base can stay within the current state and current key management methods.
    • For maintenance reasons VISA PED EPPs can be replaced by VISA PED EPPs until the end of life of the ATM.

  • From January 1, 2008 all new ATMs will need a PCI certified EPP

  • To achieve one consistent, compliant software environment, existing environments will most likely be upgraded

Summary – call to action

  • Ensure that new PCI EPP can work with ATM applications in time for January 2008

Kick start software certification NOW



About ATMIA

www.atmia.com
PO Box 452 – Brookings, SD 57006 USA 

The ATM Industry Association is a non-profit, member-owned alliance dedicated to the global
advancement, proliferation and protection of automated teller machines. ATMIA is the world’s only
international trade body for the ATM industry with more than 900 members in over 45 countries.
In June 2003, ATMIA established the Global ATM Security Alliance (GASA) (www.globalasa.com) with
the mission to employ global security resources in a united alliance in order to protect the ATM industry
from criminal activity. GASA publishes international security lifecycle best practices and manages
a global ATM crime data management system called Cognito, which includes an online fraud library.


© 2007 ATM Industry Association. All Rights Reserved.