Payment Mechanism of E-commerce and Application of the certificate. Antonius Sommer, CEO TÜViT GmbH

Transcription

1 Payment Mechanism of E-commerce and Application of the certificate Antonius Sommer, CEO TÜViT GmbH

2 Agenda Web site certification D21 initiative in Germany Situation in Europe Future certification for Online shops in Europe Recommendations from Federal office of information security ETSI Extended Validation (EV) certificates Security improvement with eid Data privacy requirements for browsers Mobile devices / mobile payment

3 D 21 recommended Online-certificates Initiative D 21: PPP for promotion the digital community for the 21. century in Germany Trusted Shops S@fer Shopping internet privacy standards EHI tested Online-Shop Quelle:

4 D 21 criteria - abstract Goals: transparency, reliability and credibility, consumer friendly general conditions and services D21-criteria for online shops Vendor identification Particular information duties (e. g. gamble) Price information Terms of contract (transparency, comprehensibility) Service delivery / consignment Applicable law Clear order transaction Revocation and restoration (special law in Germany: Fernabsatzrichtilinie) Data privacy Advertising with electronically communication (automatic call systems, , SMS, MMS, etc.) Data security Complaints and alterative arbitration procedure

5 D 21 criteria Data privacy & data security Data privacy Data avoidance and data thriftiness ( 3a BDSG) Voluntariness for declaration of personal data and orientation to the services offered, use of pseudonyms as much as possible Information about the kind, range and intended purpose of survey, processing and using of personal data or profiling as well as duration of keeping or transmission Public available information for consumers regarding revocation and restoration Control of admission, of access, of transfer, of declaration, of order, of availability, separate processing Data security IT security concept with all relevant threats and state of the art security mechanism Worth protecting: procedures and infrastructure, communication between vendor and consumer Information about cookies with personnel obtainable data protection against unauthorized access

6 D 21 scheme, assets and drawbacks Assets Third party analysis for online shops Not only IT security and data privacy issues Criteria with orientation to consumer right Drawbacks Inflation of certificates Consumers are not able to differentiate The scope of analysis is defined by the criteria, the depths of the analysis is not defined by the criteria Certificates are not comparable

7 Other certificates for Online shops in Europe almost from consumer point of view Austria: (Gütesiegel & Qualitätssiegel) Belgium: (BeCommerce trustmark) Finland: (ASML's trustmark) France: (fevad trustmark) Hungary: (Áruküldők s Gütesiegel) Netherland: (Thuiswinkel Waarborg) Portugal: (PACE trustmark) Switzerland: (VSV Garantie ) Schweden: (Trygg E-handel trustmark) Great Britain: ( Internet Shopping Is Safe Gütesiegel)

8 Future certification for Online shops in Europe The European parliament decided under the following number A7-0226/2010 to establish a unique European certificate for E-commerce

9 Federal office of information security Recommendations for Online-Shopping Threats and IT security mechanism Protection against phishing attacks (Passwords & bank account data) Protection of PCs (Virus protection, Firewall, Security updates, ) Usage of strong passwords and regular change of passwords Seriousness of the online service provider Usage of big and well known service provider or additional analysis for unknown service provider Usage of cryptographic algorithm / SSL-certificates Lock-symbol and EV-certificate (green balk ) Certificates for Online-Shops Initiative D21: Only input and storage of mandatory data; the consumer shall select advertising and newsletter by himself 12 recommendations for Online-Auction Quelle:

10 Extended Validation (EV) certificates CA/Browser Forum = Owner and Issuer of the EV criteria cooperation of browser developer (Apple, Google, KDE, Microsoft, Mozilla, Opera, RIM) and certification bodies Goals Showing identity of the web site Secure crypted communication Aggravation of phishing intuitive method to show secure web sites (green balk + lock with additional information about the service provider) Important differences and increase of trust to normal TLS/SSLcertificates Verification of the legal identity of the web site owner Proof of ownership and the rights of the domain name Verification regarding High Risk Status and Black Lists Special contractually agreements with the certification body EV scheme can be considered to improve the security of web-site of financial institute in Taiwan as well.

11 Country: The country in which the scheme operates Hungary Spain Country Link setlanguageaction.do?lang= en stadores/busquedaprestado res.jsp The European Telecommunications Standards Institute (ETSI) Source of information Type 1 29/7/10 Last Updade 1 29/7/10 No Germany 2 04/6/10 Yes asp Type: The type of body operating the scheme 1.1.TSL: Governmental body or scheme operator 2.2.National bodies recognized by the government, i.e. the German TÜViT 3.3.Others: ETSI members, auditing companies, freelancers, etc. EV: Includes CAs issuing certificates in accordance with CAB Forum Guidelines Further information: Japan is planning to use this ETSI certification in the whole country under support of TÜViT (ETSI TS ) EV

12 The new eid in Germany (npa) Online-identification function (eid-function) for bilateral identification within the Internet mandatory: eid-pin for eid-owner mandatory : authorization certificate for service providers Signing function qualified electronic Signature compliance to German SigG (QES) mandatory : QES-PIN for eid-owner mandatory : qualified certificate from CA

13 eid-function: simplified process Webshop/-application Service provider eid Service 2. forward 4. eid - data 1. request 5. approval 3. bilateral authentification and read data from eid browser used by consumer with eid-app, smart card reader and npa

14 Authentication via using the npa Requirements for the consumer npa and eid-pin Smart card reader (basic, standard or comfort) Internet-PC with browser and installed eid-app Requirements for the service provider (web shop, online shop) Authority certificate for reading the content of npa Authentication procedure 1. Service provider identifies itself against the npa 2. Showing data privacy information and showing the approval of data with are transferred from the npa 3. consumer identifies itself using the npa via the eid-pin

15 Data privacy information and data approval Data privacy information (Example from user tests) Transmitted data (Example from user tests)

16 Using the eid-pin Basis-smart card reader With mouse on the screen (scrambled key board) => minimum protection against spy out Standard- und Comfort-smart card reader Input only on the keypad from the smart card reader => high protection against spy out

17 Available data / information within the npa The authority certificate defines, which data can read from the npa Surname and given name, title if available, Religious order name, stage name, Address including post box, Birthday and birth town, Indication if the age exceeds or is lower than a specified age Indication if the place of residence is the same as requested Kind of ID and issuing country D service- and card specific characteristics Additional data, which are always transmit Disable attribute (for test if the npa is disabled or not) Result of this validation

18 Authority certificates ( 21 PAuswG) Issuer is a government organization based on a law: PAuswV (Bundesverwaltungsamt) Before issuing the authority certificates the service providers are check up by this governmental organization

19 Further security features Data privacy compliance npa-authentification -> unique characteristics is service- and card specific and prevent tracking QES for legally binding commercial operations Immediately disable of authority certificates and lost npas Cryptography used is state of the art Government Security Agency certified smart card reader & eid-app The PC must be secured state of the art by the consumer

20 New data privacy requirements for browsers The European Commission as well as the Article 29 Data Protection Working Party (WP 29) called on the industry to make concrete suggestions especially concerning the transparent and consensual use of cookies deployed by online behavioral advertising (OBA) systems. 1. Requirements for transparency of online behavioral advertising systems are enhanced. This concerns both the duty of information to users and the duty of enabling users to exercise their right of access. 2. Providers of online behavioral advertising systems need to take first steps towards an implementation of opt-in mechanisms as required by the new legal situation. 3. The requirements that were developed under the former legal situation (e.g., waiver of sensitive categories) retain their validity and must be met.

21 Mobile devices / mobile payment Juniper Research forecasts that global NFC mobile contactless payment transactions will reach nearly 50 billion Dollars worldwide by 2014 Senior Analyst David Snow: "Based on our analysis and interviews with key industry players our view is that the next 18 months will see launches in up to 20 countries

22 Mobile devices / mobile payment

23 Mobile devices / mobile payment Infineon provides NFC SIM chips for most NFC pilots worldwide, e.g. in France (for project Cityzi in Nice) where operators like Orange plan full migration of their current SIM to NFC SIMs. The Infineon embedded secure element is used in a majority of NFC smart-phones hitting the market in 2011, putting them in a leading position in the NFC security market. Source: Infineon Technologies

24 Mobile devices / mobile payment NXP & G&D announced at February 15, 2011 Full validation of a joint software solution offering secure interfaces between handsets, NFC functionality and secure elements such as the SIM card The Software enables NFC to be integrated securely into mobile handsets based on the Android platform and other OS Source: NXP Semiconductors Source: Giesecke & Devrient GmbH

25 Mobile devices / mobile payment What is a Secure Element? Secure storage in your NFC device Current Secure Element Implementations: Embedded in Mobile Phone SIM Based RemoveableSecure Element (SD Card) Source: G&D

26 Mobile devices / mobile payment Validation and Certification of mobile payment 1.Evaluation and certification of the HW & SW of the SE 2.Evaluation of the mobile payment applet 3.Evaluation of the secure download and installation of the applet 4.Evaluation of other applications loaded in the SE not to be malicious (i.e. not attacking the payment applet)

27 Thank you for your attention! Contact data TÜV Informationstechnik GmbH Member of TÜV NORD Group Antonius Sommer CEO Langemarckstr. 20 D Essen Telefon: Telefax: URL: Tiger Teng Business development Director, AP Langemarckstr. 20 D Essen Telefon: Telefax: URL:

28 Thank you for your attention! Q&A