View Full Version : Possible PED Vulnerability?
wconway
02-28-2008, 07:38 AM
I saw the following article http://technology.newscientist.com/channel/tech/dn13385-credit-card-readers-vulnerable-to-attack.html?feedId=online-news_rss20 in New Scientist and would like to get comments from this Forum. The article describes a vulnerability in PEDs, including (as far as I can read between the lines) PCI PIN PED approved devices.
Given the photos we saw in Toronto of compromised POS devices, does this article describe a potential vulnerability for PEDs, too? I'd be curious to see a response from the SSC Technical Committee if this is real.
wconway
02-29-2008, 06:50 AM
It may be unusual to respond to my own post, but it appears after further reading and research that these devices were 'pre-PCI' certified. That is, they were not PCI PED certified. The exploits that are performed within the paper only apply to plaintext PINs used in EMV-based transactions. It appears, therefore, the risk can be addressed by regular inspection of the POS equipment. We saw pictures in Toronto of compromised POS devices with everything from a bug to a SIM card installed by bad guys. It looks like the idea is to physically check the devices. See also Mike's post in his blog: http://pcianswers.com/2008/02/28/hacking-chip-and-pin/
ADail
03-21-2009, 05:29 PM
Keep in mind with PEDs (and take with a grain of salt that I mostly deal with automated fuel dispensers, so I deal with DUKPT-style implementations of DES and 3TDES) that a certain level of relativity exists.
The PCI approved PEDs are mostly to be considered "tamper resistant" and "tamper evident". The newer 3TDES capable models are even more secure and most of those can't be opened without wiping the key.
AredeGot73
11-15-2009, 10:20 AM
Does anyone know how long it will be possible to use VISA PED certified POS PIN PADs? Any links and information is highly appreciated. Thank you very much for your replies.
jbhall56
11-15-2009, 05:34 PM
See https://partnernetwork.visa.com/vpn/global/category.do?userRegion=1&categoryId=19&documentId=33
From what I recall, the Visa standards have been superseded by the PCI PIN Transaction Security (PTS) standard which itself is the outgrowth of the PCI PIN Entry Device (PED) standard. While no longer in effect, Visa still maintains the PIN Security and Key Management program information on their Web site above.
lyalc
11-15-2009, 06:25 PM
Further, some recent research shows that the previous brand PED certifications have been grandfathered into the PCI PED program until the product's certification expires, notionally 10 years after being certified (this is a grey/complex area since product updates, redesigns etc. may impact the 'certification date'. Check the exact model number and firmware on the PCI PED list closely before signing purchase orders!).
lyalc
andrewj
11-24-2009, 12:25 PM
You are no longer allowed (i.e. you no longer gain the associated liability shift, and you will not be compliant with your PCI PIN audit requirements) to purchase or deploy devices that are not on the PCI PTS approved list - this includes devices which are approved to 'pre-PCI' standards.
Devices which are already in the field have different mandates. If they have not been approved to any standard by a lab (i.e. neither PCI PTS nor a 'pre-PCI' standard) then they must be removed from the field by the middle of next year. Devices which are 'pre-PCI' approved, and in the field already, currently do not have a sunset date, but this will come eventually. Planning for sometime around 2014 would be prudent, but I am not a card scheme, so don't take my word for this.