Data Protection and Mobile Payments. Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security

Transcription

1 Data Protection and Mobile Payments Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security

2 2 Today s reality It s a data-centric world. And the data is getting More valuable... More regulated More accessible More vulnerable. The IT security landscape is changing - Your data is getting More valuable... More regulated More accessible More vulnerable.

3 3 These vulnerabilities are being exploited by all sides

4 4 Verizon Data Breach Report

5 5 Victim industry Source: Verizon 2013 Data Breach Investigations Report

6 6 Compromised data Source: Verizon 2013 Data Breach Investigations Report

7 7 Mobile threats global overview 5.6 million potentially malicious files reported on Android, of which 1.3 million are confirmed malicious by multiple AV vendors Source: APWG White Paper: Mobile Fraud, May 2013

8 8 Does anybody care? Source: Advanced Payments Report 2013 Edgar, Dunn & Company, Sponsored by First Data

9 9 Overview of PCI DSS What? Measures to protect card data Mandatory Created by card schemes Enforced via contract Why? Manage risk Reduce likelihood Reduce impact Reduce fraud Who? All entities which: Store cardholder data Process cardholder data Transmit cardholder data

10 PCI Point-to-Point Encryption

11 11 Scope reduction using P2PE PCI Point-to-Point Encryption Solution Requirements Defines requirements for P2PE solutions, with goal of reducing scope of PCI DSS assessment for merchants using such solutions Encrypted data is out of scope if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it.

12 12 Implementing P2PE Acquirer Domain Payments network POI (at the Merchant) Payment Gateway / P2PE Solution Provider Acquirer Switch Issuer P2PE Secure Link Data protected by payments network Reduces pain of audit compliance for merchant Eliminates card data from merchant environment Protects data from POS device to Gateway or Acquirer

13 13 Data breach the latest one Massive data breach exposed personal and financial information on more than 110 million customers 40 million cards, 70 million customer contact records Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores In the wake of breach, Steinhafel has urged retailers and banks to deploy EMV chip-based cards to thwart data breaches at the point of sale This time around, Target is not alone. Visa, MasterCard, American Express and Discover have all set timelines for most merchants to accept EMV cards by October 2015 Target announced a $5 million investment in a new cybersecurity coalition to help educate consumers and organizations about digital crimes and how to protect payment and personal data Krebson Security January 14, 2014 Bank Technology News January 21, 2014

14 14 Costs of breach, what is known so far Card Reissue US banks have re-issued 17.2 million cards following Target data breach Cost to US banks? Over $172 million according to figures from the Consumer Bankers' Association Includes: the card itself, informing consumers of a card reissuement, shipping and activating the card, supplemental communication via call centres and the internet Could also be liable for up to $3.6 billion in fines $90 fine for each cardholder s data compromised Finextra - Feb 7, 2014 TechCrunch Dec 23, 2013

15 15 Fact or fiction? EMV Cards would have prevented the breach The EMV-chip card is not really pertinent to how the breach occurred. The attacker's malware would have penetrated the payment system regardless of what type of cards the consumers were using The use of EMV chip cards would have helped from the standpoint of making it difficult for fraudsters to make duplicate cards Bank Technology News Jan 21, 2014

16 16 The merchant (Target) environment Merchant Acquirer / Store Switch Card Issuer Swipe or Swipe and Sign CVV/CVC EMV Cryptogram Data Decryption (PCI P2PE)

17 Tokenization in Data Protection

18 19 What is tokenization? Replaces original data with a Token Not necessarily mathematically related to the data Enable look-up of the PAN in a mapping system Token Database stores original data in encrypted form Segregate environment Protect the mapping system Systems handling tokens alone are out of scope Original Data Token Database Encrypted Original Data Encrypted Original Data Token Token Tokenized Data Encrypted Original Data Token Token mapping via a lookup table

19 20 Tokenization across an Enterprise CRM Global Credit Bank Global Credit Bank Global Credit Bank EXP 07/14 Tape Backups EXP 07/14 EXP 07/14 Global Credit Bank Customer Payments Loyalty Records EXP 07/14 DR Sites Global Credit Bank EXP 07/14 Global Credit Bank EXP 07/14 Global Credit Bank EXP 07/14 Dev & QA Environments Credit Card Data Warehouse Global Credit Bank Bookings Transaction Database Global Credit Bank EXP 07/14 Logs & Reports Global Credit Bank EXP 07/14 EXP 07/14 Token Database

20 21 Card scheme s press release on tokenization MasterCard, Visa and American Express Propose New Global Standard to Make Online and Mobile Shopping Simpler and Safer October 1, 2013 PURCHASE, N.Y., FOSTER CITY, Calif. and NEW YORK October 1, 2013 Visa (NYSE: V), MasterCard (NYSE: MA) and American Express (NYSE: AXP) today introduced a proposed framework for a new global standard to enhance the security of digital payments and simplify the purchasing experience when shopping on a mobile phone, tablet, personal computer or other smart device. Aligned with these initiatives, the proposed standard would meet this consumer demand and allow the traditional account number to be replaced with a digital payment token for online and mobile transactions. With a token, consumers will no longer be required to enter an actual account number when shopping online or on a smart device. Tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers.

