PCI and EMV Compliance Checkup

PCI and EMV Compliance Checkup
ATM Security
Jim Pettitt, Director, ATM Security, Diebold Incorporated

Agenda
- ATM threats today
- Top of mind risk
- PCI Impact on Security
- U.S. EMV Migration
- Conclusions / recommendations

A Changing Landscape
- The U.S. Secret Service reports magnetic stripe skimming cases have risen by 10% during the past three years and estimates that losses from ATM card fraud are over USD 1 billion per year or $350,000 a day
- Nilson Report research indicated U.S. card fraud losses are more than twice as much as global fraud losses: 9 cents compared with 4.5 cents for every $100 in transactions
- In 2009, the FBI stated that each ATM skimming device typically costs banks about $33,000 in losses. In 2012, reports estimate that it is now at $50,000 per ATM

With Global Consequences
- Bank Info Security reports that even after an uptick in skimming incidents in 2010, the U.S. will see more ATM skimming
- Increase in attacks being reported at smaller financial institutions
- Increase in skimming attacks on lobby type and drive up ATMs
- Card reader theft and internal skimming on the rise
- Latest European ATM Security Team (EAST) report indicates recent rise in skimming in at least seven countries
- Resurgence of card and currency trapping/fishing remains strong in Europe, according to EAST
- In 2011, EAST reported 7,722 incidents of ATM skimming and 1,559 incidents of card trapping

and Investment in New Criminal Tactics
- The total number of ATM attacks is up 63 percent in European markets, primarily due to cash trapping (EAST, 2012)
- In the first half of 2012, bank robberies and ATM attacks soared 50 percent in Brazil, from 838 incidents reported between January and June of 2011 to 1,261 for the same period in 2012
- Cash trapping incidents up from 240 incidents in 2010 to 10,808 incidents in 2011
- Verizon Business, 2012, reported that organized criminal groups targeting payment card information from Internet-facing POS systems or physically-exposed ATMs and gas pumps can launch a sting against hundreds of victims during the same operation

New Skimming Technology
Recent skimming innovations:
- Wafer thin skimming devices inserted into card readers (as reported by EAST).
- Drilling a hole to attach a skimmer read head to a third-party acrylic anti-skimming extension in Europe.
- In Ecuador, a black strip with a read head molded to fit over just a portion of the black part of the dip card reader.

Focus on Risk Management
- Compliance/Legal Risks. Threat: ADA Lawsuits
- Transaction/Operation Risks. Threat: System Disruptions / Fraud
- Financial Risk. Threat: Skimming / Logical Attacks / Acquirer Responsibility / Loss of ADA Lawsuits
- Reputational Risk. Threat: Loss of Trust / Failure to Deliver on Marketing Claims / Inability to solve Customer Problems / Confusion between services
- Strategic Risk. Early Adopters = Higher Costs and complexity; Late Adopters = Miss customer demand; Resources to monitor and maintain

Compliance is a Driver
[Figure labels: Expected Cost of a Breach; Security Spending; Level of Security; The Security Gap; Perceived Financial Optimum; Compliance Minimum; Today]

Loss Perspective at the ATM

Cardholder Data Chain of Trust

PCI Security Standards Council
Payment Card Industry
Every entity around the world involved in payment card transactions, including hardware/device manufacturers and software developers, as well as banks, service providers and merchants, must continually focus on safeguarding payment card data.

What Comprises PCI?
Learn more at www.pcisecuritystandards.org

PCI PTS and EPP
- PCI v1.0 compliant
- Triple data encryption standard protection (Triple DES) enforced
- Secure key entry / loading via EPP only
- Tamper-resistant security module
- Certificate validation between ATM & host
Compliance requirements:
- ATM installations after January 1, 2008 (all)
- ATM installations prior to January 1, 2008
  - ATMs moved
  - EPP replaced

PCI PA-DSS
The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
- Agilis 91x, 2.4 SP5
- Agilis 91x, 3.0 SP1
- Agilis NDx, 3.0 SP3

PCI DSS Requirements

Why Comply with PCI PA-DSS?
- Compliance can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences
- Compliance means that your systems are secure and customers can trust you with their sensitive payment card information
- Trust means your customers have confidence in doing business with you
- Confident customers are more likely to be repeat customers and to recommend you to others
- Compliance improves your reputation with acquirers and payment brands, the partners you need in order to do business

