Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions

ISO 13491-2:2005 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes, as specified in parts 1 and 2 of ISO 9564, ISO 16609 and parts 1 to 6 of ISO 11568, in the financial services environment. IC payment cards are subject to the requirements identified in this part of ISO 13491 up until the time of issue, after which they are to be regarded as a "personal" device and outside of the scope of this document. ISO 13491-2:2005 does not address issues arising from the denial of service of an SCD.

Banque — Dispositifs cryptographiques de sécurité (services aux particuliers) — Partie 2: Listes de contrôle de conformité de sécurité pour les dispositifs utilisés dans les transactions financières

General Information
Status: Withdrawn
Publication Date: 14-Jun-2005
Withdrawal Date: 14-Jun-2005
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 17-Mar-2016
Completion Date: 13-Dec-2025
Effective Date: 06-Jun-2022
Standard: ISO 13491-2:2005 - Banking -- Secure cryptographic devices (retail)
Language: English
Pages: 31

Frequently Asked Questions

ISO 13491-2:2005 is a standard published by the International Organization for Standardization (ISO). Its full title is "Banking - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions". This standard covers: ISO 13491-2:2005 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes, as specified in parts 1 and 2 of ISO 9564, ISO 16609 and parts 1 to 6 of ISO 11568, in the financial services environment. IC payment cards are subject to the requirements identified in this part of ISO 13491 up until the time of issue, after which they are to be regarded as a "personal" device and outside of the scope of this document. ISO 13491-2:2005 does not address issues arising from the denial of service of an SCD.


ISO 13491-2:2005 is classified under the following ICS (International Classification for Standards) categories: 35.240.40 - IT applications in banking. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO 13491-2:2005 has the following relationships with other standards: it has inter-standard links to ISO 21670:2014, ISO 13491-2:2016 and ISO 13491-2:2000. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO 13491-2:2005 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO 13491-2
Second edition
2005-06-15
Banking — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions
Banque — Dispositifs cryptographiques de sécurité (services aux particuliers) — Partie 2: Listes de contrôle de conformité de sécurité pour les dispositifs utilisés dans les transactions financières


© ISO 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2005 – All rights reserved

Contents
Foreword (p. iv)
Introduction (p. v)
1 Scope (p. 1)
2 Normative references (p. 1)
3 Terms and definitions (p. 1)
4 Use of security compliance checklists (p. 2)
Annex A (normative) Physical, logical and device management characteristics common to all secure cryptographic devices (p. 4)
Annex B (normative) Devices with PIN entry functionality (p. 11)
Annex C (normative) Devices with PIN management functionality (p. 15)
Annex D (normative) Devices with message authentication functionality (p. 17)
Annex E (normative) Devices with key generation functionality (p. 18)
Annex F (normative) Devices with key transfer and loading functionality (p. 22)
Annex G (normative) Devices with digital signature functionality (p. 26)
Annex H (normative) Categorization of environments (p. 28)
Bibliography (p. 31)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 13491-2 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2,
Security management and general banking operations.
This second edition cancels and replaces the first edition (ISO 13491-2:2000) which has been technically
revised.
ISO 13491 consists of the following parts, under the general title Banking — Secure cryptographic devices
(retail):
- Part 1: Concepts, requirements and evaluation methods
- Part 2: Security compliance checklists for devices used in financial transactions

Introduction
This part of ISO 13491 specifies both the physical and logical characteristics and the management of the
secure cryptographic devices (SCDs) used to protect messages, cryptographic keys and other sensitive
information used in a retail financial services environment.
The security of retail financial services is largely dependent upon the security of these cryptographic devices.
Security requirements are based upon the premise that computer files can be accessed and manipulated,
communication lines can be “tapped” and authorized data or control inputs in a system device can be replaced
with unauthorized inputs. While certain cryptographic devices (e.g. host security modules) reside in relatively
high-security processing centres, a large proportion of cryptographic devices used in retail financial services
(e.g., PIN entry devices etc.) now reside in non-secure environments. Therefore when PINs, MACs,
cryptographic keys and other sensitive data are processed in these devices, there is a risk that the devices
may be tampered with or otherwise compromised to disclose or modify such data.
It must be ensured that the risk of financial loss is reduced through the appropriate use of cryptographic
devices that have proper physical and logical security characteristics and are properly managed. To ensure
that SCDs have the proper physical and logical security, they require evaluation.
This part of ISO 13491 provides the security compliance checklists for evaluating SCDs used in financial
services systems in accordance with ISO 13491-1. Other evaluation frameworks exist and may be appropriate
for formal security evaluations e.g. parts 1 to 3 of ISO/IEC 15408 and ISO/IEC 19790, and are outside the
scope of this part of ISO 13491.
Appropriate device characteristics are necessary to ensure that the device has the proper operational
capabilities and provides adequate protection for the data it contains. Appropriate device management is
necessary to ensure that the device is legitimate, that it has not been modified in an unauthorized manner,
e.g. by “bugging”, and that any sensitive data placed within the device (e.g. cryptographic keys) have not been
subject to disclosure or change.
Absolute security is not practically achievable. Cryptographic security depends upon each life cycle phase of
the SCD and the complementary combination of appropriate device management procedures and secure
cryptographic characteristics. These management procedures implement preventive measures to reduce the
opportunity for a breach of cryptographic device security. These measures aim for a high probability of
detection of any illicit access to sensitive or confidential data in the event that device characteristics fail to
prevent or detect the security compromise.

INTERNATIONAL STANDARD ISO 13491-2:2005(E)

Banking — Secure cryptographic devices (retail) —
Part 2:
Security compliance checklists for devices used in financial
transactions
1 Scope
This part of ISO 13491 specifies checklists to be used to evaluate secure cryptographic devices (SCDs)
incorporating cryptographic processes, as specified in parts 1 and 2 of ISO 9564, ISO 16609 and parts 1 to 6
of ISO 11568, in the financial services environment. IC payment cards are subject to the requirements
identified in this part of ISO 13491 up until the time of issue, after which they are to be regarded as a
“personal” device and outside of the scope of this document.
This part of ISO 13491 does not address issues arising from the denial of service of an SCD.
In the checklists given in annexes A to H, the term “not feasible” is intended to convey the notion that although
a particular attack might be technically possible it would not be economically viable, since carrying out the
attack would cost more than any benefits obtained from a successful attack. In addition to attacks for purely
economic gain, malicious attacks directed toward loss of reputation need to be considered.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 9564-1:2002, Banking — Personal Identification Number (PIN) management and security — Part 1: Basic
principles and requirements for online PIN handling in ATM and POS systems
ISO 9564-2, Banking — Personal Identification Number management and security — Part 2: Approved
algorithms for PIN encipherment
ISO 11568 (all parts), Banking — Key management (retail)
ISO 13491-1, Banking — Secure cryptographic devices (retail) — Part 1: Concepts, requirements and
evaluation methods
ISO 16609, Banking — Requirements for message authentication using symmetric techniques
ISO 18031, Information technology — Random number generation
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 13491-1 and the following apply.
3.1
auditor
one who has the appropriate skills to check, assess, review and evaluate compliance with an informal
evaluation on behalf of the sponsor or audit review body
3.2
data integrity
property that data has not been altered or destroyed in an unauthorized manner
3.3
dual control
process of utilizing two or more entities (usually persons) operating in concert to protect sensitive functions or
information whereby no single entity is able to access or use the materials
NOTE A cryptographic key is an example of the type of material to be accessed or utilized.
3.4
exclusive or
bit-by-bit modulo two addition of binary vectors of equal length
3.5
security compliance checklist
list of auditable claims, organized by device type, as specified in this document
3.6
sensitive state
device condition that provides access to the secure operator interface such that it can only be entered when
the device is under dual or multiple control
4 Use of security compliance checklists
4.1 General
These checklists shall be used by the sponsor who wishes to assess the acceptability of cryptographic
equipment upon which the security of the system depends. It is the responsibility of any sponsor that adopts
some or all of these checklists to
a) approve evaluating agencies for use by suppliers to or participants in the system and
b) set up an audit review body to review the completed audit checklists.
Annexes A to H provide checklists defining the minimum evaluation to be performed to assess the
acceptability of cryptographic equipment. Additional tests may be performed to reflect the state-of-the-art at
the time of the evaluation.
The evaluation may be either “informal” or “semi-formal”, as specified in ISO 13491-1, depending upon the
nature of the evaluating agencies approved by the sponsor. Should the sponsor decide on a “formal”
evaluation, these audit checklists shall not be used as presented here, but shall rather be used as input to
assist in the preparation of the “formal claims” that such an evaluation requires.
NOTE These formal claims themselves are outside of the scope of this part of ISO 13491.
A cryptographic device achieves security both through its inherent characteristics and the characteristics of
the environment in which the device is located. When completing these audit checklists, the environment in
which the device is located must be considered; e.g. a device intended for use in a public location could
require greater inherent security than the equivalent device operating in a controlled environment. So that an
evaluating agency need not investigate the specific environment where an evaluated device may reside, this
part of ISO 13491 provides a suggested categorization of environments in Annex H. Thus an evaluating
agency may be asked to evaluate a given device for operation in a specific environment. Such a device can
be deployed in a given facility only if this facility itself has been audited to ensure that it provides the assured
environment. However, these audit checklists may be used with categorizations of the environment other than
those suggested in Annex H.
The three evaluation methods specified in ISO 13491-1 are described in 4.2, 4.3 and 4.4.

4.2 Informal evaluation
As part of an informal evaluation, an independent auditor shall complete the appropriate checklist(s) for the
device being evaluated.
4.3 Semi-formal evaluation
In the semi-formal method, the manufacturer or sponsor shall submit a device to an evaluation agency for
testing against the appropriate checklist(s).
4.4 Formal evaluation
In the formal method, the manufacturer or sponsor shall submit a device to an accredited evaluation authority
for testing against the formal claims where the appropriate checklist(s) were used as input.

Annex A
(normative)
Physical, logical and device management characteristics common to all
secure cryptographic devices
A.1 General
This annex is intended for use with all evaluations and shall be completed prior to any device-specific security
compliance checklists.
The following statements in this security compliance checklist are required to be specified by the auditor as
“true (T)”, “false (F)” or “not applicable (N/A)”. A “false” indication does not necessarily indicate unacceptable
practice, but shall be explained in writing. Those statements that are indicated as “N/A” shall also be explained
in writing.
A.2 Device characteristics
A.2.1 Physical security characteristics
A.2.1.1 General
All devices shall meet the criteria given in A.2.1.2 for general security characteristics and in A.2.1.3 for
tamper-evident characteristics. Many devices shall additionally meet either the criteria given in A.2.1.4 for
tamper-resistant characteristics or the criteria given in A.2.1.5 for tamper-responsive characteristics. However
some devices need meet only the criteria for general security characteristics and tamper-evident
characteristics. Such devices meet the following requirements:
a) the device retains no secret key that has ever been used to encipher any secret data, nor does it retain
any information from which such a key could feasibly be determined, even with knowledge of any data
that have ever been available in plaintext form;
b) the device is managed in such a way that there is a high probability of noting and reporting on a timely
basis either the extended absence of the device from its authorized location, or any obvious damage to
the device;
c) means exist at all facilities capable of direct cryptographic communication with the device to not process
any enciphered data received from the device after it has been reported absent or damaged.
A.2.1.2 General security characteristics
An evaluation agency has evaluated the device bearing in mind susceptibility to physical and logical attack
techniques known at the time of the evaluation, such as (but not limited to) the following:
- chemical attacks (solvents);
- scanning attacks (scanning electron microscope);
- mechanical attacks (drilling, cutting, probing, etc.);
- thermal attacks (high and low temperature extremes);
- radiation attacks (X-rays);
- information leakage through covert (side) channels (power supply, timing, etc.);
- failure attacks;
and has concluded that:
No. Security compliance statement True False N/A
A1 It is not feasible to determine a PIN, a key, or other secret information by monitoring (e.g. the electro-magnetic emissions from the device, with or without the cooperation of the device operator), when the device is operating in its intended environment.
A2 Any ventilation and other openings in the module are positioned and protected so that it is not feasible to use such an opening to probe any component of the module such that plaintext PINs, access codes or cryptographic keys might be disclosed; or to disable any of the protection mechanisms of the device.
A3 All sensitive data and cryptographic keys, including residues, are stored in the security module.
A4 All transfer mechanisms within the device are implemented in such a way that it is not feasible to monitor the device to obtain unauthorized disclosure of any such information.
A5 Any access entry point into the device's internal circuitry is locked in the closed position when the device is operative, by means of one or more pick-resistant locks or similar security mechanisms.
A5A The design of the device is such that it is not practical to construct a duplicate device from commercially available components; e.g. the casing used to house the device's electronic components is not commonly available.
A.2.1.3 Tamper-evident characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A6 The device is designed and constructed so that it is not feasible to penetrate the device in order to:
- make any additions, substitutions, or modifications (e.g. the installation of a bug) to the hardware or software of the device or
- determine or modify any sensitive information (e.g. PINs, access codes and cryptographic keys)
and then subsequently re-install the device, without requiring specialized skills and equipment not generally available, and:
a) without damaging the device so severely that the damage would have a high probability of detection, or
b) requiring that the device be absent from its intended location for a sufficiently long time that its absence, or reappearance, would have a high probability of being detected.

A.2.1.4 Tamper-resistant characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A7 The device is protected against penetration by employing physical protection to such a degree that penetration is not feasible.
A8 Even after having gained unlimited, undisturbed access to the device, discovery of secret information in the target device is not feasible.
A.2.1.5 Tamper-responsive characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A9 The device is protected against penetration by including features that detect any feasible attempts to tamper with the device and cause immediate erasure of all cryptographic keys and sensitive data when such an attempt is detected.
A10 Removal of the case or the opening, whether authorized or unauthorized, of any access entry to the device’s internal components causes the automatic and immediate erasure of the cryptographic keys stored within the device.
A11 There is a defined method for ensuring that secret data, or any cryptographic key that has been used to encrypt secret data, is erased from the unit when permanently removing the unit from service (decommissioning). There is also a defined method for ensuring, when permanently decommissioned, that any cryptographic key contained in the unit that might be usable in the future is either erased from the unit or is invalidated at all facilities with which the unit is capable of performing cryptographically protected communications.
A12 Any tamper detection/key erasure mechanisms function even in the absence of applied power.
A13 If the device has no mechanism for detection of removal from its operational environment, then defeating the tamper detection mechanisms, or discovery of secret information in the target device is not feasible, even when removed from its operational environment. Compromise of the device requires equipment and skill sets that are not readily available.
NOTE As a possible example, discovery of such information requires a significant time, such as one month of preparation, including analysis of other devices, and at least one week of effort to compromise the device after having gained unlimited, undisturbed access to the target device.
A14 If the device has a mechanism for detection of removal from its operational environment, then defeating the tamper-detection mechanisms, or discovery of secret information in the target device is not feasible. Compromise of the device shall require skill sets that are not readily available; and equipment that is not readily available at the device site nor can be feasibly transported to the device site.
NOTE As a possible example, discovery of such information requires a significant time, such as one month of preparation, including analysis of other devices, and at least twelve hours of unlimited, undisturbed access to the target device.

A.2.2 Logical security characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
A15 The device includes self-test capabilities, capable of manual or automatic initiation, to ensure that its basic functions are operating properly.
A16 The device only performs its designed functions.
A17 The device is designed in such a way that it cannot be put into operational service until the device initialization process has been completed. This will include all necessary keys and other relevant material needed to be loaded into it.
A18 It is not feasible to determine a key or other secret information by the use of diagnostic or special test modes.
A19 The cryptographic algorithms, modes of operation, and lengths of cryptographic keys used by the device comply with parts 1 to 6 of ISO 11568.
A20 The device key management complies with parts 1 to 6 of ISO 11568, using each key for only one cryptographic purpose (although a variant of a key may be used for a different purpose).
A21 The functionality implemented within the device is such that there is no feasible way in which plaintext secret information, (e.g. PINs or cryptographic keys) or secret information enciphered under other than the legitimate key, can be obtained from the device, except in an authorized manner (e.g. PIN mailers).
A22 If the device is composed of several components, it is not possible to move a cryptographic key within the device from a component of higher security to a component providing lower security.
A23 The loading of keys is performed when:
- the device is in a sensitive state or
- the action of loading a key puts the device into a mode that activates all the tamper protection mechanisms within the device.
A24 The following operator functions that may influence the security of a device are only permitted when the device is in a sensitive state, i.e. under dual or multiple control:
- disabling or enabling of device functions;
- change of passwords or data that enable the device to enter the sensitive state.
A25 The secure operator interface is so designed that entry of more than one password (or some equivalent mechanism for dual or multiple control) is required in order to enter this sensitive state.
A26 The secure operator interface is so designed that it is highly unlikely that the device can inadvertently be left in the sensitive state.
A27 If sensitive state is established with multiple limits (e.g. on the number of function calls and a time limit) the device returns to normal state, when the first of these limits is reached.
A28 Where passwords or other plaintext data are used to control transition to a sensitive state, then these are protected in the same manner as other secret or sensitive information.
A29 If cryptographic keys are lost for any reason, e.g. long-term absence of applied power, the device will enter a non-operational state.
A30 The only function calls and sensitive operator functions that exist in the device are functions approved by the sponsor, or the system in which the device is to operate.
A31 Keys are never translated from encipherment under one variant to encipherment under another variant of the same key.
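The sensitive-state requirements in A24 to A28 (entry only under dual control, no lingering in the state, exit when the first of several limits is reached, passwords protected like other secrets) can be made concrete as a small state controller. The following Python model is an added example; it is not code from ISO 13491-2 or from any real device. The class name, the set of sensitive operator functions, the call and time limits, and the use of salted PBKDF2 for password storage are illustrative assumptions.

```python
"""Model of an SCD sensitive state, after checklist items A24 to A28.

Added example, not code from ISO 13491-2 or from any real device. The class name,
the set of sensitive operator functions, the limits and the PBKDF2 password
storage are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import time

# A24: operator functions permitted only in the sensitive state (assumed set).
SENSITIVE_OPS = {"enable_function", "disable_function", "change_password"}


class NotInSensitiveState(Exception):
    """Raised when a sensitive operator function is called in the normal state."""


class SensitiveStateController:
    def __init__(self, operator_passwords, max_calls=5, time_limit_s=300.0,
                 clock=time.monotonic):
        # A28: passwords that gate the transition are held as salted PBKDF2 hashes,
        # protected like any other secret in the device, never in plaintext.
        self._creds = {}
        for name, pw in operator_passwords.items():
            salt = os.urandom(16)
            self._creds[name] = (salt, self._digest(salt, pw))
        self._max_calls = max_calls      # A27: limit on the number of function calls
        self._time_limit = time_limit_s  # A27: time limit
        self._clock = clock              # injectable so the time limit can be tested
        self._leave()

    @staticmethod
    def _digest(salt, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def _verify(self, name, pw):
        if name not in self._creds:
            return False
        salt, expected = self._creds[name]
        return hmac.compare_digest(self._digest(salt, pw), expected)

    def _leave(self):
        """Return to the normal state and forget the session counters."""
        self._sensitive = False
        self._calls_used = 0
        self._entered_at = None

    def enter_sensitive_state(self, credentials):
        """A25: more than one password, from distinct operators, is required
        (dual control). `credentials` is a list of (operator, password) pairs."""
        verified = {name for name, pw in credentials if self._verify(name, pw)}
        if len(verified) < 2:
            return False
        self._sensitive = True
        self._calls_used = 0
        self._entered_at = self._clock()
        return True

    def in_sensitive_state(self):
        """A26/A27: the state lapses by itself once the time limit is reached,
        so the device cannot be left in it inadvertently."""
        if self._sensitive and self._clock() - self._entered_at >= self._time_limit:
            self._leave()
        return self._sensitive

    def invoke(self, op):
        """Run an operator function; sensitive ones require the sensitive state."""
        if op not in SENSITIVE_OPS:
            return f"{op}: done"
        if not self.in_sensitive_state():
            raise NotInSensitiveState(op)
        self._calls_used += 1
        if self._calls_used >= self._max_calls:
            self._leave()   # A27: the call-count limit was reached first
        return f"{op}: done"
```

Whichever limit is hit first, call count or elapsed time, drops the device back to the normal state, and the same operator presenting a password twice does not satisfy the dual-control check.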
A.3 Device management
A.3.1 General consideration
For each life cycle stage, the entity responsible for completing the audit checklist for that stage has provided
assurance, acceptable to the audit review body, that:
No. Security compliance statement True False N/A
A32 For audit and control purposes, the identity of the device (e.g. its serial number) can be determined, either by external tamper-evident marking or labelling, or by a command that causes the device to return its identity via the interface or via the display.
A33 When the device is in a life cycle stage such that it contains cryptographic keys, the identity of these keys can be easily determined from the identity of the device [so that the key(s) can be invalidated if the device is reported lost or stolen].
A34 Any physical keys used to unlock or operate the device are carefully controlled, and available only to authorized persons.
A35 If a device contains a secret cryptographic key and there is an attack on a device, or a device is stolen, then procedures are in place to notify the party responsible for the security of the device immediately after detection.
A36 If a device does not yet contain a secret cryptographic key and there is an attack on a device, or a device is stolen, then procedures are in place to prevent the substitution of the attacked or stolen device for a legitimate device that does not yet contain a secret cryptographic key.
A37 If no sensitive state exists in the device, the loading of plaintext keys is performed under dual control.

A.3.2 Device protection by manufacturer
The device manufacturer or an independent auditor has provided assurance, acceptable to the audit review
body, that:
No. Security compliance statement True False N/A
A38 The hardware and software design of the device has been carefully evaluated to ensure that the functional capabilities provided with the device are all legitimate, documented functions, and that no unauthorized function (e.g. a “Trojan Horse”) resides in the device.
A39 The device, including software, is produced and stored in a controlled environment under the control of qualified personnel to prevent unauthorized modifications to the physical or functional characteristics of the device.


A.3.3 Device protection between manufacturer and pre-use
The device manufacturer and those responsible for the transport, repair and storage of the device prior to
initial key loading or to the repeat of initial key loading, or else an independent auditor, have provided
assurance, acceptable to the audit review body, that:
No. Security compliance statement True False N/A
A40 The transfer mechanisms by which plaintext keys, key components or passwords are entered into the device are protected and/or inspected so as to prevent any type of monitoring that could result in the unauthorized disclosure of any key, component or password.
A41 Subsequent to manufacturing and prior to shipment, the device is stored in a protected area or sealed within tamper-evident packaging to prevent undetected unauthorized access to it.
A42 The device is shipped in tamper-evident packaging, and inspected to detect unauthorized access to it; or
- before a device is loaded with cryptographic keys, it is closely inspected by qualified staff to ensure that it has not been subject to any physical or functional modification; or
- the device is delivered with secret information that is erased if tampering is detected, to enable the user to ascertain that the device is genuine and not compromised.
NOTE One example of such information is the private key of an asymmetric key pair, with the public key of the device signed by a private key known only to the supplier.
A43 The device is loaded with initial key(s) in a controlled manner only when there is reasonable assurance that the device has not been subject to unauthorized physical or functional modification.

A.3.4 Device protection during pre-use and prior to installation
Those responsible for device storage and transport subsequent to initial key loading, or else an independent
auditor, have provided assurance, acceptable to the audit-review body, that:
No. Security compliance statement True False N/A
A44 Any uninstalled device is controlled so as to prevent or detect unauthorized access to it, and records are kept and audited so as to detect and report theft or loss.

A.3.5 Device protection subsequent to installation
The acquirer or an independent auditor has provided assurance, acceptable to the audit review body, that controls and procedures are in place to ensure that:
No. Security compliance statement True False N/A
A45 If for any reason a device ceases to hold valid keys:
• the device is removed from service as soon as possible and
• transactions from the device are rejected and
• the device is not loaded with new keys until it has been carefully inspected and tested by at least two knowledgeable and qualified individuals who have determined that the device has not been subject to any physical or functional modification.
A46 If a device is lost or stolen and then recovered, or if unauthorized modification of the device is suspected for any reason, all cryptographic keys contained in the unit are erased, and new keys are not loaded until the unit has been inspected and tested as indicated in A.3.3.
A47 Manual and/or automated auditing and control procedures have been implemented to detect the unauthorized reinstallation of a previously used device, or of a device containing the key(s) of a previously used device. Such instances are investigated, and if potentially fraudulent activity is suspected, the device is removed from service as soon as possible. When each transaction identifies the key(s) used in the transaction, host software can be used to automatically detect:
1) the removal of a device from service and
2) the subsequent installation of a device containing the key(s) of a device previously removed from service.
A48 When the device is being serviced or installed, procedures are in place to ensure that the device cannot be compromised by the staff performing these functions.
A49 When the secure operator interface is to be used, the data entry device and cables connected to the device are carefully inspected to ensure that no unauthorized hardware has been inserted.
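As an added illustration of the host-side detection that A47 describes (example code written for this page, not part of ISO 13491-2), the following Python audits a transaction log in which every transaction names the key it used; the key identifiers, device serials, terminals and log lines are constructed sample data, and a key check value or key serial number would carry the key identifier in practice.

```python
from collections import namedtuple

# Constructed host-side records (illustrative values, not from the standard):
# key identifier carried in each transaction -> (PED serial, terminal it was
# installed at).
KEY_REGISTRY = {
    "K-0001": ("PED-1001", "TERM-A"),
    "K-0002": ("PED-1002", "TERM-B"),
    "K-0003": ("PED-1003", "TERM-C"),
}
# Devices that operations has recorded as removed from service, with the
# time of removal (A47, point 1).
REMOVED_DEVICES = {"PED-1002": "2005-06-14T09:03:00"}

# Constructed transaction log: "timestamp,terminal,key_id,amount".
TRANSACTION_LOG = """\
2005-06-14T09:00:00,TERM-A,K-0001,12.50
2005-06-14T09:01:10,TERM-B,K-0002,40.00
2005-06-14T09:05:42,TERM-D,K-0002,99.90
2005-06-14T09:07:03,TERM-E,K-0003,5.00
2005-06-14T09:08:15,TERM-C,K-0009,7.25
"""

Alert = namedtuple("Alert", "timestamp terminal key_id reason")


def audit_transactions(log, registry, removed):
    """Flag transactions whose key belongs to a device removed from service
    (A47, point 2), to a device that has moved terminal, or to no known
    device. ISO 8601 timestamps compare correctly as plain strings."""
    alerts = []
    for line in log.splitlines():
        timestamp, terminal, key_id, _amount = line.split(",")
        if key_id not in registry:
            alerts.append(Alert(timestamp, terminal, key_id,
                                "unknown key identifier"))
            continue
        serial, home_terminal = registry[key_id]
        removed_at = removed.get(serial)
        if removed_at is not None and timestamp >= removed_at:
            alerts.append(Alert(timestamp, terminal, key_id,
                                f"key of {serial}, removed from service at "
                                f"{removed_at}, is back in use"))
        elif terminal != home_terminal:
            alerts.append(Alert(timestamp, terminal, key_id,
                                f"key of {serial} used at {terminal} rather "
                                f"than its registered {home_terminal}"))
    return alerts
```

Each alert is a case the checklist asks to have investigated; the device is only removed from service once fraud is suspected, which the host cannot decide on its own.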

A.3.6 Device protection after removal from service
Those responsible for device removal, or else an independent auditor, have provided assurance, acceptable to the audit review body, that:
No. Security compliance statement True False N/A
A50 If the device is to be reinstalled, then it is controlled so as to prevent unauthorized access to it, and is audited so as to detect and report its theft or loss.
A51 If the device is being permanently removed from service, then any key contained within the device which has been used for any cryptographic purpose is erased from the device.
A52 If the device case is intended to provide tamper-evident characteristics and the device is being permanently removed from service, then the case is destroyed. The storage of the case is controlled and audited until its destruction.
10 © ISO 2005 – All rights reserved

Annex B
(normative)
Devices with PIN entry functionality
B.1 General
The procedure for evaluating PIN entry devices is as follows:
• complete the checklists given in Annex A;
• complete the checklists given in this annex.
The following statements in this security compliance checklist are required to be specified by the auditor as “true (T)”, “false (F)” or “not applicable (N/A)”. A “false” indication does not necessarily indicate unacceptable practice, but shall be explained in writing. Those statements that are indicated as “N/A” shall also be explained in writing.
B.2 Device characteristics
B.2.1 Physical security characteristics
The evaluating agency has concluded that:
No. Security compliance statement True False N/A
B1 The path from the keypad to the cryptographic processing unit is physically protected, such that there is no feasible method of ascertaining the data passed between the two without:
• triggering the erasure of the device’s cryptographic keys (reference A.2.1.5) or
• causing sufficient damage to preclude its continued use (reference A.2.1.3);
or meeting the requirements of B21.
B2 If the PIN entry device can be used to enter data that will not be enciphered, then the path to the display is physically protected; or the requirements of B16 are met.
B3 The path from the magnetic stripe card reader to the cryptographic processing unit is physically protected, such that there is no feasible method of accessing and/or altering the data passed between the two without triggering the erasure of the secret or private cryptographic keys; or the requirements of B22 are met.
B4 If PIN entry is accompanied by an audible tone, the tone for each entered PIN digit is indistinguishable from the tone for any other entered PIN digit.
B5 If the PIN entry device has a display, this display does not disclose any entered PIN digit but may display a string of non-significant symbols, such as asterisks, to denote the number of PIN digits entered.
B6 The PIN entry device is equipped with a privacy shield, or is designed so that the cardholder can shield it with his/her body to protect against observation of the PIN during PIN entry.
B7 Any residues of PINs, or cryptographic keys used during a transaction are either stored in a tamper-resistant or tamper-responsive module, or are overwritten immediately after the completion of the transaction.
NOTE Plaintext PINs are always overwritten immediately after being enciphered.
B8 The slot of the IC reader into which the IC card is inserted does not have sufficient space to hold a PIN-disclosing “bug” when a card is inserted, nor can it feasibly be enlarged to provide space for a PIN-disclosing “bug.” It is not possible for both an IC card and any other foreign object to reside within the card insertion slot. The opening for the insertion of the IC card is in full view of the cardholder so that any untoward obstructions or suspicious objects at the opening are detectable.
NOTE A PIN entry device need not comply with this requirement if the PINs are only transferred to the IC card with logical (cryptographic) protection.
B9 The IC reader is constructed so that wires running out of the slot of the IC reader to a recorder or a transmitter (an external bug) can be observed by the cardholder.
NOTE A PIN entry device need not comply with this requirement if the PINs are only transferred to the IC card with logical (cryptographic) protection.
B10 The PIN pad and the IC reader are either integrated in a single tamper-evident (as defined in ISO 13491-1) device or exist as two separate tamper-evident devices.
NOTE A non-integrated IC reader need not comply with this requirement if the PINs are only transferred to the IC card with logical (cryptographic) protection.

B.2.2 Logical security characteristics
The PIN entry device manufacturer or an independent evaluating agency has provided assurance, acceptable to the audit review body, that:
No. Security compliance statement True False N/A
B11 PIN protection during transmission within the terminal (at least one must apply):
• If the PED and the IC reader are not integrated and the cardholder verification method required by the IC card is an enciphered PIN, then the PIN block is enciphered between the PED and the IC reader using either an authenticated encipherment key of the IC card, or in accordance with ISO 9564-1, the PIN block is submitted to the IC card enciphered using an authenticated encipherment key of the IC card OR
• If the PED and the IC reader are not integrated and the cardholder verification method is determined to be a plaintext PIN, then the PIN block is enciphered from the PED to the IC reader (the IC reader will then decipher the PIN for transmission in plaintext to the IC card) in accordance with ISO 9564-1 OR
• If the PED and the IC reader are integrated and the cardholder verification method is determined to be an enciphered PIN, then the PIN block is enciphered using an authenticated encipherment key of the IC card OR
• If the PED and the IC reader are integrated and the cardholder verification method is determined to be a plaintext PIN, then encipherment is not required if the PIN block is transmitted wholly through a protected environment (as defined in 6.3.3 of ISO 9564-1:2002). If the plaintext PIN is transmitted to the IC reader through an unprotected environment, then the PIN block is enciphered in accordance with ISO 9564-1.
B12 PIN encipherment only occurs using a PIN block format and an encipherment algorithm specified in ISO 9564-1.
B13 If the PIN entry device offers functionality for downloading of software, then any such software downloaded is rejected by the device (the device’s cryptographic keys may also be automatically erased) unless the device has successfully cryptographically authenticated the downloaded code.
B14 If the PIN entry device is designed to cater for more than one acquirer, then any downloaded changes to the table controlling the choice of the acquirer key set are accepted by the device only if it has successfully cryptographically authenticated the downloaded data.
B15 The PED has characteristics that prevent or significantly deter exhaustive PIN determination (e.g. use a unique-key-per-transaction technique to prevent the attack or limit the number of permitted PIN entries per minute to deter the attack or by use of a PIN block format containing random data).
B16 Where the keypad is used for PIN entry as well as other data, the display is under the control of the device such that an “enter PIN” or an equivalent message cannot be displayed when data will be output in the clear or the requirements of B2 are met.
B17 The PIN entry device only accepts PINs that are between four and 12 digits in length.
B18 The mapping of numeric values of the entered PIN to the internal coding is in accordance with ISO 9564-1.
B19 The PIN entry device uses different key slots for different acquirers, and there is no feasible way in which any acquirer's personnel can ascertain or modify another acquirer's key.
B20 The PIN entry device uses different keys for different acquirers, and the means to select the key to be used for a given transaction are controlled (e.g. by an internal table look-up) so that there is no feasible way to deliberately or accidentally select the key of another acquirer.
B21 The path from the keypad to the cryptographic processing unit is logically protected (e.g. enciphered) or the requirements of B1 are met.
B22 The path from the magnetic stripe card reader to the cryptographic processing unit is logically protected, or the requirements of B3 are met.
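As an added Python illustration of B7, B12, B15 and B17 (example code written for this page, not from ISO 9564-1 or ISO 13491-2), the following builds an ISO 9564-1 format 0 (fixed fill) or format 3 (random fill) PIN block from the PIN and PAN, overwrites the plaintext PIN buffer, and, going one step beyond the checklist, shows the verification-side decoding of the block; the encipherment of the block required by B11 and B12 is not shown, and the PIN and PAN values are constructed sample data.

```python
import secrets

PIN_MIN, PIN_MAX = 4, 12  # B17: only PINs of 4 to 12 digits are accepted


def pan_field(pan: str) -> bytes:
    """PAN field used by formats 0 and 3: 0000 followed by the rightmost
    12 digits of the PAN, excluding the check digit."""
    without_check_digit = pan[:-1]
    return bytes.fromhex("0000" + without_check_digit[-12:].rjust(12, "0"))


def pin_block(pin: bytearray, pan: str, fmt: int = 0) -> bytes:
    """Build an ISO 9564-1 format 0 or format 3 (random fill, cf. B15) PIN
    block. The plaintext PIN buffer is overwritten as soon as it is no
    longer needed (B7); Python cannot guarantee that no other copy exists,
    which is why B7 is a device property rather than a library call."""
    if fmt not in (0, 3):
        raise ValueError("only formats 0 and 3 are shown in this example")
    if not (PIN_MIN <= len(pin) <= PIN_MAX and pin.isdigit()):
        pin[:] = bytes(len(pin))
        raise ValueError("PIN must be 4 to 12 decimal digits (B17)")
    fill_len = 14 - len(pin)  # control nibble + length nibble + PIN + fill
    fill = ("F" * fill_len if fmt == 0 else
            "".join("ABCDEF"[secrets.randbelow(6)] for _ in range(fill_len)))
    pin_field = bytes.fromhex(f"{fmt:X}{len(pin):X}{pin.decode()}{fill}")
    pin[:] = bytes(len(pin))  # B7: plaintext PIN overwritten immediately
    return bytes(a ^ b for a, b in zip(pin_field, pan_field(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Inverse step, as a PIN verification device performs it after
    deciphering the block: strip the PAN and read the length nibble."""
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] not in "03":
        raise ValueError("unsupported PIN block format")
    length = int(field[1], 16)
    if not PIN_MIN <= length <= PIN_MAX:
        raise ValueError("PIN length outside B17 bounds")
    return field[2:2 + length]
```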
B.3 Device management
B.3.1 PIN entry device protection during initial key loading
Those responsible for initial key loading, or an independent auditor, have provided assurance, acceptable to the sponsor, that:
No. Security compliance statement True False N/A
B23 A repaired PIN entry device is not reloaded with the original key (except by chance).
B24 Automated techniques are used, or manual procedures are in place and are followed to ensure each PIN entry device is given at least one statistically unique key unknown to any person and never previously given (except by chance) to any other PIN entry device.

B.3.2 PIN entry device protection after installation
The acquirer or an independent auditor has provided assurance, acceptable to the audit review body, that controls and procedures are in place to ensure that:
No. Security compliance statement True False N/A
B25 The PIN entry device is placed where PIN entry cannot be viewed by surveillance cameras nor readily observed by bystanders.
B26 Location and/or the device management practices of the PIN entry device are such that its absence or an unauthorized access (attack) would be detected within 24 hours.


Annex C
(normative)
Devices with PIN management functionality
C.1 General
PIN management functions include:
• PIN issuance;
• PIN verification;
• PIN translation.
NOTE 1 PIN entry is addressed in Annex B.
NOTE 2 The requirements of this annex do not apply to POS and ATM devices that perform PIN translation for transmission of PINs to an IC card.
The procedure for evaluating devices containing PIN management fun
...
