Applying Common Criteria to a cloud type payment service

Similar documents
Lecture 26 Enterprise Internet Computing 1. Enterprise computing 2. Enterprise Internet computing 3. Natures of enterprise computing 4.

Mobile Wallet Platform. Next generation mobile wallet solution

MPOS: RISK AND SECURITY

Entrust Managed Services PKI. Getting an end-user Entrust certificate using Entrust Authority Administration Services. Document issue: 2.

PrivyLink Cryptographic Key Server *

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

m Commerce Working Group

Embedded Java & Secure Element for high security in IoT systems

Certification Report

Table of Contents. Introduction. Audience. At Course Completion

Certification Report

The EMV Readiness. Collis America. Guy Berg President, Collis America

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

PrivateServer HSM Integration with Microsoft IIS

Secure your Privacy. jrsys, Inc. All rights reserved.

Certification Report

Visa Inc. PIN Entry Device Requirements

Hardware Security Modules for Protecting Embedded Systems

Entrust IdentityGuard Comprehensive

Certification Report

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

EMV mobile Point of Sale (mpos) Initial Considerations

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

Certification Report

Alliance Key Manager Cloud HSM Frequently Asked Questions

Aadhaar. Security Policy & Framework for UIDAI Authentication. Version 1.0. Unique Identification Authority of India (UIDAI)

Chapter 1: Introduction

SSL ACCELERATION DEPLOYMENT STRATEGIES FOR ENTERPRISE SECURITY

CoSign by ARX for PIV Cards

PSN compliant remote access Whitepaper

Implementation Guide

Intel Enhanced Data Security Assessment Form

Certification Report

Certification Report

Secure Mobile POS System

How To Evaluate Watchguard And Fireware V11.5.1

Certification Report

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

White Paper How Noah Mobile uses Microsoft Azure Core Services

Introduction to Cyber Security / Information Security

Store Logistics and Payment with Near Field Communication

Payment Card Industry (PCI) PIN Security. Requirements and Testing Procedures. Version 2.0. December 2014

Thales e-security Key Isolation for Enterprises and Managed Service Providers

Cards and e-commerce payments in Macedonia. Ohrid June 2012

Building Trust in a Digital World. Brian Phelps, BSc CISSP Director of Advanced Solutions Group EMEA Thales UK, Ltd.

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Android pay. Frequently asked questions

White Paper Solutions For Hospitality

The Internet Corporation for Assigned Names and Numbers (ICANN)

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

WE MAKE SECURITY WORK

Meet The Family. Payment Security Standards

RSA Digital Certificate Solution

FIME SECURITY OFFER. PCI PTS POI security evaluation process

SAFE SYSTEM: SECURE APPLICATIONS FOR FINANCIAL ENVIRONMENTS USING MOBILE PHONES

Stronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement"

Payment Card Industry (PCI) Point-to-Point Encryption

mpos Secure Mobile Card Acceptance

Mobile Payment Ecosystem ITI

Certification Report

e-authentication guidelines for esign- Online Electronic Signature Service

Encryption Key Management for Microsoft SQL Server 2008/2014

Certification Report

Payment Transactions Security & Enforcement

EFT solution NOMAD. NOMAD (BankservAfrica) INFORMATION

C033 Certification Report

Troux Hosting Options

Certification Report

What is a Smart Card?

Cloud POS Banking. Value Services

INFORMATION TECHNOLOGY SECURITY: PORTFOLIO OVERVIEW

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

bi on Solution white paper

The Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities

Key & Data Storage on Mobile Devices

Alliance Key Manager Solution Brief

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

OFFICIAL SECURITY CHARACTERISTIC MOBILE DEVICE MANAGEMENT

Common Criteria Security Target

Data Protection and Mobile Payments. Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security

Joint Interpretation Library

EMV-TT. Now available on Android. White Paper by

Integration Guide. CyberArk Microsoft Windows

Overview of Luna High Availability and Load Balancing

Innovation in payments an overview

Advanced Authentication

An Open Source eid Simulator Open Identity Summit 9th -11th September 2013

Secure SSL, Fast SSL

EESTEL. Association of European Experts in E-Transactions Systems. Apple iphone 6, Apple Pay, What else? EESTEL White Paper.

Transcription:

1 Applying Common Criteria to a cloud type payment service Kenji Yamaya ECSEC Laboratory Inc.

2 Evaluation of a cloud system Tablet internet cloud Newly developed terminal products Mobile POS Smart Phone POS TOE server TOE configuration defined in Security Target A cloud system we evaluated varies dynamically by terminals connected with. The configurable TOE is one reason to the difficulty in evaluating the cloud system.

3 Contents Thincacloud and its evaluation Idea for whole cloud evaluation Evaluation of terminals Evaluation of a server Evaluation of a whole cloud system Remaining issue Conclusion

4 Contents Thincacloud and its evaluation Idea of whole cloud evaluation Evaluation of terminals Evaluation of a server Evaluation of a whole system Remaining issue Conclusion

5 What is Thincacloud Thincacloud is a cloud system based on NFC solution. It is currently available and providing e- commerce payment service in Japan. No evaluation regarding whole cloud system evaluation including many kinds of terminals, so far.

