Secure Payments, PCI DSS, Regulatory Compliance Blog

PIN security rises in importance

August 8th, 2008 by admin Posted in Chip PIN, Credit Card Fraud, Merchant, PCI PIN

Evan Schuman of StoreFrontBackTalk reminds us that a card compromise which results in fraudulent ATM withdrawals can mean only one thing: the attackers had access to the cardholder’s PIN.  He makes the point in reference to the recent indictment:

But the indictment casually mentions a potentially very serious fact. The group was charged with possessing customers’ track 2 debit card data—among other things. In theory, that shouldn’t have permitted ATM cash access because of the typical debit card key management technique known as DUKPT (Derived Unique Key Per Transaction).

Whether the hackers were able to decrypt the encrypted PIN block or simply had access to the unencrypted PIN value, the case brings the ever-important PCI PED requirements back into focus.  For years now companies have been working to address PCI DSS compliance, but have they ever stopped to ask whether they are PCI PED compliant?

PED, or PIN Entry Device, refers to the hardware and integrated software used in devices such as ATMs and retail debit terminals.  If you ever type your PIN into a terminal, you are using a PED.  There is an intricate list of steps and procedures for properly receiving, loading, and managing the encryption keys that protect the PIN, and an equal number of mistakes a company can make that leave the PIN unprotected.
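As an added illustration in Go (not code from the post or from StoreFrontBackTalk) of what a PED does with the PIN and the PAN it reads from track 2: it builds an ISO 9564 format 0 PIN block and encrypts it under a double-length TDES key, which here stands in for a DUKPT transaction key. The PAN, PIN and both keys are constructed test values, and the DUKPT key derivation itself is not shown.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// formatZeroPINBlock builds an ISO 9564-1 format 0 PIN block: field 1 (nibble 0, PIN
// length, PIN, F padding) XOR field 2 ("0000" + 12 rightmost PAN digits, no check digit).
func formatZeroPINBlock(pin, pan string) (block [8]byte, err error) {
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 {
		return block, errors.New("PIN must be 4 to 12 digits and PAN at least 13 digits")
	}
	f1, err1 := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, "FFFFFFFFFFFFFF"[:14-len(pin)]))
	f2, err2 := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	if err1 != nil || err2 != nil {
		return block, errors.New("PIN and PAN must be decimal digits")
	}
	for i := range block {
		block[i] = f1[i] ^ f2[i] // mixing in the PAN is formatting, not secrecy
	}
	return block, nil
}

// encryptPINBlock applies double-length TDES (K1,K2,K1) as a PED does with its current
// transaction key; all PIN secrecy rests on this key, so DUKPT changes it per transaction.
func encryptPINBlock(block [8]byte, key16 []byte) (out [8]byte, err error) {
	if len(key16) != 16 {
		return out, errors.New("need a 16-byte double-length key")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return out, err
	}
	c.Encrypt(out[:], block[:])
	return out, nil
}

func main() {
	// Constructed sample values: a test PAN, a PIN and two stand-in transaction keys.
	pan, pin := "4111111111111111", "1234"
	k1, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	k2, _ := hex.DecodeString("11223344556677888877665544332211")
	block, _ := formatZeroPINBlock(pin, pan)
	c1, _ := encryptPINBlock(block, k1)
	c2, _ := encryptPINBlock(block, k2)
	fmt.Printf("clear block %X\nunder key 1 %X\nunder key 2 %X\n", block, c1, c2)
}
```

Because the PAN only enters the block through an XOR, track 2 data plus the ciphertext yields nothing without the key; the key, and how the PED receives and stores it, is what the PCI PED requirements are about.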

Remember that when it comes to fraud, and the financial risk to a company, everything hinges on the attacker's ability to compromise what is called Sensitive Authentication Data.  Sensitive authentication data includes:

  1. Magnetic Stripe or Track Data
  2. CVV2, CVC2, CID
  3. PIN numbers or PIN block data

The PCI PED standard goes into far more detail about protecting the third piece of sensitive authentication data: PIN and PIN block data.  If you feel safe and secure about your current environment because you are PCI DSS compliant or because you use Chip-PIN, then ask yourself if you are also PCI PED compliant and are using PED-lab approved devices.

One Response to “PIN security rises in importance”

By Andrew on Aug 8, 2008

    Your link to the approved devices is actually for devices approved under the old Visa PED standard, which is now deprecated. Devices approved under this standard no longer convey the liability shift if bought after December 2007.

    The list for PCI approved devices can be found at the PCI SSC PED page.

    It is not clear to me how the parties involved in this attack gained access to the plaintext PIN blocks, although it is probably because of one of:
    i) The PEDs were being deployed / used in an insecure way
    ii) The PEDs were using single DES for PIN encryption
    iii) The hackers gained access to the DP centre through which the PINs were being switched/translated
