[jpos-users] Establishing Security Zone Between POS terminal and HSM


[jpos-users] Establishing Security Zone Between POS terminal and HSM

by ola-11


Hello,

Please, I am facing a security challenge here. I want to establish a
security zone between my POS terminal application (written in C) and,
say, an HSM for PIN translation. How do I do this? I don't want to
transmit the PIN entered from the terminal PIN pad in clear text to
the HSM (which is usually through an IP and a port), but in an
encrypted PIN BLOCK format. Can someone please give me a guide?
Sample code and references will be appreciated.

Thanks,

Ola.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the  "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-users@...
To unsubscribe, send email to jpos-users+unsubscribe@...
For more options, visit this group at http://groups.google.com/group/jpos-users
-~----------~----~----~----~------~----~------~--~---


[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by David Bergert-2


This is typically not done in software but in a PED - Pin Entry Device

https://www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html?mn=I

https://www.pcisecuritystandards.org/security_standards/ped/index.shtml


David Bergert, CISSP, CISA, CPISM/A
www.paymentsystemsblog.com

On Oct 14, 2009, at 11:11 AM, ola wrote:

> I dont want to
> transmit the PIN entered from the terminal PIN pad in clear text to
> the HSM (which is usually through an IP and a port), but in an
> encrypted PIN BLOCK format




[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11


Yes, agreed, but all the POS terminal devices in my locality are not
PIN-PED certified, and I believe something is being used before the PED
spec. So, if the PIN pad has no PED, how do I still achieve my security
zone, say by generating a PIN block using triple DES?



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by Mark Salter-5


ola wrote:
> Yes, agreed, but all the POS terminal devices in my locality are not
> PIN-PED certified, and I believe something is being used before PED
> spec.
So your POS devices pass you the PIN in the clear, across a network,
between organisations, outside of a PIN block?

May I ask what your locality is - just interested?

> So, if the Pinpad has no PED, how do I still acheive my security
> zone, saying generating PINBLOCK using tripple DES?
I can accept your concern about not *adding* to the risk of exposure of
the cardholder's PIN, but does your locality permit the use of these POS
devices with PIN *if* they do not protect the PIN at all?

You can certainly make a PIN block (what format is your HSM expecting?),
but as David indicates this seems very unusual.

You could do this in software, you just need the algorithm, but you will
need a clear DES key for generating the PIN block, unless you go to an
HSM to generate the PIN block, but then you have the same problem (of
transporting the PIN in the clear *and* the risk to your DES key(s)).

May I also check that you have exhausted all PIN processing options with
your POS devices before arriving at this need?  Having to deal with
clear PINs really is unusual; I imagine your HSM does not expect
a clear PIN to be placed in any of its input message fields.

The approach feels flawed whilst you have the original problem of a
clear PIN to deal with.

Can you encrypt the whole message exchange (you to POS and/or you to HSM
system?).

--
Mark
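Mark's remark that the PIN block is "just the algorithm" refers to a standard format. As an added example (not code from this thread or from jPOS), the Python below builds and decodes an ISO 9564-1 format 0 (ANSI X9.8) clear PIN block: the 8-byte value a terminal forms from the PIN and PAN before 3DES-encrypting it under its terminal PIN key, and the structural check an HSM applies after decrypting it for translation. The PAN and PIN values are constructed, and the 3DES step and key are deliberately left to the PED or HSM, as the thread recommends.

```python
"""ISO 9564-1 format 0 (ANSI X9.8) PIN block: build the clear block that a
terminal encrypts under its terminal PIN key (TPK), and the reverse check
an HSM performs when it translates the block to a zone PIN key (ZPK).

Added example, not code from the thread or from jPOS. The 3DES step and the
key are intentionally absent: the clear block must only ever exist inside
the PED or the HSM. The PAN/PIN values in the demo are constructed."""


def _digits(value: str) -> str:
    """Strip spaces and reject anything that is not a decimal digit."""
    stripped = value.replace(" ", "")
    if not stripped.isdigit():
        raise ValueError("input must contain only decimal digits")
    return stripped


def pan_field(pan: str) -> bytes:
    """PAN field: four zero nibbles followed by the 12 rightmost PAN digits,
    excluding the Luhn check digit. A PAN shorter than 13 digits is
    left-padded with zeros so the field is always 8 bytes."""
    digits = _digits(pan)
    if len(digits) < 2:
        raise ValueError("PAN too short")
    body = digits[:-1]                      # drop the check digit
    return bytes.fromhex("0000" + body[-12:].rjust(12, "0"))


def pin_field(pin: str) -> bytes:
    """PIN field: control nibble 0, PIN length nibble (4..12), the PIN
    digits, then F-nibble padding up to 16 nibbles (8 bytes)."""
    digits = _digits(pin)
    if not 4 <= len(digits) <= 12:
        raise ValueError("PIN length must be 4..12 digits")
    return bytes.fromhex(("0%X%s" % (len(digits), digits)).ljust(16, "F"))


def build_iso0_pin_block(pin: str, pan: str) -> bytes:
    """Clear ISO format 0 PIN block = PIN field XOR PAN field (8 bytes).
    This is the value the terminal feeds to 3DES under the TPK; it must
    never leave the secure boundary in this form."""
    return bytes(p ^ q for p, q in zip(pin_field(pin), pan_field(pan)))


def extract_pin_iso0(block: bytes, pan: str) -> str:
    """Reverse operation (inside the HSM): XOR the PAN field back out and
    validate the structure. A block decrypted under the wrong key, or bound
    to a different PAN, almost always fails the format/padding checks
    instead of yielding a plausible PIN; binding the PAN into the format is
    what makes the block useless if replayed against another card."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    field = bytes(b ^ q for b, q in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not an ISO format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block format check failed")
    return pin


if __name__ == "__main__":
    # Constructed demo values; not a real card.
    demo_pan, demo_pin = "4000 0012 3456 7899", "1234"
    block = build_iso0_pin_block(demo_pin, demo_pan)
    print("clear ISO-0 block:", block.hex().upper())       # 041234FEDCBA9876
    print("recovered PIN:   ", extract_pin_iso0(block, demo_pan))
    try:
        extract_pin_iso0(block, "4000009876543217")       # a different PAN
    except ValueError as err:
        print("wrong PAN rejected:", err)
```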



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11


> So your POS devices pass you the PIN in the clear, across a network,
> between organisations, outside of a PIN block?
NO! This is done through the software. What I mean is that most of
the terminals are not PIN-PED, but rather have an encryption algorithm
loaded on the PIN pad or within the POS app.

> but does your locality permit the use of these POS
> devices with PIN *if* they do not protect the PIN at all?

NO! The PIN has to be protected with at least Triple DES.

> You could do this in software, you just need the algorithm, but you will
> need a clear DES key for generating the PIN block
> Can you encrypt the whole message exchange (you to POS and/or you to HSM
> system?).

I need a guide on how to generate the PIN block.




[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by chhil


The jPOS wiki has an HSM section with an IBM URL that contains PIN block
info.

-Chhil



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by Mark Salter-5


ola wrote:
>> So your POS devices pass you the PIN in the clear, across a network,
>> between organisations, outside of a PIN block?
> NO! This is done through the software. What I mean is that most of
> the terminals are not PIN-PED, but rather have an encryption algorithm
> loaded on the PIN pad or within the POS app.

So the clear PIN travels from the device to your app over whatever
networks in clear, outside a PIN block?

>
>> but does your locality permit the use of these POS
>> devices with PIN *if* they do not protect the PIN at all?
>
> NO! The PIN has to be protected with at least Triple DES.
But you are getting it in the clear?

How is that possible *if* the PIN 'has to be protected', please help me
understand the connection/link between your POS device(s) and your
application.

>
>> You could do this in software, you just need the algorithm, but you will
>> need a clear DES key for generating the PIN block
>> Can you encrypt the whole message exchange (you to POS and/or you to HSM
>> system?).
>
> I need guide on how to generate the PIN block.

This is freely available, you can search for it.

I think you must question your need though - as I ask above.

--
Mark



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by Mark Salter-5


Mark Salter wrote:
> ola wrote:
>> Yes, agreed, but all the POS terminal devices in my locality are not
>> PIN-PED certified, and I believe something is being used before PED
>> spec.
> May I ask what your locality is - just interested?
>
By your email headers, I surmise that your processing is running in Nigeria?

--
Mark



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by MONKVILLE


Mark Salter wrote:
> Mark Salter wrote:
>> ola wrote:
>>> Yes, agreed, but all the POS terminal devices in my locality are not
>>> PIN-PED certified, and I believe something is being used before PED
>>> spec.
>> May I ask what your locality is - just interested?
>
> By your email headers, I surmise that your processing is running in Nigeria?
>
I'm pretty certain that all POS terminals certified to be used in
Nigeria are PIN-PED certified.



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by Mark Salter-5


Andy Onyung wrote:
> Mark Salter wrote:
>> By your email headers, I surmise that your processing is running in Nigeria?
>>
>>  
> I'm pretty certain that all POS terminals certified to be used in
> Nigeria are PIN-PED certified.

I wonder which type (or network) ola is making use of.

Perhaps something 'closed-loop'?

Thanks for the detail Andy.

8)

--
Mark



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11


> > I'm pretty certain that all POS terminals certified to be used in
> > Nigeria are PIN-PED certified.
Andy, please can you give me sample terminals? Perhaps I am
misconceiving!

>> By your email headers, I surmise that your processing is running in Nigeria?
Well, I am still at the developing stage, not at processing, and that is
why I need a guide, please, so that I put the right thing into production. I
will appreciate it here if guidance is given rather than otherwise.

> How is that possible *if* the PIN 'has to be protected', please help me
> understand the connection/link between your POS device(s) and your
> application.

See, the application I refer to here is the POS terminal application, NOT
the jPOS application, so the application is still on the device.
My concern is how to get the PIN entered on the device encrypted
on the device before being transmitted at all across the network to either
an HSM or a jPOS application; thus I need to establish a security zone.




[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by MONKVILLE


ola wrote:
> Andy, please can you give me sample terminals? Perhaps I am
> misconceiving!
A few I can think of include the Verifone Vx series (510, 570, 670) as
well as the MX (830, 830, 870). But like Mark said, perhaps you should
tell us what terminal type you are using (or planning to use). You
might want to explore the DUKPT and Master/Session encryption schemes
for what you want to achieve. This isn't really a jPOS issue.

Kind Regards,
Andy



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by Mark Salter-5


ola wrote:
>>> By your email headers, I surmise that your processing is running in Nigeria?
> well, i am still at developing stage, not at processing, and that is
> why i need guide pls, so that i put the right thing into production. I
> will appreciate here if guidance is being given rather than otherwise.

I really am trying to help, but worry we are not seeing your true
position...

>
>> How is that possible *if* the PIN 'has to be protected', please help me
>> understand the connection/link between your POS device(s) and your
>> application.
>
> See, the application I refer to here is the POS terminal application, NOT
> the jPOS application, so the application is still on the device.
This is still unclear - to me anyway.  This appears not to be a jPOS
question at all?

Are you writing code that is running *on* the POS device?


> My concern is how to get the PIN entered on the device encrypted
> on the device before being transmitted at all across the network to either
> an HSM or a jPOS application; thus I need to establish a security zone.

I think you may need to be looking at the POS device's 'API'. I am sure
the ability to produce a PIN block *should* be available, otherwise how
can these devices ever work in a production environment at all?

--
Mark



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11


> Are you writing code that is running *on* the POS device?

YES

> I think you may need to be looking at the POS devices 'api', I am sure
> the ability to produce a PIN block *should* be available, otherwise how
> can these devices ever work in a production environment at all?

I have been trying to contact them but never get a fruitful result. You
see, I am working with a virgin/blank POS terminal, onto which I loaded a
kernel and ramdisk, and I develop my own app for and on the POS device.
Anyway, I am still trying to get this security issue fixed, God help
me!



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by Mark Salter-5


ola wrote:
>> Are you writing code that is running *on* the POS device?
>
> YES

You 'shout' because I should have guessed this and didn't?

8)

>
>> I think you may need to be looking at the POS devices 'api', I am sure
>> the ability to produce a PIN block *should* be available, otherwise how
>> can these devices ever work in a production environment at all?
>
> I have been trying to contact them but never get a fruitful result. You
> see, I am working with a virgin/blank POS terminal, onto which I loaded a
> kernel and ramdisk, and I develop my own app for and on the POS device.
> Anyway, I am still trying to get this security issue fixed, God help
> me!

So you have a supplier problem, as you are 'rolling your own'. I can
imagine they may not be able to give fruitful support - just like us.

Please mark off-topic postings to this list with OT in the subject line,
that way we need not waste time reading them if they are nothing to do
with jPOS.

Good luck.

--
Mark



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by Zablon Ochomo

Ola,
If I got your question well, you need the setup below.

POS <----> POS Switch <-----> HSM

That means, POS application is made in C, POS Switch may be jPOS and HSM device may be from Thales.

If that is the case, then your jPOS application should handle the field with PIN block and send the correct HSM command during POS terminal request processing.

What do you think?

--
Zablon Ochomo



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11




> So you have a supplier problem, as you are 'rolling your own'   I can
> imagine they may not be able to give fruitful support - just like us.
> Please mark off-topic postings to this list with OT in the subject line,
> that way we need not waste time reading them if they are nothing to do
> with jPOS.

THIS IS NOT COMPLETELY OFF JPOS TOPIC, BECAUSE THE POS TERMINAL APP
STILL COMMUNICATES WITH THE JPOS APP, which acts like a gateway between the
POS terminal app and the Postilion. So, the security zone I am
establishing involves both the POS terminal and the jPOS app that I
developed that acts like a gateway, so I am NOT WASTING YOUR TIME,
I only NEED help. But if you thought I had, sorry for that.

THANK YOU.



[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11


> If that is the case, then your jPOS application should handle the field with
> PIN block and send the correct HSM command during POS terminal request
> processing.
>
> What do you think?

Zablon, thank you for taking your time to understand my question,
scenario and pain. This is the exact picture of what I am doing. You see,
right now, I have JPOS generating the PIN BLOCK correctly before it is
communicated to the host/Postilion; what I now need to establish
is a security zone between my POS app and the JPOS app, so I thought
using a PIN block would be safer.

POS Switch <-----> HSM : No problem

POS <-----> POS Switch : Need to establish security zone.

I really appreciate your reply.


On Oct 15, 3:38 pm, Zablon Ochomo <ocho...@...> wrote:

> Ola,
> If I got your question well, you need the setup below.
>
> POS <----> POS Switch <-----> HSM
>
> That means, POS application is made in C, POS Switch may be jPOS and HSM
> device may be from Thales.
>
> If that is the case, then your jPOS application should handle the field with
> PIN block and send the correct HSM command during POS terminal request
> processing.
>
> What do you think?
>
>
>
>
>
> On Wed, Oct 14, 2009 at 7:11 PM, ola <ollysof...@...> wrote:
>
> > Hello,
>
> > Please I am facing a security challenge here. I want to  establish a
> > security zone between my POS terminal application (written in C) and
> > say an HSM for PIN translation. How do i do this? I dont want to
> > transmit the PIN entered from the terminal PIN pad in clear text to
> > the HSM (which is usually through an IP and a port), but in an
> > encrypted PIN BLOCK format. Can some one please give me a guide?
> > Sample code and references will be appreciated.
>
> > Thanks,
>
> > Ola.
>
> --
> Zablon Ochomo
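The diagram in this exchange (POS <-> POS Switch <-> HSM) rests on the terminal handing the switch a PIN block rather than a clear PIN, and Mark's quoted reply notes that producing that block is normally a function of the POS device's own API. As an added example, not code from this thread, from jPOS or from Postilion, the block below shows in C (the language of Ola's terminal app) what an ISO 9564-1 format 0 PIN block is: the PIN field and the PAN field that get XORed together, and the inverse check the receiving side runs after it decrypts the block. The PIN and PAN values are constructed sample data. What the builder returns is still a clear block; in a deployed terminal that value exists only inside the PIN entry device, which encrypts it under a PIN encryption key before it leaves the hardware, so this code is for understanding the format, not for holding PINs in a general-purpose application.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from jPOS or this thread: ISO 9564-1 format 0 PIN block.
 * The output is the CLEAR block; a real terminal encrypts it under a PIN key
 * inside the PIN entry device. The PIN/PAN values in main() are constructed. */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

static char hexchar(int v) { return "0123456789ABCDEF"[v & 0xF]; }

static int all_digits(const char *s, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Build the 16-hex-digit format 0 block; out must hold 17 bytes.
 *   PIN field = '0' (format) | PIN length | PIN digits | 'F' padding
 *   PAN field = "0000" | rightmost 12 PAN digits excluding the check digit
 *   block     = PIN field XOR PAN field, nibble by nibble
 * Returns 0 on success, -1 on malformed input. */
int iso0_pin_block(const char *pin, const char *pan, char out[17])
{
    size_t pinlen = strlen(pin), panlen = strlen(pan), i;
    char pinfield[17], panfield[17];

    if (pinlen < 4 || pinlen > 12 || panlen < 13) return -1;
    if (!all_digits(pin, pinlen) || !all_digits(pan, panlen)) return -1;

    pinfield[0] = '0';
    pinfield[1] = hexchar((int)pinlen);
    memcpy(pinfield + 2, pin, pinlen);
    memset(pinfield + 2 + pinlen, 'F', 14 - pinlen);
    pinfield[16] = '\0';

    memcpy(panfield, "0000", 4);
    memcpy(panfield + 4, pan + panlen - 13, 12);
    panfield[16] = '\0';

    for (i = 0; i < 16; i++)
        out[i] = hexchar(hexval(pinfield[i]) ^ hexval(panfield[i]));
    out[16] = '\0';
    return 0;
}

/* Inverse check as the receiving side (an HSM, after decrypting) performs it:
 * XOR the PAN field back out, then validate format nibble, length, digits and
 * padding. pin must hold 13 bytes. Returns 0 on success, -1 if malformed. */
int iso0_pin_extract(const char *block, const char *pan, char pin[13])
{
    size_t panlen = strlen(pan), len, i;
    char pinfield[17];

    if (strlen(block) != 16 || panlen < 13 || !all_digits(pan, panlen)) return -1;
    for (i = 0; i < 16; i++) {
        int b = hexval(block[i]);
        int p = (i < 4) ? 0 : hexval(pan[panlen - 13 + (i - 4)]);
        if (b < 0) return -1;
        pinfield[i] = hexchar(b ^ p);
    }
    pinfield[16] = '\0';

    if (pinfield[0] != '0') return -1;
    len = (size_t)hexval(pinfield[1]);
    if (len < 4 || len > 12 || !all_digits(pinfield + 2, len)) return -1;
    for (i = 2 + len; i < 16; i++)
        if (pinfield[i] != 'F') return -1;

    memcpy(pin, pinfield + 2, len);
    pin[len] = '\0';
    return 0;
}

/* Small wrappers that return plain ints so the behaviour can be checked. */
int block_matches(const char *pin, const char *pan, const char *expected)
{
    char blk[17];
    return iso0_pin_block(pin, pan, blk) == 0 && strcmp(blk, expected) == 0;
}

int roundtrip_ok(const char *pin, const char *pan)
{
    char blk[17], back[13];
    return iso0_pin_block(pin, pan, blk) == 0
        && iso0_pin_extract(blk, pan, back) == 0
        && strcmp(back, pin) == 0;
}

int extract_fails(const char *block, const char *pan)
{
    char back[13];
    return iso0_pin_extract(block, pan, back) != 0;
}

int main(void)
{
    char blk[17];
    /* constructed sample PIN and PAN, not real card data */
    if (iso0_pin_block("1234", "4321987654321098", blk) == 0)
        printf("format 0 clear PIN block: %s\n", blk); /* 04122D789ABCDEF6 */
    return 0;
}
```

Two points the code makes visible. First, the block is bound to the PAN: the switch (or HSM) needs the PAN from the same message to undo the XOR, which is why the PIN block field and the PAN field travel together in the ISO message jPOS builds. Second, the extract side rejects any block whose format nibble, length or padding is wrong, so a block that was decrypted under the wrong key, or altered in transit, fails the check instead of yielding a plausible PIN.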


[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11


> You 'shout' because I should have guessed this and didn't?

SHOUT? That I need assistance does not mean I should NOT be given a
little courtesy.

> So you have a supplier problem, as you are 'rolling your own'. I can
> imagine they may not be able to give fruitful support - just like us.

But I have someone who has already given me fruitful support! BYE

On Oct 15, 3:17 pm, Mark Salter <marksal...@...> wrote:

> ola wrote:
> >> Are you writing code that is running *on* the POS device?
>
> > YES
>
> You 'shout' because I should have guessed this and didn't?
>
> 8)
>
>
>
> >> I think you may need to be looking at the POS devices 'api', I am sure
> >> the ability to produce a PIN block *should* be available, otherwise how
> >> can these devices ever work in a production environment at all?
>
> > I have been trying to contact them but never get a fruitful result. You
> > see, I have a virgin/blank POS terminal, on which I loaded a
> > kernel and ramdisk and developed my own app for and on the POS device.
> > Anyway, I am still trying to get this security issue fixed, God help
> > me!
>
> So you have a supplier problem, as you are 'rolling your own'. I can
> imagine they may not be able to give fruitful support - just like us.
>
> Please mark off-topic postings to this list with OT in the subject line,
> that way we need not waste time reading them if they are nothing to do
> with jPOS.
>
> Good luck.
>
> --
> Mark


[jpos-users] Re: Establishing Security Zone Between POS terminal and HSM

by ola-11


>
> You 'shout' because I should have guessed this and didn't?
>
And for your info, please, as a MEMBER of this forum, I deserve a little
respect, please.

Thank you.

On Oct 15, 3:17 pm, Mark Salter <marksal...@...> wrote:

> ola wrote:
> >> Are you writing code that is running *on* the POS device?
>
> > YES
>
> You 'shout' because I should have guessed this and didn't?
>
> 8)
>
>
>
> >> I think you may need to be looking at the POS devices 'api', I am sure
> >> the ability to produce a PIN block *should* be available, otherwise how
> >> can these devices ever work in a production environment at all?
>
> > I have been trying to contact them but never get a fruitful result. You
> > see, I have a virgin/blank POS terminal, on which I loaded a
> > kernel and ramdisk and developed my own app for and on the POS device.
> > Anyway, I am still trying to get this security issue fixed, God help
> > me!
>
> So you have a supplier problem, as you are 'rolling your own'. I can
> imagine they may not be able to give fruitful support - just like us.
>
> Please mark off-topic postings to this list with OT in the subject line,
> that way we need not waste time reading them if they are nothing to do
> with jPOS.
>
> Good luck.
>
> --
> Mark