Data Protection and Mobile Payments. Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security



2 Today's reality
It's a data-centric world, and the IT security landscape is changing. Your data is getting:
- More valuable
- More regulated
- More accessible
- More vulnerable

3 These vulnerabilities are being exploited by all sides

4 Verizon Data Breach Report

5 Victim industry Source: Verizon 2013 Data Breach Investigations Report

6 Compromised data Source: Verizon 2013 Data Breach Investigations Report

7 Mobile threats global overview
- 5.6 million potentially malicious files reported on Android, of which 1.3 million are confirmed malicious by multiple AV vendors
Source: APWG White Paper: Mobile Fraud, May 2013

8 Does anybody care? Source: Advanced Payments Report 2013 Edgar, Dunn & Company, Sponsored by First Data

9 Overview of PCI DSS
What?
- Measures to protect card data
- Mandatory
- Created by card schemes
- Enforced via contract
Why?
- Manage risk: reduce likelihood, reduce impact, reduce fraud
Who?
- All entities which store, process or transmit cardholder data

PCI Point-to-Point Encryption

11 Scope reduction using P2PE
- PCI Point-to-Point Encryption Solution Requirements defines requirements for P2PE solutions, with the goal of reducing the scope of the PCI DSS assessment for merchants using such solutions
- Encrypted data is out of scope if, and only if, it has been validated that the entity that possesses the encrypted cardholder data does not have the means to decrypt it.

12 Implementing P2PE
Diagram: POI (at the Merchant) -> Payment Gateway / P2PE Solution Provider -> Acquirer Switch -> Issuer. The P2PE secure link covers the POI-to-gateway leg; beyond it, in the acquirer domain, the data is protected by the payments network.
- Reduces pain of audit compliance for merchant
- Eliminates card data from merchant environment
- Protects data from POS device to Gateway or Acquirer

13 Data breach, the latest one
- Massive data breach exposed personal and financial information on more than 110 million customers: 40 million cards, 70 million customer contact records
- Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores
- In the wake of the breach, Steinhafel has urged retailers and banks to deploy EMV chip-based cards to thwart data breaches at the point of sale
- This time around, Target is not alone. Visa, MasterCard, American Express and Discover have all set timelines for most merchants to accept EMV cards by October 2015
- Target announced a $5 million investment in a new cybersecurity coalition to help educate consumers and organizations about digital crimes and how to protect payment and personal data
Sources: KrebsOnSecurity, January 14, 2014; Bank Technology News, January 21, 2014

14 Costs of breach, what is known so far
Card reissue
- US banks have re-issued 17.2 million cards following the Target data breach
- Cost to US banks? Over $172 million according to figures from the Consumer Bankers' Association
- Includes: the card itself, informing consumers of a card reissue, shipping and activating the card, supplemental communication via call centres and the internet
- Could also be liable for up to $3.6 billion in fines: a $90 fine for each cardholder's data compromised
Sources: Finextra, Feb 7, 2014; TechCrunch, Dec 23, 2013

15 Fact or fiction? EMV cards would have prevented the breach
- The EMV chip card is not really pertinent to how the breach occurred. The attacker's malware would have penetrated the payment system regardless of what type of cards the consumers were using
- The use of EMV chip cards would have helped from the standpoint of making it difficult for fraudsters to make duplicate cards
Source: Bank Technology News, Jan 21, 2014

16 The merchant (Target) environment
Diagram labels: Merchant; Acquirer / Store Switch; Card Issuer; Swipe or Swipe and Sign; CVV/CVC; EMV Cryptogram; Data Decryption (PCI P2PE)

Tokenization in Data Protection

19 What is tokenization?
- Replaces original data with a Token
- Not necessarily mathematically related to the data
- Enables look-up of the PAN in a mapping system
- Token Database stores original data in encrypted form
- Segregate environment: protect the mapping system
- Systems handling tokens alone are out of scope
Diagram: original data goes into the Token Database, which stores the encrypted original data and hands back a token; downstream systems hold only tokenized data. Token mapping via a lookup table.

20 Tokenization across an Enterprise
Diagram: card data (sample card "Global Credit Bank", EXP 07/14) appearing in CRM, Tape Backups, Customer Payments, Loyalty Records, DR Sites, Dev & QA Environments, Credit Card Data Warehouse, Bookings, Transaction Database and Logs & Reports, with a single Token Database serving them all.

21 Card schemes' press release on tokenization
MasterCard, Visa and American Express Propose New Global Standard to Make Online and Mobile Shopping Simpler and Safer
October 1, 2013
PURCHASE, N.Y., FOSTER CITY, Calif. and NEW YORK, October 1, 2013: Visa (NYSE: V), MasterCard (NYSE: MA) and American Express (NYSE: AXP) today introduced a proposed framework for a new global standard to enhance the security of digital payments and simplify the purchasing experience when shopping on a mobile phone, tablet, personal computer or other smart device. Aligned with these initiatives, the proposed standard would meet this consumer demand and allow the traditional account number to be replaced with a digital payment token for online and mobile transactions. With a token, consumers will no longer be required to enter an actual account number when shopping online or on a smart device. Tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers.


24 Fun fact
First 6 digits of a credit card number are known as:
- Issuer Identification Number (IIN), more commonly known as bank identification number (BIN)
- Issued under the ISO/IEC 7812 standard
- American Express: card numbers beginning with 34 or 37
- Japan Credit Bureau (JCB): card numbers begin with 35
- Diners Club: card numbers begin with 36 or 38
- Visa: card numbers start with a 4
- MasterCard: card numbers start with the numbers 51 through 55
- Discover: card numbers begin with 6011 or 65
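As an added example, not from the deck or from Thales, the tokenization flow of slide 19 and the IIN lookup of this slide in Python: a random token replaces the PAN, the vault keeps the PAN only in encrypted, integrity-checked form, and only a system with vault access can look it up, which is exactly why systems holding tokens alone fall out of scope. The cipher is an HMAC-SHA256 counter-mode construction chosen so the block runs on the standard library alone (an assumption; a production vault would use AES with keys inside an HSM), and the scheme prefixes are only those the slide lists.

```python
import hashlib
import hmac
import secrets


def card_scheme(pan: str) -> str:
    """Map the IIN (first 6 digits, ISO/IEC 7812) to a scheme using the slide's prefixes."""
    p2, p4 = pan[:2], pan[:4]
    if p2 in ("34", "37"):
        return "American Express"
    if p2 == "35":
        return "JCB"
    if p2 in ("36", "38"):
        return "Diners Club"
    if pan[:1] == "4":
        return "Visa"
    if "51" <= p2 <= "55":
        return "MasterCard"
    if p4 == "6011" or p2 == "65":
        return "Discover"
    return "unknown"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in (assumption) for the AES an HSM-backed vault would use
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


class TokenVault:
    """Segregated mapping system: the only place holding the key that recovers a PAN."""
    def __init__(self, master_key: bytes) -> None:
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._db = {}  # token -> (nonce, ciphertext, tag); only encrypted PANs are stored

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)  # random 16 hex chars, mathematically unrelated to the PAN
        while token in self._db:  # guard against the (tiny) chance of a repeated token
            token = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        ks = _keystream(self._enc_key, nonce, len(pan))
        ct = bytes(a ^ b for a, b in zip(pan.encode(), ks))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self._db[token] = (nonce, ct, tag)
        return token

    def detokenize(self, token: str) -> str:
        nonce, ct, tag = self._db[token]
        expect = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("vault record corrupted or tampered with")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._enc_key, nonce, len(ct)))).decode()
```

The PANs used to try it should be the well-known test numbers, never real cards; a merchant database that stores only the returned tokens never holds anything the vault key could not protect.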


Mobile Payments

30 Mobile banking
Mobile Banking vs. Mobile Payments
- It is a direct relationship between you and your bank
- You can view your account balances
- You can pay bills, but mostly only to accounts you registered to pay directly (electric, phone, etc.)
- You can transfer money between your accounts
- You may be able to make a deposit by taking a picture of a check you want to deposit
- You cannot walk into a store and pay for purchases with a mobile banking application

31 The future trend for payments Source: RSR research, March 2013

32 Who is leading the way?
"Retailers are taking their leads from innovators PayPal and Google, whose success is driven not by service providers, but by consumers themselves"
Source: RSR Research, March 2013

35 Mobile acceptance (mPOS)
- Traditional POS: Merchant -> Payment Service Provider, over trusted devices, applications and networks
- Mobile POS: Merchant -> Payment Gateway, over untrusted devices, applications and networks

37 PCI's view on mobile payments

38 What about mobile acceptance (mPOS) and P2PE?
Diagram: Smart Phone or Tablet with a PCI-approved Secure Card Reader as the POI (at the Merchant) -> Payment Gateway / P2PE Solution Provider -> Acquirer Switch -> Issuer. The P2PE secure link covers the reader-to-gateway leg; beyond it, in the acquirer domain, the data is protected by the payments network.
- Enables transaction data security for mPOS
- Eliminates card data from mobile device and merchant environment
- P2PE used to protect the data
- An important component for mPOS transactions!

39 Paying with mobile brings new challenges
- Traditional Four Corner Model defines a tightly controlled ecosystem: Consumer's Cards, Merchant's Systems, Network, Consumer's Bank, Merchant's Bank
- Everything stays the same, but phones are insecure: they are consumer controlled, and they can't be read in stores

40 Expanded ecosystem: several cooks in the kitchen
- The payments industry is no longer a private club
- Alongside the Merchant's Systems, Network, Consumer's Bank and Merchant's Bank now sit the Mobile Technology Providers: Trusted Service Managers (TSM), Mobile Wallet Providers, Mobile App Developers, Handset Manufacturers, Mobile Network Operators (MNO)

41 Secure element in the cloud: Host Card Emulation (HCE)
1. Realtime and/or batch file import of card and personalization data
2. EMV command and cryptogram generation (key management / HSM)
3. Secure connection
4. Connection to client API with integrated cloud secure element support
Courtesy of Bell ID

46 Introducing Thales

47 Thales Group
Ground transportation; Aerospace; Space; Defense; Security
Trusted partner for a safer world: wherever safety and security are critical, Thales delivers. Together, we innovate with our customers to build smarter solutions. Everywhere.

48 Global leadership
- #1 worldwide: payloads for telecom satellites, air traffic management, sonars, security for payment transactions
- #2 worldwide: rail signalling systems, in-flight entertainment, military tactical radio
- #3 worldwide: avionics, civil satellites, surface radars
14 bn revenues; 63,000 employees; 56 countries

49 Thales Hardware Security Modules
- Tamper resistant, certified security
- Secure cryptographic operations
- High assurance key management
nShield: multi-purpose HSM family
payShield: payments HSM family

50 HSMs: trust platform for application security
What are HSMs?
- Hardware Security Module: hardened, tamper-resistant devices isolated from host environment
- Alternative to software crypto libraries
What do HSMs do?
- Secure cryptographic operations
- Protect critical cryptographic key material
- Enforce policy over use of key material
Diagram: the Business Application sends data to be signed, encrypted or decrypted across the HSM security boundary; the Application Keys stay inside the boundary, the HSM's secure crypto processing engine operates on them, and only the encrypted/decrypted or signed data returns to the application.

51 Strongest protection for keys and critical applications
Security controls of HSM-based trust platforms (compared with typical application platforms):
- Strong isolation of key material and crypto processes from host environment
- Anti-tamper techniques for physical protection
- Strong authentication for administrators
- Strongly segregated administration domains
- Strongly enforced dual controls for mutual supervision
- High integrity random number generation
- Processing offload to boost capacity

52 keyAuthority centralized key management
What does it do?
- Centralized control and automated lifecycle management for cryptographic keys
- Secure key generation, key vaulting and delivery
- Robust segregation of keys, users and applications
- Scalability to support millions of keys, thousands of devices
- Security hardening, tamper-resistance: FIPS 140-2 level 3 certification
What can it manage?
- Any KMIP compliant application or device (KMIP = Key Management Interoperability Protocol)
- Pre-validated interoperability with leading storage encryption products: IBM, HDS, Quantum, Sepaton, Brocade and more
- Cloud encryption solutions

53 Why Thales e-security?
- Our track record: over 40 years of leadership delivering data protection solutions around the world
- Our customers: we secure some of the world's most valuable information and > 80% of payment transactions
- Our commitment: hundreds of R&D staff dedicated to excellence in applied cryptography
- Our certifications: all our offerings are independently security certified, more than anyone else!
- Our support services: our Advanced Solutions Group (ASG) provides world-class consulting, training, and deployment assistance
Products: Hardware Security Modules; key management systems; network encryption; signing and time stamping
Markets: Banking; Government; Utilities; High Tech; Mobile

54 Any Questions?

54 Contact Information
Ted Heiman, Key Account Manager, Thales e-security
2365 Bering Drive, San Jose, California 95131
ted.heiman@thalesesec.com
408-666-1626 (cell), 954-302-6517 (office)

Jose Diaz, Business Development & Technical Alliances, Thales e-security
900 South Pine Island Road, Suite 710, Plantation, Florida 33324
jose.diaz@thalesesec.com
954-888-6210 (office)

www.thales-esecurity.com