Watchdata W9110 Security Policy Production Name: W9110 Production Version: 0.9
2/18 Table of Contents TABLE OF CONTENTS... 2 1. DOCUMENT INFORMATION...3 1.1 EVOLUTION FOLLOW-UP...3 1.2 ACRONYMS & TERMS... 3 1.3 REFERENCE... 3 2. INTRODUCTION... 5 3. GENERAL DESCRIPTION... 6 3.1 PRODUCTION OVERVIEW...6 3.2 PRODUCTION IDENTIFICATION... 7 3.3 COMMUNICATION METHODS AND PROTOCOLS... 7 4. GUIDANCE...8 4.1 INSTALLATION AND ENVIRONMENT... 8 4.2 EQUIPMENT... 8 4.2.1 USB Cable... 8 4.2.2 Power... 8 4.2.3 Equipment debugging and operation... 8 4.2.4 Environment Conditions and Environmental Failure Protection...9 4.2.5 Self-Tests... 9 4.3 DECOMMISSIONING/REMOVAL...9 4.4 PIN CONFIDENTIALITY... 9 4.5 PERIODIC INSPECTION... 10 5. PRODUCT HARDWARE SECURITY...11 5.1 TAMPER RESPONSE EVENT... 11 5.2 ENVIRONMENT CONDITIONS AND ENVIRONMENTAL FAILURE PROTECTION...11 6. PRODUCT SOFTWARE SECURITY...12 6.1 SOFTWARE DEVELOPMENT GUIDANCE...12 6.2 FIRMWARE, SOFTWARE AND CONFIGURATION PARAMETERS UPDATE... 12 6.3 SOFTWARE AUTHENTICATION...12 6.4 UPDATE AND PATCH MANAGEMENT... 13 6.5 SELF-TESTS... 13 7. SYSTEM ADMINISTRATION... 14 7.1 CONFIGURATION SETTINGS... 14 7.2 DEFAULT VALUE UPDATE... 14 8. KEY MANAGEMENT... 15 8.1 KEY MANAGEMENT TECHNIQUES...15 8.2 TRANSFER KEY/MASTER KEY/SESSION KEY...15 8.3 DUKPT KEY... 15 8.4 CRYPTOGRAPHIC ALGORITHMS... 15 8.5 KEY TABLE... 15 8.6 KEY REPLACEMENT...16 8.7 KEY LOADING POLICY...16 8.8 KEY LIFETIME... 17 9. ROLES AND SERVICES... 18
3/18 1. Document Information 1.1 Evolution follow-up Revision Type of modification Date 0.1 Document creation 2017-1-9 0.2 Update Key Table Remove fixed key description 2017-3-19 0.3 Update reference Update section 6.1, 6.2, 7.2 & 8.7 2017-4-3 0.4 Update section 3.2 2017-4-17 0.5 Update section 7 2017-5-5 0.6 Update section 6.1 2017-5-27 0.7 Update section 3.2 Update section 6.2 2017-6-8 0.8 Update section 3.3 Update section 6.1 2017-6-9 0.9 Update section 3.1 2017-7-13 1.2 Acronyms & Terms Abbreviation DUKPT N/A PED PIN RSA SHA TDES IC Card RF Card SK Description Derived Unique Key Per Transaction Not Applicable PIN Entry Device Personal Identification Number Rivest Shamir Adelman Algorithm Secure Hash Algorithm Triple Data Encryption Standard Integrate Circuit Card Radio Frequency Card Session Key 1.3 Reference [1] ANS X9.24 1:2009, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques [2] ANS X9.24 Part 2: 2006, Retail Financial Services Symmetric Key Management Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys [3] X9 TR-31 2010, Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms [4] ISO 9564-1, Financial services-personal Identification Number (PIN) management and security Part 1: Basic principles and requirements for PINs in card based systems
4/18 [5] ISO 9564-2, Banking-Personal Identification Number management and security Part 2: Approved algorithms for PIN encipherment [6] Device Default Settings Overview [7] Firmware Update User Manual
5/18 2. Introduction This document addresses the proper use of the POI in a secure manner including information about keymanagement responsibilities, administrative responsibilities, device functionality, identification and environmental requirements. The use of the device in an unapproved method, as describe on the security policy, will violate the PCI PTS approval of the device.
