Witham Laboratories
Security Evaluations on PIN Entry Devices
Witham Laboratories specialises in the independent security evaluation of the physical and logical security of small devices, especially PIN entry devices and devices providing cryptographic services. Evaluations can be performed to a customer-specified level or against industry standards. We are accredited to evaluate devices against the standards of the Payment Card Industry (PCI, formed from Visa, Mastercard, and JCB), the Australian Payments Clearing Association (APCA), ETSL (N.Z.) and NETS, among others. Many of our clients take advantage of our ability to produce reports for multiple payment schemes, minimising the cost and time involved.
Once supplied with a minimum level of samples and supporting documentation, our evaluations are conducted at commercially viable cost and time scales — typically 4 weeks for a full report. We happily provide feedback to the client throughout the evaluation, and our advice has assisted a number of manufacturers to quickly bring their products into compliance with the new PCI requirements. Re-evaluation of products that have undergone minor changes following such advice is done at a greatly reduced fee.
For clients looking to learn more about the evaluation process, and the differences between various standards around the world, we can organise and run seminars that provide such information in detail. These seminars can be arranged either at our own location, or at the client's site - whether in Australia or overseas.
Materials required for evaluations
To conduct a PIN Entry Device (PED or EPP) security evaluation we will usually require:
- Three fully sealed production units, which will usually be destroyed during our investigations. These units must be in working order, so that we can operate the device to confirm its logical security. Measurements of TEMPEST radiation and of susceptibility to DPA (differential power analysis) attacks may also be performed.
- Unsealed samples of any potted parts of the security hardware.
- Wiring layout and schematics of the security components.
- Documentation detailing the API command set, software assurance testing, and method of key loading.
- Code extracts detailing the PIN, key, and function handling routines.
- Any software necessary to operate and re-load the device.
Evaluation Process
Our reports provide a detailed description of the target device, showing each of its security mechanisms in detail and explaining how each could be attacked. Methods of attack are discussed and the best attacks are fully detailed — we will provide guidance on how future products may be improved to increase their security.
Finished reports belong to our clients, and reports will not be transmitted to the certification body without the express permission of the client. Obviously these reports are highly sensitive; if requested, we also issue a non-NDA version that omits the sensitive details.