21 22

22 23

23 24 Fun fact First 6 digits of a credit card number are known as: Issuer Identification Number (IIN) More commonly known as bank identification number (BIN) Issued under the ISO/IEC 7812 standard American Express : Card numbers beginning with 34 or 37. Japan Credit Bureau (JCB): Card numbers begin with 35. Diners Club: Card numbers begin with 36 or 38. Visa: Card numbers start with a 4. MasterCard: Card numbers start with the numbers 51 through 55. Discover: Card numbers begin with 6011 or 65.

24 26

25 27

26 Mobile Payments

27 30 Mobile banking Mobile Banking Mobile Payments It is a direct relationship between you and your bank You can view your account balances You can pay bills but: Mostly, these are only to accounts you registered to pay directly (electric, phone, etc.) You can transfer money between your accounts You may be able to make a deposit by taking a picture of a check you want to deposit You cannot walk into a store and pay for purchases with a mobile banking application

28 31 The future trend for payments Source: RSR research, March 2013

29 32 Who is leading the way? retailers are taking their leads from innovators PayPal and Google, whose success is driven not by service providers, but by consumers themselves Source: RSR research, March 2013

30 35 Mobile acceptance (mpos) Traditional POS Merchant Payment Service Provider Trusted devices, applications and networks Mobile POS Payment Gateway Untrusted devices, applications and networks

31 37 PCI s view on mobile payments

32 38 What about mobile acceptance (mpos) and P2PE? Smart Phone Or Tablet Acquirer Domain Payments network PCI-approved Secure Card Reader POI (at the Merchant) Payment Gateway / P2PE Solution Provider Acquirer Switch Issuer P2PE Secure Link Data protected by payments network Enables transaction data security for mpos Eliminates card data from mobile device and merchant environment P2PE used to protect the data An important component for mpos transactions!

33 39 Paying with mobile brings new challenges Traditional Four Corner Model defines a tightly controlled ecosystem Consumer s Cards Merchant s Systems Everything stays the same - but Phones are insecure They are consumer controlled Network They can t be read in stores Consumer s Bank Merchant s Bank

34 40 Expanded ecosystem several cooks in the kitchen Trusted Service Managers Mobile Wallet (TSM) Providers Mobile App Developers Handset Manufacturers Mobile Network Operators (MNO) The payments industry is no longer a private club Merchant s Systems Mobile Technology Providers Network Consumer s Bank Merchant s Bank

35 41 Secure element in the cloud - Host Card Emulation (HCE) 1. Realtime and/or batchfile import of card and personalization data 2. EMV command and cryptogram generation (key management / HSM) 3. Secure connection 4. Connection to client API with integrated cloud secure element support Courtesy of Bell ID

36 46 Introducing Thales

37 47 Thales Group GROUND AEROSPACE SPACE TRANSPORTATION DEFENSE SECURITY TRUSTED PARTNER FOR A SAFER WORLD Wherever safety and security are critical, Thales delivers. Together, we innovate with our customers to build smarter solutions. Everywhere.

38 48 Global leadership # 1 worldwide Payloads for telecom satellites Air Traffic Management Sonars Security for payment transactions # 2 worldwide 14 bn Revenues Rail signalling systems In-flight entertainment Military tactical radio 63,000 Employees # 3 worldwide 56 Countries Avionics Civil satellites Surface radars

39 49 Thales Hardware Security Modules Hardware Security Modules Tamper resistant, certified security Secure cryptographic operations High assurance key management nshield Multi-purpose HSM family payshield Payments HSM family

40 50 HSMs: trust platform for application security What are HSMs? What do HSMs do? Hardware Security Module Secure cryptographic operations Hardened, tamper-resistant devices isolated from host environment Protect critical cryptographic key material Alternative to software crypto libraries Enforce policy over use of key material Business Application Application Data HSM security boundary Data to be signed, encrypted/decrypted Encrypted/decrypted or signed data HSM Application Keys inside security boundary Secure crypto processing engine

41 51 Strongest protection for keys and critical applications Security Controls Strong isolation of key material and crypto processes from host environment Anti-tamper techniques for physical protection Typical Application Platforms HSM Based Trust Platforms Strong authentication for administrators Strongly segregated administration domains Strongly enforced dual controls for mutual supervision High integrity random number generation Processing offload to boost capacity

42 52 keyauthority centralized key management What does it do? Centralized control and automated lifecycle management for cryptographic keys Secure key generation, key vaulting and delivery Robust segregation of keys, users and applications Scalability to support millions of keys, thousands of devices Security hardening, tamperresistance - FIPS level 3 certification keyauthority What can it manage? Any KMIP compliant application or device Pre-validated interoperability with leading storage encryption products - IBM, HDS, Quantum, Sepaton, Brocade and more Cloud encryption solutions KMIP = Key Management Interoperability Protocol

43 53 Why Thales e-security? Our track record. Over 40 years of leadership delivering data protection solutions around the world Our customers. We secure some of the world s most valuable information and > 80% of payment transactions Our commitment. Hundreds of R&D staff dedicated to excellence in applied cryptography Our certifications. All our offerings are independently security certified - more than anyone else! Our support services. Our Advanced Solutions Group (ASG) provides world-class consulting, training, and deployment assistance Hardware Security Modules Key management systems Network encryption Signing and time stamping Banking Government Utilities High Tech Mobile

44 54 Any Questions?

45 54 Contact Information Ted Heiman Key Account Manager Thales e-security 2365 Bering Drive San Jose, California (cell) (office) Jose Diaz Business Development & Technical Alliances Thales e-security 900 South Pine Island Road, Suite 710 Plantation, Florida (office)