This is the first EMV payments terminal I've seen that allows PIN entry using a touch screen. Is that really allowed by EMV, as a tamper-evident PIN pad?
Doesn't it make it easier to spy?
Because you know where the numbers of the pin are located, you don't even need to look at the keys, but can easily cover it with your hands to prevent "shoulder surfers".
If I have to look where the keys are located, I can't really cover the pad and it'll be a lot slower and not more secure.
I've always felt like it's harder to spy on an LCD screen due to the limited viewing angles as opposed to physical buttons. And the physical layout of the PIN pad should be similar so it should be a smooth transition. The device will also be PCI PTS approved so it will be on par in terms of physical and logical security.
The requirements are that the consumer must have some way of concealing pin entry. That, and some stuff about how hitting different numbers can't make a different sound, or have easily picked-up electrical signatures, etc. I believe the EMV specs are publicly available, too.
Tamper-evident is likely baked into the device, instead. Make a circuit that trips when you open the thing up, wire that up to wipe the keys and brick the device until it goes back to factory.
Exactly what i was wondering. RBI (Reserve Bank of india) does not allow entering PIN's on touch screen. Infact they (RBI) go to such a length that a card processing terminal should be ONLY just the terminal and the hardware should be approved by the RBI which might take months.
