Seccuris is Canada's premier Information Assurance integrator. We enable organizations to achieve business goals through effective management of information risk. We are agile, innovative, flexible, and responsive. We assist your organization in managing all aspects of information risk. We specialize in end-to-end services, comprehensive solutions, and tailored programs.

Mobile Device Payment Card Processing: How Secure is It?
Richard Poworski, CISSP, ISP, ITCP, SCF, PCI QSA, PCIP
Managing Consultant
About Seccuris
- Established in 1999
- Dedicated to information assurance consulting, services, and solutions
- Headquartered in Canada (with offices across Canada)
- USA headquarters in Dallas, TX; office in Austin, TX
- Approximately 100 staff and growing
- Unsurpassed depth in information assurance including security, privacy, and risk management with broad industry expertise

- Research & Development
- Education & Training
- Managed Security Services
- Information Security Consulting
Mobile Device Payment Card Processing: How Secure is It?
The standard, preliminary PCI QSA answer: It all depends.

Agenda
1. Differences between current and mobile processing
2. Challenges of using mobile devices for payment cards
3. Meeting the challenges
4. Resources available
5. Q&A

Current Processing vs. Mobile Processing
Current versus Mobile: What are the Differences?
Current:
- POS devices/PIN pads
- Custom applications
- Payment Application Data Security Standard (PA-DSS) applications
- Web interfaces
- Usually within the confines of a business

Mobile:
- PIN pads
- Smartphones
- Tablets
- Reader attached to customer PC
- Can be anywhere!
Mobile Payment Devices

Mobile Device Payment Challenges
Some of the challenges in using mobile:
- Payment Card Industry Data Security Standard (PCI DSS) requirements
- Multiple options and form factors
- Maturity
- Attacker focus

Payment Card Industry Data Security Standard Requirements
PCI DSS: What is the PCI DSS?
- One worldwide standard, introduced in 2005
- All companies are now required to be compliant to do business
- PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements
- 6 goals and 12 high-level requirements

Ecosystem, Roles, and Responsibilities
- PCI QSA (Qualified Security Assessor)
- PCI PA-QSA (Payment Application Qualified Security Assessor)
- PCI ASV (Approved Scanning Vendor)
- PCI ISA (Internal Security Assessor)
PCI DSS: Where do the Requirements Apply?
- Requirements apply wherever the primary account number (PAN) is stored, processed, or transmitted
- The Cardholder Data Environment comprises the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data
- The PCI DSS security requirements apply to all system components
- In the context of PCI DSS, system components are any network component, server, or application included in, or connected to, the cardholder data environment
PCI DSS: Why Comply?
- Security threats are rising
- PCI compliance helps to protect:
  - Cardholder data
  - Your network
  - Your customers
  - Your business
- Merchants and service providers that do not comply with PCI face penalties in the event of a breach, along with non-compliance fees that could affect their bottom line

PCI DSS: Penalties
Merchants and service providers that do not comply with PCI face penalties in the event of a breach and non-compliance fees that could affect their bottom line:
- Fines of up to $500,000 per incident
- Restrictions imposed on the merchant or service provider
- Monthly fines
- Higher processing fees
- Remediation costs (estimated at $90-$302 per record)
- Potential customer lawsuits
- Damage to company reputation and brand
- Forensic investigation costs can be up to $600/hour
  - Forensic teams from each of the payment brands
  - Breached company pays the tab

PCI DSS: Benefits of Compliance
- Protect cardholder/sensitive data
- Prevent (reduce) identity theft
- Gain competitive advantage through validated compliance; increased revenues
- Streamline business processes
- Maintain positive consumer image
- Ensure confidence in the payment card industry
- Limit or reduce risk
Various Options and Form Factors

Mobile Device Options: Categories
- App on PTS-approved (PIN Transaction Security) mobile device
- Bundled
- Consumer handheld device

Mobile Device Options: Category One
App on PTS-approved mobile device

Mobile Device Options: Category Two
Bundled

Mobile Device Options: Category Three
Consumer handheld devices
Maturity

Mobile Device Challenges: Maturity
- New application space
- Multiple platforms to support
- Lack of focus on security on devices

How to Prove Compliance
1. Determine scope of the Cardholder Data Environment
2. Assess the environment according to applicable PCI DSS requirements:
   - Self-Assessment Questionnaire (SAQ); self-guided and/or Qualified Security Assessor assisted
   - Report on Compliance (ROC); Level 1 Merchant or Service Provider
3. Repeat
Attacker Focus

Mobile Device Challenges: Attacker Focus
- Attackers go where there is the most opportunity
  - Greatest volume of transactions
  - Greatest number of vulnerabilities
  - Greatest exposure of victims

Meeting the Challenges

Mobile Device Challenges
Some challenges of using mobile:
- PCI DSS requirements
- Multiple options and form factors
- Maturity
- Attacker focus
Meeting the PCI DSS Requirements Challenge
Determine PCI status:
- Understand the current payment card processing environment.
  - Are you currently compliant with the PCI DSS?
  - What are your current payment channels? How will they change?
- Understand the PAN usage.
- Are the current applications being used also available for mobile devices?
- Use the PCI Security Standards Council's website for approved applications and devices.
- Talk to your acquirer/bank.
- Engage a QSA company.
Meeting the Multiple Options/Form Factor Challenge
- Understand what is currently approved for use in the company
- Get involved with the changes from the start
- Ask the tough questions
- Review what others in your industry are doing
- Determine the level of control required
- Determine whether the devices will be personal or corporate
- Work with IT
Meeting the Maturity Challenge
- Determine the risk that the company is willing to accept
- Acquirer(s)/bank(s) recommendations
- Due diligence for options
- Develop detailed requirements to assess options
Meeting the Attacker Focus Challenge
- Work with solution vendors to identify associated risks
- Work with IT people to get their input from the start
- Acknowledge that attacks can come from internal and external sources
- Keep current with global events
- Keep current with industry events
- Continue networking
- Think like an attacker
- Don't forget about the non-mobile environment

Available Resources

Resources
- Acquirers/Banks
- PCI Security Standards Council website
  - FAQs
  - Qualified Security Assessors
  - Approved payment applications and devices
- Qualified Security Assessor companies
Mobile Device Payment Card Processing: How Secure is It? Answer

It All Depends... on the following:
- Due diligence
- Enterprise fit
- Effort of nefarious individuals

Thank You. Any Questions?
Richard Poworski, CISSP, ISP, ITCP, SCF, PCI QSA, PCIP
(512) 987-9888 / rpoworski@seccuris.com