6/18 3. General description 3.1 Production Overview W9110 is a new generation of intelligent wireless POS with touch screen and high-speed communications. This product is mainly for indoor usage, its target merchant are the restaurants, entertainment, chain stores, supermarkets, E-commerce and so on. W9110 is configured with ARM Cortex-A53 quad-core processor to provide powerful processing capabilities. This product integrates MSR Card Reader, IC Card Reader, Contactless Card Reader, SAM Card Reader and high performance thermal printer. And it can deal with diversified financial transactions. W9110 supports various wireless communication such as GSM, CDMA, CDMA2000, TDSCDMA, WCDMA, LTE, WIFI, Bluetooth and GPS. Figure 1 W9110 Appearance W9110 Configuration Configuration Barcode Function 1D barcode 2D barcode Camera 2M Pixels 2G/3G/4G Wireless communication GPS WIFI + BT
7/18 3.2 Production Identification The product name and hardware version are printed on a label on the device. Figure 2 Device Label The merchant or acquirer must visually inspect the terminal when received via shipping, as it is described in the user manual. For example, the merchant or acquirer should inspect the terminal to ensure that: There is no evidence of unusual wires that have been connected to any ports of the terminal, There is no shim device in the of the ICC acceptor To examine the firmware version, after POS boot up, enter into Settings - About terminal - Firmware version. 3.3 Communication methods and protocols Communication methods: USB, 2G/3G/4G, WIFI, GPS, BLUETOOTH Communication protocols: TCP/IP stack, SSL/TLS, PPP
8/18 4. Guidance 4.1 Installation and Environment Please ensure the terminal installation in favor of merchants and cardholders have very convenient level, as close as possible to the power socket. Terminal should stay away from all sources of heat, to prevent vibration, dust, moisture and electromagnetic radiation (such as a computer screen, motor, security facilities etc.). The wireless terminal please pays attention away from electromagnetic radiation complex place when in use. Be sure that terminal is used in an attended way. 4.2 Equipment 4.2.1 USB Cable The USB of W9110 for the Micro USB interface, with the need to use USB cable suitable. The cable specifications and methods of use, can consult the WATCHDATA customer service, in order to get professional help. 4.2.2 Power Take out the power supply in a packaging box, the DC plug into the power socket, as shown in figure 2: Figure 3 Power Socket Specification of power supply: Input: 100 to 240V AC, 50 Hz /60Hz Output: 10V 1A 4.2.3 Equipment debugging and operation (1) Power supply socket terminal is connected; check the line of communication, SAM card, SIM card is connected. (2) Press the power button, to observe whether the terminal starts. (3) Do test run after the equipment installed to ensure the device installed successfully.
9/18 4.2.4 Environment Conditions and Environmental Failure Protection The environmental conditions to operate the device are specified in the user manual. The security of the device is not compromised by altering the environmental conditions (e.g. subjecting the device to temperature or operating voltages outside the stated operating ranges does not alter the security). 4.2.5 Self-Tests Self tests are performed upon start up/reset. In order to reinitialize memory, the device will reboot in 24 hours after it starts up. Self-tests are not initiated by an operator. 4.3 Decommissioning/Removal When the device is no longer used for permanent decommissioning reason, the administrator of the device needs to gather the device and then erase all the key materials on it. It can be done by directly dis-assemble the device to make it tampered. For the temporary removal, there is no need to change the state of the device, as all the keys are still protected safely by the main board hardware tamper mechanism. 4.4 PIN Confidentiality W9110 is a hand-held device; it is required to provide cardholders with the necessary privacy during PIN entry. For example, the device will demonstrate a safe PIN-entry process how to entry PIN. This message reminds cardholder that he can use his own body or their free hand to block the view of keypad. Figure 4 Safe PIN Entry Logo Example
10/18 4.5 Periodic Inspection The merchant or acquirer should daily check that the keypad is firmly in place. Such checks would provide warning of any unauthorized modification to the terminal, and other suspicious behavior of the terminal. The merchant or acquirer should also check that the installation/maintenance operations are performed by a trusted person. Especially check if the ICC reader slot is damaged, such as abrasion, painting and other machining marks, and if there is any suspicious object like lead wire over ICC reader slot, or any unknown object inside IC card. If you find these suspicious circumstances, please stop using the device immediately and contact the customer service to confirm if the device has been tampered with.
