No subject


Wed Nov 1 13:33:48 EST 2006


From Section 3.4:

"PIN entry must be performed in such a way that cashiers, checkout
attendants, customers, and people nearby cannot easily observe the PIN
during entry by the cardholder. Therefore, PCI requires that the PIN entry
device be equipped with proper shielding protection for privacy - 'to
provide a means to deter the visual observation of the PIN values as they
are being entered by the cardholder'."

 

Is a little at odds with the 25% shoulder surf statistic Eoin commented on
earlier in the week. 

 

Maybe card companies should ask restaurant staff that use the handhelds how
often they see the entire pin of the customer (without actually trying).
Remember it's not something they can look away from, as they generally have to
walk the customer through the new process and of course make sure that the
customer leaves a tip at the appropriate stage when paying!

(In our line of work it's very good to be negative.....in a positive kind of
way.)

T

-----Original Message-----
From: Chris Madden [mailto:chris.madden at trintech.com] 
Sent: 12 October 2005 11:16
To: 'Tony Palmer'; OWASP-Ireland at lists.sourceforge.net
Subject: RE: [OWASP-Ireland] chip & pin

Hi Tony,

 

In general, the requirements for the "privacy shield" for pin entry devices
were relaxed since PCI PED superseded Visa's VisaPED specs. 

Germany, having the most stringent PED security requirements in
Europe/worldwide, has not relaxed its requirements.

 

AFAIK, this relaxation is partly related to accessibility and disability
requirements/specifications.

 

PCI PED and VisaPED specify things like the minimum angle from the '5' key
(5 being the middle key on the keypad) to the top of the wall of the privacy
shield above and to the sides of the '5' key.

 

For handheld terminals, the requirements for the privacy shield are also
relaxed - the rationale being that the user can use their body as a shield
when they are holding the terminal.

 

See VisaPED section 3.4 Privacy Shield Requirement:
http://international.visa.com/fb/vendors/pin/Visa_PED_Program_Guide.pdf
for more info.

 

Chris

 


  _____  


From: Tony Palmer [mailto:tony.palmer at vordel.com] 
Sent: 11 October 2005 11:37
To: Eoin.Keary at allianz.ie; OWASP-Ireland at lists.sourceforge.net
Subject: RE: [OWASP-Ireland] chip & pin

 

Hi,

One thing that really bugs me about the new chip and pin system is the way in
which the pin is entered. Some of the terminals, such as those in
supermarkets, offer little in the way of privacy when inputting the pin. Up
to now pins have been mostly used at ATMs, where your body is a good
physical screen, but now usually the terminal is between you and the
retailer, more often than not in plain view of other customers too.

A step back for pin security???

T

-----Original Message-----
From: owasp-ireland-admin at lists.sourceforge.net
[mailto:owasp-ireland-admin at lists.sourceforge.net] On Behalf Of
Eoin.Keary at allianz.ie
Sent: 11 October 2005 12:28
To: OWASP-Ireland at lists.sourceforge.net
Subject: [OWASP-Ireland] chip & pin


http://news.bbc.co.uk/2/hi/business/4320072.stm         

BBC has an article on Chip and Pin and the effect it has had on card fraud,
as mentioned by Chris at his PCI presentation last meeting.
- might be "marketing guff"? Chris, any comments?

Eoin 




BTW, Next OWASP meeting (End of Nov)


Wishlist for next meeting (end of November) 

1. WebGoat tutorial/walkthrough.
2. WebScarab walkthrough. - DONE
3. Secure Code practices and pitfalls.
4. PCI (Credit card standard) - DONE
5. Integration of security into the SDLC.
6. OWASP Top 10
7. Forensics + best practice for incident response 


Eoin Keary





xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Allianz Ireland p.l.c. and Allianz Corporate Ireland p.l.c. are companies of
the Allianz Group, Europe's leading global insurer and provider of financial
services. 
For more information on our products and services log on to www.allianz.ie
or call us on (01)613 3000.

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action or reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you have
received this in error, please contact the sender and delete the material
from your computer.

Allianz Ireland p.l.c. trading as Allianz is regulated by the Irish
Financial Services Regulatory Authority (IFSRA). 
Allianz Corporate Ireland p.l.c. trading as Allianz is regulated by the
Irish Financial Services Regulatory Authority (IFSRA).
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx





This e-mail is business-confidential and may be privileged. If you are not
the intended recipient, please notify us immediately and delete it. If the
email does not relate to Vordel's business then it is neither from nor
authorized by Vordel. Thank you.



I'd disagree with the idea of asking staff about pin observations. This
actively encourages staff to attempt to observe pins even though this is
not the intent - giving license/excuse to malicious staff to do so.

Also, take the example:

A staff member, Alice, reports that they've observed more pins than other
staff.

Another staff member, Mallory, happens to have observed lots of pins,
including one for a card a customer left behind. Mallory reports having
seen no/low pins but commits fraud with the card and pin.

Simple example, but in this case Alice, pin observer extraordinaire, would
look more guilty than Mallory.

A better approach would be for the staff to actively warn/encourage the
customer to block their pin when entering it and then look away for this
part of the transaction.

Some terminals take this approach by displaying a prompt before pin entry
that does this.

This approach would be a preventative rather than detective measure.

I think with proper education this 25% figure could be significantly
reduced.

Chris


  _____  


From: Tony Palmer [mailto:tony.palmer at vordel.com] 
Sent: 12 October 2005 11:45
To: OWASP-Ireland at lists.sourceforge.net
Subject: RE: [OWASP-Ireland] chip & pin