Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

Transcription

1

2 Seccuris is Canada s premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and responsive. We assist your organization in managing all aspects of information risk. We specialize in end-to-end services, comprehensive solutions, and tailored programs.

3 Mobile Device Payment Card Processing: How Secure is It? Richard Poworski CISSP, ISP, ITCP, SCF, PCI QSA, PCIP Managing Consultant

4 About Seccuris Established in 1999 Dedicated to information assurance consulting, services, and solutions Headquartered in Canada (with offices across Canada) USA headquarters in Dallas, TX; office in Austin, TX Approximately 100 staff and growing Unsurpassed depth in information assurance including security, privacy, and risk management with broad industry expertise 4

5 Research & Development Education & Training Managed Security Services Information Security Consulting

6 Mobile Device Payment Card Processing: How Secure is It? The standard, preliminary PCI QSA answer: It all depends. 6

7 Agenda 1. Differences between current and mobile processing 2. Challenges of using mobile devices for payment cards 3. Meeting the challenges 4. Resources available 5. Q&A 7

8 Current Processing vs. Mobile Processing 8

9 Current versus Mobile What are the Differences? Current: POS devices/pin pads Custom applications Payment Application Data Security Standard (PA-DSS) applications Web interfaces Usually within the confines of a business 9

10 Current versus Mobile Mobile: PIN pads Smartphones Tablets Reader attached to customer PC Can be anywhere! 10

11 Mobile Payment Devices 11

12 Mobile Device Payment Challenges 12

13 Mobile Device Payment Challenges Some of the Challenges in using Mobile Payment Card Industry Data Security Standard (PCI DSS) requirements Multiple options and form factors Maturity Attacker focus 13

14 Payment Card Industry Data Security Standard Requirements 14

15 PCI DSS What is the PCI DSS? One worldwide standard, introduced in 2005 All companies are now required to be compliant to do business PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements 6 goals and 12 high level requirements 15

16 Ecosystem, Roles, and Responsibilities PCI QSA PCI PA QSA PCI ASV PCI ISA 16

17 PCI DSS Where do the Requirements Apply? Requirements apply to wherever the primary account number (PAN) is stored, processed, or transmitted The Cardholder Data Environment Comprises people, processes, and technology that store, process, or transmit cardholder or sensitive authentication data The PCI DSS security requirements apply to all system components In the context of PCI DSS, system components are any network component, server, or application including in, or connected to, the cardholder data environment 17

18 PCI DSS Why Comply? Security threats are rising PCI compliance helps to protect: Cardholder data Your network Your customers Your business Merchants and service providers that do not comply with PCI face penalties in the event of a breach, along with non-compliance fees that could affect their bottom line 18

19 PCI DSS Merchants and service providers that do not comply with PCI face penalties in the event of a breach and non-compliance fees that could affect their bottom line Fines of up to $500,000 per incident Restrictions imposed on the merchant or service provider Monthly fines Higher processing fees Remediation costs (estimated at $90-$302 per record) Potential customer lawsuits Damage to company reputation and brand Forensic investigation costs can be up to $600/hour Forensic teams from each of the payment brands Breached company pays the tab 19

20 PCI DSS Benefits of Compliance Protect cardholder/sensitive data Prevent (reduce) identity theft Gain competitive advantage through validated compliance; increased revenues Streamline business processes Maintain positive consumer image Ensure confidence in the payment card industry Limit or reduce risk 20

21 Various Options and Form Factors 21

22 Mobile Device Options Categories App on PTS-approved mobile device Bundled Consumer handheld device 22

23 Mobile Device Options Category One App on PTS-approved mobile device 23

24 Mobile Device Options Category Two Bundled 24

25 Mobile Device Options Category Three Consumer handheld devices 25

26 Maturity 26

27 Mobile Device Challenges Maturity New application space Multiple platforms to support Lack of focus on security on devices 27

28 How to Prove Compliance 1. Determine scope of Cardholder Data Environment 2. Assess environment according to applicable PCI DSS requirements: Self-Assessment Questionnaire (SAQ); self-guided and/or Qualified Security Assessor assisted Report on Compliance (ROC); Level 1 Merchant or Service Provider 3. Repeat 28

29 Attacker Focus 29

30 Mobile Device Challenges Attacker Focus Attackers go where there is the most opportunity Greatest volume of transactions Greatest number of vulnerabilities Greatest exposure of victims 30

31 Meeting the Challenges 31

32 Mobile Device Challenges Some Challenges of Using Mobile PCI DSS requirements Multiple options and form factors Maturity Attacker focus 32

33 Meeting the PCI DSS Requirements Challenge Determine PCI Status Understand the current payment card processing environment. Are you currently compliant with the PCI DSS? What are your current payment channels? How will they change? Understand the PAN usage. Are the current applications being used also available for mobile devices? Use the PCI Security Standards Council s website for approved applications and devices. Talk to your acquirer/bank. Engage a QSA company. 33

34 Meeting the Multiple Options/Form Factor Challenge Understand what is currently approved for use in the company Get involved with the changes from the start Ask the tough questions Review what others in your industry are doing Determine the level of control required Determine whether the devices will be personal or corporate Work with IT 34

35 Meeting the Maturity Challenge Determine the risk that the company is willing to accept Acquirer(s)/bank(s) recommendations Due diligence for options Develop detailed requirements to access options 35

36 Meeting the Attacker Focus Challenge Work with solution vendors to identify associated risks Work with IT people to get their input from the start Acknowledge that attacks can come from internal and external sources Keep current with global events Keep current with industry events Continue networking Think like an attacker Don t forget about the non-mobile environment 36

37 Available Resources 37

38 Resources Acquirers/Banks PCI Security Standards Council website FAQs Qualified Security Assessors Approved payment applications and devices Qualified Security Assessor companies 38

39 Mobile Device Payment Card Processing: How Secure is It? Answer 39

40 It All Depends. on the following: Due diligence Enterprise fit Effort of nefarious individuals 40

41 Thank You. Any Questions? Richard Poworski, CISSP, ISP, ITCP, SCF, PCI QSA, PCIP (512) / rpoworski@seccuris.com