Security & Compliance - PIN Entry Device Evaluations

Witham Laboratories specialises in the independent security evaluation of all security aspects of payment devices - particularly PIN Entry Devices and those providing cryptographic services.

PCI PIN Entry Device requirements

A presentation detailing the PCI PED testing and evaluation process can be downloaded here. All devices that accept MasterCard, Visa, JCB, Discover, or American Express PINs must be evaluated by a PCI approved laboratory. Witham Laboratories is the only organisation in the Asia-Pacific region accredited by the PCI to test PIN Entry Devices (PEDs), among only eight in the world.

Witham Laboratories can perform full evaluations on any device, and provide guidance to assist in the understanding of the PCI criteria, which can often be daunting. PCI currently have standards for the evaluation of POS PIN Entry Devices (POS PED), and Encrypting PIN Pads (EPP). New standards for Unattended Payment Terminals (UPT) and Hardware Security Modules (HSM) are under consideration.

Our clients find our knowledge of how the PCI criteria apply to their individual products invaluable. As an independent laboratory, we are not permitted to assist in the design of a product, but we offer a pre-evaluation service to begin assisting clients as early as possible in their projects. Experience has shown that a pre-evaluation helps to avoid problems early in the design of a product, saving time and money further down the track.

Many devices are not compliant with the PCI standard when submitted for the first evaluation. We strongly recommend that additional time is factored into projects to allow for additional evaluations, and that the cost of a second evaluation is considered when comparing prices.

APCA requirements for PIN Entry Devices

All PIN Entry Devices for the Australian market must be evaluated by an APCA approved laboratory. Witham Laboratories is the only APCA accredited laboratory in the Asia-Pacific region. As we are Australian based, we have close ties to APCA and can provide important insight into the requirements and processes involved in gaining accreditation.

The APCA requirements are provided in Standards Australia's AS 2805.14, which is similar to ISO 13491, from the International Organization for Standardization. Currently, APCA recognises the evaluation of POS PIN Entry Devices (POS PED), Automatic Teller Machines (ATM), Hardware Security Modules (HSM), and Encrypting PIN Pads. We are the only laboratory with experience in evaluating all of these devices to APCA requirements.

Witham Laboratories is the premium provider of evaluations in the Asia-Pacific region:

The evaluation process

Once supplied with a minimum level of samples and supporting documentation, our evaluations are conducted as quickly and efficiently as possible - typically 4 weeks for a full report. A full APCA evaluation will take about 4 weeks as well. Once the report is completed, we seek the client's approval before sending it to APCA for accreditation. This can take 2-4 weeks.

We happily provide valuable feedback to our clients throughout evaluations, maintaining close contact and offering as much advice and guidance as possible. Our advice has assisted a number of manufacturers to quickly bring their products into compliance with the new PCI requirements.



We are accredited to evaluate devices against international standards such as those of the Payment Card Industry (PCI), as well as local standards of varying regions, such as those of the Australian Payments Clearing Association (APCA).
