ABECS Certification for Payment Devices

The document outlines the safety certification process for password capture devices, focusing on security requirements for electronic transaction capture devices in Brazil. It details the approval process, prerequisites for certification, and specific requirements for equipment to ensure protection against fraud and data breaches. The document emphasizes the role of ABECS in standardizing evaluations and reducing costs and complexity for vendors in compliance with PCI SSC guidelines.

Uploaded by

José Carlos

Safety Certification for Password Capture Devices

Security and fraud prevention committee

Year 2016

Version 7.0
INDEX
1. Introduction
1.1. Motivation
1.2. Market Benefits
1.3. PCI SSC
1.4. PCI PTS (Payment Card Industry PIN Transaction Security)
1.4.1 Overview

2. ABECS Objective

3. Scope

4. Approval process
4.1. Definition
4.2. Flow of approval of equipment
4.3. Laboratory certification flow
4.4. Quality control and confidentiality
4.4.1 Term of confidentiality and quality of services
4.4.2 Audits
4.4.3 Frequency of reviews

5. Prerequisite for Certification / Recertification

6. Requirements
6.1. Equipment
6.1.1 ABECS Requirements 01
6.1.2 ABECS Requirements 02
6.1.3 ABECS Requirements 03
6.1.4 ABECS Requirements 04
6.1.5 ABECS Requirements 05
6.1.6 ABECS Requirements 06
6.1.7 ABECS Requirements 07

7. Reports generated by the laboratories

8. Approved Laboratories
9. External references (PCI-PTS)
10. Confidentiality and responsibility with ABECS – Draft
Version history

Revision Manual_ABECS_v4 (13/07/2009):
- Initial Version.

Revision Manual_ABECS_v5 (13/07/2010):
- Item 1.4.1 Overview: content update.
- Item 4. Homologation process: flowcharts updated.
- Item 4.1. Definition: content update.
- Item "Process used by the accreditors": excluded.
- Item 4.5. Review frequency: included.
- Item 5. Mandatory for certification: included.
- Item 6. Recertification: included.
- Item 7.1.1 Requirements ABECS 01: item b) included.
- Item 5.1.2 Requirements ABECS 02: content update.
- Item 7.1.3 Requirements ABECS 03: item b) included.
- Item 7.1.7 Requirements ABECS 07: included.
- Item 9. External References (PCI-PTS): table of references included.
- Item 10. Homologated devices by ABECS committee: title and table updated.

Revision Manual_ABECS_v6 (13/07/2012):
- Item 3. Scope: PCI-PTS 3.x included.
- Item 4.4.2 Audits: content update.
- Item 7.1.2 Requirements ABECS 02: content update.
- Item 9. Homologated Laboratories: content update.
- Item 11. Homologated devices by ABECS committee: new certified devices included.

Revision Manual_ABECS_v7 (03/02/2015):
- Item 6 (Recertification) excluded; its content was added to Item 5.
- Items renumbered.
- From 7.1.1 to 6.1.1 Requirements ABECS 01 (improvements).
- From 7.1.3 to 6.1.3 Requirements ABECS 03 (item included).
- From 7.1.4 to 6.1.4 Requirements ABECS 04 (item included).
- From 7.1.7 to 6.1.7 Requirements ABECS 07 (improvements/item included).
- 11.1 Homologated devices list removed.
1. Introduction
1.1 Motivation

The growing number of payment cards issued by banks and, consequently, the growing number of electronic transactions made to pay for goods and services in commercial establishments make card cloning profitable, because the data obtained can be used in Brazil or abroad.
There are several ways to copy the details of a payment card for use in card cloning. One of them consists of inserting a device into a POS or PINPAD. In evaluations made by the accreditors, there is a clear technological advance in this technique in Brazil compared with other countries that accept credit and debit cards.

1.2. Benefits for the Market

PCI SSC allows PED vendors to carry out the security evaluation process in a faster, easier and more cost-effective way, reducing the complexity of developing new products to a single evaluation process and providing a marketplace for institutions and accreditors.
In the past, PED vendors had to pass through several different tests to meet all global and local payment security requirements. This was expensive and caused confusion about the evaluation criteria. For this reason, it was defined that ABECS will be responsible for validating all security tests and minimum requirements, following PCI SSC.
We have gathered the norms and rules to be met by suppliers so that everyone benefits from reduced cost, time and complexity in means-of-payment operations.

1.3. PCI SSC

In September 2006, the main credit and debit card operators (Amex, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) created a council called the PCI Council, which is also composed of several other companies. It was designed to create and recommend best data security practices to be followed by commercial establishments and processors that accept cards as a form of payment; the main reason is to protect the privacy of cardholders.

Among the various actions generated by the PCI SSC, the most relevant was the alignment between the operators it incorporates:

• Technical Rationale: requirements for the safe storage, processing and transmission of cardholder data.
• Test Methodologies: common audit procedures, vulnerability tests and a self-assessment questionnaire.

The PCI SSC applies to any and all companies that collect, process, store or transmit credit card information, which are therefore required to adapt to the standard. In general, this includes merchants, intermediaries that process credit card data and are connected to the card association network, and service providers that host websites, process ATM transactions or collect and process credit card data on behalf of members of the Visa and Mastercard networks (payment gateways). It also applies to manufacturers that specify and implement personal identification number (PIN) entry terminals, under PCI-PTS.
1.4. PCI PTS (Payment Card Industry PIN Transaction Security)

1.4.1 Overview

In the past, PED Security Requirements were overseen by JCB, MasterCard and Visa. Now, through PCI SSC, the five leading payment brands in the world (American Express, Discover, JCB, MasterCard and Visa) manage the security requirements of the PTS program, allowing the standardization of security device requirements, testing methodology and approval processes for PIN Transaction Security (PTS).

It is a strategic priority for PCI SSC to continue rationalizing security regulations and supporting device development, making security measures more consistent with cost-effective implementation in the market.

PCI-PTS Security Requirements concern devices and the technical characteristics that affect PIN security.

The PIN (Personal Identification Number) is used by the cardholder during a financial transaction.

The physical characteristics of the devices must include security sensors to detect and respond to physical attacks on the equipment, such as opening the terminal, installing fraudulent devices, etc.

The logical characteristics are security features that include functional capabilities that prevent access to terminal data, such as copying the application, accessing cryptographic keys and accessing processed data.

The management of the PED is rigorous, so that it is produced and controlled in such a way that it cannot carry a skimmer (a device to steal passwords) or compromise the encryption process. If the device is not properly controlled, unauthorized modifications to its physical and logical security characteristics may occur.
2. ABECS Objective
Definition of the minimum security requirements for electronic transaction capture devices in Brazil, the evaluation criteria and the processes for carrying out these evaluations.

ABECS has gathered norms and rules for the evaluation of suppliers so that everyone benefits from the reduction of cost, time and complexity in means-of-payment operations.

3. Scope
POS and PINPAD devices approved under PCI PTS version 3.x or higher.

4. Homologation process
4.1 Definition
These processes include the requirements for the equipment, the test criteria for this equipment, the laboratory approval criteria and the quality control of the tests performed.
4.2 Device homologation flow chart
The main objective of the equipment approval flow is to centralize the technical and logical validation of PED manufacturers in a single body.
4.3 Laboratory certification flow chart
4.4 Quality control and confidentiality
4.4.1 Term of confidentiality and quality of services
4.4.2 Audits
4.4.3 Frequency of reviews
5. Prerequisite for Certification / Recertification
5.1
5.2
5.3
6. Requirements

6.1 Devices

6.1.1 ABECS 01 Requirements

Type: Physical

Description:
There must be a physical protection that prevents the security of the terminal from being neutralized through access to the security sensors via holes existing in, or created in, the housing. This protection must be implemented in such a way that the security of the terminal cannot be neutralized regardless of the number of sensors that have been defeated; that is, even when some sensors are neutralized, the security of the terminal as a whole cannot be.
Pressure security sensors must be protected by an additional security system/mechanism.

ABECS Recommendation¹: a protection mesh (also known as a protection blanket, widely used in the protection circuit of equipment keyboards).
Every mesh must have at least two layers.

Evaluation criteria:
In this item, the laboratories will consider the equipment suitable when:
1. It is not possible to break this barrier within the period established in item 5.3 for certification or recertification, using conventional equipment (screwdriver, pliers, multimeter, oscilloscope, etc.), without prior knowledge of the circuits and without the use of more sophisticated equipment such as X-rays.
2. A maximum of 5 devices per model is used.
3. The security systems and additional means of protection for the pressure security circuits are evaluated.
4. The number of mesh layers applied to the security circuits is evaluated, when mesh is used.
6.1.2 ABECS 02 Requirements

Type: Physical

Description:
The PinPad must provide a protection mechanism at the connection with its communication cable, so that any replacement attempt is visible to the shopkeeper and so that replacing the device quickly or improperly is difficult.

A PinPad that allows the removal of its connector/cable must have a fastening mechanism from the connector/cable to the PinPad.
Evaluation criteria:
1. In this item, the laboratories will consider the equipment suitable if its replacement requires the use of special tools (for example, a screwdriver) or the breaking of a seal (an action that requires effort and time to carry out).
6.1.3 ABECS 03 Requirements

Type: Physical and logical

Description:
The manufacturer must maintain the uniqueness of the serial numbers of the devices it manufactures, in order to guarantee a unique identity for each capture device.

There is no impediment to a manufacturer assigning an existing number to a new board when a defective board needs to be replaced.

Evaluation criteria:
1. Laboratories must request the serial number generation logic from the manufacturer and add this information to their report and to the Executive Report.
2. The internal serial number recorded in the terminal's memory must be identical to the number recorded on the external label.
3. When turned on, the terminal must present the internal serial number of the equipment registered in the firmware (when it has a display). Alternatively, during the boot process, pressing the yellow <Clear> key should display the serial number for 5 seconds, after which the boot process should proceed normally.
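The following Go program is an added example, not part of the ABECS document, that shows one way a manufacturer-side serial registry can satisfy ABECS 03 (every active board has a unique number, but a number may move to the board that replaces a defective one) together with the laboratory-side checks of criteria 1 and 2. The type and function names, the "ABC" prefix and the sample boards are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Board is one manufactured main board of a capture device (assumed layout).
type Board struct {
	Serial string // serial number recorded in the terminal's memory/firmware
	Label  string // serial number printed on the external label
}

// SerialRegistry is a manufacturer-side record of issued serial numbers.
// Every active board carries a unique number; a number is reused only when
// it moves from a retired defective board to the board that replaces it.
type SerialRegistry struct {
	prefix  string
	next    int
	active  map[string]*Board
	retired []*Board
}

func NewSerialRegistry(prefix string) *SerialRegistry {
	return &SerialRegistry{prefix: prefix, next: 1, active: map[string]*Board{}}
}

// Issue allocates a serial number that has never been issued before and
// records the new board under it, with the label matching the internal number.
func (r *SerialRegistry) Issue() *Board {
	sn := fmt.Sprintf("%s%08d", r.prefix, r.next)
	r.next++
	b := &Board{Serial: sn, Label: sn}
	r.active[sn] = b
	return b
}

// ReplaceDefective retires the active board holding sn and issues a new board
// with the same number, so the terminal keeps its identity after the swap.
func (r *SerialRegistry) ReplaceDefective(sn string) (*Board, error) {
	old, ok := r.active[sn]
	if !ok {
		return nil, errors.New("serial number is not active: " + sn)
	}
	r.retired = append(r.retired, old)
	nb := &Board{Serial: sn, Label: sn}
	r.active[sn] = nb
	return nb, nil
}

func (r *SerialRegistry) ActiveCount() int  { return len(r.active) }
func (r *SerialRegistry) RetiredCount() int { return len(r.retired) }

// Finding is one problem reported by the laboratory-side audit.
type Finding struct {
	Serial string
	Issue  string
}

// AuditBoards applies evaluation criteria 1 and 2 to a sampled set of boards:
// every serial number must appear only once, and the internal number must be
// identical to the external label.
func AuditBoards(boards []Board) []Finding {
	var findings []Finding
	count := map[string]int{}
	for _, b := range boards {
		count[b.Serial]++
		if b.Serial != b.Label {
			findings = append(findings, Finding{b.Serial, "internal serial differs from label " + b.Label})
		}
	}
	for sn, n := range count {
		if n > 1 {
			findings = append(findings, Finding{sn, fmt.Sprintf("serial number shared by %d boards", n)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Serial < findings[j].Serial })
	return findings
}

func main() {
	reg := NewSerialRegistry("ABC") // constructed prefix
	b1, b2 := reg.Issue(), reg.Issue()
	repl, _ := reg.ReplaceDefective(b1.Serial)
	fmt.Printf("issued %s and %s; %s reassigned to a replacement board (%d active, %d retired)\n",
		b1.Serial, b2.Serial, repl.Serial, reg.ActiveCount(), reg.RetiredCount())
	// Constructed sample: a relabelled board that also duplicates b2's number.
	sample := []Board{*b2, *repl, {Serial: "ABC00000002", Label: "ABC00000009"}}
	for _, f := range AuditBoards(sample) {
		fmt.Println(f.Serial, f.Issue)
	}
}
```

The registry keeps retired boards separately so that a reused number is visible in the manufacturer's records, which is the information the laboratory asks for under criterion 1.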
6.1.4 ABECS 04 Requirements

Type: Logical

Description:
In the event of a breach attempt, the capture device must activate the breach response mechanism, which comprises:
- Removing the encryption keys;
- Removing the configuration data;
- Removing all installed software with the exception of the Operating System;
- Rendering the terminal "inoperative", so that the application cannot work again without the intervention of an authorized laboratory.
- ABECS Recommendation²: when in TAMPER, the terminal must show the serial number of the equipment registered in the firmware in addition to the TAMPER message.

Evaluation criteria:
1. Labs must verify that the terminal has lost the encryption keys and also the applications, and that these do not work again with only a pin-to-pin application load.
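The Go program below is an added example, not taken from the ABECS document, modelling the breach response of ABECS 04: on a tamper event the key storage is overwritten, configuration and applications are dropped while the operating system remains, the terminal becomes inoperative and the display shows TAMPER with the serial number. VerifyBreachResponse plays the laboratory's role from the evaluation criteria. The four-slot secure memory, the names and the sample values are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

const (
	keySlots   = 4  // assumed number of key slots in secure memory
	keyLen     = 16 // assumed key length in bytes
	secureSize = keySlots * keyLen
)

// Terminal models the logical contents that ABECS 04 requires the breach response to destroy; only the OS survives.
type Terminal struct {
	Serial   string
	OS       string
	Config   map[string]string
	Apps     []string
	tampered bool
	secure   [secureSize]byte // key storage that must be zeroised on a breach
	present  [keySlots]bool   // which slots currently hold a key
}

func NewTerminal(serial, os string) *Terminal {
	return &Terminal{Serial: serial, OS: os, Config: map[string]string{}}
}

// InjectKey stores a key in one slot of secure memory (factory key injection).
func (t *Terminal) InjectKey(slot int, key []byte) error {
	if slot < 0 || slot >= keySlots || len(key) != keyLen {
		return errors.New("invalid key slot or key length")
	}
	copy(t.secure[slot*keyLen:(slot+1)*keyLen], key)
	t.present[slot] = true
	return nil
}

func (t *Terminal) HasKey(slot int) bool { return slot >= 0 && slot < keySlots && t.present[slot] }
func (t *Terminal) SecureMemory() []byte { return append([]byte(nil), t.secure[:]...) }

// LoadApplication is the ordinary load path; a tampered terminal refuses it until an authorised laboratory intervenes (not modelled).
func (t *Terminal) LoadApplication(name string) error {
	if t.tampered {
		return errors.New("terminal inoperative: only an authorised laboratory can clear the tamper state")
	}
	t.Apps = append(t.Apps, name)
	return nil
}

// OnTamper is the breach-response mechanism: overwrite the key material, drop configuration and applications, go inoperative.
func (t *Terminal) OnTamper() {
	for i := range t.secure {
		t.secure[i] = 0
	}
	t.present = [keySlots]bool{}
	t.Config = map[string]string{}
	t.Apps = nil
	t.tampered = true
}

// Display follows the ABECS recommendation: TAMPER message plus serial number.
func (t *Terminal) Display() string {
	if t.tampered {
		return "TAMPER SN:" + t.Serial
	}
	return "READY"
}

// VerifyBreachResponse is the laboratory check from the evaluation criteria; it returns the checks that failed.
func VerifyBreachResponse(t *Terminal) []string {
	checks := []struct {
		ok   bool
		fail string
	}{
		{bytes.Equal(t.SecureMemory(), make([]byte, secureSize)) && t.present == [keySlots]bool{}, "encryption keys not removed"},
		{len(t.Config) == 0, "configuration data not removed"},
		{len(t.Apps) == 0, "applications not removed"},
		{t.LoadApplication("lab-probe-app") != nil, "application load accepted after tamper"},
		{t.Display() == "TAMPER SN:"+t.Serial, "display lacks TAMPER message and serial number"},
	}
	var failed []string
	for _, c := range checks {
		if !c.ok {
			failed = append(failed, c.fail)
		}
	}
	return failed
}

func main() {
	term := NewTerminal("ABC00000001", "os-1.0") // constructed values
	_ = term.InjectKey(0, bytes.Repeat([]byte{0x42}, keyLen))
	term.Config["acquirer-host"] = "10.0.0.1"
	_ = term.LoadApplication("payment-app")
	term.OnTamper()
	fmt.Println(term.Display(), "| failed checks:", VerifyBreachResponse(term))
}
```

Key material is overwritten in place before the slot flags are cleared, so a check that only looks for a "present" flag cannot pass while the bytes are still readable; the lab check inspects both.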
6.1.5 ABECS 05 Requirements

Type: Logical

Description:

All software loaded on the capture device must be digitally signed by the device manufacturer, with the possibility of also being digitally signed by the software manufacturer and the acquirer.

Evaluation criteria:

Laboratories should assess:

1. Whether there is a way to load an unsigned application onto a terminal that requires a digital signature.

2. Whether there is a way to load an application signed with a certificate different from the one injected by the manufacturer.

Manufacturers must deliver the means necessary for testing.
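As an added example (not code from the ABECS document or from any vendor), the Go program below implements a load-time signature check in the spirit of ABECS 05 using only the standard library's Ed25519: the manufacturer's signature is always mandatory, the acquirer's or software vendor's can be added and optionally made mandatory, and a package that is unsigned or signed with a key other than the injected one is rejected, which are exactly the two cases the laboratory tests. The trust-store layout, the party names and the sample image are assumptions; a real terminal would carry certificates rather than bare keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer names the party whose key may sign an application image.
type Signer string

const (
	Manufacturer   Signer = "manufacturer"    // mandatory under ABECS 05
	SoftwareVendor Signer = "software-vendor" // optional additional signer
	Acquirer       Signer = "acquirer"        // optional additional signer
)

// Package is an application image with the detached signatures shipped with it.
type Package struct {
	Image      []byte
	Signatures map[Signer][]byte
}

// SignAs attaches signer's Ed25519 signature over the whole image.
func (p *Package) SignAs(signer Signer, priv ed25519.PrivateKey) {
	if p.Signatures == nil {
		p.Signatures = map[Signer][]byte{}
	}
	p.Signatures[signer] = ed25519.Sign(priv, p.Image)
}

// TrustStore holds the public keys injected into the terminal at the factory
// and records which parties' signatures are mandatory for a load to proceed.
type TrustStore struct {
	keys     map[Signer]ed25519.PublicKey
	required map[Signer]bool
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[Signer]ed25519.PublicKey{}, required: map[Signer]bool{Manufacturer: true}}
}

// AddKey injects a party's public key; the manufacturer key is always required.
func (ts *TrustStore) AddKey(signer Signer, pub ed25519.PublicKey, required bool) {
	ts.keys[signer] = pub
	if required || signer == Manufacturer {
		ts.required[signer] = true
	}
}

// Verify is the load-time check: every mandatory signature must be present,
// every signature present must verify against the injected key of its party,
// and a signature from a party with no injected key is not accepted.
func (ts *TrustStore) Verify(p Package) error {
	if _, ok := ts.keys[Manufacturer]; !ok {
		return errors.New("no manufacturer key injected; refusing all loads")
	}
	for signer := range ts.required {
		if _, ok := p.Signatures[signer]; !ok {
			return fmt.Errorf("rejected: required %s signature missing", signer)
		}
	}
	for signer, sig := range p.Signatures {
		pub, ok := ts.keys[signer]
		if !ok {
			return fmt.Errorf("rejected: %s signature present but no key for that party is injected", signer)
		}
		if !ed25519.Verify(pub, p.Image, sig) {
			return fmt.Errorf("rejected: %s signature does not verify against the injected key", signer)
		}
	}
	return nil
}

// NewParty generates an Ed25519 key pair for one signing party (test bench only).
func NewParty() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	manPub, manPriv := NewParty()
	acqPub, acqPriv := NewParty()
	_, roguePriv := NewParty() // a key that was never injected into the terminal
	ts := NewTrustStore()
	ts.AddKey(Manufacturer, manPub, true)
	ts.AddKey(Acquirer, acqPub, true)

	image := []byte("constructed sample application image v1.0")
	unsigned := Package{Image: image}
	rogue := Package{Image: image}
	rogue.SignAs(Manufacturer, roguePriv) // criterion 2: key other than the injected one
	good := Package{Image: image}
	good.SignAs(Manufacturer, manPriv)
	good.SignAs(Acquirer, acqPriv)
	fmt.Println("unsigned:", ts.Verify(unsigned))
	fmt.Println("rogue:   ", ts.Verify(rogue))
	fmt.Println("good:    ", ts.Verify(good))
}
```

Because Verify iterates over the signatures actually attached, an extra signature from an unknown party is a rejection rather than being ignored, which closes the gap where a loader checks only the signatures it expects.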


6.1.6 ABECS 06 Requirements

Type: Logical

Description:

On production capture devices it must not be possible to:

- Disable security features;
- Print the complete card track or show it on the display;
- Display the encryption key;
- Enter encryption keys manually.

Evaluation criteria:
Laboratories must verify whether the conditions exist for carrying out the above actions. They must have the cooperation of the manufacturer.
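The Go program below is an added example, not part of the ABECS document, of the production lockout that ABECS 06 describes: a device in production mode refuses to disable its security features, to show or print the full card track, to display its key or to accept a key typed in manually, while the same commands work on a development unit. LabChecklist tries each of the four operations and reports which ones were allowed, which is the form of the laboratory's evaluation. The mode names, the 16-byte key, the well-known test PAN in the constructed track and the masking rule (first six and last four digits) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Mode is the assumed life-cycle mode; production units must refuse the four operations of ABECS 06.
type Mode int

const (
	Development Mode = iota
	Production
)

var ErrNotPermitted = errors.New("operation not permitted on a production device")

type Device struct {
	Mode     Mode
	TamperOn bool   // tamper detection enabled
	pinKey   []byte // PIN encryption key held by the device
}

func NewDevice(mode Mode, key []byte) *Device {
	return &Device{Mode: mode, TamperOn: true, pinKey: append([]byte(nil), key...)}
}

// DisableSecurity turns tamper detection off; a production unit refuses.
func (d *Device) DisableSecurity() error {
	if d.Mode == Production {
		return ErrNotPermitted
	}
	d.TamperOn = false
	return nil
}

// ShowKey reveals the key in clear; a production unit refuses.
func (d *Device) ShowKey() (string, error) {
	if d.Mode == Production {
		return "", ErrNotPermitted
	}
	return fmt.Sprintf("%x", d.pinKey), nil
}

// EnterKeyManually loads a key typed on the keypad; production units accept keys only through the manufacturer's injection process.
func (d *Device) EnterKeyManually(key []byte) error {
	if d.Mode == Production {
		return ErrNotPermitted
	}
	if len(key) != 16 {
		return errors.New("key must be 16 bytes")
	}
	d.pinKey = append([]byte(nil), key...)
	return nil
}

// MaskTrack2 keeps the first 6 and last 4 PAN digits of a track-2 read and drops everything after the field separator.
func MaskTrack2(track2 string) (string, error) {
	pan := strings.TrimSuffix(strings.TrimPrefix(track2, ";"), "?")
	if i := strings.IndexByte(pan, '='); i >= 0 {
		pan = pan[:i]
	}
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("track data does not contain a valid PAN")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// DisplayTrack returns what the display or printer may output for a card read: the full track in development, at most a masked PAN in production.
func (d *Device) DisplayTrack(track2 string) (string, error) {
	if d.Mode != Production {
		return track2, nil
	}
	return MaskTrack2(track2)
}

// LabChecklist attempts each forbidden operation with constructed inputs and reports the ones the device allowed; a production unit must return none.
func LabChecklist(d *Device) []string {
	var allowed []string
	if d.DisableSecurity() == nil {
		allowed = append(allowed, "security features can be disabled")
	}
	out, err := d.DisplayTrack(";4111111111111111=25121011234567890?") // constructed test track
	if err == nil && strings.Contains(out, "4111111111111111") {
		allowed = append(allowed, "complete card track can be displayed")
	}
	if _, err := d.ShowKey(); err == nil {
		allowed = append(allowed, "encryption key can be viewed")
	}
	if d.EnterKeyManually([]byte("0123456789abcdef")) == nil {
		allowed = append(allowed, "encryption key can be entered manually")
	}
	return allowed
}

func main() {
	key := []byte("constructed-key!") // 16 bytes
	fmt.Println("production allowed:", LabChecklist(NewDevice(Production, key)))
	fmt.Println("development allowed:", LabChecklist(NewDevice(Development, key)))
}
```

The mode check sits inside each privileged operation rather than in a host-side menu, so a production unit refuses the command whatever software or serial console issues it.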
6.1.7 ABECS 07 Requirements

Type: Physical

Description:
It must not be possible to access the terminal's magnetic card reader through existing holes, or holes created in the housing, without this being evidenced either by visible changes to the terminal's cabinet or by activation of the security mechanism.

The following must be protected:

1. Magnetic head connectors, both on the head itself and at the magnetic head connector on the equipment board;
2. Chip reader connectors;
3. Any electronic component, such as resistors, transistors and board test points, through which cardholder data can pass before it reaches the cryptographic processor.

Evaluation criteria:
If the laboratory is able to access the area where the magnetic card reader is installed without visible changes to the cabinet or terminal block, it must demonstrate data capture from this point.

Evidence must be collected as follows:

a) Installation of a parallel device on the card readers or on their connectors.
b) Installation of devices at points on the board that can capture cardholder data.
c) Demonstration of the log of the information captured by the parallel device.
d) Demonstration of whether the information is readable or encrypted.
Note: For the chip reader, insertion tests through the reader's slot, simulating a card, will not be considered valid.
