Ezetap V3 Security policy
Document changes

Date         Version   Description
01 Feb 2015  Draft     Initial document
08 Sep 2015  0.1       Added key management
22 Sep 2015  0.2       Specified security settings configuration
Ezetap Mobile solutions Pvt, Ltd.

Contents

1. Scope of the document
2. Glossary of words
3. Introduction
4. Product overview
5. Product operational environment
6. Product specifications
7. Product outline
8. Product decommission (TB20.4)
9. Privacy shield (Appendix A.2 of DTR, DTR20.5)
10. Key management (TB20.5)
11. Cryptographic algorithms (TB20.6)
12. Key loading
13. Display prompts management (B4, DTR B16, TB20.7)
14. Default values (TB20.8)
15. Shim inspection and detection (TB20.9)
16. Software development guidance (TB20.10)
17. Tamper response (TB20.11)
18. Key compromise detection (TB20.12)
19. Commission and authentication of the device (TB20.14)
20. Self test (TB20.15)
21. Roles and services of the device (TB20.16)
22. Version identification (TB20.17)
23. Environmental failure detection (TB20.18)
24. Local and remote patch update (TB20.19)
25. Sources of vulnerability (TB3.11)
26. Code review and security testing (TB3.12)
27. Firmware release to production (TB3.13)
1. Scope of the document

This security policy document from Ezetap addresses the proper use of the POI in a secure fashion, including information on key management responsibilities, administrative responsibilities, device functionality, identification, and environmental requirements. The security policy defines the roles supported by the POI and indicates the services available for each role in a deterministic format. The POI is capable of performing only its designed functions, i.e., there is no hidden functionality. Only approved functions are performed by the POI. The policy includes all configuration settings necessary to meet the security requirements of PCI PTS POI DTRs v4.1. It includes procedures for the decommissioning of devices that are removed from service, including the removal of all keying material that could be used to decrypt any sensitive data processed by the device. The procedures differentiate between temporary and permanent removal.

2. Glossary of words

CVV    Card Verification Value (Visa and Discover payment cards)
CVC    Card Validation Code (MasterCard payment cards)
CAV    Card Authentication Value (JCB payment cards)
CSC    Card Security Code (American Express)
DSS    Data Security Standard
PAN    Primary Account Number
PED    PIN Entry Device
POI    Point Of Interaction
DPRNG  Deterministic Pseudo Random Number Generator
SHA    Secure Hash Algorithm
TDES   Triple DES (Data Encryption Standard)
RSA    Rivest Shamir Adleman asymmetric encryption algorithm
SSL    Secure Sockets Layer
PIN    Personal Identification Number
RKI    Remote Key Injection
PKI    Public Key Infrastructure
BDK    Base Derivation Key
3. Introduction

This document addresses the vendor's response to Section B20 of the PCI PTS POI Evaluation Vendor Questionnaire and to Requirement B20 of the PCI PTS POI Security Requirements.

4. Product overview

The Ezetap V3 is a handheld mPOS device (POI + PED) that supports PIN entry for credit and debit transactions in an attended environment only. The device accepts MSR, ICC and NFC transactions and communicates externally over Bluetooth Classic and micro USB; the USB port operates in both OTG and device mode. It has a secure capacitive touch keypad and a monochrome graphic display with 128 x 64 resolution.

5. Product operational environment

The Ezetap V3 is intended to be used as a handheld mPOS device in an attended environment. Use of the device in an unattended environment violates the PCI PTS approval of the device.

