
Wisepad2 Security Policy

VERSION 2.7

November 17


Table of Content

1 Introduction ...... 4
1.1 Purpose and Scope ...... 4
1.2 Audience ...... 4
1.3 Reference ...... 4
1.4 Glossary of Terms and Abbreviations ...... 5
2 General Information ...... 6
2.1 Product Type ...... 6
2.1.1 Mobile Host Mode ...... 6
2.1.2 Stand-alone Mode ...... 6
2.2 Product Functionality ...... 7
2.2.1 Card Interface ...... 7
2.2.2 Communication Interface ...... 7
2.2.3 User Interface ...... 8
3 Product Identification ...... 9
3.1 Product Appearance ...... 9
3.2 Product Label ...... 10
3.2.1 Current Version ...... 11
3.3 Information Display ...... 11
3.4 PCI Listing ...... 11
4 Guidance ...... 12
4.1 Delivery and Deployment Inspection ...... 12
4.2 Regular Inspection ...... 12
4.3 Operation Environment ...... 12
4.4 Firmware and Configuration Maintenance ...... 13
4.4.1 Self-check ...... 13
4.4.2 Firmware/Application Update ...... 13
4.5 Hardware Security ...... 13
4.6 Software development ...... 13
5 Cryptography and Key Management ...... 14
5.1 Cryptographic Algorithms ...... 14
5.2 Key Management ...... 14
5.3 Key Table ...... 14
5.4 Key Decommissioning and Replacement ...... 15

WisePad2 Security Policy 2/17

5.5 Key Loading ...... 15
5.5.1 Manual Key Component Loading ...... 15
5.5.2 Remote Key Distribution ...... 15
5.5.3 Service Centre Loading ...... 15
5.6 Configuration ...... 15
6 Administrative Responsibilities ...... 16
7 Environmental Requirements ...... 17


1 Introduction

1.1 Purpose and Scope

This security policy applies to the Wisepad2 terminal, which is PCI PTS version 4.0 POI approved. It addresses the proper use of WisePad2 in a secure fashion. Improper use of WisePad2 will lead to non-compliance with the PCI PTS POI Security Requirements version 4.1.

1.2 Audience

This policy is intended for site administrators, managers, operators and technicians who can access the device during normal business operations and maintenance operations.

1.3 Reference

[1] ANSI X9.24-1:2009, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques
[2] ANSI X9.24 Part 2:2006, Retail Financial Services Symmetric Key Management Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys
[3] ANSI X9.8, Banking - Personal Identification Number Management and Security - Part 1: PIN protection principles and techniques for online PIN verification in ATM & POS systems
[4] ANSI X9 TR-39/TG-3, Retail Financial Services Compliance Guideline - Part 1: PIN Security and Key Management
[5] Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Security Requirements, Version 4.0, June 2013
[6] Payment Card Industry (PCI) PIN Transaction Security (PTS) Device Testing and Approval Program Guide, Version 1.4, March 2014
[7] BBPOS C Programming Coding Style, version 0.3


1.4 Glossary of Terms and Abbreviations

AES – Advanced Encryption Standard, a data encryption/decryption standard to supersede DES and TDES
ATM – Automatic Teller Machine, an unattended terminal for banking operations
DES – Data Encryption Standard, a data encryption/decryption standard
DUKPT – Derived Unique Key Per Transaction, a symmetric key management standard
EMV – Europay MasterCard Visa, an entity governing ICC payment
GPRS – General Packet Radio Service, a data service on 2G and 3G cellular communication systems
ICC – Integrated Chip Card, aka Smartcard
KDH – Key Distribution Host
LED – Light Emitting Diode
NFC – Near Field Communication, a short-range wireless communication standard
MAC – Message Authentication Code, a cryptographic digital digest of a message
OTA – Over-the-Air, used to denote a remote operation such as a remote firmware update
PCI – Payment Card Industry, an entity governing the security level of payment devices
PED – PIN Entry Device
PIN – Personal Identification Number, a 4-12 digit numeric password associated with a payment card
POI – Point of Interaction
POS – Point of Sale, referring to the terminal used to process the payment
PTS – PIN Transaction Security
RSA – Rivest-Shamir-Adleman Algorithm, an asymmetric encryption/decryption standard
TDES – Triple DES, a symmetric key encryption/decryption standard based on DES
TMS – Terminal Management System
USB – Universal Serial Bus


2 General Information

2.1 Product Type

WisePad2 is a mobile Point of Sale (mPOS) payment device for payment processing in an attended environment. There are two modes of operation.

2.1.1 Mobile Host Mode
When used in conjunction with a mobile phone or tablet, the mobile host device and the WisePad2 together act as a payment processing terminal at the point of interaction. The operation flow is partially controlled by the mobile host device and partially by the WisePad2.

2.1.2 Stand-alone Mode
When used in stand-alone mode, the WisePad2 alone acts as the payment processing terminal. The operation flow is controlled solely by the WisePad2.


2.2 Product Functionality

2.2.1 Card Interface
WisePad2 is equipped with the following payment card interfaces:

• Magnetic Stripe Reader
• ICC/EMV Contact Card Reader
• NFC/EMV Contactless Card Reader

WisePad2 also has a built-in Secure Key Pad for entry of the PIN associated with the payment card. The PIN Pad can also be used for entering other data such as the transaction amount.

2.2.2 Communication Interface
In mobile-host mode, WisePad 2 can communicate with the mobile host device through one of the following interfaces:

• Bluetooth
  o Version 2.1
  o Profile L2CAP
  o Secure mode: Mode 4 with SSP passkey
  o Authentication method: passkey only
  o Application profiles: SSP
• Audio Jack
• USB

Regarding the security guidance on Bluetooth mentioned above, three potential attacks have been identified: Blueprinting, BlueStumbling and BlueSmack. Use of the device over Bluetooth may introduce an avenue of attack for an adversary to capture keystrokes or spoof a user in order to gain access to the device.

To mitigate the risk, both authentication and encryption are used on the Bluetooth communication ports.

- End users should enable the connection only when needed and make the device discoverable only when necessary.
- Pairing with PIN exchange is required for each new connection, even if the peer has previously been authenticated.

In addition, the default Bluetooth configuration can be defined and modified with btstack-config.

In Stand-alone mode, WisePad2 can be connected to the processing gateway via the internet by:

• WiFi
• GPRS

For both the WiFi and GPRS interfaces, a secure protocol, TLS 1.2, shall be used to protect data confidentiality and integrity and to provide server authentication.


The following cipher suites should be used:

TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

The TLS 1.2 framework also prevents message replay and modification attacks by means of a MAC computed from the MAC key, sequence number, message length, message content and two fixed character strings.

The PCI approval is only valid for the platform containing the security protocol provided by BBPOS.
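As an added illustration (not code from the policy or from BBPOS), the following Python client-side configuration enforces the gateway-link requirements above: TLS 1.2 only, the listed cipher suites only, and server authentication against the Server TLS CA Certificate. The IANA-to-OpenSSL name mapping, the `server_ca_file` parameter and the compliance-check helper are assumptions made for this example.

```python
import ssl

# Policy cipher suites (IANA names) mapped to the OpenSSL names Python's ssl
# module accepts; the mapping is added here and is not part of the policy.
POLICY_SUITES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-ECDSA-DES-CBC3-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def build_gateway_context(server_ca_file=None):
    """Client context for the gateway link: TLS 1.2 only, policy suites only, server verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the policy names TLS 1.2 suites only
    # OpenSSL drops names its build lacks (e.g. 3DES) and errors only if none match.
    ctx.set_ciphers(":".join(POLICY_SUITES.values()))
    if server_ca_file:  # the policy's Server TLS CA Certificate (file path is an assumption)
        ctx.load_verify_locations(cafile=server_ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def enabled_tls12_ciphers(ctx):
    """OpenSSL names of the TLS 1.2 suites a context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def policy_violations(ctx):
    """Policy checks the context fails; an empty list means it is compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows a protocol older than TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        problems.append("does not authenticate the server")
    extra = set(enabled_tls12_ciphers(ctx)) - set(POLICY_SUITES.values())
    if extra:
        problems.append("offers suites outside the policy: " + ", ".join(sorted(extra)))
    return problems
```

The three 3DES suites are silently dropped on OpenSSL builds compiled without weak ciphers, so `enabled_tls12_ciphers` is the place to confirm what the running library will actually offer.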

2.2.3 User Interface
The user interface consists of the following:

• A dot-matrix display
• 4 LEDs
• Buzzer
• Key Pad

WisePad2 has an internal battery and can be recharged via the USB interface.


3 Product Identification

Operators and owners of WisePad2 should become familiar with its appearance so that any alterations and tampering attempts can be detected and responded to in a timely manner.

3.1 Product Appearance

(Figure: Front View and Back View of the device; images not reproduced in this text version.)


3.2 Product Label

Product information is Laser-etched at the back of the device. This includes:

• Product Name and Model
• Serial Number
• Hardware Version
• IMEI
• Compliance Logos, e.g. CE Mark
• Voltage and Current Rating

The operator should check that the information is complete and not altered, covered or otherwise rendered incomprehensible.

Hardware Version no. System Table
WP X 2 X XXX-XX-XXX
The "X" characters are not security relevant variables.

Software Version no. System Table
WP X 2 0.003-12
The "X" character is not a security relevant variable.

3.2.1 Hardware Variables

Hardware #: W P X 2 X X X X - X X - X X X
Variables:      1   2 3 4 5   6 7   8 9 10

'X'     Description
1       Hardware config: C = WisePad 2, P = WisePad 2+
2       Hardware config: 0 = BT with WiFi, 2 = BT with WiFi & 2G feature, 3 = BT with WiFi & 3G feature
3-5     Customer number: e.g. 000 – BBPOS, 001 – 999 = Other Customers
6-7     Color of plastic: e.g. 00 = White, 01 = Black, 02 – 99 = Other color
8-10    Hardware revision: 001
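Added example (not part of the policy): a small parser for the hardware version string as laid out above, usable during the delivery inspection of section 4.1 to confirm that an etched label decodes to the expected configuration and that the fixed characters have not been altered. The regular expression and the helper names are assumptions of this example.

```python
import re

# Label layout from the table above: WP X 2 X XXX-XX-XXX, where the ten X
# positions carry the variables and "WP" and "2" are fixed characters.
HW_PATTERN = re.compile(r"^WP([CP])2([023])(\d{3})-(\d{2})-(\d{3})$")

HW_CONFIG = {"C": "WisePad 2", "P": "WisePad 2+"}
CONNECTIVITY = {
    "0": "BT with WiFi",
    "2": "BT with WiFi & 2G feature",
    "3": "BT with WiFi & 3G feature",
}
COLORS = {"00": "White", "01": "Black"}  # 02-99 = other colours


def parse_hardware_version(label):
    """Decode an etched hardware version string; None if it does not fit the
    label format (wrong fixed characters, unknown config code, bad length)."""
    m = HW_PATTERN.match(label.strip())
    if not m:
        return None
    cfg, conn, customer, color, rev = m.groups()
    return {
        "model": HW_CONFIG[cfg],
        "connectivity": CONNECTIVITY[conn],
        "customer": "BBPOS" if customer == "000" else "customer " + customer,
        "color": COLORS.get(color, "other colour (" + color + ")"),
        "revision": rev,
    }


def label_matches_documents(etched, documented):
    """Delivery-inspection check (helper name is an assumption): the etched
    version and the one on the delivery paperwork must decode identically."""
    etched_info = parse_hardware_version(etched)
    return etched_info is not None and etched_info == parse_hardware_version(documented)
```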


3.2.2 Current Version

Hardware Version: WPC22001-01-001

Software Version: WPC2 0.003-12 (as shown on the LCD display)
                  WPC2 0.005-00 (as shown on the LCD display)

3.3 Information Display

Additional Information about the WisePad2 can be displayed by pressing the Menu button and then selecting the Device function.

Menu button -> Device

The following information will be displayed:

• Bootloader Version
• Firmware Version (refer to the Software Version no. System Table)
• Application Version
• Serial Number
• Battery Level

3.4 PCI Listing

To verify that WisePad 2 is a PCI approved device, browse to the PCI Security Standards Council web site, www.pcisecuritystandards.org.


4 Guidance

4.1 Delivery and Deployment Inspection

At the initial delivery and deployment of WisePad 2, the merchant or acquirer must visually inspect the device for signs of tampering. In particular, the following must be checked.

• The label on the delivered/deployed device is complete and not altered.
• The Model and Serial Number match the information provided in the documents that accompany the delivery/deployment, e.g. Delivery Note, Invoice, etc.
• The device is intact and shows no signs of tampering such as torn labels, cracks, holes, or loose or missing screws.
• No other attachments have been added to the device: no overlays, inserts, plugs, wires or other unidentified appendages.
• The IC card insertion area of the device shows no signs of tampering such as cracks, holes or looseness.
• No warning message is displayed.
• The keypad area shows no signs of having been modified.

4.2 Regular Inspection

In the normal operating environment, the merchant or acquirer must visually check the device for any signs of tampering every 24 hours. This includes:

• The label on the delivered/deployed device is complete and not altered.
• The device is intact and shows no signs of tampering such as torn labels, cracks, holes, or loose or missing screws.
• No unidentified attachments have been added to the device. Protective jackets, mounting fixtures, security locks and chains with known purposes are acceptable.
• The IC card insertion area of the device shows no signs of tampering such as cracks, holes or looseness.
• No warning message is displayed, as defined in section 4.5.
• The keypad area shows no signs of having been modified.

4.3 Operation Environment

The device should be used in an attended environment where the cardholder presents the card in the presence of the merchant or acquirer. WisePad 2 is a handheld device that is handed to the customer to enter the PIN. The customer's body and the orientation of the device towards the customer shield the entered PIN from visual observation.

When choosing the operation location, one should take into consideration the following:

• The presence of any surveillance camera that can unintentionally capture the PIN entered by a cardholder.
• The presence of any mirrors that can unintentionally reveal the PIN entered by a cardholder.


4.4 Firmware and Configuration Maintenance

4.4.1 Self-check
When the WisePad 2 is turned on, a self-test is run to check the integrity of the firmware, application, configuration and keys. The firmware also performs the self-test automatically every 24 hours.

4.4.2 Firmware/Application Update
The firmware and application can be updated in two ways:

• Using PC tools via USB, which can only be done by authorized technicians or administrators in a secure environment.
• Using the over-the-air (OTA) remote update process, in which the WisePad2 communicates with a Key Distribution Host via a mobile host device.

Update of the configuration is similar and can be done by either of the above two methods. In addition to

4.5 Hardware Security

WisePad2 has several tamper detection mechanisms. When a tamper detection mechanism is triggered, the internal working keys are erased and a warning is displayed.

4.6 Software development

Software development on WisePad 2 should follow the guidance in the BBPOS C Programming Coding Style document, reference [7].


5 Cryptography and Key Management

5.1 Cryptographic Algorithms

WisePad2 supports the following cryptographic algorithms

• TDES
• AES
• RSA
• MAC X9.19
• SHA-256

5.2 Key Management

WisePad2 supports the following key management schemes:

• Fixed Key
• Master Key/Session Key
• DUKPT

5.3 Key Table

The following table lists all keys and certificates that may be stored in a WisePad2.

Key Name                    Key Size      Algorithm   Key Usage
Terminal Public Key         2048-bit      RSA         OTA Remote Update – terminal auth
Sub CA Public Key           2048-bit      RSA         OTA Remote Update – terminal auth
KDH Public Key              2048-bit      RSA         OTA Remote Update – KDH auth
Terminal SSL Key Pair       2048-bit      RSA         TLS Authentication
Terminal TLS Certificate    2048-bit      RSA         TLS Authentication
Server TLS CA Certificate   2048-bit      RSA         TLS Authentication
DUKPT PIN key               112-bit       TDES        PIN encryption
Fixed/MK/SK PIN key         112/168-bit   TDES        PIN encryption
DUKPT Data key              112-bit       TDES        Data encryption
Fixed/MK/SK Data key        112/168-bit   TDES        Data encryption
DUKPT Track key             112-bit       TDES        Mag Track encryption
Fixed/MK/SK Track key       112/168-bit   TDES        Mag Track encryption
DUKPT MAC Key               112-bit       TDES        MAC calculation
Fixed/MK/SK MAC key         112/168-bit   TDES        MAC calculation


5.4 Key Decommissioning and Replacement

When the tamper-protection mechanism is triggered, the keys stored inside the WisePad 2 are erased. If a key is suspected to be compromised or its lifetime has ended, the key must be replaced with a new key. Key replacement can be done by authorized personnel either on-site or remotely via a KDH. If a terminal is suspected to be compromised, the terminal cannot be used again and must be returned to the service provider immediately.

5.5 Key Loading

5.5.1 Manual Key Component Loading
The device does NOT support manual plaintext key component loading, manual encrypted key loading or public key loading.

5.5.2 Remote Key Distribution
Remote key distribution follows an asymmetric method.

5.5.3 Service Centre Loading
Reloading of the device in a service centre follows all requirements for a KIF (key injection facility).

5.6 Configuration

The device does not support any modes or configuration that will output any sensitive information in plaintext.


6 Administrative Responsibilities

The following lists the roles and operations allowed to each role.

Operator – The regular operator of the terminal at the payment site with minimum authorization level.

Supervisor – The supervisor of the terminal at the payment site has higher authorization level than the operator. Some sensitive operations need his/her approval and authentication.

Administrator/Technician – This is an authorized personnel from the merchant, the payment service provider or the device vendor who has the authorization to perform firmware/configuration and key updates at the payment site or remotely using the OTA feature.

Role                        Operations                      Note
Operator                    Purchase/Sales
Operator/Supervisor         Refund/Void                     Depends on Terminal Management Requirement
Administrator/Technician    Firmware/Application Update
Administrator/Technician    Configuration Update
Administrator/Technician    Key Update


7 Environmental Requirements

WisePad2 must be kept within specific environmental conditions during normal operation and storage.

Parameter               Min       Max
Temperature (Working)   0 °C      45 °C
Humidity (Working)      0%        95%
Temperature (Storage)   -20 °C    55 °C
Humidity (Storage)      0%        95%
