There is change in the air when it comes to PINPad smartcard readers, with several models going out of production, and others either coming back or being launched.
Gemalto, who are now part of Thales, the multinational security and defence conglomerate, have re-launched the IDBridge CT700 desktop PINPad reader as a universal PC/SC desktop device that supports Secure PIN Entry (known as SPE – more of that below). This had previously been replaced with the CT710 model, a hand-held version, but it seems that the more solid CT700, which continued to be sold into the banking market as the Ezio PINPad, is preferred by their customers.
Indeed, it has the feeling of a high quality and robust smartcard reader, and sits firmly on the desktop for applications where smartcard PIN entry on the reader is required for maximum security.
At the same time, Advanced Card Systems (ACS) have launched the APG8201-B2 hand-held USB PINPad reader, which is similar in form and function to the Gemalto CT710, and which provides a lower cost entry to the world of high security smartcard and PKI-based solutions. It replaces the older ACR83 from ACS, which has been in the marketplace for many years but which has finally been retired due to changes in the underlying chipset. A popular PINPad reader, the APG8201-B2 also supports the SPE standard.
Most smartcard applications that use the concept of ‘unlocking’ a smartcard with a user-entered PIN can benefit from the use of a PINPad reader for added security. The card + PIN concept is the basis for many two factor security solutions, but it can still potentially be compromised if the PIN is typed into a PC keyboard if, for example, malware such as a key-logger has been installed.
The PC/SC standard, which provides a common API for applications to talk to smartcard readers, defines how Secure PIN Entry devices should work. It enables a way for applications to ask for the PIN to be entered into the PINPad and submitted directly to the inserted card, without going via the PC or software. This avoids the risk of interception unless the reader itself is compromised. There are further commands available for displaying messages to the user, if an LCD display is provided.
Any software or middleware involved must be capable of implementing the necessary PC/SC commands, but SPE is already supported in several application, including most PKI-based smartcard authentication drivers on Windows as well as various national ID card schemes around the world.