PCI and EMV Compliance Checkup

Transcription

1 PCI and EMV Compliance Checkup ATM Security Jim Pettitt Director, ATM Security Diebold Incorporated

2 Agenda ATM threats today Top of mind risk PCI Impact on Security U.S. EMV Migration Conclusions / recommendations

3 A Changing Landscape The U.S. Secret Service reports magnetic stripe skimming cases have risen by 10% during the past three years and estimates that losses from ATM card fraud are over USD 1 billion per year or $350,000 a day Nilson Report research indicated U.S. card fraud losses are more than twice as much as global fraud losses 9 cents compared with 4.5 cents for every $100 in transactions In 2009, the FBI stated that each ATM skimming device typically costs banks about $33,000 in losses. In 2012, reports estimate that it is now at $50,000 per ATM

4 With Global Consequences Bank Info Security, reports that even after an uptick in skimming incidents in 2010, the U.S. will see more ATM skimming Increase in attacks being reported at smaller financial institutions Increase in skimming attacks on lobby type and drive up ATMs Card reader theft and internal skimming on the rise Latest European ATM Security Team (EAST) report indicates recent rise in skimming in at least seven countries Resurgence of card and currency trapping/fishing remains strong in Europe, according to EAST In 2011, EAST reported 7,722 incidents of ATM skimming and 1,559 incidents of card trapping

5 and Investment in New Criminal Tactics The total number of ATM attacks is up 63 percent in European markets primarily due to cash trapping EAST, 2012 In the first half of 2012, bank robberies and ATM attacks soared 50 percent in Brazil from 838 incidents reported between January and June of 2011 to 1,261 for the same period in 2012 Cash trapping incidents up from 240 incidents in 2010 to 10,808 incidents in Verizon Business, 2012, reported that organized criminal groups targeting payment card information from Internet-facing POS systems or physically-exposed ATMs and gas pumps can launch a sting against hundreds of victims during the same operation

6 New Skimming Technology Recent skimming innovations : Wafer thin skimming devices inserted into card readers (as reported by EAST). Drilling a hole to attach a skimmer read head to a third-party acrylic anti-skimming extension in Europe. In Ecuador, a black strip with a read head molded to fit over just a portion of the black part of the dip card reader.

7 Focus on Risk Management Compliance/Legal Risks Threat: ADA Lawsuits Transaction/Operation Risks Threat: System Disruptions / Fraud Financial Risk Threat: Skimming / Logical Attacks / Acquirer Responsibility / Loss of ADA Lawsuits Reputational Risk Threat: Loss of Trust / Failure to Deliver on Marketing Claims / Inability to solve Customer Problems / Confusion between services Strategic Risk Early Adopters = Higher Costs and complexity Late Adopters = Miss customer demand Resources to monitor and maintain

8 Compliance is a Driver EXPECTED COST OF A BREACH The Security GAP SECURITY SPENDING Perceived Financial Optimum Compliance Minimum Today LEVEL OF SECURITY

9 Loss Perspective at the ATM

10 Cardholder Data Chain of Trust

11 PCI Security Standards Council Payment Card Industry Every entity around the world involved in payment card transactions including hardware/device manufacturers and software developers, as well as banks, service providers and merchants must continually focus on safeguarding payment card data.

12 What Comprises PCI? Learn more at

13 PCI PTS and EPP PCI v1.0 compliant Triple data encryption standard protection (Triple DES) enforced Secure key entry / loading via EPP only Tamper-resistant security module Certificate validation between ATM & host Compliance requirements ATM installations after January 1, 2008 (all) ATM installations prior to January 1, 2008 ATMs moved EPP replaced

14 PCI PA-DSS The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties. Agilis 91x, 2.4 SP5 Agilis 91x, 3.0 SP1 Agilis NDx, 3.0 SP3

15 PCI DSS Requirements

16 Why Comply with PCI PA-DSS? Compliance can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences Compliance means that your systems are secure and customers can trust you with their sensitive payment card information Trust means your customers have confidence in doing business with you Confident customers are more likely to be repeat customers and to recommend you to others Compliance improves your reputation with acquirers and payment brands -- the partners you need in order to do business