11/18 5. Product Hardware Security 5.1 Tamper Response Event The device contains tamper mechanisms that will trigger when a physical penetration attempt of the device is detected. A merchant or acquirer can easily detect a tampered terminal: Device shows a dialog to notify that PED TAMPERD!, after close it,then turn to Non-activated mode. Any physical penetration will result in a tamper event. This event causes the activation of tamper mechanisms that make the device out of service. There are two separate modes in which the device can be: Activated mode: the device is fully operational. Non-activated mode: the device is tampered, not operating and needs reactivation after maintenance and security checks. 5.2 Environment Conditions and Environmental Failure Protection The environmental conditions to operate the device are specified in the user manual. The security of the device is not compromised by altering the environmental conditions (e.g. subjecting the device to temperature or operating voltages outside the stated operating ranges does not alter the security).
12/18 6. Product Software Security 6.1 Software Development Guidance During the software development, the following steps must be implemented: 1. Code Review. 2. Security review and audit 3. Module test 4. Source code management and version control 5. Software test 6. Signature For SSL application, the developer must respect the SSL security guidance, it is important to note SSL is inherently weak and should be removed, but considering the SSL server still exist in the world, in order to compatible, we temporarily keep SSL as non-financial applications use. In addition, Our SSL only as the client, so we strongly recommend a server disables SSL protocol, select TLS1.2 or higher. For more secure, mutual authentication is recommended. The SSL/TLS version supported in this device shown as following table: SSL/TLS Capability Version SSL v3 TLS v1.0, v1.1, v1,2 Refer to the document Software Development Guidance. 6.2 Firmware, Software and Configuration Parameters Update Updates and patches can be loaded in the device. They are cryptographically authenticated by the device. If the authenticity is not confirmed, the update or patch is rejected. Prompts updates are security related and any security related firmware changes will cause firmware version update. The update package transfer over-the-air (OTA) via the HTTPS protocol. Refer to the document Firmware Update User Manual. 6.3 Software Authentication Application code is authenticated before being allowed to run. The certificate and signature of the application code is verified. The certificate and signature are based on couples of RSA keys. The authenticity is guaranteed by a certificate emitted by WATCHDATA. SHA256 is used to compute the digest of software. RSA 2048 bit key is used for signature verification. The application managers must implement a full source code review to make sure that the application does not have one of following behaviors: PIN entry prompt while the keypad digit is displayed in plain-text. Not using the correct security mechanism and APIs recommended in the user guidance for PIN entry. Storing or outputting any card holder s account data without his/her authorization.
13/18 It is recommended that the application source code review and signing process is executed by at least two persons and that an audit log is recorded for future trace back. 6.4 Update and patch management The device supports both local and remote methods for updating or patching the software, the firmware, and the configuration parameters. 1. The patch must be Security reviewed and audited before releasing. 2. The patch must be tested before releasing. 3. The patch must be digital signed before releasing. 4. The downloaded patch is stored in the temporary directory of the device, then the device uses digital signature to authenticate the patch. If the patch is illegal, the device will delete it. 6.5 Self-Tests Self tests are performed upon start up/reset. In order to reinitialize memory, the device will reboot in 24 hours after it starts up. Self-tests are not initiated by an operator.
14/18 7. System Administration 7.1 Configuration Settings The device need to configure when received by key-loading facility. About the configuration settings of admin and key-loading operator password, please refer to the Device_Default_Settings_Overview. The device is functional when received by the merchant or acquirer. No security sensitive configuration settings are necessary to be tuned by the end user to meet security requirements. 7.2 Default Value Update The device default value (e.g. admin password, key loading operator passwords) should be updated before load keys or activate device. About the default value update flow, please refer to the document Device_Default_Settings_Overview. The device is functional when received by the merchant or acquirer and there is no security sensitive default value (e.g. admin password) that needs to be changed before operating the device.
