Meet The Family. Payment Security Standards

Similar documents
Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

Android pay. Frequently asked questions

EMV Migration and Certification in the U.S. UL's View on Optimizing EMV Brand Certification Processes

Payment Card Industry (PCI) Data Security Standard. PCI DSS Applicability in an EMV Environment A Guidance Document Version 1

A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

PIN Entry Device Security Requirements: Frequently Asked Questions

PCI PA-DSS Requirements. For hardware vendors

PCI Security Standards Council

What a Processor Needs from a University to Validate Compliance

A Guide to EMV Version 1.0 May 2011

INTRODUCTION AND HISTORY

Payments Transformation - EMV comes to the US

University Policy Accepting Credit Cards to Conduct University Business

Credit Card Processing, Point of Sale, ecommerce

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

PCI Compliance Overview

EMV mobile Point of Sale (mpos) Initial Considerations

Adyen PCI DSS 3.0 Compliance Guide

Transaction Security. Test & Certification and Security Evaluation

Mobile Payment Solutions: Best Practices and Guidelines

PCI and EMV Compliance Checkup

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

Visa Inc. PIN Entry Device Requirements

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry Data Security Standard (PCI DSS)

To ensure independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors.

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

How To Comply With The Pci Ds.S.A.S

Need to be PCI DSS compliant and reduce the risk of fraud?

Enhancing Payment Card Security New Measures to be Phased in from 2 nd Quarter 2010 to 1 st Quarter 2011

FIME SECURITY OFFER. PCI PTS POI security evaluation process

PCI Security Standards Council

Credit Card Processing Overview

MPOS: RISK AND SECURITY

Transitions in Payments: PCI Compliance, EMV & True Transactions Security

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

Universal Transaction Gateway (UTG ), 4Go, and i4go are covered by

EPC SEPA CARDS STANDARDISATION (SCS) VOLUME

EMV and Small Merchants:

Payment Card Industry (PCI) Payment Application Data Security Standard

Guide to Data Field Encryption

NCR CONNECTED PAYMENTS The vision for payment acceptance in restaurants

A Compliance Overview for the Payment Card Industry (PCI)

CardControl. Credit Card Processing 101. Overview. Contents

Enterprise Payments for

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

PCI DSS COMPLIANCE DATA

How To Protect Your Credit Card Information From Being Stolen

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Prevention Is Better Than Cure EMV and PCI

PCI DSS Compliance Services January 2016

Continuous compliance through good governance

Paving the way for a SEPA wide Payment Solution. The OSCar Project June 2013

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Achieving PCI Compliance for Your Site in Acquia Cloud

E M V I M P L E M E N TAT I O N T O O L S F O R S U C C E S S, P C I & S E C U R I T Y. February 2014

EMV/NFC/MOBILE PAYMENTS THE TIME IS NOW THE OPPORTUNITY IS HUGE

Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

PREVENTING PAYMENT CARD DATA BREACHES

CONTACTLESS INTEROPERABILITY IN TRANSIT

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

A PCI Journey with Wichita State University

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

Global Iris Integration Guide ecommerce Remote Integration

EMV : Frequently Asked Questions for Merchants

Information for merchants. Program implementation details for merchants. Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

MOBILE NEAR-FIELD COMMUNICATIONS (NFC) PAYMENTS

welcome to liber8:payment

Payment Card Industry (PCI) Terminal Software Security. Best Practices

Josiah Wilkinson Internal Security Assessor. Nationwide

Point-to-Point Encryption

EMV and Restaurants What you need to know! November 19, 2014

ACI TOKEN MANAGER FOR MOBILE: TOKEN SERVICE PROVISION, HCE AND EMBEDDED SECURE ELEMENT IN THE CLOUD

Data Protection and Mobile Payments. Jose Diaz - Business Development & Technical Alliances Ted Heiman Key Account Manager Thales e-security

Transcription:

Meet The Family Payment Security Standards

Meet The Family Payment Security Standards Payment Processing Electronic payments are increasingly becoming part of our everyday lives. For most people, it can be hard to imagine a single day where we do not make a purchase using our payment cards in a physical store, or perform some form of online payment or money transfer. We almost take for granted the fact that these systems work, without consideration for how they work. But consideration of the how is important to understand what protects our electronic payments now, and to properly assess the changes that will be made to the way we perform electronic payments in the near future. Payment processing is most commonly performed using a four corner model, where four separate parties are involved in each transaction; the customer, the merchant, the merchants Acquiring Financial Institution, and the customers Issuing Financial Institution. Different standards apply to each of the corners of the transaction, as illustrated below for a generic card present transaction. Note that for card not present transactions, such as ecommerce, the EMV, PCI PTS and PCI P2PE requirements do not currently apply. This is because EMV L1 and L2 (Level 1 and Level 2) standards relate to the way in which a card present transaction is performed, and the PCI PTS and P2PE requirements to how a card present transaction can be secured. Therefore, we can look at the standardization of payments processing as two broad groups; functional standards which detail how a transaction is processed, and security standards which detail how a transaction is secured. This whitepaper is concerned primarily with the security standards of card present transaction processing. Payment Security Standards The payments industry is fundamentally based on trust. When you use your payment card to purchase goods or services, you trust the merchant to accept that payment method and manage your details in some secure way. The merchant trusts that this method of payment will eventually end up with funds being transferred into their bank accounts if the payment is authorized. The financial institution that issues your payment card trusts that the details they receive from the merchants bank are not fraudulent, page 2

