Monday, October 21, 2019

atsec China adds PCI QPA qualification

atsec China (official name: atsec (Beijing) Information Technology Co., Ltd) has been qualified by the PCI SSC (Payment Card Industry Security Standards Council) as a QPA (Qualified PIN Assessor) company to perform personal identification number (PIN) security assessments according to the PCI PIN Security standard. The current version of the standard is "PCI PIN Security Requirements and Testing Procedures version 3.0", released by PCI SSC in August 2018.

The QPA list can be found on the official website of PCI SSC:
https://www.pcisecuritystandards.org/assessors_and_solutions/qpa_assessors

The PCI PIN Security standard contains a complete set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and at attended and unattended point-of-sale (POS) terminals.

The PCI PIN standard is intended for use by all acquiring institutions and agents (e.g. acquiring banks, service providers, key-injection facilities and certificate processors) responsible for PIN transaction processing for payment card accounts.

PCI PIN assessment and compliance can be a mandatory validation requirement defined by the individual card brands and by organizations in the payment industry (e.g. banks, payment service providers). The PIN security assessment programs previously managed by individual card brands (e.g. VISA) migrated to the new PCI QPA program in 2019. According to the validation requirements of the card brand VISA, effective 1 January 2020, all PIN assessments must be performed using PCI PIN v3 and the associated PCI reporting materials. As of this date, PCI PIN v2 assessments will no longer be accepted. All Visa PIN assessments must be performed by a QPA that is listed on the PCI SSC assessor website.

In addition to PCI QPA, as an accredited PCI QSA, ASV, PA QSA, P2PE and 3DS assessor and PFI, atsec China offers a full range of services to support organizations in achieving PCI compliance.

For more information about atsec's PCI PIN services, please visit:
http://www.atsec.cn/it-security-services/pci/en/pci-pin-security/index.html

Tuesday, October 15, 2019

Stephan Mueller publishes SP800-90B compliant Linux implementation of CPU Jitter RNG

NIST's Special Publication 800-90B "Recommendation for the Entropy Sources Used for Random Bit Generation" (SP800-90B) lays out the testing requirements for entropy sources used by random bit generators. According to Implementation Guidance 7.18, compliance with SP800-90B will be mandatory for FIPS 140-2 validations starting November 8th 2020.

Our colleague Stephan Mueller recently published an updated, SP800-90B compliant version of his Jitter RNG suite for Linux, giving our customers a head start in achieving compliance before the transition date. While the SP800-90B compliance of the Jitter RNG was reviewed by NIST, official approval is only given when the Jitter RNG is used as part of an actual FIPS 140-2 validation.

In his documentation (Section 7.4) he explains the steps a user has to follow to claim SP800-90B compliance using the Jitter RNG, which removes the need for users to prepare their own SP800-90B analysis.

Stephan Mueller has made the Jitter RNG suite available to the public:

The code for the CPU Jitter RNG can be downloaded here:
https://github.com/smuellerDD/jitterentropy-rngd
https://github.com/smuellerDD/jitterentropy-library

The documentation can be downloaded here:
http://www.chronox.de/jent/doc/CPU-Jitter-NPTRNG.pdf

The associated tests can be downloaded here:
http://www.chronox.de/jent.html

Wednesday, October 9, 2019

atsec at the International Common Criteria Conference (ICCC) 2019

atsec participated in ICCC 2019 held in Singapore from October 1st to 3rd in conjunction with Singapore International Cyber Week (SICW).

It was the perfect venue to celebrate the 20th anniversary of the Common Criteria standard, which also saw the Common Criteria Recognition Arrangement (CCRA) membership grow from 27 to 31 with the addition of Indonesia, Slovakia, Ethiopia and the Philippines.

The UK changed its CCRA status from a certificate issuing country to a certificate consuming country, while maintaining its commitment to both the CCRA and the International Technical Communities (iTCs).

As a Silver Sponsor of ICCC 2019, atsec hosted one of the four ICCC booths on the exhibition floor among the other exhibitors participating in SICW. In addition to attending ICCC 2019, some atsec consultants also participated in the Common Criteria Users Forum (CCUF) held the week before ICCC.

atsec gave the following three presentations at ICCC:

  • Mr. Michael Vogel with Ms. Terry Diaz (Cisco): iTC: General Update and TLSv1.3 integration into NDcPP
  • Mr. Di Li: The Chinese Commercial Cryptography Scheme and ISO/IEC 19790
  • Dr. Andreas Hohenegger: The Common Criteria and IEC-62443

During the award ceremony, two customers, Oracle and Qualcomm, received certificates resulting from evaluations performed by atsec. At the same ceremony, atsec was named as one of the five labs licensed by the Cyber Security Agency (CSA) as a Common Criteria Testing Lab (CCTL) under the Singapore Common Criteria Scheme (SCCS).