PCI PED/EPP Labs
Susan
05-05-2008, 04:01 PM
Does anyone have experience in working with the PCI PED labs that they can share? I am working to select a PCI PED lab/vendor for my clients and want to ensure I select the "best". Any insight would be appreciated: the good, the bad and the ugly, if it exists.
andrewj
05-06-2008, 01:07 PM
Hello Susan,
As far as I know, Witham Laboratories is the only PED lab represented on this forum. Certainly, we are the only lab that regularly posts to it. Also, I do not believe that there are any PED vendors represented on this list (although I could certainly be wrong about that). Although there is an obvious conflict of interest in my putting forward the case for my lab, you could email Mike for a personal reference regarding my general competence (I am the Technical Manager of Witham Laboratories).
Finally, before you proceed much further with your lab selection, it is important for you to clarify what your customers' criteria are for establishing the "best" lab. Is it the cheapest? The one that does the most detailed work? The one that will do the work quickest? The one that will pass their device with the least problems?
The general procedure for a PED evaluation is that the vendor supplies a number of sample devices (3 or more), along with design details (schematics, PCB layouts, source code, software design procedures/policy, key loading details, amongst others). The lab then evaluates the samples and information according to the PCI PED criteria (v2.0 now), and produces a report.
If the report is positive, it can then be sent to PCI for evaluation. Here, it is examined by people from each of the five card brands, who may ask questions and seek clarifications on the content. Ten working days after the last question has been answered to the satisfaction of the reviewers, and no further questions have been forthcoming, the device will be approved and listed on the PCI PED approved devices list.
dbergert
05-06-2008, 01:44 PM
I do not know Andrew - but based on his knowledgeable posts to this forum alone - he would be on my shortlist for this type of review.
It doesn't look like there are many providers to choose from - and there is only one based in the US.
https://www.pcisecuritystandards.org/pin/pcilaboratories.html
lyalc
05-07-2008, 02:17 AM
I do know Andrew and most of the team he works with, and I'm happy to say I have worked together with them in the past, albeit briefly.
I also have clients who are using Andrew for device evaluations and are happy.
As Andrew said, ensuring clear selection criteria is important.
I'd add: finding a way to measure against these criteria, often in international locations, is not trivial. Usually, getting some references from each of the labs is going to be the means of whittling down to a short list.
Other than those words, choose away!
lyalc
study
03-22-2009, 07:41 PM
Does anyone still remember that a customer's PIN was stolen after they used an ATM because a false keypad was placed on the original keypad?
Recently, a homeATM device appeared on the website. It seems that the device has passed PCI PED 2.0 approval. Based on the picture of the device shown on the website (http://pindebit.blogspot.com/2009/02/homeatm-slider-now-compatible-with-your.html), if a false keypad which includes a bug monitoring the PIN being pressed can be adhered to the current keypad, do you think it will be easy or difficult to do this?