and the merchants bank trusts that the Issuer is going to follow through on their commitments if they approve the transaction. The standards for security in payments are written and enforced with the intent of ensuring the required levels of trust to all parties involved. Although there are many localized standards, this paper focuses solely on the International standards, their scope and application. Standards Bodies When discussing International payment security standards, there are four main actors that need to be discussed, these being PCI SSC, ISO, ANSI, and EMV. Both PCI SSC (the Payment Card Industry Security Standards Council), and EMV (named after its founding payment brands of EuroPay, MasterCard, and Visa) are Industry bodies that have been established by the payment brands specifically to manage standards for their industry. In contrast ISO (the International Standards Organization), and ANSI (American National Standards Institute manage standards covering many different areas, some of which include security and specific items for the payment industry. The FIPS (Federal Information Processing Standards) standards interact with payments only tangentially, being used as references or benchmarks for other, payment specific, standards. In addition to these standards bodies, there is also the Common Criteria approval methodology which is sometimes applied in the evaluation of payments systems. Common Criteria is different from the previously mentioned standards bodies in that it is not a single approval or standards body, and devices or systems must be tested against a specific Protection Profile, or Security Target which is often be created bespoke for each device to be evaluated. Common Criteria evaluations are favored in the European region, and this methodology has been chosen for use with the Common Approval Scheme (CAS) which is to form part of the approval of devices to be used within the Single European Payments Arena (SEPA). Payment Card Security Card present payments start with the customer card, so it is fitting perhaps to start with these as we examine the standards for payment security. Historically, payment cards have not been very secure. They have contained static information that is easily read and copied, and once copied it is very difficult to differentiate the original from the clone. For this reason, the EMV standards were created to outline a whole new methodology for performing payments, using a secure card that could provide cryptographic authentication of itself and the transaction. The EMV standards themselves are separated into three broad groups; ones that outline the security of the processing element, or chip on the customer card; ones that detail the physical and electrical interface of the customer card and payment terminal; and finally standards that outline how the transaction is to be performed. The security of customer cards, or more specifically the security of the chips used in EMV cards, is covered by EMV Security page 3

Guidelines, currently published as v4. This standard addresses both the physical security of the chip itself, as well as the security of the applications and cryptographic operations performed by the chips. Much of the other EMV requirements are much more focused on the how of the transaction, rather than the security of the transaction. However, as part of this how the standards do allow for the customer card to provide authentication data to the payment terminal; preventing the cloning of payment cards. Additionally, an EMV card can also provide authentication data relating to the transaction itself, allowing for a card Issuer to validate that the transaction that the customer authorized is the same as that communicated from the payment terminal. EMV cards provide this authentication using cryptographic keys that are stored on their processing elements and using profiles, or scripts, that outline how these keys are to be used. The loading of these profiles and cryptographic keys is referred to as the personalization (or perso ) process, and understandably is highly security sensitive. The security of this perso process is covered under the PCI Card Production standard, which is an audit standard that is designed to ensure that Issuing Financial Institutions and their agents ensure that there is sufficient security in their handling of customer cards and the process of loading cryptographic keys and profile data. Payment Device Security Standards addressing the security of devices accepting or authenticating our payment transactions have been written to address both the physical and logical security aspects of payment devices, but it is perhaps true to say that these standards have started to show their hardware bias. The rapid changes in software and the importance of software within hardware security modules is something that is difficult to address within hardware security standards. Hardware does not change once shipped, but often it is important to have update methodologies for addressing new vulnerabilities in software even after shipping. Given this, it is reasonable to expect that software security will become an increasing focus for all aspects of security and security standards into the future. The seminal standard for hardware security is ISO13491, which covers the security of Secure Cryptographic Modules (SCM) which includes PIN Entry Devices, Hardware Security Modules, Automatic Teller Machines, amongst others. Although ISO13491 is still used by many local payment schemes as a basis for device testing and approval, both PCI PTS and Common Criteria standards and methodologies have overtaken this standard as the most common evaluation method. The PCI PTS (PIN Transaction Security) standards address the security of devices used by customers to perform card present transactions, as well as the Hardware Security Modules (HSMs) that are used to generate/verify customer PINs, and manage the cryptographic keys used to secure customer PINs and card data whilst they are transmitted from the Point of Interaction through to the Issuing Financial Institution. PCI PTS was formed by the collaboration of MasterCard and Visa in 2004, even prior to the creation of the PCI SSC, and along with the PCI PIN standard (discussed later) were the first documents to carry the PCI name. The PCI PTS standards are updated every three years, with the current version being v4 of this standard. Initially these standards took their inspiration from page 4

