Normative Annex C - Minimum and Equivalent Key Sizes and Strengths For Approved Algorithms

Approved Algorithms in connection with the requirements in this document are based on the approved algorithms listed in NIST SP 800-57 Part 1 Rev. 4, Section 4:

▪ Hash functions: only algorithms from the SHA2 and SHA3 family are allowed on POI v3 and higher devices, with output size >255¹
▪ Symmetric-Key Algorithms used for encryption and decryption: AES must be used, with key size >= 128 bits or TDEA with key size >= 112 bits
▪ Message Authentication Codes (MACs): CMAC or GMAC can be used with AES, as well as HMAC with an approved hash function and a key size >=128
▪ Signature algorithms: DSA, RSA (with PKCS1-v1.5 or PSS) and ECDSA with key sizes specified below.
▪ Approved key establishment schemes are described in NIST SP800-56A (ECC/FFC²-based key agreement), NIST SP800-56B (IFC-based key agreement) and NIST SP800-38F (AES-based key encryption/wrapping).

1 Except as noted, the use of SHA-1 is prohibited for all digital signatures used on the device that are used in connection with meeting PCI security requirements.
This includes certificates used by the device that are non-device-specific that are part of a vendor PKI, up to and including a vendor root certificate. The only
exception to this is that the initial code on ROM that initiates upon the device start may authenticate itself using SHA-1, but all subsequent code must be
authenticated using SHA-2.
SHA-2 or higher is recommended for other usages, but SHA-1 may be used in conjunction with the generation of HMAC values and surrogate PANs (with salt),
for deriving keys using key derivation functions (i.e., KDFs) and random number generation. Where applicable, appropriate key length minimums as delineated
in the Derived Test Requirements are also required.
2 IFC: Integer Factorization Cryptography; ECC: Elliptic Curve Cryptography; FFC: Finite Field Cryptography

PCI PIN Security Requirements and Testing Procedures v3.1 – Normative Annex C March 2021
Copyright © 2011-2021 PCI Security Standards Council, LLC. All Rights Reserved. Page 198
The following are the minimum key sizes³ and parameters for the algorithm(s) in question that must be used in connection with key transport, exchange, or establishment and for data protection in connection with these requirements. Other key sizes and algorithms may be supported for non-PCI payment brand relevant transactions.

| Algorithm | DEA | IFC (RSA) | ECC (ECDSA, ECDH, ECMQV) | FFC (DSA, DH, MQV) | AES |
|---|---|---|---|---|---|
| Minimum key size in number of bits | 112 | 2048 | 224 | 2048/224 | 128 |

Key-encipherment keys shall be at least of equal or greater strength than any key that they are protecting.⁴ This applies to any key-encipherment keys used for the protection of secret or private keys that are stored or for keys used to encrypt any secret or private keys for loading or transport. For purposes of this requirement, the following algorithms and key sizes by row are considered equivalent.

3 Other key sizes and algorithms specified in this appendix may be supported for non-PCI payment brand relevant transactions. They are also not applicable to the EMV kernel; cryptographic requirements for EMV Contactless transactions are set by EMVCo and/or the Schemes.
4 Notwithstanding the statement, 2048 RSA keys may be used to transport 128 AES keys when performing remote key distribution using asymmetric techniques.

| Bits of Security | DEA | IFC (RSA) | ECC (ECDSA, ECDH, ECMQV) | FFC (DSA, DH, MQV) | AES |
|---|---|---|---|---|---|
| 80 | 112 | 1024 | 160 | 1024/160 | – |
| 112 | 168 | 2048 | 224 | 2048/224 | – |
| 128 | – | 3072 | 256 | 3072/256 | 128 |
| 192 | – | 7680 | 384 | 7680/384 | 192 |
| 256 | – | 15360 | 512 | 15360/512 | 256 |

DEA refers to TDEA keys with non-parity bits. The RSA key size refers to the size of the modulus. The Elliptic Curve key size refers to the
minimum order of the base point on the elliptic curve; this order should be slightly smaller than the field size. The DSA key sizes refer to the size of
the modulus and the minimum size of a large subgroup.
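
The equivalence rule above (a key-encipherment key must be at least as strong as the key it protects) can be checked mechanically. The following Python sketch is an added example and not part of the PCI annex; the function names and the (family, size) key representation are assumptions, and the footnote 4 exception is applied only to the exact RSA-2048/AES-128 pairing it names.

```python
# Added example: key-strength comparison built from this annex's two tables.
# Row layout: bits of security, then the smallest size per family (None = no entry).
EQUIVALENCE = [
    # bits  DEA   IFC    ECC  FFC (p, q)    AES
    (80,   112,  1024,  160, (1024, 160),  None),
    (112,  168,  2048,  224, (2048, 224),  None),
    (128,  None, 3072,  256, (3072, 256),  128),
    (192,  None, 7680,  384, (7680, 384),  192),
    (256,  None, 15360, 512, (15360, 512), 256),
]
COLUMN = {"DEA": 1, "IFC": 2, "ECC": 3, "FFC": 4, "AES": 5}
MINIMUM = {"DEA": 112, "IFC": 2048, "ECC": 224, "FFC": (2048, 224), "AES": 128}


def _reaches(size, floor):
    """True if size meets floor; FFC sizes are (modulus, subgroup) pairs."""
    if isinstance(floor, tuple):
        return (isinstance(size, tuple) and len(size) == len(floor)
                and all(s >= f for s, f in zip(size, floor)))
    return not isinstance(size, tuple) and size >= floor


def strength(family, size):
    """Bits of security: the highest table row whose entry the size reaches."""
    col = COLUMN[family]
    rows = [r[0] for r in EQUIVALENCE if r[col] is not None and _reaches(size, r[col])]
    return max(rows, default=0)


def meets_minimum(family, size):
    """Check a key against the minimum key size table."""
    return _reaches(size, MINIMUM[family])


def kek_allowed(kek, protected, remote_key_distribution=False):
    """kek and protected are (family, size) pairs; returns (allowed, reason)."""
    for name, key in (("KEK", kek), ("protected key", protected)):
        if not meets_minimum(*key):
            return False, f"{name} {key} is below the minimum key size"
    k, p = strength(*kek), strength(*protected)
    if k >= p:
        return True, f"KEK strength {k} >= protected key strength {p}"
    # Footnote 4: 2048 RSA keys may transport 128 AES keys in remote key distribution.
    # Assumption: applied only to exactly this pairing, as the footnote is worded.
    if remote_key_distribution and kek == ("IFC", 2048) and protected == ("AES", 128):
        return True, "footnote 4 exception (remote key distribution)"
    return False, f"KEK strength {k} < protected key strength {p}"
```

Note that a double-length TDEA key (112 bits) meets the minimum key size but sits in the 80-bit row, so `kek_allowed(("DEA", 112), ("DEA", 168))` is rejected.
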
TLS implementations must prevent the use of cipher suites that do not enforce the use of cryptographic ciphers, hash functions and key lengths as
defined in the Technical FAQs.
For implementations using FFC or ECC:
▪ FFC implementations: entities must securely generate and distribute the system-wide parameters: generator g, prime number p and
parameter q, the large prime factor of (p - 1). Parameter p must be at least 2048 bits long, and parameter q must be at least 224 bits long.
Each entity must generate a private key x and a public key y using the domain parameters (p, q, g).
▪ ECC implementations: entities must securely generate and distribute the system-wide parameters. Entities may generate the elliptic
curve domain parameters or use a recommended curve (see FIPS 186-4). The elliptic curve specified by the domain parameters must be
at least as secure as P-224. Each entity must generate a private key d and a public key Q using the specified elliptic curve domain
parameters. (See FIPS 186-4 for methods of generating d and Q.)
▪ Each private key must be statistically unique, unpredictable and created using an approved random number generator as described in this
document.
▪ Entities must authenticate the FFC or ECC public keys using DSA, ECDSA, a certificate, or a MAC (see ISO 16609 – Banking –
Requirements for message authentication using symmetric techniques. One of the following should be used: MAC algorithm 1 using
padding method 3, MAC algorithm 5 using padding method 4).
IFC, FFC and ECC are vulnerable to attacks from large-scale quantum computers. In 2017, NIST initiated a process to solicit, evaluate, and
standardize one or more quantum-resistant public-key cryptographic algorithms, planned to end with a selection of new algorithms by 2023-2025.

Because of rapid progress in the field of quantum computing, it is advised to become informed/aware of this specific threat and its potential
mitigations.