15/18 8. Key Management Device support multi acquirers, each acquirer is assigned a separate key store area (KAP) by the owner of device. Each KAP supports key management techniques described below. 8.1 Key Management Techniques The device implements different types of key management techniques: TLK/Master Key/Session Key: a method using a hierarchy of keys. The session keys are unique per transaction as specified in [2]. DUKPT: a key management technique based on a unique key for each transaction as specified in [2]. Use of the terminal with a key-management system other than these two above will invalidate any PCI approval of the terminal. 8.2 Transfer Key/Master Key/Session Key A acquirer s TLK/MK/SK hierarchy can be used in a KAP. MK also named TMK in this device. SK is session key, including TPK/TAK/TEK/TDK/TTK commonly. SEK is used to encrypt/decrypt MK and SK stored in FLASH. MK is used to encrypt session keys transferred. TLK is used to encrypt MK transferred. The session keys can be divided into three types: TPK (Terminal Pin Encryption Key), TAK (Terminal MAC Calculating Key) and TDK(Terminal Data encryption Key). 8.3 Dukpt Key Acquirer downloads initial key in the secure room. Then it will generate 21 future keys under the ANSI X9.24 future key generate algorithm. Every future key can be divided into two parts: One part is used as TPK (Pin Encryption Key); the other part is used as TAK (MAC Calculating Key). 8.4 Cryptographic Algorithms The device includes the following algorithms: 1. RSA(Signature verification, 2048 bits) 2. SHA-256 3. Triple DES 8.5 Key Table Key Name Purpose/Usage Algorithm Size (bits) Storage TLK Terminal load Key. TDES 128/192 Flash
16/18 TMK Terminal Master Key. TDES 128/192 Flash TPK in MK/SK System Terminal PIN Key TDES 128/192 Flash TAK in MK/SK System Terminal MAC Key TDES 128/192 Flash TEK in MK/SK System Terminal Encrypt Data Key TDES 128/192 Flash TDK in MK/SK System Terminal Decrypt Data Key TDES 128/192 Flash TTK in MK/SK System Terminal Track Encrypt Key TDES 128/192 Flash TIK in DUKPT DUKPT Initial Key TDES 128/192 Flash DUKPT Future Key DUKPT Future Key TDES 128/192 Flash Table 1 Triple DES keys 8.6 Key Replacement Any key should be replaced with a new key whenever the compromise of the original key is known or suspected, and whenever the time deemed feasible to determine the key by exhaustive attack elapses. 8.7 Key Loading Policy The device does not propose manual cryptographic key entry. Specific tools, compliant with key management requirements, shall be used for key loading. The plain-text key (including TLK, TMK and DUKPT Initial Key) loading process must be implemented in a secure room of acquirer and strictly protected under the following dual control and split knowledge techniques. Dual control: The key loading process is strictly authorized and controlled by at least two persons. An identification and authentication is performed first to make sure they are the right operator for the key loading. Eight bytes of password is used in the key loader to authenticate the operator. Split knowledge: The initial plain-text key can never be mastered by only one person. It is divided into two full-length key components and controlled by two different persons. Each person is required to input his key component into the key loader separately.
17/18 The encrypted key loading is controlled by the acquirer through remote network. For DUKPT method, transaction keys are automatically generated, so no encrypted keys are needed to load. Refer to Device_Default_Settings_Overview, the Default TLK example should not be load. 8.8 key lifetime The key lifetime is controlled by Acquirer. Suggestions from the Manufacturer are: The maximum lifetime of TLK is suggested to be 2 years. The maximum lifetime of TMK is suggested to be 2 years. The maximum lifetime of SK (TPK/TAK/TEK/TDK/TTK) is suggested to be 1 day. The maximum lifetime of DUKPT cannot exceed 1million transactions.
18/18 9. Roles and services The device has no functionality that gives access to security sensitive services, based on roles. Such services are managed through dedicated tools, using cryptographic authentication.