AS 2805.14.2-2003

1 - AS 2805.14.2-2003 ELECTRONIC FUNDS TRANSFER-REQUIREMENTS FOR INTERFACES - SECURE CRYPTOGRAPHIC DEVICES (RETAIL)-SECURITY...
4 - PREFACE
6 - CONTENTS
7 - 1 Scope
7 - 2 Normative references
8 - 3 Terms and definitions
8 - 3.1 accredited evaluation authority
8 - 3.2 attack
8 - 3.3 audit report
8 - 3.4 audit review body
8 - 3.5 auditor
8 - 3.6 device security
8 - 3.7 evaluation agency
8 - 3.8 evaluation report
8 - 3.9 evaluation review body
8 - 3.10 formal claims
8 - 3.11 logical security
8 - 3.12 operational environment
9 - 3.13 physical security
9 - 3.14 secure cryptographic device SCD
9 - 3.15 secure operator interface
9 - 3.16 security compliance checklist
9 - 3.17 sensitive data sensitive information
9 - 3.18 sensitive state
9 - 3.19 software
9 - 3.20 sponsor sponsoring authority
9 - 3.21 tamper-evident characteristic
9 - 3.22 tamper-resistant characteristic
9 - 3.23 tamper-responsive characteristic
9 - 4 Use of security compliance checklists
9 - 4.1 General
10 - 4.2 Informal evaluation
10 - 4.3 Semi-formal evaluation
10 - 4.4 Formal evaluation
10 - 5 Summary
11 - Annex A - Physical, logical and device management characteristics common to all secure cryptographic devices
11 - A.1 General
11 - A.2 Device characteristics
15 - A.3 Device management
18 - Annex B - Devices with PIN entry functionality
18 - B.1 General
18 - B.2 Device characteristics
19 - B.3 Device management
21 - Annex C - Devices with PIN management functionality
21 - C.1 General
21 - C.2 Device characteristics
22 - C.3 Device management
23 - Annex D - Devices with message authentication functionality
23 - D.1 General
24 - D.2 Logical security device characteristics
25 - Annex E - Devices with key generation functionality
25 - E.1 General
25 - E.2 Device characteristics
27 - E.3 Device management
28 - Annex F - Devices with key transfer and loading functionality
28 - F.1 General
28 - F.2 Device characteristics
30 - F.3 Device management
32 - Annex G - Devices with digital signature functionality
32 - G.1 General
32 - G.2 Device management
34 - Annex H - Categorization of environments
34 - H.1 General
34 - H.2 Uncontrolled environments
34 - H.3 Minimally controlled environments
34 - H.4 Controlled environments
35 - H.5 Secure environments

This Standard provides a security compliance checklist for evaluating secure cryptographic devices (SCDs) used in magnetic stripe systems in accordance with AS 2805.14.1:2000.

This part of ISO 13491 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes, as specified in ISO 9564, ISO 9807 and ISO 11568, in a magnetic stripe card environment. It does not specify checklists for SCDs used in an integrated circuit card (ICC) environment.This part of ISO 13491 does not address issues arising from the denial of service of a SCD.In the checklists given in annexes A to H, the term “not feasible” is intended to convey the notion that although a particular attack might be technically possible it would not be economically prudent, since carrying out the attack would cost more than any benefits obtained from a successful attack. In addition to attacks for purely economic gain, malicious attacks directed toward loss of reputation need to be considered.

First published as AS 2805.14.2-2003.