4-90001 LANDI APOS A7 Security Policy

This document outlines the security policy for the LANDI APOS A7 point of sale terminal, including descriptions of the device, guidance on installation and use, hardware and software security measures, key management policies, and roles and services. The APOS A7 is an Android-based wireless POS terminal that integrates payment card readers and a thermal printer and supports wireless communications like GSM, CDMA, WiFi and Bluetooth.

Uploaded by

wingard99
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
330 views19 pages

4-90001 LANDI APOS A7 Security Policy

This document outlines the security policy for the LANDI APOS A7 point of sale terminal, including descriptions of the device, guidance on installation and use, hardware and software security measures, key management policies, and roles and services. The APOS A7 is an Android-based wireless POS terminal that integrates payment card readers and a thermal printer and supports wireless communications like GSM, CDMA, WiFi and Bluetooth.

Uploaded by

wingard99
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 19

LANDI APOS A7 Security Policy

Product Name APOS A7

Product Version 0.1

Fujian LANDI Commercial Equipment Co., Ltd


Contents

1. Document Information ........................................................................................................ 4

1.1. Evolution Follow-up................................................................................................. 4

1.2. Acronyms ................................................................................................................... 4

1.3. Reference ................................................................................................................... 4

2. Introduction ........................................................................................................................... 5

3. General Description ............................................................................................................. 6

3.1. Product Overview ..................................................................................................... 6

3.2. Product Identification .............................................................................................. 7

3.3. Communication Methods and Protocols ........................................................... 7

4. Guidance ................................................................................................................................ 9

4.1. Installation Guide ..................................................................................................... 9

4.2. Installation and Environment ................................................................................ 9

4.3. Decommissioning/Removal ................................................................................... 9

4.4. PIN Confidentiality ................................................................................................... 9

4.5. Periodic Inspection ................................................................................................ 10

5. Product Hardware Security ............................................................................................. 11

5.1. Tamper Response Event ...................................................................................... 11

5.2. Environment Conditions and Environmental Failure Protection ............... 11

6. Product Software Security ............................................................................................... 12

6.1. Software Development Guidance....................................................................... 12

6.2. Firmware, Software and Configuration Parameters Update ....................... 12

6.3. Software Authentication ....................................................................................... 12

6.4. Update and Patch Management.......................................................................... 13

6.5. Self-Tests .................................................................................................................. 13

7. System Administration ..................................................................................................... 14

7.1. Configuration Settings .......................................................................................... 14

7.2. Default Value Update ............................................................................................. 14

Page 2 / 19
8. Key Management ................................................................................................................ 15

8.1. Key Management Techniques ............................................................................. 15

8.2. Master Key/Session Key....................................................................................... 15

8.3. Fixed Key .................................................................................................................. 15

8.4. DUKPT Key .............................................................................................................. 15

8.5. Cryptographic Algorithms ................................................................................... 15

8.6. Key Table .................................................................................................................. 16

8.7. Key Replacement ................................................................................................... 17

8.8. Key Loading Policy ................................................................................................ 17

8.8.1. Local Key Injection ............................................................................................ 17

8.8.2. Remote Key Injection ........................................................................................ 17

8.9. Key Lifetime ............................................................................................................. 18

9. Roles and Services ............................................................................................................ 19

Page 3 / 19
1. Document Information

1.1. Evolution Follow-up

Revision | Type of modification | Date
0.1 | Document creation | 2017-03-13

1.2. Acronyms

Abbreviation | Description
AES | Advanced Encryption Standard
DUKPT | Derived Unique Key Per Transaction
N/A | Not Applicable
PED | PIN Entry Device
PIN | Personal Identification Number
RSA | Rivest Shamir Adleman Algorithm
SHA | Secure Hash Algorithm
TDES | Triple Data Encryption Standard
IC Card | Integrated Circuit Card
RF Card | Radio Frequency Card
AKMS | Acquirer Key Management System

1.3. Reference
[1] ANS X9.24-1:2009, Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques
[2] ANS X9.24 Part 2: 2006, Retail Financial Services Symmetric Key Management Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys
[3] X9 TR-31 2010, Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms
[4] ISO 9564-1, Financial Services - Personal Identification Number (PIN) management and security - Part 1: Basic principles and requirements for PINs in card-based systems
[5] ISO 9564-2, Banking - Personal Identification Number management and security - Part 2: Approved algorithms for PIN encipherment
[6] PCI PTS POI Derived Test Requirements V5.0
[7] LANDI_APOS user manual.doc
[8] EPT-AND application development guide.chm
[9] LANDI_APOS_ digital signature system.doc

2. Introduction
This document addresses the proper use of the POI in a secure manner, including information about key-management responsibilities, administrative responsibilities, device functionality, identification and environmental requirements.

Using the device in any manner not approved in this security policy will violate the PCI PTS approval of the device.

3. General Description

3.1. Product Overview


APOS A7 is the next generation of intelligent wireless POS with a touch screen and high-speed communications. This product is mainly for indoor use, and its target merchants are restaurants, entertainment venues, chain stores, supermarkets, e-commerce and so on.

As an intelligent terminal, APOS A7 has the functions of both a smartphone and a traditional POS. It is configured with an ARM Cortex-A7 quad-core processor to provide powerful processing capabilities. It has passed a variety of industry certifications to ensure transaction security, including PCI PTS, EMV, CE, CB, CCC, PayPass, payWave, RoHS etc. This product integrates an MSR card reader, IC card reader, contactless card reader, SAM card reader and a high-performance thermal printer, and it can handle diversified financial transactions.

APOS A7 is also an Android smart terminal. It supports wireless communication such as GSM, CDMA, CDMA2000, TD-SCDMA, WCDMA, TD-LTE, FDD-LTE, WIFI, Bluetooth and GPS.

Figure 1: APOS A7 Appearance

Table 1: APOS A7 Configuration

Configuration | Description
Barcode | 1D barcode, 2D barcode
Camera | 5M Pixels
Wireless Communication | 2G/3G/4G, GPS, WIFI + BT

3.2. Product Identification


The product name and hardware version are printed on a label on the device.

Figure 2: APOS A7 Label

The merchant or acquirer must visually inspect the terminal when it is received from shipping, as described in the user manual.

For example, the merchant or acquirer should inspect the terminal to ensure that:

There is no evidence of unusual wires connected to any port of the terminal
There is no shim device in the ICC acceptor

To check the firmware version of the device, open Settings, then Epay Settings; the version is shown in the Security Firmware Version field.

To check the version of an application, open Settings, then Apps, then tap the target app; the information shown for the app includes its version.

3.3. Communication Methods and Protocols


The following describes the communication methods and protocols available in the device.

Table 2. APOS A7 Communication Methods and Protocols

Interface | Protocols
Wireless Modem Communication (supports GSM, CDMA, TD-SCDMA, WCDMA, EVDO, TD-LTE, FDD-LTE) | SSL/TLS, TCP, UDP, DHCP, DNS, ICMP, HTTP, PPP, IP stack
Wi-Fi | SSL/TLS, TCP, UDP, DHCP, DNS, ICMP, HTTP, IP stack
Bluetooth | Classic Bluetooth

4. Guidance

4.1. Installation Guide


A user manual [7] including the following information is provided with the device:

Equipment check list:


Device
Cable and connectors
Documents
Power and cable connections information
The main characteristics of the device (i.e. temperature, humidity, voltage)
Safety recommendations
Troubleshooting if the device does not work

4.2. Installation and Environment


Install the terminal where it is convenient for both merchants and cardholders, as close as possible to a power socket.

Keep the terminal away from all sources of heat, vibration, dust, moisture and electromagnetic radiation (including computer screens, motors, security equipment etc.). Note that the wireless terminal should also be kept away from sources of electromagnetic interference while in use.

Make sure the terminal is used in an attended manner.

4.3. Decommissioning/Removal
When the device is permanently decommissioned, the administrator of the device needs to collect the device and disassemble it to make it unavailable. Even if someone reassembles the device, it still cannot work, because all of its keys have been erased automatically and it will report a tamper exception triggered by the disassembly.

For temporary removal, there is no need to change the state of the device, as all the keys remain protected by the main board hardware tamper mechanism.

4.4. PIN Confidentiality


APOS A7 is a hand-held device, and it is required to provide cardholders with the necessary privacy during PIN entry. For example, the device demonstrates a safe PIN-entry process showing how to enter the PIN. This message reminds the cardholder that he/she can use his/her own body or free hand to block the view of the keypad.

Figure 3: Safe PIN Entry Demonstration

4.5. Periodic Inspection


The merchant or acquirer should check daily that the keypad is firmly in place. Such checks give warning of any unauthorized modification to the terminal and of other suspicious behaviour of the terminal.

The merchant or acquirer should also check that installation/maintenance operations are performed by a trusted person, and in particular check whether the ICC reader slot is damaged (abrasion, paint or other machining marks), whether there is any suspicious object such as a lead wire over the ICC reader slot, or any unknown object inside the IC card reader. If any of these suspicious circumstances is found, stop using the device immediately and contact customer service to confirm whether the device has been tampered with.

5. Product Hardware Security

5.1. Tamper Response Event


The device contains tamper mechanisms that trigger when a physical penetration attempt on the device is detected. A merchant or acquirer can easily recognize a tampered terminal:

A warning message is displayed on the screen.
The device cannot enter the normal application and cannot perform any transaction.

The user needs to send the device to the manufacturer for safety inspection and repair.

Any physical penetration results in a tamper event. This event activates the tamper mechanisms, which take the device out of service.

The device can be in one of two separate modes:

Activated mode: the device is fully operational.
Non-activated mode: the device has been tampered, is not operating and needs reactivation after maintenance and security checks.

To switch from Non-activated mode to Activated mode, the device has to perform network activation with authentication.

5.2. Environment Conditions and Environmental Failure Protection

The environmental conditions to operate the device are specified in the user manual.

The security of the device is not compromised by altering the environmental conditions (e.g.
subjecting the device to temperature or operating voltages outside the stated operating ranges
does not alter the security).

6. Product Software Security

6.1. Software Development Guidance


When developing applications, the developer must follow the security guidance described in document [8].

During software development, the following steps must be implemented:

1. Code review
2. Security review and audit
3. Module test
4. Source code management and version control
5. Software test
6. Signature

When using open protocols, the developer must follow the SSL security guidance, the Bluetooth Security Guide and the Wi-Fi Security Guide. Note that SSL 3.0, TLS 1.0 and TLS 1.1 are inherently weak and should be removed; because these versions still exist in the field, they are temporarily kept, for compatibility, for use by non-financial applications only. In addition, we strongly recommend that a server disable the SSL protocol and select TLS 1.2 or higher instead. For additional security, mutual authentication is recommended. The device does not support Bluetooth Low Energy and does not support the Just Works pairing option. The device supports security mode 4. No insecure communication option is allowed.

For SRED, the device does not support pass-through of clear-text account data. All applications running on the device are considered to be in Account Data Encrypting Mode.
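The protocol rule in section 6.1, as an added example that is not LANDI's code or part of the guides it cites: the policy's own version rule (TLS 1.2 or higher for financial applications, TLS 1.0/1.1 tolerated only for non-financial ones, SSL disabled), and a Python ssl configuration for the acquirer host and for an application on the terminal with TLS 1.2 as the floor and mutual authentication. The certificate and key file paths are placeholders assumed to come from the acquirer's PKI.

```python
import ssl

# Versions the policy calls inherently weak, and the ones it accepts.
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}
STRONG_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def version_allowed(negotiated: str, financial: bool) -> bool:
    """Section 6.1 rule: financial applications need TLS 1.2 or higher;
    non-financial applications may temporarily still use TLS 1.0/1.1 for
    compatibility; SSL 3.0 is never accepted, since servers are told to
    disable SSL entirely."""
    if negotiated in STRONG_VERSIONS:
        return True
    if negotiated in WEAK_VERSIONS and negotiated != "SSLv3":
        return not financial
    return False


def harden_context(ctx: ssl.SSLContext, mutual_auth: bool) -> ssl.SSLContext:
    """Apply the recommended settings to a context: TLS 1.2 as the minimum
    (which removes SSL 3.0, TLS 1.0 and TLS 1.1 in one step), no TLS
    compression, and mandatory peer certificates when mutual
    authentication is wanted."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    if mutual_auth:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Deployment-review check: nothing below TLS 1.2 and peer
    authentication switched on."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def fresh_server_context() -> ssl.SSLContext:
    """A server context with Python's defaults, i.e. before hardening."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def build_acquirer_server_context(cert_file, key_file, client_ca_file):
    """Acquirer host side. Paths are placeholders (assumed PEM files from
    the acquirer's PKI); the client CA is what makes the terminal's
    certificate verifiable."""
    ctx = harden_context(fresh_server_context(), mutual_auth=True)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def build_terminal_client_context(server_ca_file, cert_file, key_file):
    """Application side on the terminal: verify the acquirer's certificate
    and hostname, and present the terminal's own certificate."""
    ctx = harden_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT), mutual_auth=True)
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=server_ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx
```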

6.2. Firmware, Software and Configuration Parameters Update

Updates and patches can be loaded into the device. They are cryptographically authenticated by the device. If authenticity is not confirmed, the update or patch is rejected.

Prompt updates are security-related, and any security-related firmware change results in a firmware version update.

6.3. Software Authentication


Application code is authenticated before being allowed to run: the certificate and signature of the application code are verified.

The certificate and signature are based on RSA key pairs. Authenticity is guaranteed by a certificate issued by Landi.

- SHA-256 is used to compute the digest of the software.
- A 2048-bit RSA key is used for signature verification.

Please refer to <LANDI_APOS digital signature system.doc>.

The application managers must perform a full source code review to make sure that the application does not exhibit any of the following behaviours:

PIN entry prompt while the keypad digits are displayed in plain text.
Not using the correct security mechanisms and APIs recommended in the user guidance for PIN entry.
Storing or outputting any cardholder account data without his/her authorization.

It is recommended that the application source code review and signing process be executed by at least two persons and that an audit log is recorded for future trace-back.

6.4. Update and Patch Management


The device supports both local and remote methods for updating or patching the software, the firmware and the configuration parameters.

1. The patch must be securely reviewed and audited before release.
2. The patch must be tested before release.
3. The patch must be digitally signed before release.
4. The downloaded patch is stored in a temporary directory on the device, and the device then authenticates the patch using its digital signature. If the patch is not authentic, the device deletes it.
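The authentication described in section 6.3 (SHA-256 digest, RSA-2048 signature) and step 4 of section 6.4 (stage the download, verify it, delete it on failure), as an added example that is not LANDI's code or its digital signature system. It uses only the Python standard library, so the RSA primitives and PKCS#1 v1.5 encoding are written out here (a production signer would use a vetted library); the application image and key pair are constructed for the demonstration, and `generate_keypair` accepts a smaller size only so that demonstrations run quickly.

```python
import hashlib
import os
import secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo for SHA-256

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (candidates here are always odd)."""
    if n < 4:
        return n in (2, 3)
    r = ((n - 1) & (1 - n)).bit_length() - 1  # trailing zero bits of n - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, exact bit length
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 2048):
    """Return ((n, e), (n, d)); the policy uses 2048 bits, smaller only for quick demos."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def _encode_digest(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo||digest, padded to k bytes."""
    t = SHA256_DIGESTINFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for a SHA-256 signature")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_software(image: bytes, private_key) -> bytes:
    """Signer side (step 3 of section 6.4): RSA private operation over SHA-256(image)."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_encode_digest(hashlib.sha256(image).digest(), k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def verify_software(image: bytes, signature: bytes, public_key) -> bool:
    """Terminal side: recover the encoded block and compare it whole, in constant time."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    expected = _encode_digest(hashlib.sha256(image).digest(), k)
    return secrets.compare_digest(recovered, expected)

def stage_patch(patch: bytes, signature: bytes, public_key, staging_dir: str):
    """Step 4 of section 6.4: stage the download, authenticate it, delete it on failure."""
    path = os.path.join(staging_dir, "patch.bin")
    with open(path, "wb") as f:
        f.write(patch)
    with open(path, "rb") as f:
        staged = f.read()
    if not verify_software(staged, signature, public_key):
        os.remove(path)
        return None
    return path
```

`stage_patch` returns the staged path when the signature verifies and `None` after deleting a patch that does not, so the caller only ever installs from a path it got back.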

6.5. Self-Tests
Self-tests are performed upon start-up/reset. In order to reinitialize memory, the device reboots 24 hours after it starts up. Self-tests are not initiated by an operator.

7. System Administration

7.1. Configuration Settings


The device is functional when received by the merchant or acquirer. No security-sensitive configuration settings need to be tuned by the end user to meet security requirements.

7.2. Default Value Update


The device is functional when received by the merchant or acquirer and there is no security
sensitive default value (e.g. admin password) that needs to be changed before operating the
device.

8. Key Management
The device supports multiple acquirers; each acquirer is assigned a separate key store area (KAP) by the owner of the device. Each KAP supports the key management techniques described below.

8.1. Key Management Techniques


The device implements different types of key management techniques:

Fixed Key: a key management technique based on a unique key for each terminal as
specified in [2].
Master Key/Session Key: a method using a hierarchy of keys. The session keys are
unique per transaction as specified in [2].
DUKPT: a key management technique based on a unique key for each transaction as
specified in [2].

Use of the terminal with a key-management system other than the three listed above will invalidate any PCI approval of the terminal.

8.2. Master Key/Session Key


An acquirer's MK/SK hierarchy can be used in a KAP.

The BPK is used to protect session keys in transfer. The MK is used to encrypt session keys in transfer. The session keys are of three types: PEK (PIN Encryption Key), MAK (MAC Calculating Key) and TDK (Track Data encryption Key).

8.3. Fixed Key


The Fixed Key can be divided into two types: PEK (Pin Encryption Key) and MAK (MAC
Calculating Key).

8.4. DUKPT Key


The acquirer loads the initial key in a secure room. The device then generates 21 future keys under the ANSI X9.24 future key generation algorithm. Every future key is divided into two parts: one part is used as the PEK (PIN Encryption Key), the other as the MAK (MAC Calculating Key).

8.5. Cryptographic Algorithms


The device includes the following algorithms:

1. RSA (signature verification, 2048 bits)
2. SHA-256 (signature digest)
3. Triple DES (128 bits and 192 bits)
4. AES (128, 192 and 256 bits)

8.6. Key Table


Table 3: Triple DES Keys

Key Name | Purpose/Usage | Algorithm | Size (bits) | Storage
BPK | Load other keys (PEK or MAK, TDK, KEK) | TDES | 128/192 | Flash
DTEK | Device Transport Encryption Key, used to encrypt the keys transported from the AKMS to the device | TDES | 128/192 | Flash
AUK | Device Authentication Key, used to implement mutual authentication between the device and the remote AKMS | TDES | 128/192 | Flash
MK | Encrypt or decrypt other keys | TDES | 128/192 | Flash
PEK in MK/SK System | Encrypt PIN blocks | TDES | 128/192 | Flash
MAK in MK/SK System | Generate or verify MAC of data blocks | TDES | 128/192 | Flash
TDK in MK/SK System | Encrypt input data using TDES | TDES | 128/192 | Flash
PEK in Fixed Transaction Key System | Encrypt PIN blocks | TDES | 128 | Flash
MAK in Fixed Transaction Key System | Generate or verify MAC of data blocks | TDES | 128 | Flash
Initial DUKPT Key | Generate future keys | TDES | 128 | Flash
Future Used Key of DUKPT | Every selected future used key is divided into two parts with different numeric data: one part encrypts PIN blocks, the other generates the MAC of data blocks | TDES | 128 | Flash

8.7. Key Replacement
Any key should be replaced with a new key whenever the compromise of the original key is
known or suspected, and whenever the time deemed feasible to determine the key by
exhaustive attack elapses.

8.8. Key Loading Policy


The device does not support manual cryptographic key entry. Specific tools, compliant with key management requirements, shall be used for key loading.

8.8.1. Local Key Injection

Method 1:

The plain-text key (including MK, Fixed Key and DUKPT Initial Key) loading process must be performed in a secure room of the acquirer and strictly protected under the following dual control and split knowledge techniques.

Dual control: The key loading process is strictly authorized and controlled by at least two persons. Identification and authentication are performed first to make sure they are the right operators for the key loading. An eight-byte password is used in the key loader to authenticate the operator.
Split knowledge: The initial plain-text key can never be known in full by a single person. It is divided into two full-length key components controlled by two different persons. Each person is required to enter his/her key component into the key loader separately.

Encrypted key loading is controlled by the acquirer over the network. For the Fixed Key method, no encrypted keys are used. For the DUKPT method, transaction keys are generated automatically, so no encrypted keys need to be loaded.

Method 2:

Furthermore, the POI device supports local key injection (LKI) method with an authentication
mechanism, to inject keys encrypted under Transport Key (TK) with a Key Loading Device
(KLD).

This method applies to the loading of MK, BPK, Fixed Key and DUKPT Initial Key.

8.8.2. Remote Key Injection

The encrypted key loading could be controlled by the acquirer through a network host.

BPK is used to encrypt other keys except DUKPT Future Key.

MK is used to encrypt PEK/MAK/TDK in MK/SK System.

Furthermore, the POI device supports remote key-loading technique using symmetric and
asymmetric method. This method applies to the loading of MK, BPK, Fixed Key and DUKPT
Initial Key.

8.9. Key Lifetime


The key lifetime is controlled by the acquirer. Suggestions from the manufacturer are:

The maximum lifetime of the MK is suggested to be 2 years.
The maximum lifetime of an SK is suggested to be 1 day.
A DUKPT key should not be used for more than 1 million transactions.
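The replacement rules of sections 8.7 and 8.9, as an added example that is not LANDI's code: a policy check that a KAP owner could run over its key records, including extraction of the DUKPT transaction counter from the KSN. It assumes the KSN follows the 10-byte ANSI X9.24 layout whose low 21 bits hold the transaction counter, takes "2 years" as 730 days, and uses constructed key records for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Manufacturer suggestions from section 8.9 (2 years taken as 730 days: assumption).
MAX_AGE = {"MK": timedelta(days=730), "SK": timedelta(days=1)}
DUKPT_MAX_TRANSACTIONS = 1_000_000
KSN_COUNTER_MASK = (1 << 21) - 1  # low 21 bits of the 10-byte X9.24 KSN


def ksn_counter(ksn_hex: str) -> int:
    """Transaction counter encoded in the low 21 bits of a 10-byte KSN."""
    ksn = bytes.fromhex(ksn_hex)
    if len(ksn) != 10:
        raise ValueError("KSN must be 10 bytes")
    return int.from_bytes(ksn[-3:], "big") & KSN_COUNTER_MASK


def ksn_counter_is_usable(counter: int) -> bool:
    """X9.24 DUKPT never uses counter 0 and skips values with more than 10 bits set."""
    return 0 < counter <= KSN_COUNTER_MASK and bin(counter).count("1") <= 10


@dataclass
class KeyRecord:
    name: str
    kind: str                      # "MK", "SK" or "DUKPT"
    loaded_at: datetime
    ksn: Optional[str] = None      # current KSN, DUKPT only
    compromise_suspected: bool = False


def replacement_reason(rec: KeyRecord, now: datetime) -> Optional[str]:
    """Return why the key must be replaced, or None if it may stay in use."""
    if rec.compromise_suspected:   # section 8.7: known or suspected compromise
        return "compromise known or suspected"
    if rec.kind in MAX_AGE:
        age = now - rec.loaded_at
        if age > MAX_AGE[rec.kind]:
            return f"{rec.kind} in use {age.days} days, suggested maximum {MAX_AGE[rec.kind].days}"
        return None
    if rec.kind == "DUKPT":
        if rec.ksn is None:
            raise ValueError("DUKPT record needs a KSN")
        count = ksn_counter(rec.ksn)
        if not ksn_counter_is_usable(count):
            return f"KSN counter {count:#x} is exhausted or not a valid X9.24 counter"
        if count >= DUKPT_MAX_TRANSACTIONS:
            return f"DUKPT counter {count} reached the 1 million transaction limit"
        return None
    raise ValueError(f"unknown key kind {rec.kind!r}")


def keys_to_replace(records, now):
    """Run the policy over a KAP's key records; returns [(name, reason)]."""
    out = []
    for rec in records:
        reason = replacement_reason(rec, now)
        if reason:
            out.append((rec.name, reason))
    return out


def demo():
    """Constructed sample records dated around this document's revision date."""
    now = datetime(2017, 3, 13)
    records = [
        KeyRecord("MK", "MK", datetime(2015, 1, 1)),
        KeyRecord("PEK", "SK", datetime(2017, 3, 12, 8, 0)),
        KeyRecord("IPEK", "DUKPT", datetime(2016, 6, 1), ksn="FFFF9876543210EF4240"),
        KeyRecord("MAK", "SK", datetime(2017, 3, 10), compromise_suspected=True),
    ]
    return keys_to_replace(records, now)
```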

9. Roles and Services
The device has no functionality that gives access to security sensitive services, based on roles.
Such services are managed through dedicated tools, using cryptographic authentication.