17 PCI ATM Security Guidelines Currently an Information Supplement under development Version 0.2 Draft is in the review cycle Objective is to identify security guidelines for ATMs Primary focus is on mitigation of magnetic stripe skimming and PIN stealing attacks at ATMs, which are most prevalent during the transition of the payment systems to EMV chip technology Considering protection that can be provided by hardware and software

18 PCI ATM Security Guidelines ATM Security Overview Vulnerabilities, security requirements, services, and technical standards Integration of Hardware Components EPP, readers, cabinet, anti-skimming, encryption, and third party monitoring Security of Basic Software OS, XFS, XV, open protocols, devices Device Management / Operation Key management, life cycle management, configuration, environment Application Management security functions, patching, access control New technology support EMV, NFC

19 Coming to a Card Reader Near You Global Defense EMV Chip Cards Europay, MasterCard and Visa - EMV Organized to define a global standard for chip cards and security applications Ensures mutual acceptance of EMV cards between financial Institutions (FIs) and card associations EMV chip greatly reduces the fraudulent redemption of cash using a cloned magnetic stripe card EMVCo has a plan for the future

20 Source: EAST, 2011 EMV Impact on Card Fraud

21 Overview of EMV The card s chip communicates with card-accepting devices (POS and ATM terminals) through direct contact with the reader by way of a contact plate The chip contains info needed to use the card for payment and is protected by various security features Facilitates robust authentication, which can significantly reduce fraud at the POS or ATM Chip Cards or Smart Cards

22 The Security of Chip Cards Using EMV-compliant chip card technology improves security by adding functionality in three areas: 1. Card authentication, protecting against counterfeit cards 2. Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards being used for fraudulent transactions 3. Transaction authorization, using issuer-defined rules to authorize transaction

23 Overview of Contactless Technology Contactless devices use radio wave technology to transfer account information from the user device to a terminal reader An embedded chip and antenna enable consumers to wave their card or fob over a reader at the terminal Solution requires change/investment in the card/token, reader, ATM application and host authorization Examples include: PayWave: Visa (May 2009) PayPass : MasterCard (August 2007)

24 Near Field Communication (NFC) NFC technology is a standards-based wireless communication technology that allows data to be exchanged between devices in close proximity NFC-enabled mobile phones incorporate smart chips that allow the phones to securely store the payment application and account information NFC-enabled mobile phones will be able to carry one or more payment applications and accounts from different issuers

25 EMV ATM Transaction

26 Visa and MasterCard Announcements August 9 April Visa issues Acquirer Processor Mandate Merchant acquirers must be certified to accept EMV chip transactions Liability shift for merchants October 2015 September April MC issues EMV Mandate USA participation in the Global Liability Shift program begins for Maestro interregional ATM Transactions Liability shift for merchants October 2015

27 Chip Liability Shift Goes Global How does chip liability shift work? When both parties to a transaction are in participating countries: Issuers assume counterfeit fraud-related liability if a non-emv chip card is used at a hybrid terminal (a payment device that can accept transactions using both contact chip and magnetic stripe technologies) Acquirers assume counterfeit fraud-related liability if an EMV chip card is used at a magnetic stripe-reading-only terminal

28 Liability Shift for Global EMV

29 Diebold Recommendations Utilize various sources and training to raise your knowledge level of PCI and EMV and the impact on security Initiate internal discussions regarding the U.S. migration to EMV and why it is important Discuss the move to EMV with ATM processing entities to understand their roadmaps Develop strategies associated with issuing of chip cards and the future contactless technology Assess your ATM needs for EMV for hardware and software Establish and execute on a plan to move to EMV

30 ATM Security Alert Diebold Subscription Created whenever an ATM attack trend is detected Attack details and pictures Recommendations for how to protect from this type of attack Diebold free service sent to over 3,000 global subscribers

31 Diebold ATM Security Websites For more information, please visit: