No subject


Wed Nov 1 13:33:48 EST 2006


"PIN entry must be performed in such a way that cashiers, checkout
attendants, customers, and people nearby cannot easily observe the PIN
during entry by the cardholder. Therefore, PCI requires that the PIN entry
device be equipped with proper shielding protection for privacy – "to
provide a means to deter the visual observation of the PIN values as they
are being entered by the cardholder," '

Is a little at odds with the 25% shoulder surf statistic Eoin commented on
earlier in the week.

Maybe card companies should ask restaurant staff that use the handhelds
how often they see the entire pin of the customer (without actually
trying). Remember it's not something they can look away from, as they
generally have to walk the customer through the new process and of course
make sure that the customer leaves a tip at the appropriate stage when
paying!
(In our line of work it's very good to be negative.....in a positive kind
of way.)
T
-----Original Message-----
From: Chris Madden [mailto:chris.madden at trintech.com]
Sent: 12 October 2005 11:16
To: 'Tony Palmer'; OWASP-Ireland at lists.sourceforge.net
Subject: RE: [OWASP-Ireland] chip & pin

Hi Tony,

In general, the requirements for the "privacy shield" for pin entry
devices were relaxed since PCI PED superseded Visa's VisaPED specs.
Germany, having the most stringent PED security requirements in
Europe/worldwide, has not relaxed their requirements.

AFAIK, this relaxation is partly related to accessibility and disability
requirements/specifications.

PCI PED and VisaPED specify things like the minimum angle from the '5' key
(5 being the middle key on the keypad) to the top of the wall of the
privacy shield above and to the sides of the '5' key.

For handheld terminals, the requirements for the privacy shield are also
relaxed - the rationale being that the user can use their body as a shield
when they are holding the terminal.

See VisaPED section 3.4 Privacy Shield Requirement:
http://international.visa.com/fb/vendors/pin/Visa_PED_Program_Guide.pdf
for more info.

Chris


From: Tony Palmer [mailto:tony.palmer at vordel.com]
Sent: 11 October 2005 11:37
To: Eoin.Keary at allianz.ie; OWASP-Ireland at lists.sourceforge.net
Subject: RE: [OWASP-Ireland] chip & pin

Hi,
 One thing that really bugs me about the new chip and pin system is the way
in which the pin is entered. Some of the terminals such as those in
supermarkets offer little in the way of privacy when inputting the pin. Up
to now pins have been mostly used at ATMs where your body is a good
physical screen, but now usually the terminal is between you and the
retailer, more often than not in plain view of other customers too.
A step back for pin security???
T
-----Original Message-----
From: owasp-ireland-admin at lists.sourceforge.net
[mailto:owasp-ireland-admin at lists.sourceforge.net] On Behalf Of
Eoin.Keary at allianz.ie
Sent: 11 October 2005 12:28
To: OWASP-Ireland at lists.sourceforge.net
Subject: [OWASP-Ireland] chip & pin

http://news.bbc.co.uk/2/hi/business/4320072.stm

BBC has an article on Chip and Pin and the effect it has had on card
fraud, as mentioned by Chris at his PCI presentation last meeting.
- might be "marketing guff"? Chris, any comments?

Eoin




BTW, Next OWASP meeting (End of Nov)


Wishlist for next meeting (end of November)

1. WebGoat tutorial/walkthrough.
2. WebScarab walkthrough. - DONE
3. Secure Code practices and pitfalls.
4. PCI (Credit card standard) - DONE
5. Integration of security into the SDLC.
6. OWASP Top 10
7. Forensics + best practice for incident response


Eoin Keary





xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Allianz Ireland p.l.c. and Allianz Corporate Ireland p.l.c. are companies
of the Allianz Group, Europe's leading global insurer and provider of
financial services.
For more information on our products and services log on to www.allianz.ie
or call us on (01)613 3000.

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action or reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you have
received this in error, please contact the sender and delete the material
from your computer.

Allianz Ireland p.l.c. trading as Allianz is regulated by the Irish
Financial Services Regulatory Authority (IFSRA).
Allianz Corporate Ireland p.l.c. trading as Allianz is regulated by the
Irish Financial Services Regulatory Authority (IFSRA).
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx




This e-mail is business-confidential and may be privileged. If you are not
the intended recipient, please notify us immediately and delete it. If the
email does not relate to Vordel's business then it is neither from nor
authorized by Vordel. Thank you.


******************************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed. If you have received this email in error please
contact the Helpdesk at 3955.
******************************************************************************

At the point of "shoulder surfing" it would be up to the supermarket staff,
the cashier, to assure the security of the company.
I don't think this will ever happen for obvious reasons.

Eoin Keary
Contractor
Allianz Ireland
IT Security (Tech Admin)
Security Projects Division
Dir: + 353-1-613-3490
Mob: + 353-87-904-1922
Mailto:eoin.keary at allianz.ie
Ph  01 6133490

"Tony Palmer" <tony.palmer at vordel.com>
Sent by: owasp-ireland-admin at lists.sourceforge.net
12/10/2005 11:46
To: <OWASP-Ireland at lists.sourceforge.net>
cc:
Subject: RE: [OWASP-Ireland] chip & pin




