Q1 2009 Witham Laboratories Newsletter


This newsletter is issued quarterly, and contains information and updates on the payments security industry. This newsletter is issued by Witham Laboratories, and is not endorsed by any other association or agency. Comments and feedback are welcomed. Further information on any of the topics below can be obtained by emailing your question(s) to Witham Laboratories.

If you have received this email in error, or no longer wish to receive the Witham Laboratories newsletter, please respond to this email with the subject line "Unsubscribe".

To view this newsletter in HTML, click the following link:

http://www.withamlabs.com/witham-labs-resources/228-q1-2009-newsletter.html

 

PCI PED/EPP v2.1 Released

PCI SSC have released v2.1 of the PCI PED and EPP standards. These updated versions contain minor typographical fixes, and changes to the wording of some of the requirements to make them easier to understand and work with. None of the changes made to v2.1 should have a negative impact on any on-going device evaluations, or product design. The new v2.1 standards can be downloaded from the PCI SSC PIN website:

https://www.pcisecuritystandards.org/security_standards/ped/index.shtml

 

PCI SSC Announces 2009 Community Meeting Dates

PCI SSC has provided the dates for the two community meetings to be held in 2009. These dates are:

22-24 September in Las Vegas

26-28 October in Prague

Witham Laboratories staff will be attending the meetings, and we hope to see you there!

 

Witham Laboratories to Speak at Cards Asia

Andrew Jamieson, Witham Laboratories Technical Manager, will be providing a half hour presentation on the different PCI standards at the Cards Asia conference, held in Singapore from 22-24 April. This presentation will provide an overview of all of the PCI standards, and is recommended to anyone who has trouble understanding the scope and applicability of the many PCI standards.

Andrew will be available throughout the Cards Asia show to talk to product and software vendors, merchants and acquirers about the PCI standards such as PCI PED, PCI DSS, PA DSS, and PCI PIN, and how they may apply to their own individual scenarios.

 

Witham Laboratories to Present at the 2009 ATMIA Conference

Andrew Jamieson, Witham Laboratories Technical Manager, will be presenting at the ATM Industry Association conference at the Grace Hotel in Sydney, on March 25th 2009. The presentation will cover the impact of the PCI standards on ATMs; which standards apply and what impact these standards have. There will also be details on the upcoming PCI ATM standard! The presentation will be of interest to both the manufacturers and purchasers of ATMs, as well as PCI Qualified Security Assessors who wish to know more about how ATMs fit into the PCI standards 'eco-system'.

 

PCI SSC Place QSA Companies into Remediation

The QA program initiated by PCI SSC last year is starting to take effect. At the time of writing this newsletter, three QSA companies have been placed into 'remediation'. What does this mean? There are a number of reasons that this may happen, but the root cause is generally that the audits conducted by the company have been found not to fulfill the QA requirements of PCI SSC. Details on which companies are currently in remediation can be found within the PCI SSC QSA companies list, located here:

https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

 

PCI SSC Launch Direct Merchant Training

PCI SSC has launched a direct-to-merchant training program, aimed specifically at those that wanted to learn more about the PCI DSS, but could not fulfill the requirements to become a QSA. Details on the training, and dates/locations where the training will be held (including a session in Sydney, Australia) can be found here:

https://www.pcisecuritystandards.org/education/training.shtml

 

PCI SSC Launch a Prioritisation Framework for PCI DSS v1.2

PCI SSC have produced an informative document, and a spreadsheet tool, with which merchants can prioritise and work towards compliance. This framework puts forward a possible order of 'attack' when considering which areas of non-compliance to address first, and is written from a risk management point of view. The framework puts forward 6 steps to compliance:

1) Remove sensitive authentication data and limit data retention.

2) Protect the perimeter, internal, and wireless networks.

3) Secure payment applications.

4) Monitor and control access to your systems.

5) Protect stored cardholder data.

6) Finalise remaining compliance efforts, and ensure all controls are in place.

 

PCI PED FAQs Updated

The PCI PED v2.x FAQs were updated in February, to include information on how TR-31 keys are to be used and when it is acceptable for firmware to be updated without authentication, amongst other things. More updates are coming, so remember to check the FAQ list often!

https://www.pcisecuritystandards.org/pdfs/pci_ped_technical_faqs.pdf

 

Witham Laboratories Launches its Education Services

Witham Laboratories has launched a series of education products providing information on all of the PCI standards, cryptography, and general payment systems operation. For examples of the types of information Witham can provide as part of these education services, visit the resources page of this website, where example presentations are provided. These presentations are just a small part of the education packages offered by Witham Laboratories; for further information, please contact us.

 

Witham Laboratories Updates its 'Resources' Webpage

The 'resources' area of www.withamlabs.com has been updated to include links to previous editions of the newsletter, and links to samples of the educational presentations provided by Witham Laboratories regarding PCI and payments security issues. New presentations linked on this page include 'PCI Standards - Scope and Application' (which is a companion presentation to the previously released 'PCI Standards Overview' presentation), as well as a short introduction to the PCI PED testing process. You can find the resources page here:

http://www.withamlabs.com/witham-labs-resources.html

 

MD5 Certificate Exploit

For those of you who missed the news when it first appeared at the end of last year, an attack using a chosen-prefix MD5 collision to produce a rogue CA certificate has been demonstrated: a certificate legitimately signed by a commercial CA (still using MD5 for its signatures) was crafted so that the same signature also validated an attacker-controlled intermediate CA certificate, which browsers trusting that root would accept. This is the final death knell for MD5 in applications where collisions could be a problem. CAs should no longer issue MD5-signed certificates, and relying parties should check their trust stores and certificate chains for MD5-based signature algorithms. Details on the exploit can be found here:

http://www.withamlabs.com/witham-labs-resources/226-fake-ca-cert-produced-using-md5-collision.html
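As an added example (not code from the original newsletter or from Witham Laboratories), the following Python script performs the check a practitioner would want after this news: it walks the outer DER structure of an X.509 certificate with no third-party libraries and reports whether the signatureAlgorithm is md5WithRSAEncryption (or the older MD2/MD4 variants). Because a real MD5-signed certificate is not embedded here, the script also constructs a certificate-shaped DER blob with a chosen signature OID purely as sample input; that blob is a constructed stand-in, not a genuine certificate, and the OID names are the standard PKCS#1 values.

```python
"""Audit PEM certificates for MD5-based signature algorithms.

Added example, not Witham Laboratories' code. Only the outer
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
is parsed; single-byte tags and definite lengths are all a DER cert uses here.
"""
import base64
import sys

# Standard PKCS#1 signature-algorithm OIDs (RFC 3279 / RFC 4055).
OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Signature algorithms built on hashes with practical collision attacks.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.3", "1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER contents to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm_oid(der):
    """Dotted OID from the outer signatureAlgorithm of a DER Certificate."""
    tag, start, _, _ = _read_tlv(der, 0)   # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, _, pos = _read_tlv(der, start)   # skip tbsCertificate
    tag, a_start, _, _ = _read_tlv(der, pos)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, o_start, o_end, _ = _read_tlv(der, a_start)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return _decode_oid(der[o_start:o_end])


def uses_md5_signature(pem):
    return signature_algorithm_oid(pem_to_der(pem)) in WEAK_SIG_OIDS


def audit_chain(pems):
    """Return [(index, algorithm name or raw OID, flagged)] for each PEM cert."""
    report = []
    for i, pem in enumerate(pems):
        oid = signature_algorithm_oid(pem_to_der(pem))
        report.append((i, OID_NAMES.get(oid, oid), oid in WEAK_SIG_OIDS))
    return report


# --- constructed sample input (not a real certificate) ----------------------
def _tlv(tag, payload):
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:                            # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)


def build_sample_cert(sig_oid):
    """Certificate-shaped DER with a dummy tbsCertificate and the given signature OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + bytes(16))                       # BIT STRING, dummy signature
    der = _tlv(0x30, tbs + alg + sig)
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pems = [open(p).read() for p in sys.argv[1:]] or [build_sample_cert("1.2.840.113549.1.1.4")]
    for idx, name, flagged in audit_chain(pems):
        print(f"cert {idx}: {name} {'<-- REPLACE' if flagged else 'ok'}")
```

Run it with the PEM files of a chain as arguments (`python audit_md5.py root.pem intermediate.pem leaf.pem`); with no arguments it audits the constructed MD5-signed sample. The parser deliberately reads only the outer signatureAlgorithm, which is the field that determines how the issuer's signature was produced; the tbsCertificate's inner signature field should match it, and a mismatch is itself worth flagging in a fuller audit.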