FIME SECURITY OFFER. PCI PTS POI security evaluation process

Transcription

1 FIME SECURITY OFFER PCI PTS POI security evaluation process

2 ABOUT FIME Your partner in your project Global reach Unique portfolio tailored to your needs Independent third party 350 people over 1,000 customers 41 M revenue PCI PTS POI security evaluation process FIME

3 FIME S ASSETS FIME works with EWA-Canada Security Evaluation Lab Accredited ITSEF for Common Criteria security evaluations PCI accredited lab for PCI PTS security testing and Approved Scanning Vendor Accredited lab for Visa mpos testing NVLAP accredited lab for FIPS validations Accredited Lab for Australian Payments Clearing Association Wide range of expertise regarding security: source code audits software/hardware attacks, penetration testing, Common Criteria testing FIME is able to provide you with both functional and security testing as a global service offer FIME is your ideal partner to assess the security of your payment terminal PCI PTS POI security evaluation process FIME

4 WHAT IS PCI PTS POI? Security requirements for payment terminals Managed by PCI SSC: Payment Card Industry Security Standards Council PCI SSC members are: American Express, Discover, JCB, MasterCard and Visa PCI PTS POI evaluation is required by: American Express, Discover, JCB, Interac, MasterCard and Visa It is applicable to both magstripe and chip+pin card readers Approval expiration date is set as six years from the expiration of the relevant requirements Visa mpos is applicable to magstripe, chip and signature or chip and PIN. But chip and PIN has to undergo a PCI PTS security evaluation and will be Visa mpos certified without further testing PCI PTS POI security evaluation process FIME

5 PCI PTS POI V3.X APPLICABILITY VS PCI PTS POI V4.0 Jan-2011 PCI-PTS v3.0 applicable Jan-2014 PCI-PTS v4.0 applicable Oct-2011 PCI-PTS v3.1 released April-2014 PCI-PTS v4 must be used PCI-PTS v3.1 can only be used for delta testing PCI PTS POI security evaluation process FIME

6 PCI PTS POI SECURITY CERTIFICATION SCHEME PCI PTS POI = Payment Card Industry - PIN Transaction Security - Point of Interaction vendor selects an evaluation lab evaluation lab product evaluation certification body results endorsement verdict assignment 8 to 12 weeks* Evaluation duration: 8 to 12 weeks for v4.0 used to be 4 to 6 weeks for v3.x Certification Body = PCI SSC (Payment Card Industry - Security Standard Council) PCI PTS POI security evaluation process FIME

7 PCI PTS POI SECURITY REQUIREMENTS split into the following evaluation modules Requirements and evaluation module name Core Requirements POS Terminal Integration Open Protocols (OP) Secure Reading and Exchange of Data (SRED) Device Management Security Requirements Description Core logical and physical requirements of PIN acceptance devices Ensures that the integration of previously approved components does not impair the overall security. Supports the cost-effective maintenance of components. Includes security management requirements applicable to the integrated device. The interface of POI terminals to open networks using open protocols shall not have public domain vulnerabilities. A set of requirements that ensures cardholder data is protected. Life cycle requirements for POIs and their components up until the point of initial key loading. PCI PTS POI security evaluation process FIME

8 PCI PTS POI APPROACH TO SECURITY A terminal security evaluation consists in 3 phases: Scoping Usually done using a check-list in pre-sales Integration / Open Protocols/ SRED (Y/N) Outcome: applicable security requirements Exploration Documentation review Code review / Vulnerability analysis Security function evaluation / Initial testing Estimated resistance against attacks (CEM) Outcome: penetration test plan (lab internal)= Penetration Penetration test CEM rating of terminal product Outcome: final test report PCI PTS POI security evaluation process FIME

9 APPROACH TO SECURITY formal certification Internal review of the product (documentation review, source code review) Penetration testing (software attacks, side-channel attacks, physical perturbation attacks) security expertise: a white box approach Evaluator acquires product knowledge through internal review Penetration testing is done with this knowledge PCI PTS POI security evaluation process FIME

10 CUSTOMER-ORIENTED WORKFLOW Customer registers with the Authority (PCI SSC) Customer sends required documents to the Authority Customer chooses a Security Lab (free choice) Customer submits inputs to Security Lab POS or mpos terminal required: (3 to lab and 3 to MasterCard for new PCI; 1 for PCI delta; and 2 for mpos) source code and product documentation: EWA performs evaluation (using attack vectors, DPA and EM testing, functional testing) Checks if the product meets requirements EWA issues the Conformance Test Report (CTR) to customer and, once approved, to PCI SSC The Authority issues an approval letter PRE-REQUISITES: 3 samples to the lab for new PCI v3.1 or v4.0 testing : 2 of which could be destroyed 3 samples to MasterCard for new PCI v3.1 testing 2 samples to MasterCard for new PCI v4.0 testing All samples are to go to the lab first for test configuration and key loading 2 samples are required for Visa mpos or only 1 for Chip and PIN device after PCI-PTS PCI PTS POI security evaluation process FIME

11 CONTACT FIME For more information: