Witham Laboratories Q4 2008 Newsletter

This newsletter will be issued quarterly, and contains information and updates on the payments security industry. This newsletter is issued by Witham Laboratories, and is not endorsed by any other association or agency. Comments and feedback are welcomed. Further information on any of the topics below can be obtained by emailing your question(s) to Witham Laboratories.

If you have received this email in error, or no longer wish to receive the Witham Laboratories newsletter, please respond to this email with the subject line "Unsubscribe".

PCI PED v2.0 Gains Traction

After what may be described as a slow start, new devices are starting to appear more frequently on the PCI PED v2.0 list. At the time of writing 6 devices have been accredited to this new standard by PCI SSC, and more are on the way. Devices accredited to the v2.0 standard are approved until 30th April 2017, whereas v1.x devices are approved until 30th April 2014.

PCI Prepares to Issue New Standards

Two new standards will be added to the PCI PED banner next year - PCI UPT and PCI HSM. These standards have been released in draft form to PCI SSC Participating Organisations, and will be finalised late this year / early next year. All PCI PED approved testing laboratories will be able to test against these standards once released next year, although mandates for the testing of devices are not expected until sometime after 2009.

The PCI UPT standard addresses the PIN and magnetic stripe reader (MSR) security of Unattended Payment Terminals, such as kiosks, ticketing and vending machines, etc. The security of Automatic Teller Machines (ATMs) is not covered in this standard - this will be addressed in an upcoming PCI ATM standard. The PCI HSM standard addresses the security of Hardware Security Modules (HSMs), which are used to switch, generate, or verify customer PINs.

Witham Laboratories Launches New Website

Witham Laboratories has implemented a refresh of its website, to provide easier access to its services and offerings. The launch of this website coincides with the launch of this quarterly newsletter, and the launch of the Witham education services. As part of this education service, a new presentation will be provided for free download with each issue of this newsletter. Information on the first of these presentations is provided below.

PCI Standards Overview

In the first of its free presentation downloads, Witham Laboratories provides an overview of the existing and upcoming PCI standards. This presentation is perfect for merchants, acquirers, and product vendors who are confused by the 'word soup' of PCI, and want a quick high-level view of what they need to know and which standards apply to their situation. The presentation also includes a list of associated standards that would be useful to those who crave more detail.

Download the presentation here.

Witham Laboratories Finishes PCI PED Seminars In AP Region

Witham has finished its first round of education seminars on the PCI PED v2.0 standard. The seminar was provided in 6 different countries (China, Japan, Hong Kong, Korea, Taiwan, and Australia), with translations in both Mandarin and Cantonese, as well as Japanese and Korean. In all, 110 people attended the seminars, representing 50 different companies.

Feedback from the seminars was very positive - the averaged results of the feedback forms distributed after each seminar are provided below (where a score of 1 indicates that the attendee strongly disagrees, and a score of 5 indicates that the attendee strongly agrees; so the closer the score is to 5, the better).

Information             Japan   Korea   Shanghai   Taipei   Hong Kong   Melbourne

PCI PED Testing           4.1     4.2      4.6       4.2       3.7         4.1
PCI PED Process           3.9     4.4      4.6       4.2       3.9         4.1
PCI PED v2.0 Detail       3.9     4.4      4.6       4.5       3.8         4.2

Security Requirements
  Core Physical           4.2     4.4      4.6       4.5       4           4
  Core Logical            4.1     4.2      4.5       4.3       3.9         4
  Online                  3.8     4.2      4.3       4.3       3.9         4.1
  Offline                 3.9     4.3      4.5       4         3.9         3.9

Many attendees commented that the presentation provided an excellent overview of the PCI PED standard and testing process. The sections covering the way in which the attack potential is calculated in v2.0, key management, and EPP removal detection were the sections that attendees found most useful.

Witham would like to thank all attendees to the seminars for their valuable input. Further seminars on various topics will be held next year, and details will be released in this newsletter once dates and locations are determined.

Witham to Present at the 2009 ATMIA Conference

Andrew Jamieson, Witham Laboratories Technical Manager, will be presenting at the ATM Industry Association conference at the Grace Hotel in Sydney, on March 25th 2009. The presentation will cover the impact of the PCI standards on ATMs: which standards apply and what impact these standards have. The presentation will be of interest to both the manufacturers and purchasers of ATMs, as well as PCI Qualified Security Assessors who wish to know more about how ATMs fit into the PCI standards 'eco-system'.

Visa Issues Global Track Data Storage Mandate

Visa has recently issued a global mandate requiring that all Acquirers confirm, before 20th September 2009, that their Level 1 and Level 2 merchants do not store sensitive authentication data post authorisation. Acquirers must also issue attestations of compliance confirming that their Level 1 merchants are fully PCI DSS compliant by 30th September 2010. Risk controls, up to and including fines, will be imposed on acquirers who do not comply with these mandates.

Witham Laboratories has tools that can examine systems at the lowest level to determine if they have residual track data, and the results of such examination can be used as proof of compliance to this mandate. For further information, please contact Witham Laboratories.
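To illustrate what a low-level residual track data check looks for, the following is an added example written for this newsletter, not Witham Laboratories' own tool. It scans a raw byte buffer (the kind of content read from a disk image, memory dump or log file) for the Track 1 and Track 2 formats, keeps only hits whose PAN passes the Luhn check and whose expiry month is plausible, and reports masked PANs so that the scan output itself does not become a new store of cardholder data. The sample buffer and the PANs in it are constructed test values.

```python
"""Residual track data scanner (added example, not Witham Laboratories' tool).

Track 2 layout:  ;PAN=YYMMSSS<discretionary>?
Track 1 layout:  %BPAN^NAME^YYMMSSS<discretionary>?
A match is reported only when the PAN passes Luhn and the expiry month is
1..12, which filters most random digit runs found in binary data.
"""
import re
from typing import Dict, List

TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?')
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?')


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN has a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_bytes(buf: bytes) -> List[Dict[str, object]]:
    """Return a list of track data hits found in buf, ordered by offset."""
    hits: List[Dict[str, object]] = []
    for track, regex in ((2, TRACK2_RE), (1, TRACK1_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            # Track 2 has expiry in groups 2/3; Track 1 has the name in group 2
            yy, mm = (m.group(2), m.group(3)) if track == 2 else (m.group(3), m.group(4))
            if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
                continue
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": f"{mm.decode()}/{yy.decode()}",
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample buffer: binary padding, one Track 2 record, a log line,
# one Track 1 record, and two decoys (bad Luhn digit, impossible month).
SAMPLE = (
    b"\x00" * 16
    + b";4111111111111111=25121010000000000?"
    + b"log entry 2008-12-01 auth ok\n"
    + b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    + b";4111111111111112=2512101?"     # Luhn check fails, ignored
    + b";4111111111111111=2513101?"     # month 13, ignored
    + b"\xff" * 8
)

if __name__ == "__main__":
    for hit in scan_bytes(SAMPLE):
        print(f"offset {hit['offset']:>6}  track {hit['track']}  "
              f"PAN {hit['pan']}  exp {hit['expiry']}")
```

In practice the buffer would be read in chunks from a block device or process memory with a small overlap between chunks so that a record straddling a chunk boundary is not missed; the matching and filtering logic stays the same.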

Visa AP Launches Compliant Services Provider Registry

Visa Asia Pacific has launched a list of service providers that are compliant with the PCI DSS standard. The list identifies which of each service provider's services are compliant, so a service provider whose services are not all PCI DSS compliant may still be listed for those of its services that are.

APCA Aligns its Feasibility Requirements with PCI v2.0 Attack Potential

The Australian Payments Clearing Association has introduced new feasibility requirements for PIN Entry Devices. The feasibility of PED attacks can now be calculated using the attack potential table from Appendix B of the PCI POS PED v2.0 standard. The minimum attack potential levels for the various feasibility requirements are listed below.

Online PIN Security      25 points
Secret Key Security      35 points
Public Key Security      35 points
MSR Security             16 points
ATM Casing Security      14 points

Testing against the new feasibility requirements will be mandated from 20 April 2009. Until this time, evaluations can be performed against either the previous or the new feasibility definitions.

Vendors that are interested in distributing their products in the Australian region should note that the security requirements for public keys, and for MSR security, exceed those set by PCI PED v2.0. For information on how these changes may affect your products, it is recommended that you contact your evaluation facility.

APCA to Issue Key Injection Facility Requirements

The Australian Payments Clearing Association will be introducing a new set of audit requirements for Key Injection Facilities (KIFs) next year. Witham Laboratories has been contracted by APCA to consolidate the disparate key management and key/PIN security standards into a single audit requirement document, and to create an accompanying audit guide to assist assessors during the audit process.