Commissioning Cards

What are commissioning cards?
Ingenico have devised a system that allows for dual control and traceability of who enabled the card reader and pinpad, the system involves a “Commissioning kit” of two smartcards each with a unique PIN, one card each is sent to the two individuals nominated by the person buying the equipment and then a PIN is sent via e-mail directly to the cardholder, so two people have one card each with a unique PIN. The equipment is shipped with the tamper switches free so in order to use the card reader and Pinpad the tamper switches must be depressed (as they would in the final enclosure, i.e. kiosk or pay machine), the two cards can then be entered to make the equipment usable or commissioned. Every time the card reader and pinpad are removed from the enclosure the tamper switches are released and the equipment must be commissioned again.

Why are commissioning cards necessary?

The latest PCI rules require that hardware that accepts credit card data in an unattended environment need an anti-removal mechanism (tamper switches) and a procedure for re-installation using dual control techniques and traceability of who enabled the equipment and when, so pinpads and card readers can only be used when installed by authorised personnel. In practice this means that Pinpad’s and card readers need a system that can demonstrate who commissioned the equipment and when that happened every time the tamper switches have been released.

Details of the PCI requirements
The PCI requirements in the Core Physical Security Requirements, A11 this states:-

  • Secure components intended devices contain an anti-removal mechanism to protect against unauthorized removal and/or unauthorized re-installation. Defeating or circumventing this mechanism must require an attack potential of at least 18 per device for identification an initial exploitation, with a minimum of 9 for exploitation.

This is further explained in the Derived Tests Requirements ( DTR) and FAQ which state:

  • Removal detection is mandatory for Smart Card Reader and PIN entry device
  • Procedures require for re-installatio
  • Use dual-control techniques
  • Provide accountability and traceability including logging of user IDs, date and time stamp, and actions performed
  • Prevent replay of authorization data
  • Cause the device to not process PIN data until authorized to do so.

Further if passwords are used, PCI PTS requires:

  • The process provides dual control (e.g. two operators on site) through use of two or more passwords/PINs that are at least seven characters and entered through the secure keypad of the device.