ISO 13491-2:2000

INTERNATIONAL ISO
STANDARD 13491-2
First edition
2000-11-01
Banking — Secure cryptographic devices
(retail) —
Part 2:
Security compliance checklists for devices
used in magnetic stripe card systems
Banque — Dispositifs cryptographiques de sécurité (services aux
particuliers) —
Partie 2: Listes de contrôle de conformité de sécurité pour les dispositifs
utilisés dans les systèmes de cartes à bande magnétique
Reference number
©
ISO 2000
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not
be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this
file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this
area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters
were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event
that a problem relating to it is found, please inform the Central Secretariat at the address given below.
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 � CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland
ii © ISO 2000 – All rights reserved

Contents
Foreword.iv
Introduction.v
1 Scope .1
2 Normative references .1
3 Terms and definitions .2
4 Use of security compliance checklists.3
4.1 General.3
4.2 Informal evaluation.4
4.3 Semi-formal evaluation .4
4.4 Formal evaluation .4
5 Summary.4
Annex A (normative) Physical, logical and device management characteristics common to all secure
cryptographic devices.5
Annex B (normative) Devices with PIN entry functionality.12
Annex C (normative) Devices with PIN management functionality .15
Annex D (normative) Devices with message authentication functionality .17
Annex E (normative) Devices with key generation functionality .19
Annex F (normative) Devices with key transfer and loading functionality .22
Annex G (normative) Devices with digital signature functionality .26
Annex H (informative) Categorization of environments.28
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO
member bodies). The work of preparing International Standards is normally carried out through ISO technical
committees. Each member body interested in a subject for which a technical committee has been established has
the right to be represented on that committee. International organizations, governmental and non-governmental, in
liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical
Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
Draft International Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this part of ISO 13491 may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
International Standard ISO 13491-2 was prepared by Technical Committee ISO/TC 68, Banking, securities and
other financial services, Subcommittee SC 6, Retail financial services.
ISO 13491 consists of the following parts, under the general title Banking — Secure cryptographic devices (retail):
� Part 1: Concepts, requirements and evaluation methods
� Part 2: Security compliance checklists for devices used in magnetic stripe card systems
Annexes A to G form a normative part of this part of ISO 13491. Annex H is for information only.
iv © ISO 2000 – All rights reserved

Introduction
This International Standard specifies both the physical and logical characteristics and the management of the
secure cryptographic devices (SCDs) used to protect messages, cryptographic keys and other sensitive information
used in a retail banking environment.
The security of retail electronic banking is largely dependent upon the security of these cryptographic devices.
Security requirements are based upon the premise that computer files can be accessed and manipulated,
communications lines can be “tapped” and authorized data or control inputs into system device can be replaced
with unauthorized inputs. While certain cryptographic devices (e.g. host security modules) reside in relatively high
security processing centres, a large proportion of cryptographic devices used in retail banking (e.g. PIN pads,
ATMs, etc.) now reside in non-secure environments. Therefore when PINs, MACs, cryptographic keys and other
sensitive data are processed in these devices, there is a risk that the devices may be tampered with or otherwise
compromised to disclose or modify such data.
It must be ensured that the risk of financial loss is reduced through the appropriate use of cryptographic devices
that have proper physical and logical security characteristics and are properly managed. To ensure that SCDs have
the proper physical and logical security, they require evaluation.
This part of ISO 13491 provides the security compliance checklists for evaluating SCDs used in magnetic stripe
systems in accordance with ISO 13491-1.
Appropriate device characteristics are necessary to ensure that the device has the proper operational capabilities
and provides adequate protection for the data it contains. Appropriate device management is necessary to ensure
that the device is legitimate, that it has not been modified in an unauthorized manner, e.g. by “bugging”,and that
any sensitive data placed within the device (e.g. cryptographic keys) has not been subject to disclosure or change.
Absolute security is not practically achievable. Cryptographic security depends upon each life cycle phase of the
SCD and the complementary combination of appropriate device management procedures and secure
cryptographic characteristics. These management procedures implement preventive measures to reduce the
opportunity for a breach of cryptographic device security. These measures aim for a high probability of detection of
any illicit access to sensitive or confidential data in the event that device characteristics fail to prevent or detect the
security compromise.
INTERNATIONAL STANDARD ISO 13491-2:2000(E)
Banking — Secure cryptographic devices (retail) —
Part 2:
Security compliance checklists for devices used in magnetic stripe
card systems
1 Scope
This part of ISO 13491 specifies checklists to be used to evaluate secure cryptographic devices (SCDs)
incorporating cryptographic processes, as specified in ISO 9564, ISO 9807 and ISO 11568, in a magnetic stripe
card environment. It does not specify checklists for SCDs used in an integrated circuit card (ICC) environment.
This part of ISO 13491 does not address issues arising from the denial of service of a SCD.
In the checklists given in annexes A to H, the term “not feasible” is intended to convey the notion that although a
particular attack might be technically possible it would not be economically prudent, since carrying out the attack
would cost more than any benefits obtained from a successful attack. In addition to attacks for purely economic
gain, malicious attacks directed toward loss of reputation need to be considered.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of
this part of ISO 13491. For dated references, subsequent amendments to, or revisions of, any of these publications
do not apply. However, parties to agreements based on this part of ISO 13491 are encouraged to investigate the
possibility of applying the most recent editions of the normative documents indicated below. For undated
references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain
registers of currently valid International Standards.
ISO 7498-2, Information processing systems — Open Systems Interconnection — Basic Reference Model —
Part 2: Security Architecture.
ISO 8908, Banking and related financial services — Vocabulary and data elements.
ISO 9564-1, Banking — Personal Identification Number management and security — Part 1: PIN protection
principles and techniques.
ISO 9564-2, Banking — Personal Identification Number management and security — Part 2: Approved algorithm(s)
for PIN encipherment.
ISO 9807, Banking and related financial services — Requirements for message authentication (retail).
ISO 11568 (all parts), Banking — Key management (retail).
ISO 13491-1, Banking — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and evaluation
methods.
3 Terms and definitions
For the purposes of this part of ISO 13491, the terms and definitions given in ISO 13491-1 and ISO 8908 and the
following apply.
3.1
accredited evaluation authority
body accredited in accordance with a set of rules (e.g. EN 45000 or ISO Guide 25) and accepted by the
accreditation authority for the purpose of evaluation
3.2
attack
attempt by an adversary on the device to obtain or modify sensitive information or a service he/she is not
authorized to obtain or modify
3.3
audit report
output of the audit review body based on the results from an auditor
3.4
audit review body
group with responsibility for reviewing and making judgements on the results from the auditor
3.5
auditor
one who has the appropriate skills to check, assess, review and evaluate compliance with an informal evaluation
on behalf of the sponsor or audit review body
3.6
device security
security of the SCD related to its characteristics only, without reference to a specific operational environment
3.7
evaluation agency
organization trusted by the design, manufacturing and sponsoring authorities which evaluates the SCD (using
specialist skills and tools) in accordance with ISO 13491-2
3.8
evaluation report
output of the evaluation review body based on the results from an evaluation agency or auditor
3.9
evaluation review body
group with responsibility for reviewing, and making judgements on, the results of the evaluation agency
3.10
formal claims
statements about the characteristics and functions of a secure cryptographic device
3.11
logical security
ability of a device to withstand attacks through its functional interface
3.12
operational environment
environment in which the SCD is operated, i.e. the application system of which it is part, the location where it is
placed, the persons operating and using it, the entities communicating with it
2 © ISO 2000 – All rights reserved

3.13
physical security
ability of a device to withstand attacks against its physical construction
3.14
secure cryptographic device
SCD
physically and logically protected hardware device that provides a set of secure cryptographic services
3.15
secure operator interface
interface which allows the protective mechanisms of the device to be disabled by using a data entry mechanism
and which can only be accessed when the device is in a sensitive state
3.16
security compliance checklist
list of auditable claims, organized by device type, as specified in ISO 13491-2
3.17
sensitive data
sensitive information
data which must be protected against unauthorized disclosure, alteration or destruction, especially plaintext PINs
and cryptographic keys, and which includes design characteristics, status information, etc.
3.18
sensitive state
device condition that provides access to the secure operator interface such that it can only be entered when the
device is under dual or multiple control
3.19
software
programs and/or data that will be used within the SCD or downloaded for use by the SCD
3.20
sponsor
sponsoring authority
individual, company or organization that requires the SCD to undergo evaluation
3.21
tamper-evident characteristic
characteristic that provides evidence that an attack has been attempted
3.22
tamper-resistant characteristic
characteristic that provides passive physical protection against an attack
3.23
tamper-responsive characteristic
characteristic that provides an active response to the detection of an attack preventing its success
4 Use of security compliance checklists
4.1 General
These checklists shall be used by the evaluation sponsor that wishes to assess the acceptability of cryptographic
equipment upon which the security of the system depends. It is the responsibility of any sponsor that adopts some
or all of these checklists to:
a) approve evaluating agencies for use by suppliers to or participants in the system; and
b) set up an audit review body to review the completed audit checklists.
Annexes A to H give checklists defining the minimum evaluation to be performed to assess the acceptability of
cryptographic equipment. Additional tests may be performed to reflect the state-of-the-art at the time of the
evaluation.
The evaluation may be either “informal” or “semi-formal”, as specified in ISO 13491-1, depending upon the nature
of the evaluating agencies approved by the sponsor. Should the sponsor decide on a “formal” evaluation, these
audit checklists shall not be used as presented here, but shall rather be used as input to assist in the preparation of
the “formal claims” that such an evaluation requires.
NOTE These formal claims themselves are outside of the scope of this part of ISO 13491.
A cryptographic device achieves security both through its inherent characteristics and the characteristics of the
environment in which the device is located. When completing these audit check lists, the environment in which the
device is located must be considered. For example, a device intended for use in a public location could require
greater inherent security than the equivalent device operating in a controlled environment. So that an evaluating
agency need not investigate the specific environment where an evaluated device may reside, this International
Standard provides a suggested categorization of environments in annex H. Thus an evaluating agency may be
asked to evaluate a given device for operation in a specific environment. Then such a device can be deployed in a
given facility only if this facility itself has been audited to ensure that it provides the assured environment. However
these audit check lists may be used with categorizations of the environment other than those suggested in
annex H.
The three evaluation methods specified in ISO 13491-1 are described in 4.2, 4.3 and 4.4.
4.2 Informal evaluation
As part of an informal evaluation, an independent auditor shall complete the appropriate checklist(s) for the device
being evaluated.
4.3 Semi-formal evaluation
In the semi-formal method, the manufacturer or sponsor shall submit a device to an evaluation agency for testing
against the appropriate checklist(s).
4.4 Formal evaluation
In the formal method, the manufacturer or sponsor shall submit a device to an accredited evaluation authority for
testing against the formal claims where the appropriate checklist(s) were used as input
5 Summary
The security compliance checklist is used in the evaluation method to determine compliance with the requirements
of standards listed in the references of this International Standard where the estimated risk is seen as low. It is
recommended for use whenever the security compliance statements are facts that can be verified without the need
for specialized knowledge or skills. In general, compliance with functional requirements can be performed by
means of security compliance checklists.
In the context of this part of ISO 13491, international acceptance means the level of assurance required for a
device, as agreed by the participants in an international organization.
4 © ISO 2000 – All rights reserved

Annex A
(normative)
Physical, logical and device management characteristics common to all
secure cryptographic devices
A.1 General
This annex is intended for use with all evaluations and shall be completed prior to any device specific security
compliance checklists.
The following statements in this security compliance checklist are required to be specified by the auditor as “true
(T)”, “false (F)” or “not applicable (N/A)”.A “false” indication does not necessarily indicate unacceptable practice,
but shall be explained in writing. Those statements which are indicated as “N/A” shall also be explained in writing.
A.2 Device characteristics
A.2.1 Physical security characteristics
A.2.1.1 General
All devices shall meet the criteria given in A.2.1.2 for general security characteristics and in A.2.1.3 for tamper-
evident characteristics. Many devices shall additionally meet either the criteria given in A.2.1.4 for tamper-resistant
characteristics or the criteria given in A.2.1.5 for tamper-responsive characteristics. However some devices need
meet only the criteria for general security characteristics and tamper-evident characteristics. Such devices meet the
following requirements:
a) the device retains no key that has ever been used to encipher any secret data, nor does it retain any
information from which such a key could feasibly be determined, even with knowledge of any data that has
ever been available in plaintext form;
b) the device is managed in such a way that there is a high probability of noting and reporting on a timely basis
either the extended absence of the device from its authorized location, or any obvious damage to the device;
c) means exist at all facilities capable of direct cryptographic communication with the device to not process any
enciphered data received from the device after it has been reported absent or damaged.
A.2.1.2 General security characteristics
An evaluation agency has evaluated the device bearing in mind susceptibility to physical and logical attack
techniques known at the time of the evaluation, such as (but not limited to) the following:
� chemical attacks (solvents);
� scanning attacks (scanning electron microscope);
� mechanical attacks (drilling, cutting, probing, etc.);
� thermal attacks (high and low temperature extremes);
� radiation attacks (X-rays);
� information leakage through covert channels (power supply, timing, etc.);
� failure attacks;
and has concluded that:
No. Security compliance statement True False N/A
A1 It is not feasible to determine a PIN, a key, or other secret information by monitoring
(e.g. the electro-magnetic emissions from the device, with or without the cooperation
of the device operator), when the device is operating in its intended environment.
A2 Any ventilation and other openings into the module are positioned and protected so
that it is not feasible to use such an opening to probe any component of the module
such that plaintext PINs, access codes, or cryptographic keys might be disclosed; or
to disable any of the protection mechanisms of the device.
A3 All sensitive data and cryptographic keys, including residues, are stored in the security
module.
A4 All transfer mechanisms within the device are implemented in such a way that it is not
feasible to monitor the device to obtain unauthorized disclosure of any such
information.
A5 Any access entry to the device's internal circuitry is locked in the closed position when
the device is operative, by means of one or more pick-resistant locks.
A.2.1.3 Tamper-evident characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A6 The device is designed and constructed so that it is not feasible to penetrate the
device in order to:
� make any additions, substitutions, or modifications (e.g. the installation of a bug)
to the hardware or software of the device; or
� determine or modify any sensitive information (e.g. PINs, access codes, and
cryptographic keys)
and then subsequently re-install the device, without requiring specialized skills and
equipment not generally available, and:
1) without damaging the device so severely that the damage would have a high
probability of detection, or
2) requiring the device be absent from its intended location for a sufficiently long time
that its absence, or reappearance, would have a high probability of being
detected.
A.2.1.4 Tamper-resistant characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A7
The device is protected against penetration by employing physical protection to such
a degree that penetration is not feasible.
A8 Even after having gained unlimited, undisturbed access to the device, discovery of
secret information in the target device is not feasible.
6 © ISO 2000 – All rights reserved

A.2.1.5 Tamper-responsive characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A9 The device is protected against penetration by including features that detect any
feasible attempts to tamper with the device and cause immediate erasure of all
cryptographic keys and sensitive data when such an attempt is detected.
A10
Removal of the case or the opening, whether authorized or unauthorized, of any
access entry to the device’s internal components causes the automatic and immediate
erasure of the cryptographic keys stored within the device.
A11 There is a defined method for ensuring that secret data or any cryptographic key that
has been used to encrypt secret data, is erased from the unit when permanently
removing the unit from operation. There is also a defined method for ensuring, when
permanently removing the unit from operation, that any cryptographic key contained in
the unit that might be usable in the future is either erased from the unit or is
invalidated at all facilities with which the unit is capable of performing cryptographically
protected communications.
A12 Any tamper detection/key erasure mechanism functions even in the absence of
applied power.
A13 If the device has no mechanism for secure detection of movement, then defeating the
tamper detection mechanisms, or discovery of secret information in the target device
is not feasible, even when removed from its operating environment. Compromise of
the device shall require equipment and skill sets that are not readily available.
NOTE As a possible example, discovery of such information requires a significant time,
such as one month of preparation — perhaps including analysis of other devices — and at least
one week of effort to compromise the device after having gained unlimited, undisturbed access
to the target device.
A14 If the device has a mechanism for secure detection of movement, then defeating the
tamper-detection mechanisms, or discovery of secret information in the target device
is not feasible. Compromise of the device shall require skill sets that are not readily
available; and equipment that is not readily available at the device site nor can be
feasibly transported to the device site.
NOTE As a possible example, discovery of such information requires a significant time, such
as one month of preparation — perhaps including analysis of other devices — and at least
twelve hours of unlimited, undisturbed access to the target device.
A.2.2 Logical security characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A15 The device includes self-test capabilities, capable of manual or automatic initiation, to
ensure that its basic functions are operating properly.
A16 The device only performs its designed functions.
A17 The device is designed in such a way that it cannot be put into operational service
until the device initialization process has been completed.
This will include all necessary keys and other relevant material needed to be loaded
into it.
A18 It is not feasible to determine a key or other secret information by the use of diagnostic
or special test modes.
A19 The cryptographic algorithms, modes of operations, and lengths of cryptographic keys
used by the device comply with ISO 11568.
A20
The device key management complies with ISO 11568, using each key for only one
cryptographic purpose (although a variant of a key may be used for a different
purpose).
A21 The functionality implemented within the device is such that there is no feasible way in
which plaintext secret information, e.g. PINs or cryptographic keys, or secret
information enciphered under other than the legitimate key, can be obtained from the
device, except in an authorized manner.
A22
If the device is composed of several components, it is not possible to move a
cryptographic key within the device from a component of higher security to a
component providing lower security.
A23 The loading of keys shall be performed when:
— the device is in a sensitive state; or
— the action of loading a key puts the device into a state that activates all the tamper
protection mechanisms within the device.
A24
The following operator functions that may influence the security of a device are only
permitted when the device is in a sensitive device state, i.e. under dual or multiple
control:
� disabling or enabling of device functions;
� change of passwords or data that enable the device to enter the sensitive state.
A25 The secure operator interface is so designed that entry of more than one password (or
some equivalent mechanism for dual or multiple control) is required in order to enter
this sensitive state.
A26 The secure operator interface is so designed that it is highly unlikely that the device
can inadvertently be left in the sensitive state.
A27 If sensitive state is established with limits on the number of function calls (where
appropriate), and a time limit after the first of these limits is reached, the device
returns to normal state.
A28 Where passwords or other plaintext data are used to control transition to a sensitive
state, then these are protected in the same manner as other secret or sensitive
information.
A29 If cryptographic keys are lost for any reason, e.g. long-term absence of applied power,
the device will revert to a logical state of not being initialized (and therefore not
operational).
A30
The only function calls and sensitive operator functions that exist in the device are
functions approved by the sponsor, or the system in which the device is to operate.
A31 Keys are never translated from encipherment under one variant to encipherment
under another variant of the same key.
8 © ISO 2000 – All rights reserved

A.3 Device management
A.3.1 General consideration
For each life cycle stage, the entity responsible for completing the audit checklist for that stage has provided
assurance, acceptable to the audit review body, that:
No. Security compliance statement True False N/A
A32 For audit and control purposes, the identity of the device (e.g. its serial number) can
be determined, either by external tamper-evident marking or labelling, or by a
command that causes the device to return its identity via the interface or via the
display.
A33 When the device is in a life cycle stage such that it contains cryptographic keys, the
identity of these keys can be easily determined from the identity of the device (so that
the key(s) can be invalidated if the device is reported lost or stolen).
A34 Any physical keys used to unlock or operate the device are carefully controlled, and
available only to authorized persons.
A35 If a device contains a secret cryptographic key and there is an attack on a device, or a
device is stolen, then procedures are in place to notify the party responsible for the
security of the device immediately after detection.
A36
If a device does not yet contain a secret cryptographic key and there is an attack on a
device, or a device is stolen, then procedures are in place to prevent the substitution
of the attacked or stolen device for a legitimate device that does not yet contain a
secret cryptographic key.
A37 If no sensitive state exists in the device, the loading of plaintext keys shall be
performed under dual control.
A.3.2 Device protection by manufacturer
The device manufacturer or an independent auditor has provided assurance, acceptable to the audit review body,
that:
No. Security compliance statement True False N/A
A38 The hardware and software design of the device has been carefully evaluated to
ensure that the functional capabilities provided with the device are all legitimate,
documented functions, and that no unauthorized function (e.g. a “Trojan Horse”)
resides in the device software.
A39 The device, including software, is produced and stored in a controlled environment
under the control of qualified personnel to prevent unauthorized modifications to the
physical or functional characteristics of the device.
A.3.3 Device protection between manufacturer and pre-use
The device manufacturer and those responsible for the transport, repair, and storage of the device prior to initial
key loading or to the repeat of initial key loading, or else an independent auditor, have provided assurance,
acceptable to the audit review body, that:
No. Security compliance statement True False N/A
A40 The transfer mechanisms by which plaintext keys, key components or passwords are
entered into the device are protected and/or inspected so as to prevent any type of
monitoring that could result in the unauthorized disclosure of any component or
password.
A41 Subsequent to manufacturing and prior to shipment, the device is stored in a
protected area or sealed within tamper-evident packaging to prevent undetected
unauthorized access to it.
