EPC: Publication of two documents providing guidelines on cryptography and key management, and requirements on privacy shielding for PIN ent

13 December 2016

The European Payments Council published two updated documents useful for payment services providers and their technical suppliers, in particular professionals dealing with payment security issues.

The “Guidelines on cryptographic algorithms usage and key management” specifies a number of recommendations on crypto algorithms, digital signatures, security protocols, cryptographic transformations and key management, used to implement security mechanisms in payment systems, in order to protect customer and transaction data.

This document was updated to reflect newsworthy developments in cryptography, including the impact of the latest progress in cryptanalysis (e.g. on hash functions). It also has a new section on considerations regarding the impact of quantum computing on cryptography, and specifies a related recommendation.

Moreover, the document has been restructured to improve its readability. A new section devoted to the recommendations and best practices was introduced at the beginning of the document, with cross-references to later parts of the document for readers requiring more background and details. The list of references was also updated since its last publication in March 2016.

The “Privacy shielding for PIN entry” document defines requirements through the specification of common criteria for the privacy shielding of Point of Sale (POS) and Automated Teller Machine (ATM) installations used by customers to enter their PIN. Privacy shielding is a means to reduce the risk of PIN disclosure (e.g. through shoulder surfing) when a cardholder enters their PIN.

The document describes requirements to ensure efficient privacy shielding, based on existing European hardware requirements and the work executed by PCI (Payment Cards Industry) for POS, and provides refinements and additions. It provides technical details on how privacy shielding installations should be built and placed (height and position of the shield, for each type of PIN pad device). This document was last published in 2009. It was updated to improve its readability and to include new references. Moreover, an annex on keypad layout was added to make the document more self-contained.

Guidelines on cryptographic algorithms usage and key management

Privacy Shielding for PIN entry


© EPC