PCI ATM Security Guidelines
- Currently an Information Supplement under development
- Version 0.2 Draft is in the review cycle
- Objective is to identify security guidelines for ATMs
- Primary focus is on mitigation of magnetic stripe skimming and PIN stealing attacks at ATMs, which are most prevalent during the transition of the payment systems to EMV chip technology
- Considering protection that can be provided by hardware and software

PCI ATM Security Guidelines
- ATM Security Overview: vulnerabilities, security requirements, services, and technical standards
- Integration of Hardware Components: EPP, readers, cabinet, anti-skimming, encryption, and third party monitoring
- Security of Basic Software: OS, XFS, XV, open protocols, devices
- Device Management / Operation: key management, life cycle management, configuration, environment
- Application Management: security functions, patching, access control
- New technology support: EMV, NFC

Coming to a Card Reader Near You
Global Defense: EMV Chip Cards
- Europay, MasterCard and Visa - EMV
- Organized to define a global standard for chip cards and security applications
- Ensures mutual acceptance of EMV cards between financial institutions (FIs) and card associations
- EMV chip greatly reduces the fraudulent redemption of cash using a cloned magnetic stripe card
- EMVCo has a plan for the future

EMV Impact on Card Fraud
Source: EAST, 2011

Overview of EMV
- The card's chip communicates with card-accepting devices (POS and ATM terminals) through direct contact with the reader by way of a contact plate
- The chip contains info needed to use the card for payment and is protected by various security features
- Facilitates robust authentication, which can significantly reduce fraud at the POS or ATM
Chip Cards or Smart Cards

The Security of Chip Cards
Using EMV-compliant chip card technology improves security by adding functionality in three areas:
1. Card authentication, protecting against counterfeit cards
2. Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards being used for fraudulent transactions
3. Transaction authorization, using issuer-defined rules to authorize transactions

Overview of Contactless Technology
- Contactless devices use radio wave technology to transfer account information from the user device to a terminal reader
- An embedded chip and antenna enable consumers to wave their card or fob over a reader at the terminal
- Solution requires change/investment in the card/token, reader, ATM application and host authorization
- Examples include:
  - PayWave: Visa (May 2009)
  - PayPass: MasterCard (August 2007)

Near Field Communication (NFC)
- NFC technology is a standards-based wireless communication technology that allows data to be exchanged between devices in close proximity
- NFC-enabled mobile phones incorporate smart chips that allow the phones to securely store the payment application and account information
- NFC-enabled mobile phones will be able to carry one or more payment applications and accounts from different issuers

EMV ATM Transaction

Visa and MasterCard Announcements
[Timeline figure, 2011 to 2015]
Visa (date markers: August 9, April 1):
- Visa issues Acquirer Processor Mandate
- Merchant acquirers must be certified to accept EMV chip transactions
- Liability shift for merchants, October 2015
MasterCard (date markers: September, April 19):
- MC issues EMV Mandate
- USA participation in the Global Liability Shift program begins for Maestro interregional ATM Transactions
- Liability shift for merchants, October 2015

Chip Liability Shift Goes Global
How does chip liability shift work? When both parties to a transaction are in participating countries:
- Issuers assume counterfeit fraud-related liability if a non-EMV chip card is used at a hybrid terminal (a payment device that can accept transactions using both contact chip and magnetic stripe technologies)
- Acquirers assume counterfeit fraud-related liability if an EMV chip card is used at a magnetic stripe-reading-only terminal

Liability Shift for Global EMV

Diebold Recommendations
- Utilize various sources and training to raise your knowledge level of PCI and EMV and the impact on security
- Initiate internal discussions regarding the U.S. migration to EMV and why it is important
- Discuss the move to EMV with ATM processing entities to understand their roadmaps
- Develop strategies associated with issuing of chip cards and the future contactless technology
- Assess your ATM needs for EMV for hardware and software
- Establish and execute on a plan to move to EMV

ATM Security Alert
Diebold Subscription
- Created whenever an ATM attack trend is detected
- Attack details and pictures
- Recommendations for how to protect from this type of attack
- Diebold free service sent to over 3,000 global subscribers

Diebold ATM Security Websites
For more information, please visit:
http://www.diebold.com/atmsecurity
http://www.diebold.com/playingitsafe