A42 The device is shipped in tamper-evident packaging, and inspected to detect
unauthorized access to it; or
— before a device is loaded with cryptographic keys, it is closely inspected by
qualified staff to ensure that it has not been subject to any physical or functional
modification; or
— the device shall be delivered with secret information that is erased if tampering is
detected to enable the user to ascertain that the device is genuine and not
compromised.
NOTE One example of such information is the private key of an asymmetric key pair, with
the public key of the device signed by a private key known only to the supplier.
A43 The device is loaded with initial key(s) in a controlled manner only when there is
reasonable assurance that the device has not been subject to unauthorized physical
or functional modification.
A.3.4 Device protection during pre-use and prior to installation
Those responsible for device storage and transport subsequent to initial key loading, or else an independent
auditor, have provided assurance, acceptable to the audit-review body, that:
No. Security compliance statement True False N/A
A44 Any uninstalled device is controlled so as to prevent or detect unauthorized access to
it, and records are kept and audited so as to detect and report thefts or losses.
10 © ISO 2000 – All rights reserved

A.3.5 Device protection subsequent to installation
The acquirer or an independent auditor have provided assurance, acceptable to the audit review body, that controls
and procedures are in place to ensure that:
No. Security compliance statement True False N/A
A45
If for any reason a device ceases to hold valid keys:
� the device is removed from service as soon as possible, and
� transactions from the device are rejected, and
� the device is not loaded with new keys, by a repeat of the initial-key-loading
process, until it has been carefully inspected and tested by at least two
knowledgeable and qualified individuals who have determined that the device
has not been subject to any physical or functional modification.
A46 If a device is lost or stolen and then recovered, or if unauthorized modification of the
device is suspected for any reason, all cryptographic keys contained in the unit are
erased, and new keys are not loaded (by a repeat of the key-initialization process)
until the unit has been inspected and tested as indicated in A.2.3 above.
A47 Manual and/or automated auditing and control procedures have been implemented to
detect the unauthorized reinstallation of a previously used device, or of a device
containing the key(s) of a previously used device. Such instances are investigated,
and if potentially fraudulent activity is suspected, the device is removed from service
as soon as possible.
When each transaction identifies the key(s) used in the transaction, host software can
be used to automatically detect:
1) the removal of a device from service, and
2) the subsequent installation of a device containing the key(s) of a device previously
removed from service.
A48 When the device is being serviced or installed, procedures are in place to ensure that
the device cannot be compromised by the staff performing these functions.
A49
When the secure operator interface is to be used, the data entry device and cables
connected to the device are carefully inspected to ensure that no unauthorized
hardware has been inserted.
A.3.6 Device protection after removal from service
Those responsible for device removal, or else an independent auditor, have provided assurance, acceptable to the
audit review body, that:
No. Security compliance statement True False N/A
A50 If the device is to be reinstalled, then it is controlled so as to prevent unauthorized
access to it, and is audited so as to detect and report its theft or loss.
A51
If the device is being permanently removed from service, then any key contained
within the device that has been used for any cryptographic purpose is erased from the
device.
A52 If the device case is intended to provide tamper-evident characteristics and the device
is being permanently removed from service, then the case is destroyed. The storage
of the case is controlled and audited until its destruction.
Annex B
(normative)
Devices with PIN entry functionality
B.1 General
The procedure for evaluating PIN entry devices is as follows:
� complete the checklists given in annex A;
� complete the checklists given in this annex.
The following statements in this security compliance checklist are required to be specified by the auditor as “true
(T)”, “false (F)” or “not applicable (N/A)”.A “false” indication does not necessarily indicate unacceptable practice,
but shall be explained in writing. Those statements which are indicated as “N/A” shall also be explained in writing.
B.2 Device characteristics
B.2.1 Physical security characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
B1
The path from the keypad to the cryptographic processing unit is physically protected,
such that there is no feasible method of ascertaining the data passed between the two
without triggering the erasure of the device’s cryptographic keys; or, the requirements
of B17 are met.
B2 If the PIN entry device can be used to enter data that will not be enciphered, then the
path from the cryptographic processing unit to the display is physically protected; or,
the requirements of B18 are met.