6 What is Thincacloud Real payment Virtual payment By TV By Smart Phones In offices By Tablets

7 Thincacloud architecture IC Cards Certified Contactless Smart Card Terminals POS Server Thincacloud server program and HSM Secure Channel Secure transaction: Confidentiality and Integrity Certified Built-in IC chip Tablet Smart Phone TOE Authentication: card - terminal - server

8 Merit of Thincacloud architecture Main security functionality is the secure session. The developer forces the secure session on the just High-EAL IC and the server. Terminals only support the secure session. The developer decides that TOE in terminals is a program, and configurable parts (OS and hardware) are IT environments. Therefore, assurance will be continued regardless of terminals until the program is updated.

9 Evaluated Thincacloud TOE internet cloud TOE and HSM This TOE we have already evaluated is a small program in terminals and a program, and a HSM in a server. Merit : Assurance will be continued regardless of terminals until the program is updated.

10 How about a whole system? Tablet internet cloud SSL Mobile POS Smart Phone POS Security of Whole system? TOE server E-commerce sites Is my tablet secure to use Thincacloud payment? some users may think. Is my POS terminal secure? some shop owners may think. Is Thincacloud server secure? e-commerce site owners may think.

11 Contents Thincacloud and its evaluation Idea for whole cloud evaluation Evaluation of terminals Evaluation of a server Evaluation of a whole system Remaining issue Conclusion

12 Evaluation of terminals How does the stakeholders obtain security assurance of the entire terminal, instead of a program? Is the Point of interaction protection profile (POI-PP) available for evaluation of the entire terminal?

13 What is POI-PP POI-PP is a protection profile for the payment terminals, Version 2.0 certified by ANSSI on 2011. The target products are payment terminals with the smart card based transaction capability. POI-OPTION configuration: TOE provides protection for smart card based transaction, payment transaction data management and external communication facilities.

14 POI-OPTION configuration Application Application Application Application Application Acquirer System Communication Services POI Application Logic (PAL) Security Services Application Separation Terminal Management VPN Network IC Card R/W CHV Device PIN Mag-Stripe R/W TOE of POI-OPTION

15 NFC configuration Application Application Application Application Application Acquirer System Communication Services VPN Network POI Application Logic (PAL) Security Services Application Separation Terminal Management IC Card R/W TOE on NFC system CHV Device TOE of POI-OPTION Mag-Stripe R/W TOE on NFC system is similar to one of POI-OPTION, which indicates that POI-PP could be applied to cloud system based on NFC.

16 TSF structures POI-OPTION NFC terminal Middle TSF PED control PED Middle TSF PIN Entry PIN Encrypted Key PIN Entry Function Middle TSF Terminal Management and Payment transaction POI Management Payment transaction Middle TSF TSF based on NFC could be covered with POI-OPTION without PIN entry.

17 Contents Thincacloud and its evaluation Idea for whole cloud evaluation Evaluation of terminals Evaluation of a server Evaluation of a whole system Remaining issue Conclusion

18 Evaluation of a server How the stakeholders obtain security assurance of total server instead of component only. E-commerce sites TOE E-money1 Server SSL HSM SSL SSL APL logic Log Secure environment

19 Evaluation of a server How the stakeholders obtain security assurance of total server scheme instead of component only. Physical scope of the server-side TOE is total server including databases, HSMs, SSL accelerators, Web servers and so on. Assurance continuity can be applied to the total server scheme, even when components are upgraded.

20 Contents Thincacloud and its evaluation Idea for whole cloud evaluation Evaluation of terminals Evaluation of a server Evaluation of a whole system Remaining issue Conclusion

21 Evaluation of a whole system internet Tablet New terminal products Mobile POS Smart Phone POS TOE server TOE Fixed configuration defined Security target The client TOE runs well on the newly-developed terminals. Rapid assurance continuity is useful for whole system evaluation.

22 Evaluation of a whole system Security target describes the newly-developed terminal as a part of TOE. Evaluation of the newly-developed terminal is required. From whole system point of view, evaluation of terminal means partial evaluation. Then assurance continuity for the TOE is maintained and available for evaluation.

23 Contents Thincacloud and its evaluation Idea for whole cloud evaluation Evaluation of terminals Evaluation of server Evaluation of whole system Remaining issue Conclusion

24 Remaining issue The e-commerce site is out of the scope of TOE. It is regarded as a user for the TOE. However, the card holder may require it is secure. We need to consider how we assure the e- commerce site is secure enough.

25 Contents Thincacloud and its evaluation Idea for whole cloud evaluation Evaluation of terminals Evaluation of a server Evaluation of a whole system Remaining issue Conclusion

26 Conclusion Idea of assurance for the whole cloud system including terminals. Terminals: terminals are evaluated and applied for assurance continuity. Developing subset of POI-PP TOE might be applicable. Server: Total server scheme as TOE is suitable for evaluation, NOT component base. Whole system: Rapid assurance continuity could be useful depends on component's life cycle.

27 Thank you ECSEC Laboratory Inc. 3-21, Kanda-Nishikicho, Chiyoda-ku Tokyo, Japan 101-0054 TEL: +81-3-5259-8061 FAX: +81-3-5259-8070 E-mail: labinquiry@ecsec.jp Evaluation of software / hardware IT Products by ISO/IEC15408 Testing of cryptographic module and algorithm implementation by FIPS 140-2 and JIS X 19790 (ISO/IEC 19790)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information