6. Product specifications

Feature                          | V3
Device type                      | PED
Card reader                      | Magnetic stripe card reader (Tracks 1, 2 and 3); contact EMV chip card reader
Authentication                   | Signature, PIN
PIN entry                        | Secured keypad with capacitive touch technology
Device certification             | EMV L1 and L2
Pairing media                    | USB (device and OTG); Bluetooth (Class 2.1, EDR, ...)
Display                          | Graphic OLED (128 x 64); GLCD (optional)
Weight (g)                       | 92
Physical dimensions (mm, H x W x L) | 12 x 64 x 118 (volume: 91 cc)
Charge cycles                    | 400 to 500
Battery, Li-Po (mAh)             | 500
Charging time (h)                | 2.5
Active time                      | 5 days or 250 continuous transactions (?)
Charger type                     | 5 V, 500 mA, standard Micro-B plug
Platform                         | ARM M4, 120 MHz, 1 MB flash
Dual USB to charge mobile        | Yes
Haptic feedback                  | Vibrator
Buzzer                           | 4 kHz beep
7. Product outline

[Figures: top view; side view showing the MSR slot; bottom view. Label and version information are on the back panel.]
8. Product decommission (TB20.4)

The device can be decommissioned temporarily or permanently. The server can decommission the device for a temporary period whenever needed; during temporary decommission the device keys remain protected in secure RAM backed by a dedicated primary battery. Permanent decommission is achieved by triggering the device's tamper mechanisms: in a tamper event the device erases all keys and sensitive information and is no longer in service.

9. Privacy shield (Appendix A.2 of DTR, DTR20.5)

Since the Ezetap V3 is operated in an attended environment, it is not supplied with any add-on parts such as privacy shields, stands or additional card readers. Ezetap instructs the user to protect their PIN by discouraging visual observation and being mindful of cameras pointed at the keypad and similar threats.

10. Key management (TB20.5)

The Ezetap V3 encrypts the PIN and other sensitive information using the Master Key/Session Key key management technique. Each PIN block is double encrypted using a session key that is unique per transaction. TDES (112-bit) is the encryption method for PINs and other sensitive data. Whenever compromise of the original key is known or suspected, and whenever the time deemed feasible to determine the key by exhaustive attack has elapsed, the device must be shipped back to Ezetap or a certified customer care agency. Use of the POI with a different key management system invalidates the PCI approval of this POI.

11. Cryptographic algorithms (TB20.6)

Key name                                   | Purpose                                                                  | Algorithm | Size (bits)
Key Encrypting Key (KEK)                   | Encrypts all secret keys stored in the device                            | AES       | 128
MSR Encryption Key (MEK)                   | Encrypts MSR data sent from the MSR PCB to the secure processor          | AES       | 128
CPU_ID                                     | Establishes secure communication with the server                         | AES       | 128
Data Session Key (DSK)                     | Establishes secure communication with the server                         | TDES      | 112
Terminal Master Key (TMK)                  | Decrypts the AMK loaded into the device                                  | TDES      | 112
Acquirer Master Key (AMK)                  | Encrypts/decrypts acquirer session keys                                  | TDES      | 112
Acquirer PIN Encryption Key (APK)          | Encrypts PINs                                                            | TDES      | 112
Acquirer Account Data Encryption Key (AADK)| Encrypts PANs                                                            | TDES      | 112
Server Session Key (SSK)                   | Encrypts the already-encrypted PIN and PAN data sent to the server       | TDES      | 112
Server Public Key (SPK)                    | Encrypts outbound data packages from the device for secure communication | RSA       | 2048
Firmware Update Root Public Key            | Verifies the signature of the Firmware Update Public Key                 | RSA       | 2048
Firmware Update Public Key                 | Verifies firmware updates                                                | RSA       | 2048
Certificate Authority Public Keys          | Authentication during ICCR transactions                                  | RSA       | Varies
ICC Keys                                   | Used during EMV transactions                                             | RSA       | Varies

12. Key loading

Keys are loaded through an authenticated, secure process carried out in a controlled environment. The device does not accept manual cryptographic key entry. The automated process does not reveal any sensitive information at any stage of the device life cycle (manufacturing, operation, maintenance). The key loading tool meets the key management requirements.

13. Display prompts management (B4, DTR B16, TB20.7)

The Ezetap V3 does not support prompts for non-PIN data or entry of non-PIN data on the keypad. Vendor-stored text prompts are held in the cryptographic unit and no external access is allowed. Audio and haptic feedback prompts are static and bear no relation to any sensitive information. The device allows firmware updates; it cryptographically authenticates the firmware, and if authenticity is not confirmed the update is rejected and deleted.