B3
If the PIN entry device is to be used in a multi-acquirer environment, then the path
from the card reader to the cryptographic processing unit is physically protected, such
that there is no feasible method of altering the data passed between the two without
triggering the erasure of the cryptographic keys; or, the requirements of B19 are met.
B4 If PIN entry is accompanied by an audible tone, the tone for each entered PIN digit is
indistinguishable from the tone for any other entered PIN digit.
B5 If the PIN entry device has a display, this display does not disclose any entered PIN
digit but may display a string of non-significant symbols, such as asterisks, to denote
the number of PIN digits entered.
B6 The PIN entry device is equipped with a privacy shield, or is designed so that the
cardholder can shield it with his/her body to protect against observation of the PIN
during PIN entry.
B7 Any residues of PINs, or cryptographic keys used during a transaction are either
stored in a tamper-resistant or tamper-responsive module, or are overwritten
immediately after the completion of the transaction.
NOTE Plaintext PINs are always overwritten immediately after being enciphered.
12 © ISO 2000 – All rights reserved

B.2.2 Logical security characteristics
The PIN entry device manufacturer or an independent evaluating agency has provided assurance, acceptable to
the audit review body, that:
No. Security compliance statement True False N/A
B8 The PIN is enciphered within the PIN entry device using a PIN block format and an
encipherment algorithm specified in ISO 9564.
NOTE A PIN verification device needs to comply with this requirement only where PINs are
to be transferred from the device.
B9 If the PIN entry device offers functionality for downloading of software, then any such
software downloaded is rejected by the device (the device’s cryptographic keys may
also be automatically erased) unless the device has successfully authenticated the
download.
B10 If the PIN entry device is designed to cater for more than one acquirer, then any
downloaded changes to the table controlling the choice of the acquirer key set are
accepted by the device only if it has successfully authenticated the download.
B11
The device has characteristics that prevent or significantly deter exhaustive PIN
determination (e.g. use a unique-key-per-transaction technique to prevent the attack
or limit the number of permitted PIN entries per minute to deter the attack).
B12 Where the keypad is used for PIN entry as well as other data, the display is under the
control of the device such that an “enter PIN” message cannot be displayed when
data will be output in the clear.
B13 The PIN entry device only accepts PINs that are between four and 12 digits in length.
B14 The mapping of numeric values of the entered PIN to the internal coding is in
accordance with ISO 9564-1.
B15 The PIN entry device uses different keys for different acquirers, and there is no
feasible way in which any acquirer's personnel can ascertain or modify another
acquirer's key.
B16 The PIN entry device uses different keys for different acquirers, and the means to
select the key to be used for a given transaction are controlled (e.g. by an internal
table look-up) so that there is no feasible way to deliberately or accidentally select the
key of another acquirer.
B17 The path from the keypad to the cryptographic processing unit is logically protected
(e.g. enciphered and/or authenticated), or the requirements of B1 are met.
B18 If the PIN entry device can be used to enter data that will not be enciphered, then the
path from the cryptographic processing unit to the display is logically protected, or the
requirements of B2 are met.
B19 If the PIN entry device is to be used in a multi-acquirer environment, then the path
from the card reader to the cryptographic processing unit is logically protected, or the
requirements of B3 are met.
B.3 Device management
B.3.1 PIN entry device protection during initial key loading
Those responsible for initial key loading, or an independent auditor, have provided assurance, acceptable to the
sponsor, that:
No. Security compliance statement True False N/A
B20 A repaired PIN entry device is not reloaded with the original key (except by chance).
B21
Automated techniques are used, or manual procedures are in place and are followed
to ensure each PIN entry device is given at least one statistically unique key unknown
to any person and never previously given (except by chance) to any other PIN entry
device.
B.3.2 PIN entry device protection after installation
The acquirer or an independent auditor has provided assurance, acceptable to the audit review body, that controls
and procedures are in place to ensure that:
No. Security compliance statement True False N/A
B22 The PIN entry device is placed where PIN entry cannot be viewed by surveillance
cameras nor readily observed by bystanders.
B23
Location of the device is such that its absence or unauthorized access (attack) would
be detected within 24 h.
14 © ISO 2000 – All rights reserved

Annex C
(normative)
Devices with PIN management functionality
C.1 General
PIN management functions include:
� PIN issuance;
� PIN verification;
� PIN translation.
The procedure for evaluating devices containing PIN management functionality is as follows:
� complete the checklists given in annex A;
� complete the checklists given in
...