[OWASP-Ireland] chip & pin
Chris Madden
chris.madden at trintech.com
Wed Oct 12 06:15:34 EDT 2005
Hi Tony,
In general, the requirements for the "privacy shield" for pin entry devices
were relaxed since PCI PED superseded Visa's VisaPED specs.
Germany, having the most stringent PED security requirements in
Europe/worldwide, has not relaxed their requirements.
AFAIK, this relaxation is partly related to accessibility and disability
requirements/specifications.
PCI PED and VisaPED specify things like the minimum angle from the '5' key
(5 being the middle key on the keypad) to the top of the wall of the privacy
shield above and to the sides of the '5' key.
For handheld terminals, the requirements for the privacy shield are also
relaxed - the rationale being that the user can use their body as a shield
when they are holding the terminal.
See VisaPED section 3.4 Privacy Shield Requirement:
http://international.visa.com/fb/vendors/pin/Visa_PED_Program_Guide.pdf
for more info.
Chris
_____
From: Tony Palmer [mailto:tony.palmer at vordel.com]
Sent: 11 October 2005 11:37
To: Eoin.Keary at allianz.ie; OWASP-Ireland at lists.sourceforge.net
Subject: RE: [OWASP-Ireland] chip & pin
Hi,
One thing that really bugs me about the new chip and pin system is the way in
which the pin is entered. Some of the terminals such as those in
supermarkets offer little in the way of privacy when inputting the pin. Up
to now pins have been mostly used at ATMs where your body is a good
physical screen, but now usually the terminal is between you and the
retailer, more often than not in plain view of other customers too.
A step back for pin security???
T
-----Original Message-----
From: owasp-ireland-admin at lists.sourceforge.net
[mailto:owasp-ireland-admin at lists.sourceforge.net] On Behalf Of
Eoin.Keary at allianz.ie
Sent: 11 October 2005 12:28
To: OWASP-Ireland at lists.sourceforge.net
Subject: [OWASP-Ireland] chip & pin
http://news.bbc.co.uk/2/hi/business/4320072.stm
BBC has an article on Chip and Pin and the effect it has had on card fraud,
as mentioned by Chris at his PCI presentation last meeting.
- might be "marketing guff"? Chris, any comments?
Eoin
BTW, Next OWASP meeting (End of Nov)
Wishlist for next meeting (end of November)
1. WebGoat tutorial/walkthrough.
2. WebScarab walkthrough. - DONE
3. Secure Code practices and pitfalls.
4. PCI (Credit card standard) - DONE
5. Integration of security into the SDLC.
6. OWASP Top 10
7. Forensics + best practice for incident response
Eoin Keary