14. Default values (TB20.8)

The device does not implement password-based authentication, so there are no default passwords for end users to set or update.

15. Shim inspection and detection (TB20.9)

The following inspections must be performed on the ICC reader (ICCR) daily and before using a chip card with the ICCR:

- Check the outside enclosure to verify that it is the right product.
- Check that there are no signs of modification, damage, cutting, or adhesive.
- Check that there is no evidence of unusual wires having been connected to the ICCR inside.
- Check that there is no shim device in the slot of the ICC acceptor.
- Check that there is no resistance when inserting the card.
- The card is inserted parallel to the display (see Section 7 above). When the card is inserted into the ICC slot, roughly two thirds of the card remains exposed and the front of the card (with the name) faces up.

These inspections should be performed in a well-lit environment or using a light source.
16. Software development guidance (TB20.10)

The Ezetap V3 firmware implements the security measures and functions required to meet the PCI security requirements for authenticated firmware. The core certified functionality of the firmware includes:

- Key management system, key loading and cryptographic functions
- Open protocol: physical interface and communication protocol
- SRED as the secure method for data exchange

17. Tamper response (TB20.11)

The Ezetap V3 contains tamper mechanisms. On tamper detection the device enters the halt state and is locked, with the SYSTEM HALT message displayed on the screen. In this case contact your technical service partner or Ezetap.

18. Key compromise detection (TB20.12)

Whenever compromise of the original key is known or suspected, and whenever the time deemed feasible to determine the key by exhaustive attack has elapsed (as defined in NIST SP 800-57 Part 1), the compromised device must be shipped back to Ezetap to have a valid new key loaded.

19. Commission and authentication of the device (TB20.14)

Each Ezetap V3 has a unique identification number (shown on the device label, see Section 22 below) which is registered with the Ezetap server when the device is dispatched from the factory. At initial commissioning and initialization, the device receives a set of bank keys from the bank server after being authenticated by the Ezetap server. It is not possible to commission an unauthorized device.

20. Self test (TB20.15)

The Ezetap V3 automatically runs its self-test routines at power on. The self tests include:

- Valid authentication by the boot firmware
- Checking the hardware security mechanisms for signs of tamper
- Key integrity check
- Self integrity check
- Keypad and MSR integrity check

Every 24 hours the device reboots automatically. If a failure is detected during self-testing, the device shows a warning message and becomes inoperable. The device will not allow any operation in this fault state.
21. Roles and services of the device (TB20.16)

21.1. Roles

The user should refer to the user manual before installing this device. The package consists of the following items:

- Device
- Power cable
- User manual
- OTG cable

All software is installed before delivery to the end user. The user starts with the "prepare device" step, which fetches the latest keys into the device.

21.2. Services

The secure mPOS services are:

- Acceptance of MSR and ICC transactions
- Encryption of PIN and sensitive information
- Protection of sensitive information from unauthorized access
- Integrity of data and services
- Secure communication between the user interface and the remote server

22. Version identification (TB20.17)

The serial number and the hardware and firmware versions of the Ezetap mPOS are independently identified on the sticker on the back of the product.

23. Environmental failure detection (TB20.18)

The Ezetap mPOS is rated for a storage temperature range of 22 to +100 °C and an operating temperature of up to 50 °C. Use of the product beyond the specified range causes the environmental failure protection mechanisms to trigger. Any warning indication should be referred to Ezetap technical support.

24. Local and remote patch update (TB20.19)

Device firmware upgrade is accomplished by an authenticated local or remote process. The authenticity and integrity of the firmware are verified during patch or firmware upgrades. An unauthorized firmware upgrade is not possible.
25. Sources of vulnerability (TB3.11)

No vulnerability was found for the Ezetap V3 device firmware in national public vulnerability databases.

26. Code review and security testing (TB3.12)

The Ezetap V3 device firmware has been reviewed by technical experts who were not among the authors of the POI code.

27. Firmware release to production (TB3.13)

The Ezetap V3 device firmware is reviewed for every change and qualified before being released to production.