Security is at the core of Ingenico's genes. It is the foundation on which we build our vision of an open and mobile world for the future of payment


END-TO-END SECURITY IN AN OPEN AND MOBILE WORLD

"Security is at the core of Ingenico's genes. It is the foundation on which we build our vision of an open and mobile world for the future of payment." Philippe Lazare, CEO Ingenico

Authors: Jacques Stern, Philippe Lazare, Joël Chevillard, David Naccache, Thierry Spanjaard (Smart Insights)

Executive Summary

The payment terminal market is expanding along with the development of payment cards in all geographies. Payment terminals play an essential role in increasing the security level of payment systems. Frost and Sullivan estimates that 10.4 million terminals were shipped worldwide in 2008, and that 18.1 million payment terminals will be shipped by the payment terminal industry worldwide in 2013, giving a Compound Annual Growth Rate (CAGR) of 11.5% in volume.

From the origin of the payment terminal industry, terminal manufacturers have developed expertise in implementing security principles and security features in their offer. Thanks to these years of effort, they have been able to set up end-to-end security coverage, encompassing the security of payment transactions through the security of payment terminals wherever and whenever they are. These features have been able to adapt to changes in card technologies, and to always provide the most appropriate level of security.

Nowadays, payment terminal architecture is facing new challenges, the most notable of which are certainly operating systems and mobility.

Open operating systems answer customer demand for more openness in software and easier application development; they allow a more user-friendly interface and the integration of additional services in payment terminals. With open operating systems, payment terminals are bound to evolve from a point of payment to a point of services, and further to a point of interaction, where the customer has access to a variety of information, commercial offers, multimedia contents, etc. This way, customers will have a higher level of interaction with the terminal, leading to an increased quality of relation for merchants. Open operating systems create new capabilities, but also new challenges for the payment industry. Payment terminal manufacturers have the right answers to provide end-to-end security with open operating systems.

As we live in an increasingly mobile world, demand for mobile payment terminals is increasing. Merchants, customers, and all stakeholders in the payment chain want to be able to perform transactions in any place, and fail to understand why transactions that are performed in a traditional shop could not be performed in the open. Mobility creates virtually infinite possibilities for payment terminals, but also new security challenges. The payment terminal industry has the appropriate answers to enforce end-to-end security regardless of whether payment terminals are fixed or mobile.

Enthusiastic about new opportunities, and facing these new challenges, all stakeholders in the payment industry are relying more and more on major manufacturers to provide them not only with payment terminals but also with a full service. Payment terminal manufacturers have developed the technical expertise, especially the security technology expertise, and the market understanding to provide point of services terminals and all associated customer-oriented services. They are able to behave as a facilities management enabler for all players in the payment chain. Such an evolution ensures security and cost effectiveness for merchants, acquirers and all stakeholders in the payment chain. They guarantee future-proof investments in the payment chain that will enable the development and the implementation of new services.

Table of Contents

Executive Summary
Table of Contents
Introduction: Payment Markets and Their Evolution
1. Security Principles
   CONFIDENTIALITY
   AUTHENTICITY
   INTEGRITY
   SECURITY ENCLOSURE CONCEPT
   END-TO-END SECURITY CONCEPT
   CARDHOLDER AUTHENTICATION METHODS
   PAYMENT PROCESSOR POWER INVOLVEMENT IN SECURITY
2. Card Technologies
   MAGSTRIPE
   SMART CARDS
   TRANSACTION SCHEME
3. Evolution Towards Open Operating Systems
   RATIONALE FOR USING OPEN OS
   ENFORCING SECURITY IN AN OPEN OS ENVIRONMENT
4. Evolution Towards Mobility
   INCREASED MOBILITY
   ADVANTAGES OF MOBILE TERMINALS
   ENSURING SECURITY ON MOBILE TERMINALS
Appendix
Glossary

INTRODUCTION: Payment Markets and Their Evolution

The evolution of the payment terminal market is driven by a combination of industry and market trends. The natural growth of card-based payments triggers the growth of the payment terminal industry. Also, the evolution of card technology (the switch from magnetic stripe to smart cards, or the issuance of contactless cards) triggers a periodic renewal of the payment terminal installed base. Beyond these two major trends, a wider list of factors plays a role in the growth of the payment terminal installed base.

Customers now expect their payment terminals to:
- Have a high level of performance,
- Be always more secure,
- Be equipped with multimedia and communication capabilities,
- Have an attractive mechanical design,
- Be easy to install (plug and play),
- Support new functionalities such as contactless payments,
- Have a user-friendly interface and facilitate the user experience when interacting with the device,
- Be operated in wireless mode.

These new demands lead to a segmentation of the payment terminal vendors' offer into:
- Countertop terminals,
- Wireless terminals,
- PINpads,
- Signature capture devices,
- Unattended terminals.

To address new market demands, payment terminal manufacturers diversify their offer even further with open operating system payment terminals and mobile terminals.

Thanks to the industry's years of investment in the payment terminal environment, security is taken for granted, just as, in the automobile industry, consumers expect a car to have wheels and brakes. Security is at the core of the payment terminal industry. So, developing new types of payment terminals that allow more convenience and more service to customers will happen without ever compromising the security of the whole payment chain.

1. Security Principles

Payment systems are based on confidence. Confidence can only exist if the appropriate security policy is implemented by all payment chain stakeholders. This security policy must be shared by all stakeholders and include provisions to ensure the right execution of payment transactions.

1.1. CONFIDENTIALITY

Payment transactions must be kept confidential. Money matters are to be dealt with confidentially, ensuring that the right level of information is given to the cardholder, the issuer, the merchant and the acquirer. Each of these parties must have access to the necessary information to complete its tasks, but must not have access to information that would threaten the confidentiality of the transaction. For instance, the issuer need not know the detail of transactions, or the type of goods or services purchased with a given transaction. The merchant only needs data to ensure completion of the transactions, but does not need to know the details of the cardholder's identity, for instance.

1.2. AUTHENTICITY

The whole payment system must enforce transaction authenticity. Authenticity ensures that each transaction is actually performed by a legitimate card, in the hands of its legitimate cardholder, on a legitimate terminal, under the control of its legitimate merchant.

1.3. INTEGRITY

The payment system ensures the integrity of each transaction. This means that a transaction must be processed as it was performed. Any modification in the content of any data belonging to a transaction must be detected and the transaction refused. Controlling transaction integrity means controlling that all elements of the transaction have not been modified at any time or in any place between the transaction performance and its treatment.

1.4. SECURE ENCLOSURE CONCEPT

In order to ensure that all transaction items are kept secure, the payment terminal industry developed the secure enclosure concept. Once a payment terminal is manufactured, and its firmware, software and keys downloaded, it cannot be tampered with. If there is any attempt to tamper with a payment terminal, the attempt is detected (tamper detection), and the payment terminal reacts by erasing its content, making it unusable (tamper responsiveness). As it is a secure enclosure, a payment terminal ensures that there is no means to make external measurements that would threaten the security of the terminal operation. Such behavior is made possible by hardware sensors that detect any attempt to open a payment terminal, and by software detectors that react to any attempt to interfere with the security of the payment terminal. As a payment terminal is a secure enclosure, it is a secure place in which to run cryptographic algorithms.

1.5. END-TO-END SECURITY CONCEPT

The need for secure transactions, along with the security enclosure concept, is the cornerstone of the end-to-end security concept.

End-to-End Geographically

Ensuring the security of a payment system means that all its elements must be secure. Payment terminal manufacturers have developed a long-standing expertise in securing their payment terminals. But threats may come from the use of insecure networks. For this reason, the best way to enforce end-to-end security was to use secure networks. The first payment terminals worked only on specific (ad-hoc) networks. Nowadays, public networks (PSTN), or packet networks, or TCP/IP networks are used. The mobile payment industry has developed skills in cryptography to communicate securely over insecure networks.

End-to-End during Terminal Lifetime

End-to-end security also means that security is based on the fact that the payment terminal cannot be tampered with at any stage in its lifetime. Thus the payment terminal manufacturer must exercise control over payment terminals at all stages of their life cycle.

Payment terminal design must take security issues into account to ensure the end-to-end security principle is enforced. For instance, at the conception stage, terminal developers must take into account physical security aspects and include sensors to ensure the terminal will invalidate itself if there is any attempt to open it, and also logical security to protect the terminal against any attempt at software intrusion or software malevolence.

Payment terminal manufacturing must take place under tight control rules. Manufacturing must take place in a secure plant, and critical components must be sourced carefully, manufactured on demand in controlled quantities, and controlled at every step of the manufacturing process. The manufacturing process must ensure not only the quality of the finished product, but also that it is manufactured according to security rules, ensuring that no one can interfere unduly with the payment terminal hardware, firmware, or software at the manufacturing stage.

Payment terminal initialization is a key step of the terminal lifecycle. At payment terminal initialization, the terminal firmware is finalized and downloaded together with customer-specific applications. For instance, each terminal contains the specific payment application of its destination country and final customer. It may also include additional applications to support specific merchant cards, or additional applications such as loyalty programs or prepaid top-up for mobile communications subscriptions. Also at the initialization stage, security keys are injected into the terminal. This operation is performed in a secure environment, and uses routines that ensure that no one can access the keys that are downloaded into each terminal.

When the terminal is in use, it must manage its own security, both from a software and from a hardware standpoint. The software and hardware of the terminal must ensure that if there is any attempt to compromise its security, the terminal will become unusable. When the terminal is in use, there may be a need to upgrade its software or, in some cases, update its keys. Of course, this is done using secure procedures, ensuring the update or upgrade process can only be performed by the legitimate authority allowed to perform upgrades and updates.

The recycling or the destruction of payment terminals is also to be taken into account. Before it is totally destroyed, the terminal still contains sensitive firmware and data that could be considered by a fraudster as a hint to threaten payment application security. The terminal managers are generally held responsible for the proper destruction or the safe recycling of the terminals once they reach the end of their useable life.

End-to-End Security with All Stakeholders

To ensure the end-to-end security of the payment chain, all stakeholders must follow coordinated security principles. Obviously, the payment terminal manufacturer must follow security principles, and the communication with the acquirer is to be secured. But in fact, all other stakeholders are involved in the security chain. Installers play a role in the global security, as they have access to the terminal while it is not functional and still unallocated to a specific merchant; people involved in first-level maintenance must perform their actions securely and see their actions limited to protect the global security of the system; and replacement of the payment terminal must be performed in a secure manner, ensuring the destruction of the replaced terminal.

End-to-End with a Variety of Applications

End-to-end security also has consequences for application management. Application developers must ensure applications are properly isolated, and that no application will unduly access data belonging to other applications. Rules apply to payment applications that ensure that each payment application evolves in its own environment and is unable to access other applications. Also, other applications developed on the same payment terminal can only access their own data, or exchange data with the consent of other payment application owners.

1.6. CARDHOLDER AUTHENTICATION METHODS

When performing payment transactions on a terminal, users can be identified by a variety of methods. When using magnetic stripe cards, cardholders are asked to sign a paper slip, which is later physically forwarded to the acquirer. In most cases the signature is not checked, and even when checked, this only provides a first line of defense, as the signature may be easy to forge. Nowadays, many magstripe-based applications require a PIN to authenticate the cardholder. This solution brings an additional level of security, but in this case the PIN has to be verified by the card issuer, meaning that the terminal must periodically go online and the acquirer must have established a high quality connection with issuers.

When using smart cards, the most commonly accepted method of cardholder verification is the PIN: users type their PIN on the PINpad connected to the payment terminal, and the PIN is verified by the card, thereby allowing the payment terminal to operate in offline mode. An alternative cardholder verification method is the use of biometrics, such as fingerprints, face shape, retina scans, etc.

1.7. PAYMENT PROCESSOR POWER INVOLVEMENT IN SECURITY

Using payment terminals with powerful processors ensures that they will be able to evolve and to support software upgrades aimed at increasing security, even during the payment terminal lifetime. Such upgrades are sometimes necessary to ensure that security features in the payment terminal remain ahead of emerging security threats. Software upgrades may also be necessary to increase the performance of the terminals, for instance to reduce transaction time when using contactless cards.

For instance, over time the payment industry has transitioned from magnetic stripe to smart cards, then has increased the key length, then implemented EMV security features, and is now evolving from SDA (Static Data Authentication) to DDA (Dynamic Data Authentication). Using terminals with powerful processors is a means to ensure they will be upgradeable over time, and thus will resist better and keep the highest security level over time.

2. Card Technologies

In the traditional security approach, the transaction security strategy is linked to the card technology that is used.

2.1. MAGSTRIPE

As a magstripe card is moderately secure, the payment terminal end-to-end security relies on the availability of a payment server that will be responsible for security computations.

2.2. SMART CARDS

Contact Smart Cards

When using traditional contact smart cards, a part of security relies on the card's ability to perform an active authentication, and to perform cardholder verification thanks to the PIN presentation. The payment terminal has to be a secure enclosure, as it manages the security of the card when reading it, and the security of the communications with the acquirer's server.

Authenticating an EMV (Europay MasterCard Visa) smart card can be done in two ways:
- SDA, Static Data Authentication: there is a cryptographic authentication value created once and for all by the issuer, using a secret key not stored in the card. The cryptographic algorithm used is asymmetric, which means that a so-called public key, suitably related to the issuer's secret key, needs to be used to check this authentication value.
- DDA, Dynamic Data Authentication: the card has the capability to create a fresh digital signature for any transaction, by means of a secret key stored on board. The matching public key is handed to the terminal, together with credentials from the issuer, and an appropriate public key in the terminal allows it to check the credentials, and next the signature.

Additionally, in both cases, the card may go online while the transaction is performed, and send transaction data to the acquirer. These data are authenticated by a cryptographic check value (CCV) created using another secret key stored in the card. The cryptographic algorithm here is symmetric, which means that the same secret key needs to be used on the acquirer's side to check this CCV.

A payment terminal using smart cards will have to upload its transactions on a regular basis to the acquirer's server, a process requiring an appropriate level of security, achieved thanks to cross authentication between the payment terminal and the server, and encryption of the communication.

Contactless Smart Cards

Contactless smart cards provide the same type of security features as contact smart cards. But in many contactless applications, transactions below a certain threshold (often in the range of GBP 10, EUR 15, or US$ 20) can be performed without the presentation of a PIN by the cardholder. In such a case, the terminal authenticates the card, and then performs the payment transaction without cardholder verification. When a PIN code is required, it ensures the cardholder verification.

NFC

NFC (Near Field Communication) communicates by emulating contactless card communication protocols. Depending on application requirements, a PIN can be asked from the consumer. And the consumer may type his PIN either on the payment terminal PINpad, or on his handset. In such a case, the PIN is transmitted to the payment terminal in a secure manner, over the NFC communication channel.

2.3. TRANSACTION SCHEME

[Figure: transaction scheme. Labels: Merchant Bank Account, Acquirer, Domestic or international clearinghouse, Issuer, Authorization request, Authorization, Fund transfer, Cardholder Bank Account]
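The SDA and DDA checks described under Contact Smart Cards, modeled from the terminal's side as an added example that is not part of the original paper. Assumptions: toy textbook RSA over known Mersenne primes stands in for EMV's certified keys and signature format, the terminal holds the issuer public key directly, the terminal supplies a challenge for the "fresh" signature, and the card data is constructed.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys in this sketch


def make_key(p_exp, q_exp):
    """Toy RSA key from two known Mersenne primes. Illustration only."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def n_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key, data):
    return pow(digest(data), key["d"], key["n"])


def verify(n, data, sig):
    return pow(sig, E, n) == digest(data)


ISSUER = make_key(521, 607)                      # secret part stays with the issuer
STATIC_DATA = b"PAN=0000000000000000;EXP=0000"   # constructed sample card data


class SdaCard:
    """Stores one issuer-made authentication value; holds no secret key."""

    def __init__(self):
        self.static = STATIC_DATA
        self.value = sign(ISSUER, STATIC_DATA)   # created once, at personalisation

    def respond(self, challenge):
        # The challenge cannot be used: the card has nothing to sign with.
        return {"static": self.static, "value": self.value}


class DdaCard:
    """Holds its own secret key plus issuer credentials for the public key."""

    def __init__(self, key, certified=True):
        self._key = key
        self.static = STATIC_DATA
        blob = n_bytes(key["n"]) + STATIC_DATA
        # Without the issuer, a card can only vouch for itself.
        self.cert = sign(ISSUER if certified else key, blob)

    def respond(self, challenge):
        return {"static": self.static, "icc_n": self._key["n"], "cert": self.cert,
                "sig": sign(self._key, challenge + self.static)}


def terminal_check_sda(issuer_n, resp):
    return verify(issuer_n, resp["static"], resp["value"])


def terminal_check_dda(issuer_n, challenge, resp):
    # Step 1: check the issuer credentials on the card's public key.
    blob = n_bytes(resp["icc_n"]) + resp["static"]
    if not verify(issuer_n, blob, resp["cert"]):
        return False
    # Step 2: check the card's signature over this transaction's challenge.
    return verify(resp["icc_n"], challenge + resp["static"], resp["sig"])


def demo(c1=None, c2=None):
    """Run both schemes for two transactions with challenges c1 and c2."""
    c1 = c1 or secrets.token_bytes(8)
    c2 = c2 or secrets.token_bytes(8)
    issuer_n = ISSUER["n"]
    sda = SdaCard()
    dda = DdaCard(make_key(1279, 2203))
    uncertified = DdaCard(make_key(127, 2281), certified=False)
    first = dda.respond(c1)
    return {
        "sda_valid": terminal_check_sda(issuer_n, sda.respond(c1)),
        "sda_identical_across_transactions": sda.respond(c1) == sda.respond(c2),
        "dda_valid": terminal_check_dda(issuer_n, c1, first),
        "dda_stale_signature_rejected": not terminal_check_dda(issuer_n, c2, first),
        "dda_uncertified_key_rejected":
            not terminal_check_dda(issuer_n, c1, uncertified.respond(c1)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The static value is byte-for-byte the same in every transaction, while the DDA signature only verifies against the challenge it was produced for and a public key the issuer has vouched for.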

3. Evolution towards Open Operating Systems

[Figure labels: Communication & Multimedia, Attractive design, Wireless Mobile, Plug & Pay, User-friendly, High Performance, More secure, New functionalities]

In a payment terminal context, the term Open Operating System (Open OS) is often used to describe the use of commercially available Operating Systems as the basis for point of sales terminal developments. Actually, these operating systems may be open stricto sensu or not. For instance, in the POS terminal environment, we can consider Windows or Linux as Open OS. When using the term Open OS, the industry means an Operating System that has not been developed by a payment terminal vendor, and that has uses other than payment, or that is used in a non-payment environment.

3.1. RATIONALE FOR USING OPEN OS

Aesthetical Demand

Personal electronics are increasingly pervasive: all over the world, consumers are used to mobile phones (more than 4 billion users as of end of 2008), MP3 players are sold by hundreds of millions each year, etc. Many households now have large LCD television sets, and are used to large high quality color images. At the same time, it is interesting to notice that the payment terminal has evolved little since its inception. Over the years, the industry added the remote PINpad, at the end of a wire, and the portable terminal, but the global shape remained the same. In particular, most payment terminals currently on the market come with a PINpad, as prescribed in the PCI-PED standard, and a limited screen, most of the time a monochrome LCD, with limited display capabilities.

Using an Open Operating System makes it possible to use existing hardware building-blocks to build a payment terminal. This way, manufacturers are able to integrate large high quality displays, keyboards and other peripherals. Also, using an Open OS will unleash a new creativity in terms of aesthetic design, leading to new shapes for payment terminals.

In the past, a payment terminal managed just one connection to the acquiring system. The demand is evolving towards more connectivity. For instance, a payment terminal screen could be used to optimize the merchant customer relation. Advertising, or other messages, could be displayed on payment terminal screens. An internet connection is necessary to provide rich content to a payment terminal. All types of connectivity are available on the Open OS that will be used as a basis for payment terminals.

User Friendliness Demand

The former look of payment terminals, with a limited PINpad and a simple display, is a thing of the past. Users own personal electronic devices (mobile phones, MP3 players, GPS, cameras, ...), and are used to permanently evolving designs and a permanent addition of new functionalities. Thus, to keep the shopping experience up to customers' expectations, payment terminals have to evolve to integrate a better user interface.

Also, as people get used to graphical interfaces, multiple windows, pop-ups, or Flash animations, the payment terminal interface cannot remain in text mode. It has to evolve to include the latest user interface standards in use in most applications, and on the Internet.

Global Evolution towards Merchant Point of Services

Retailers demand an evolution from a pure payment terminal towards a more global point of services. Merchants want to be able to provide more services using the same hardware. Identified new services include mobile subscription prepaid top-up, gambling, self-service kiosks, ...

Such new services require larger color screens and communication capabilities, for instance a connection to the Internet, ... Payment terminals will need signature capture, or the use of a touch screen as a PINpad.

Market Demand for New Applications

Given the evolution of the merchant customer relationship, there is a demand to integrate more merchant-oriented applications. For instance, merchants ask for advertising on terminals: they would be happy to display advertising on the terminal screen, using still pictures or films. This advertising can be permanent or change according to daily promotions, or targeted marketing actions, such as marketing actions depending on each customer's shopping pattern. This demand leads to the inclusion of larger, color, high quality displays, with a connection that allows Internet content to be downloaded, or just targeted content to be received from a server.

Of course, once advertising is displayed, merchants want to be able to go further into the sales process, and integrate customer interaction, with a touch screen. This way, the customer not only sees the advertising, but (s)he is also able to make instant purchase decisions. With a touch screen, and the capability to run actions based on customer decisions, merchants anticipate an enrichment of the POS operation, and thus an evolution from a point of payment towards a global point of interaction.

Multimedia content can either be standard (i.e. the same at a given time for all customers) or customer-specific. Once the customer is identified, thanks to his/her payment card, specifically targeted advertising can be displayed. The objective is to provide more targeted content to the customer and thus to trigger purchase decisions, thanks to actions decided by the customer and input through the touch screen.

The touch screen can also be used as a signature capture device. In most countries using magstripe, the customer's signature is required at each transaction, or at each transaction over a given threshold. Signatures are often collected on paper slips or with graphics tablets. Having a touch screen allows the cardholder's signature to be collected on the touch screen, making the customer experience more comfortable and more enjoyable.

Market Demand for Payment Related Applications

Merchants have identified sources for growth through payment-related applications. Payment at a point of sales terminal is the best opportunity to provide additional services.

Mobile communication prepaid top-up at the point of sales has been in existence for a few years. Thanks to a transaction on a payment terminal, customers are able to purchase airtime from their mobile network operator. The result is generally delivered in the form of a code the customer has to type on his/her handset. Having an enhanced interaction with the customer at the point of sales makes it possible to partner with mobile network operators (or other third parties) and propose specific targeted offers to customers. This will allow customers not only to purchase airtime, but also to gain access to all types of value added services.

Also, payment system operators have developed a long experience of partnership with loyalty operators, and have in many cases implemented loyalty programs aboard the cards. A more elaborate terminal, with an enriched user interface, allows more elaborate loyalty programs to be developed, in which the offer is even better tailored for the consumer. A large high quality display screen allows better interaction with the customer at the moment when he pays the most attention to what is being displayed on a screen: the payment moment.

Of course, implementing vertical functions on a payment terminal requires an easy development environment. Open systems provide development tools, and are supported by a large community of developers, ensuring a quick and easy development of applications under the supervision of payment operators.

Market Demand for Non-Payment Related Applications

A market demand for interfacing with professional applications is emerging.

For instance, in many restaurants, waiters take orders on PDAs, which are integrated in a global restaurant management system. However, these PDAs rely on payment terminals to acquire payment as the client departs. This implies additional equipment for restaurant owners, wasted time for waiters, and additional risks of mistakes. Restaurant owners would be happy to use a single device that could both be integrated in the restaurant management system and used to perform payment. Of course, such a system must be as easy and as convenient to use as a PDA, and as secure and reliable as a payment terminal.

Many sales professionals use PDAs, netbook PCs, tablet PCs, etc. to manage their sales relation with their customers and interact with their company's CRM system. The devices are perfectly integrated in ERP systems. For the time being they have to be totally separated from the payment terminal, or rely on insecure payment transactions, such as Internet card-not-present transactions.

In the retail industry, and especially in supermarket and hypermarket chains, there is an identified demand for including the payment transaction in the global inventory management system. For the time being, in many cases, the cashier has to rekey the final amount into the payment terminal to perform the payment transaction. In some cases, integration has been done that allows the amount to be transmitted from the POS terminal (cash register) to the payment terminal. A better integration would allow additional services to be performed, for instance the implementation of more elaborate loyalty programs.

At smaller merchants equipped with payment terminals, there is a demand for additional payment terminal usage: many merchants would be happy to reclaim more space on their counter, and drop the cash register altogether. To that end, there is a need for a single device that would allow secure payments to be performed, and also applications to be deployed, as on a cash register.

Development Environment

In the Open OS realm, industry grade development environments (SDKs) are available. These development environments can either come from the OS developer, e.g. for Microsoft Windows, or from a community of Open Source developers, as is the case for Linux. Open OS development environments are elaborate, user-friendly, and complete with debugging and validation tools. Developers are used to these development tools, which become de facto standards.

Community of Developers

Many software programmers are used to developing applications on Open OS. Developer communities count millions of software programmers who already have expertise in development tools for open operating system environments. Thanks to this extensive developer community, third parties can deploy developments on devices such as Open OS payment terminals. This allows the partners of payment terminal vendors to develop their own added value applications, thanks to more active development and more adaptation of products to specific customer needs.

Existing Application Base

Thanks to this huge developer community and the ease of access and user-friendliness of software development tools, many application layers, or application building-blocks, already exist, e.g. multimedia, connectivity, web browsers, ... With these preexisting ingredients, application development becomes easier, faster, and more reliable. Also, application maintenance requires skills that are found among a larger community of application developers.

3.2. ENFORCING SECURITY IN AN OPEN OS ENVIRONMENT

Switching to Open Operating Systems is an essential disruption for the payment terminal industry. This evolution brings lots of advantages, essentially in terms of flexibility, and eases development. However, easing application development should not happen at security's expense. Payment terminal industry customers, and more globally all stakeholders in the payment chain, accept no compromise on security.

Modular Security

A way to enforce security is to build payment terminals blending Open OS environments and secure payment environments. Such a dual environment terminal is actually built around two subsets:
- An Open OS, allowing all multimedia functions, and enabling easy application development thanks to existing development tools, and
- A secure Payment OS, allowing payment functions to be developed securely.

The architecture ensures that all communications between the two environments are secured. The Payment OS will send commands to use the peripherals of the Open OS, such as communication ports, display, etc. But the Payment OS must only communicate with the outer world using a limited command set. The Payment OS must only accept legitimate commands coming from the Open OS.
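One way the Payment OS side of such a limited command set could be enforced, as an added example rather than code from the paper or from any terminal vendor. The command names, field names, JSON framing, limits and the simulated transaction record are all hypothetical.

```python
import json
import re
from decimal import Decimal

MAX_MESSAGE_BYTES = 256                       # hypothetical framing limit
AMOUNT_RE = re.compile(r"[0-9]{1,5}\.[0-9]{2}")
CURRENCIES = {"EUR", "GBP", "USD"}

# Every accepted command and the exact set of fields it may carry.
ALLOWED = {
    "REQUEST_PAYMENT": {"cmd", "amount", "currency"},
    "GET_STATUS": {"cmd"},
}

# The only fields that may ever cross back to the Open OS.
RESPONSE_FIELDS = ("status", "amount", "currency", "receipt_id")


class Rejected(Exception):
    """Raised for anything outside the limited command set."""


def parse_command(raw):
    """Validate one message from the Open OS; raise Rejected on any deviation."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise Rejected("message too long")
    try:
        msg = json.loads(raw.decode("ascii"))
    except ValueError:                        # covers bad encoding and bad JSON
        raise Rejected("malformed message")
    if not isinstance(msg, dict):
        raise Rejected("malformed message")
    cmd = msg.get("cmd")
    if not isinstance(cmd, str) or cmd not in ALLOWED:
        raise Rejected("unknown command")
    if set(msg) != ALLOWED[cmd]:
        raise Rejected("unexpected or missing field")
    if cmd == "REQUEST_PAYMENT":
        amount, currency = msg["amount"], msg["currency"]
        if not isinstance(amount, str) or not AMOUNT_RE.fullmatch(amount):
            raise Rejected("bad amount")
        if Decimal(amount) <= 0:
            raise Rejected("bad amount")
        if currency not in CURRENCIES:
            raise Rejected("bad currency")
        return {"cmd": cmd, "amount": Decimal(amount), "currency": currency}
    return {"cmd": cmd}


def run_transaction(amount, currency):
    """Stand-in for the secure side, where card and PIN handling stay."""
    return {
        "status": "APPROVED", "amount": str(amount), "currency": currency,
        "receipt_id": "R-0001",
        "pan": "0000000000000000",            # constructed; never leaves this side
        "pin_verified": True,
    }


def handle(raw):
    """Entry point for bytes arriving from the Open OS."""
    try:
        cmd = parse_command(raw)
    except Rejected as exc:
        return {"status": "REJECTED", "reason": str(exc)}
    if cmd["cmd"] == "GET_STATUS":
        return {"status": "READY"}
    record = run_transaction(cmd["amount"], cmd["currency"])
    # Build the reply from an allowlist instead of deleting sensitive keys.
    return {field: record[field] for field in RESPONSE_FIELDS}


if __name__ == "__main__":
    print(handle(b'{"cmd":"REQUEST_PAYMENT","amount":"12.50","currency":"EUR"}'))
    print(handle(b'{"cmd":"READ_CARD"}'))
```

Both directions are allowlisted: requests must match a known command with exactly its permitted fields, and replies are assembled only from named non-sensitive fields.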

For instance, an Open OS application is allowed to request a payment transaction with a given amount from the Payment OS, but is not allowed to collect card details from the transaction. The Payment OS is to be built to ensure that no developer will be able to tamper with security functions, and that Open OS applications will not access security-sensitive data or functions. As the Payment OS is restricted to a reduced instruction set, it is protected against malicious program behavior. Payment terminal manufacturers have long experience in building such operating systems. In addition, monitoring routines can be implemented to control the evolution of every piece of software and every piece of data in the terminal's secure part. That way, any attempt to interfere with routines in the terminal's secure part is detected and appropriate protective measures can be triggered.

[Figure: terminal architecture showing the application environment and the secure environment. Labels: USB, Ethernet, Modem, RS232, Radio, Wifi, Bluetooth, Flash, SDRam, Application Processor, Application & Communication, Printer; Security sensors, Security mechanism, Tamper detection, Secure ASIC, Contactless, Smart Card, Magstripe, Security & Readers & Keyboard / Display, Display, Keyboard.]

Payment Dedicated Subset

A way to enforce security is to dedicate a subset of peripherals to payment functions. For instance, the PCI-PED standard mandates that the PINpad must be dedicated to payment functions. This rule ensures that PIN presentation is properly handled: the PIN is only presented to the card, and not stored anywhere along the chain. Thus no malicious software can be used to sniff the PIN. Also, a display can be dedicated to the Payment Operating System. This display prompts only payment functions and is dedicated to the user interface dealing with payment functions. It will only display payment-related messages such as the transaction amount, "Enter your PIN", "Transaction completed", etc. The user interface needed for vertical applicative functions is kept separate and uses a different display. Finally, a printer can be dedicated to the Payment Operating System. This printer will only be used to print transaction receipts, whereas another printer can be used to print other information necessary as part of the customer relationship, e.g. invoices, order confirmations, etc.

Open OS Audit

As Payment OSs are certified by independent labs, a payment terminal leveraging an Open Operating System should be certified. The following means can help achieve such a certification.

Separation. A way to ensure an Operating System can be certified is to isolate security functions from other functions and to control interaction with the security functions. That way, the certification covers payment functions and their interface with other functions.

Collaboration. Another way to ensure the certifiability of an Open OS is to collaborate with the OS developer. Access to the OS's source code is an integral part of the certification process. This means that the developer of such an OS must give access to the OS source code, and must be willing to provide access to it to the certification lab.

Pruning. Developing a certifiable OS on the base of an Open OS can also be achieved by pruning the OS and removing all functions that are not strictly required to support payment applications. This way, only payment-related functions can be used. The payment terminal developer ensures that, in this case, there is no way to install (or to re-install) other insecure functions on the same OS.

Attack Trees. Attack trees are a formal, methodical way of describing the security of systems, based on various attacks. Examining an Open OS under the attack tree model ensures a more exhaustive modeling of potential security threats. An attack tree approach is a way to ensure security threats are properly assessed. In an Open OS environment, an attack tree makes it possible to evaluate the risks associated with each attack strategy and to ensure the appropriate countermeasures are present.

Subsequent Releases. In an Open OS world, the need for new Operating System releases may arise. For instance, new releases allow bug correction, the addition of new features, new interface capabilities, etc. A payment terminal architecture based on an Open OS must ensure that new OS release downloads are controlled. To that end, the new OS release download is to be controlled by a secure part of the OS.

I/O Port Blocking and Limited Functionalities

Most Open OSs are built to provide the easiest communication capabilities. Payment terminals are built to ensure secure communications. In the payment realm, one wants to control communications between payment functions. For this reason a payment terminal based on an Open OS must control non-payment functions. An essential point to control is the use of I/O ports. This way, no malicious code can be downloaded onto the Open OS device through an uncontrolled I/O port. All interfaces between the terminal and the outer world must be controlled by secure routines, running on the secure part of the Operating System.
When using a pre-existent Open OS, the payment terminal developer may limit the use of security-related functions in order, for instance, to ensure that no access is possible to secure memory areas, nor to cryptographic algorithms and their private data (keys).

Certification

To enforce security and maintain the confidence of all stakeholders in the payment ecosystem, payment terminals must be certified. In a traditional approach, payment terminal developers have total control of their development. They manage hardware design (including anti-intrusion detectors and other types of detectors), hardware supply, software development, and payment terminal operation. That way, they can totally control the security of the payment terminal and its operation. In this traditional approach, product development steps are well identified: a terminal is developed, industrialized, certified, produced and sold. Certification is performed by independent labs, under the control of the following authorities: PCI (Payment Card Industry), on a global basis; local certifications may also be needed, depending on decisions made by local payment associations such as APACS in the UK or GIE-CB in France, for instance.

PCI Security Standards Council

The PCI Security Standards Council was established by the major payment card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) to build a common set of security requirements for the whole card payment industry. The PCI Security Standards Council defines the PCI security standards: technical and operational requirements to protect cardholder payment data. The standards globally govern all merchants and organizations that store, process or transmit this data, with new requirements for software developers and manufacturers of applications and devices used in those transactions.
PCI Standards include:

PCI Data Security Standard (PCI DSS): the PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. It covers technical and operational system components included in or connected to cardholder data. Any business accepting or processing payment cards must comply with the PCI DSS.

PIN Entry Device Security Requirements (PCI PED): PCI PED applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. For the time being, PCI PED does not allow a touch screen to be used as a PINpad.

Payment Application Data Security Standard (PA DSS): the PA DSS is for software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement. It also governs those applications that are sold, distributed or licensed to third parties.

Open OS Environments

In an Open OS environment, the certification process is bound to evolve. An Open OS device is bound to evolve with the addition of new applications, new OS releases, etc. A terminal is no longer a device that is frozen in the state it had when coming off the production line. The certification process must now take into account concepts such as a secure perimeter, or a secure kernel that is certifiable, and accept that other device subparts, running under an open operating system, will evolve during the terminal's lifetime. Major payment terminal vendors are currently in talks with PCI to reach a common understanding about Open OS, and establish processes for future certifications.

Update Mechanisms

In a payment terminal's lifetime, both the OS and the applications may require updates. These updates may involve both secure and regular device subparts. While a classic payment terminal remains under control, an Open OS based payment terminal may be subject to updates by third parties. Updating the regular part of an Open OS terminal must be as easy as updating any other device. Updating the secure part of an Open OS payment terminal must be as secure as updating a classic payment terminal. For this reason, mechanisms must be implemented to control the update of the Operating System and applications of the secure part of the payment terminal. Such mechanisms include authentication between the terminal and the server proposing the update, restricting the update to applications signed by the terminals' manager, and setting up a certification mechanism to ensure that only safe certified applications (and OS evolutions) may be downloaded during an update process. Moreover, the secure subpart of the payment terminal must include mechanisms to ensure that an update in the regular part will not breach security. For instance, access to I/O ports must remain controlled, and payment-dedicated peripherals (PINpad, display) must not be accessible by update routines in the terminal's regular subpart.

Use of Existing Open OS Security Functions

All Open OSs include security functions.
For instance, they may include cryptography routines, signature functions, etc. These pre-existing built-in functions have the advantage of being totally integrated in the Operating System, thus bringing developers the Open OS advantages (availability, stability, community of developers, ...). However, using such routines to perform secure functions raises some questions. For instance, it is necessary to ensure these functions actually perform what they are supposed to perform and nothing else. This means secure application developers must have access to the source code of these security functions in order to ensure that they perform only safe functions. Also, if pre-existing security functions are to be used in a payment terminal development (core or applications), the certification body needs to have access to these functions' source code.

Flexibility for the Merchant to Choose any Acquirer

In some areas, such as in Europe, merchants are given the possibility to choose any acquirer for each transaction. That way, a merchant is able to negotiate the best conditions for each transaction depending on different parameters such as the amount, type of sale, type of card, etc. While this is in general not practically the case, the chosen acquirer need not be in the same country as the merchant. The consequence of this is that old schemes, where security was considered as a whole, taking into account all intermediaries from the merchant and his terminal to the acquirer, including the network, no longer apply. Now, different entities may be responsible for the security of each payment chain subpart. And, as the configuration of the payment terminal may change at each transaction, the security policy must reflect this new reality: terminal security must be isolated from network security, and from the security of the transaction with the acquirer.

Terminal Monitoring

In a payment network, monitoring can be implemented as a security means.
By monitoring on a permanent basis what is happening in every terminal, the terminal management system (TMS) may keep track not only of all transactions, but also of all accesses to the secure terminal subpart and thus of every interaction with security. That way, the TMS can take appropriate actions in real time if a threat to the terminal security is detected. Open OSs provide communication routines that can be used to implement monitoring systems for terminal fleets.

Facilities Management Approach

As a conclusion, security in an Open OS environment is more complex than in traditional payment terminal environments. This is due to the intrinsic complexity of Open OS-based payment terminals, but also to issues relating to potential access to the regular part of the Open OS terminal. Many acquirers do not own the necessary infrastructure to implement an efficient and complete TMS incorporating the security constraints of Open OS payment terminals. Also, many acquirers do not have the appropriate security skills to ensure that an Open OS payment system is secure. For this reason, the whole payment infrastructure can be managed with a facilities management contract by a third party. This third party, typically a payment terminal expert, provides: payment infrastructure control, to enforce security in the day-to-day operation and in the download of updates or new applications; infrastructure consistency, to ensure an easy and safe administration of the payment terminal fleet; cost effectiveness, thanks to a single management system and better control over the hardware and software of the terminal fleet; mass maintenance and replacement programs when applicable; and a securely controlled environment: as the network is under the same management as the terminal fleet, any intrusion attempt is detected, and solutions can be implemented promptly.

To enforce end-to-end security, the organization in charge of facilities management may control not only the payment terminal fleet and the networks linking them, but also the transaction acquisition in the facilities management, to ensure an easy and complete administration of the system.

4. Evolution Towards Mobility

From pay at counter, to pay at table, and now to pay anywhere

Originally, payment terminals were heavy dark boxes that needed to be connected to the main power supply, and that used a dedicated telecom landline. These payment terminals were used in a pay at counter mode, where the customer comes to a counter, stands in front of the terminal, and completes the transaction facing the merchant. Then came the pay at table concept: in restaurants, customers are reluctant to have to move to the counter and line up just to pay for their meal. Terminal suppliers developed the pay at table terminal type, where most payment terminal functions are installed in a portable device: card reader, PINpad, display, printer, and communication peripherals. The terminal is to be put onto a cradle on a regular basis for battery recharging and also to download its transactions securely into the cradle, which will, in turn, transmit them over the network. In both the pay at counter and pay at table concepts, classic phone landlines are used to transmit data.

The current industry trend is to go towards the pay anywhere concept. Our life is becoming more mobile, and customers no longer understand why payment should be restricted to only one place or to only one environment when everyone has a mobile phone in his pocket. Terminal manufacturers must adapt to this demand, and provide fully functional devices including all the necessary terminal functions. Such terminals should be able to transmit data without the need to be put onto a cradle. In this context, a payment terminal can take advantage of mobile communication capacities to transmit its transactions to the acquirer.

4.1. INCREASED MOBILITY

Mobile Communications Availability

Evolutions of the telecommunication industry have made data networks available on a wide scale. Data networks started with WAP, and then GPRS, Edge, and now 3G (in WCDMA, CDMA 2000 or TD-SCDMA modes). The common feature shared by all these protocols is to provide increasing data throughputs and an ever-increasing geographic coverage. Also, in more geographically limited environments, mobile communication can be provided thanks to Bluetooth or Wi-Fi standards. High-speed mobile data networks, available in most countries, make data communication easier. They support IP (Internet Protocol), making the Internet seamlessly available on mobile devices. A branch of the industry has developed to supply mobile communication subsets dedicated to machine to machine (M2M) communication. Such M2M communication subsets integrate communication capabilities and subscriber identification capabilities. That way, they are suitable for implementation aboard a payment terminal to ensure smooth usage independently of the terminal location.

Cutting Communication Costs

At the same time, mobile high-speed data networks are less and less costly to access and to use. The cost of data transmission has sharply dropped over the years. Now, most mobile network operators propose unlimited data access, included in their communication packages.

Market Demand

The demand for mobile terminals stems from an evolution in lifestyles. Users, all over the world, are now equipped with mobile phones (more than 4 billion at end 2008). Our lifestyle is increasingly mobile, thanks not only to mobile phones but also to more and more elaborate mobile devices. Consumers want to be able to purchase not only when they visit a shop, but also on the move, by making instant purchase decisions. Merchants are also becoming increasingly mobile, or, to be more specific, already mobile merchants are becoming more integrated in modern banking and payment infrastructures. For this reason, they have to get equipped with payment terminals to provide their customers with multiple payment options. Consumers want to find everywhere the comfort and sales conditions they are used to in brick and mortar shops: they no longer understand why they can use payment cards when in a shop but would be limited to cash payment when in the open. Merchants must be ready to cope with these new customer needs and be ready to accept all types of payment everywhere. Typical examples include taxis, market places, and transport on-vehicle payments, both for the ticket and for additional services (meals, visit tickets, ...).

The demand for mobile banking is also on the increase. In many places, the increasing bancarization of the population implies that the banker must be always accessible. The banker must be within reach when and where his customers are available. Bankers become increasingly present on markets, on work locations, in public transport stations, etc. These bankers must be able to work with limited means, a payment terminal becoming the main means of interaction with customers.

In traditional shops, there is also a demand for additional customer throughput. Typically, in a fast food outlet, at peak times, additional staff is hired to go down the customers' queue and take orders before they reach the counter. That way, orders are transmitted thanks to a communicating PDA, and the meal is ready when customers reach the counter, thereby increasing the throughput of the fast food outlet. There is an identified demand for not only taking orders, but also acquiring their payment, to reduce the last time-consuming step in the fast food meal process. Fast food chains and other types of merchants expect a source of higher throughput, meaning additional income, if they are provided with queue optimization solutions to perform payment functions anywhere in their outlet. Depending on local regulations, a comparable demand appears in gambling terminals. Customers want to be able to gamble anywhere in a casino or in its environment, and, for the merchant, accepting payment cards on mobile terminals is a means to ensure additional income thanks to the flexibility it provides to gamblers.

Pseudo Mobile Terminals such as Unattended Terminals

Unattended terminals also constitute an essential market demand. Even if they are generally not mobile, payment terminals fitted in oil pumps, for instance, or mass transit ticket machines have the same interest in mobility as real mobile terminals, thanks to the ease of installation and availability provided by mobile data networks. Payment terminals aboard unattended devices need to accept cards and to communicate with acquirers. Using M2M modules, and communicating Over the Air using mobile communication protocols, is a convenient way to design these communication features, without having to take into consideration the burden of a landline.

Limited Mobile Terminals to Reclaim Counter Space

Merchants often consider that their sales capacity is linked to their counter space. A traditional countertop terminal occupies space, and thus prevents a few square centimeters from being used to display merchandise for sale. Many merchants, for instance in high-end shops such as jewelers, want a terminal with which they can move easily around the shop. A pay at table terminal is fit for purpose; a pay anywhere terminal allows more flexibility and more ease of operation, as it does not need to be brought back to its cradle on a regular basis.

4.2. ADVANTAGES OF MOBILE TERMINALS

Depending on context, mobile terminals may need to be connected on demand or on a permanent basis.

On Demand Server Connection

In the context of taxi payment, for instance, when acquiring smart card based payments, the terminal does not need to be connected to the acquirer network on a permanent basis. The terminal just needs to connect when a spending limit is reached, or after a series of transactions.

Permanent Server Connection

In a restaurant, for instance, waiters want to use the same device to take orders, to make bills and print them, and to acquire payments. This device needs to incorporate payment terminal functions, or more globally to be considered as a payment terminal. In this case, the terminal needs to be connected to the acquirer network on a permanent basis.

4.3. ENSURING SECURITY ON MOBILE TERMINALS

Terminal Initialization

In traditional payment terminal operation, there was an installation phase, when keys were injected in the terminal to make it operational at the merchant's premises.

Now, with a mobile terminal, installation tends to become a thing of the past. Merchants expect to receive a mobile terminal by regular delivery means, unpack it, and have it ready to operate quickly. To cope with this request, keys are injected when the terminal reaches the merchant, without needing the intervention of a professional installer. Also, during transport the terminal must be protected against any fraudulent use. Payment terminal manufacturers have developed an expertise ensuring that payment terminals cannot be tampered with during their transport. A mobile payment terminal can be protected with transport keys during its transport from the manufacturer to the merchant. With these transport keys, no operational use of the mobile payment terminal is possible. Then, when the merchant receives the mobile payment terminal, he undertakes a secure connection with the manufacturer, and the manufacturer (or the TMS Administrator) remotely replaces the transport keys with actual operational keys. Of course, the replacement of the transport keys by operational keys is performed in a controlled manner, ensuring that secure keys cannot be exposed and that they are only downloaded to legitimate terminals. From that moment, the mobile payment terminal is ready and operational.

Heterogeneous Networks

A mobile payment terminal can be programmed to operate on a variety of networks, and support a variety of protocols. Some of these networks may be secure, and others not. As a payment terminal communicates over insecure networks (or networks whose security cannot be assessed), and can be operated from anywhere, a mobile payment terminal must have features ensuring the security of each transaction. It must especially include all security features needed to communicate securely on an insecure network. These security features include signature, data encryption, SSL tunneling, etc.

Transaction Integrity

As mobile payment terminals communicate over insecure networks, there is a need to ensure the integrity of each transaction, i.e. that a transaction is not tampered with between the terminal and the acquirer system. Integrity is ensured using digital signatures: the terminal uses a key to compute a digital signature sent over the communication network along with the transaction data. This signature is verified by the acquirer, to ensure not only that the transaction comes from the legitimate merchant, but also that the transaction has not been tampered with between the merchant and the acquirer.

Moreover, as communication transits through a network that is beyond the control of the payment terminal developer and the TMS operator, there must be provisions to rebuild all transactions should the communication network not transmit them at all.

Encrypted Communication

As public networks are often insecure (or at least, we can't assess their security), the terminal should communicate securely with the acquirer by means of encrypted communications. Transactions contain sensitive data: capturing a card number from a transaction would threaten the security of the whole payment system. Also, just allowing a transaction to be listened to might create a security issue: many cardholders want to be certain that their payment transactions will not be made public. To that end, mobile payment terminals are equipped with data encryption capabilities. That way, all sensitive communications between the payment terminal and the acquirer are encrypted, preventing any listener from getting any information from the secure transactions.

SSL Tunneling

Secure Sockets Layer (SSL) is a collection of cryptographic protocols that provide security and data integrity for communications over TCP/IP networks.
In a nutshell, creating an SSL tunnel ensures the security of data exchanged over this tunnel. An SSL tunnel provides means to: authenticate each party, offer the confidentiality of transactions, and ensure the integrity of transactions.

Transaction Atomicity

As a mobile payment terminal is more at risk of having its communications interrupted than a fixed one, specific attention is to be paid to the risk of interrupted transactions. When communication is interrupted before a transaction is complete, the system needs to identify the issue and to decide that the transaction is not valid. To ensure that no transaction appears to be in an undefined state, the mobile terminal must implement transaction atomicity. This way, a transaction can only be either completed or not started, and no intermediate insecure third state can exist. This is achieved through a coding methodology called Atomicity Enforcement.

Terminal Communities

Theft is a specific risk associated with mobile payment terminals. An answer to this specific threat is to create terminal communities in which each member terminal will ensure that fellow terminals belonging to the community are present. This can be done using proximity radio frequency protocols, such as Bluetooth, or rely on base station beaming in GSM-Edge or 3G settings. When a terminal goes mute, its muteness is interpreted by the network as removal from its normal zone of operation, which can be interpreted as a threat. The TMS can detect the absence of the terminal, and take appropriate actions.

Anonymization role

Cardholders are increasingly privacy aware. All transaction details may be considered as sensitive data. For instance, cardholders' names are obviously confidential, but less direct data elements such as a transaction location may be looked upon as private. Customers want to ensure that their transactions are properly managed by all stakeholders in the payment chain, but not disclosed to a third party. Specific points in the payment chain may play the role of an anonymizer, making transactions anonymous without preventing their execution. Anonymizers will enforce privacy by making transactions anonymous, without impeding transaction management and clearing.

Secure Dynamic Currency Conversion

Customers wish to make transactions in any country in their own currency. That way, they can know with absolute precision how much they will be charged in their own currency. Currency conversion can be done on the payment terminal at the time of transaction. This implies that currency exchange rates become sensitive data, as interfering with exchange rates might impact the way in which transactions are conducted. On a mobile payment terminal, exchange rates are time stamped and digitally signed.
In addition, internal controls with respect to the terminal's internal real-time clock are necessary to allow a dynamic currency conversion.

Real Time Clocks

Time stamps play a crucial role in payment transactions. As a rule of thumb, all transactions are time-and-date-stamped. Tampering with the time and date on the terminal may invalidate some transactions, or change the value of others (as currency exchange rates and tax rates may vary over time). For this reason, mobile payment terminals are equipped with secure real-time clocks allowing the device to be self-aware of time and date information.

Best Operator Selection

Mobile payment terminals may give more flexibility to the merchant: e.g. the terminal may automatically choose the best mobile network operator (MNO) at each transaction. As subscription conditions for different MNOs are different, with different communication allowances depending on time, the best MNO may vary over time. This can be done by using a multi-operator SIM card in the terminal, and by setting up rules that will allow the terminal to choose the best MNO at any point in time. But such a choice can only be given if it does not threaten global system security. Rules allowing the choice of an MNO must be under the management of the terminal management system, and evolutions in these rules and in MNOs' subscription plans must be downloaded in a secure manner.
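The Transaction Integrity and Transaction Atomicity passages of section 4.3 can be followed end to end in a small model of both sides of the link. This is an added example, not code from the paper or from Ingenico; HMAC-SHA256 with a shared key stands in for the digital signature, and the message layout, sequence counter, `Terminal`, `Acquirer` and `LinkDown` names are assumptions.

```python
import hashlib
import hmac
import json


def canonical(obj: dict) -> bytes:
    """Stable byte encoding so both sides authenticate identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, obj: dict) -> str:
    # HMAC-SHA256 stands in for the paper's "digital signature" (assumption).
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()


def same(a: str, b: str) -> bool:
    """Constant-time comparison of two ASCII tags."""
    return hmac.compare_digest(a.encode(), b.encode())


class LinkDown(Exception):
    """The network dropped before an answer arrived."""


class Acquirer:
    def __init__(self, keys: dict):
        self.keys = keys      # terminal_id -> shared key
        self.last_seq = {}    # terminal_id -> highest sequence accepted
        self.accepted = []

    def receive(self, message: bytes):
        """Return a signed acknowledgement, or None if the message is refused."""
        try:
            envelope = json.loads(message)
            tx, tag = envelope["tx"], envelope["tag"]
            terminal_id, seq = tx["terminal_id"], tx["seq"]
            key = self.keys[terminal_id]
        except (ValueError, KeyError, TypeError):
            return None
        if not (isinstance(tag, str) and tag.isascii() and same(sign(key, tx), tag)):
            return None       # altered in transit, or not from this terminal
        if type(seq) is not int or seq <= self.last_seq.get(terminal_id, 0):
            return None       # replayed or out-of-order message
        self.last_seq[terminal_id] = seq
        self.accepted.append(tx)
        return sign(key, {"ack": seq, "terminal_id": terminal_id})


class Terminal:
    def __init__(self, terminal_id: str, key: bytes, send):
        self.terminal_id, self.key, self.send = terminal_id, key, send
        self.seq = 0
        self.journal = {}     # seq -> {"tx": ..., "state": ...}

    def pay(self, amount_minor: int, currency: str) -> str:
        self.seq += 1
        tx = {"terminal_id": self.terminal_id, "seq": self.seq,
              "amount_minor": amount_minor, "currency": currency}
        entry = {"tx": tx, "state": "PENDING"}
        self.journal[self.seq] = entry   # journalled before anything is sent
        message = json.dumps({"tx": tx, "tag": sign(self.key, tx)}).encode()
        try:
            ack = self.send(message)
        except LinkDown:
            ack = None
        expected = sign(self.key, {"ack": self.seq, "terminal_id": self.terminal_id})
        # Two outcomes only: a verified acknowledgement commits, anything else voids.
        # If the request arrived but the acknowledgement was lost, the void still
        # has to be reported to the acquirer; that reconciliation is not shown.
        committed = isinstance(ack, str) and same(ack, expected)
        entry["state"] = "COMMITTED" if committed else "VOID"
        return entry["state"]

    def recover(self) -> list:
        """After a restart, void whatever was still in flight."""
        voided = [s for s, e in self.journal.items() if e["state"] == "PENDING"]
        for s in voided:
            self.journal[s]["state"] = "VOID"
        return voided
```

The journal entry is written before the message leaves the terminal, so a power loss during transmission leaves a `PENDING` record that `recover()` resolves instead of an undefined state.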
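For the Secure Dynamic Currency Conversion and Real Time Clocks passages, the sketch below shows a terminal accepting a rate table only if its tag verifies, its time stamp is fresh, and the clock has not been set back. It is an added example, not the paper's or Ingenico's code; the table layout, the HMAC-SHA256 stand-in for the signature, the parts-per-million rate encoding and the age and skew limits are assumptions.

```python
import hashlib
import hmac
import json

MAX_RATE_AGE_S = 24 * 3600   # assumed policy: rates older than a day are refused
MAX_CLOCK_SKEW_S = 300       # assumed tolerance between issuer and terminal


class RateError(Exception):
    """The rate table or the clock cannot be trusted."""


def rate_tag(key: bytes, body: dict) -> str:
    # HMAC-SHA256 stands in for the digital signature on the rate table.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal_rates(key: bytes, rates_ppm: dict, issued_at: int) -> dict:
    """Issuer side: time-stamp and authenticate a rate table (base currency EUR)."""
    body = {"base": "EUR", "issued_at": issued_at, "rates_ppm": rates_ppm}
    return {"body": body, "tag": rate_tag(key, body)}


class SecureClock:
    """Wraps the real-time clock and refuses to run backwards."""

    def __init__(self, read_rtc, last_seen: int):
        self.read_rtc = read_rtc    # callable returning seconds since epoch
        self.last_seen = last_seen  # would live in tamper-protected storage

    def now(self) -> int:
        t = self.read_rtc()
        if t < self.last_seen:
            # A clock set back could make an expired table look fresh again.
            raise RateError("clock moved backwards")
        self.last_seen = t
        return t


def verified_rates(key: bytes, table: dict, clock: SecureClock) -> dict:
    try:
        body, tag = table["body"], table["tag"]
        issued_at, rates = body["issued_at"], body["rates_ppm"]
    except (KeyError, TypeError):
        raise RateError("malformed table") from None
    # Authenticate first; only then trust the time stamp inside the body.
    if not (isinstance(tag, str) and tag.isascii()
            and hmac.compare_digest(rate_tag(key, body).encode(), tag.encode())):
        raise RateError("bad signature")
    if type(issued_at) is not int or not isinstance(rates, dict):
        raise RateError("malformed table")
    now = clock.now()
    if issued_at > now + MAX_CLOCK_SKEW_S:
        raise RateError("rates issued in the future")
    if now - issued_at > MAX_RATE_AGE_S:
        raise RateError("stale rates")
    return body


def quote(key: bytes, table: dict, clock: SecureClock,
          amount_minor: int, currency: str) -> dict:
    """Convert an amount in base minor units, recording which table was used."""
    body = verified_rates(key, table, clock)
    rate = body["rates_ppm"].get(currency)
    if type(rate) is not int or rate <= 0:
        raise RateError("no rate for currency")
    # Integer arithmetic, rounded half up; no floating point on money.
    converted = (amount_minor * rate + 500_000) // 1_000_000
    return {"amount_minor": converted, "currency": currency,
            "rate_ppm": rate, "rates_issued_at": body["issued_at"]}
```

Recording `rates_issued_at` with each quote lets a later audit tie the charged amount to the exact table that produced it.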

Appendix

Glossary

3G: 3rd generation mobile communication (WCDMA, CDMA2000, TD-SCDMA protocols)
APACS: Association for Payment Clearing Services
Bluetooth: Open wireless protocol for exchanging data over short distances from fixed and mobile devices, creating personal area networks (PANs)
CDMA2000: 3rd generation evolution of CDMA (Code Division Multiple Access)
CRM: Customer Relationship Management
CCV: Cryptographic Check Value
DDA: Dynamic Data Authentication
EDGE: Enhanced Data Rates for GSM Evolution
EFTPOS: Electronic Funds Transfer Point of Sale
EMV: Europay MasterCard Visa
ERP: Enterprise Resource Planning
GPRS: General Packet Radio Service
GIE CB: Groupement d'Intérêts Economiques Carte Bancaire, French interbank organization in charge of banking cards
GSM: Global System for Mobile Communication
GSMA: Global System for Mobile Communication Association
I/O: Input / Output
LCD: Liquid Crystal Display
M2M: Machine to Machine
Magstripe: Magnetic stripe
MNO: Mobile Network Operator
NFC: Near Field Communication
OS: Operating System
OTA: Over The Air
PA-DSS: Payment Application Data Security Standard
PCI: Payment Card Industry
PCI DSS: Payment Card Industry Data Security Standard
PCI PED: Payment Card Industry PIN Entry Device
PCI SSC: Payment Card Industry Security Standards Council
PDA: Personal Digital Assistant
PIN: Personal Identification Number
PINpad: Keyboard dedicated to typing a PIN
PSTN: Public Switched Telephone Network
SDA: Static Data Authentication
SDK: Software Development Kit
SSL: Secure Sockets Layer
TMS: Terminal Management System
WCDMA: 3rd generation evolution of GSM, Wideband Code Division Multiple Access
Wi-Fi: Wireless Local Access Network

All graphics, photographs, and text appearing in this document produced by are protected by copyright. Redistribution or commercial use is prohibited without express written permission.

192, avenue Charles de Gaulle Neuilly-sur-Seine France Tel. +33(0) Fax +33(0)


More information

What Merchants Need to Know About EMV

What Merchants Need to Know About EMV Effective November 1, 2014 1. What is EMV? EMV is the global standard for card present payment processing technology and it s coming to the U.S. EMV uses an embedded chip in the card that holds all the

More information

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means EMV and Chip Cards Key Information On What This Is, How It Works and What It Means Document Purpose This document is intended to provide information about the concepts behind and the processes involved

More information