hardware security standards such as ISO13491 and FIPS140-2, however their comparatively rapid update cycle and industry acceptance has meant that they have increasingly become a source of inspiration themselves: The SEPA CAS POI Protection Profile is currently based upon the PCI PTS v3 requirements, and the latest version of ISO13491 borrows concepts previously only found in the PCI PTS criteria. At the time of writing testing against the CAS POI PP has just completed its trial stages, and the Protection Profile is expected to be update to reflect learnings from the initial evaluations and to reflect the changes made in v4 of the PCI PTS standard. Devices used for the acceptance of customer card information and/or customer PINs in a card present environment are referred to as Point of Interaction (POI) devices within the PCI PTS standard and wider industry. These devices are assessed under the PCI PTS POI standard, covering both attended and unattended payment devices of all types with one exception. At the time of writing, Automatic Teller Machines (ATMs) are not covered by the PCI PTS POI standard, and cannot be approved by PCI. Currently, the PCI Payment Brands only mandate the approval of devices which are used to accept customer PINs. Key Management The standards that address hardware security, discussed above, have a single common element in that in every case the hardware system being assessed is intended to prevent the disclosure of some secret data. Most often this secret is a cryptographic key, and that key is used by the hardware system to secure other data customer card information, customer PINs, authentication information as it is sent between systems that are disparate from both a physical and security point of view. The management of cryptographic keys is a particularly complex problem, due to the fact that it by necessity involves human interaction and therefore is prone to mistakes. Such mistakes are especially concerning as they can involve the secret cryptographic keys that protect all customer PINs and cardholder data. Therefore, the standardization of secure management of cryptographic keys is very important and this topic is covered by all of the payment standards bodies. The main, generic, references for management of cryptographic keys used in payments are ISO11568 and ANSI X9.24. These two documents are largely similar, covering basic principles such as dual control and split knowledge, acceptable forms for keys and key components, and methodologies for the generation of keys. However, ANSI X9.24 goes a step further and defines an entire key management protocol known as Derived Unique Keys Per Transaction (or DUKPT). This has become the most common and widely used key management method in the payment industry. As key management is a human driven process, the standards covering this must also include method for auditing or validating the correct implementation of any secure methods. Such audit standards are provided in the PCI PIN, and ANSI TR 39 standards. Additionally, standards such as the PCI Card Production requirements, PCI Point to Point Encryption (P2PE), and PCI DSS standards have sections that cover the management of cryptographic keys. page 5

Application Security Software security is a vital aspect of the overall security of a payment system. It is of no benefit to have a physically secure device if the software that runs on that device is vulnerable. However, the rapid evolution of software vulnerability analysis has caused an increased focus on software security within payments, and standards to address this are not as prevalent as those addressing hardware security. Currently, PCI is the only standards body that has a specific payment software security standard (PA DSS), although software is addressed to a lesser extent in traditional hardware standards such as ISO13491, PCI PTS, and the CAS POI PP. At the time of writing, new payment application security standards are in development and it can be expected that this will be an area of great focus over the coming years. System Security The PCI Data Security Standard (PCI DSS) is an audit standard that focuses on the security of environments that are used to store, process and/or transmit cardholder data. Although this standard does cover technical aspects of security, such as network security and encryption, it also has a large focus on procedures and validating the correct, on-going implementation of security measures to protect card data. PCI DSS is deliberately wide in scope. Many of the other standards discussed so far focus on one specific aspect of payments security, but PCI DSS by its nature must address the entire payment process all aspects that are involved in the storage, processing, and/or transmission of cardholder data. The standard applies equally to Acquiring banks as it does corner shops, although the methods of validating compliance to the standard, of proving that a certain system or company is compliant, changes to reflect the reality of the size and risk posed by the organization under consideration. However, even with differences in validation requirements, there is a recognition that many store operators are not necessarily in the business of payment security they are in the business of conducting business, and accept payments to facilitate this business. Payments is a means to an end for them, not an end of itself, and therefore the burden posed by securing payment systems can be seen as overly harsh in some contexts. To address this there is an increasing focus on methods to secure card data from the point of acceptance to effectively shift the scope and burden of payment security from the merchant to the payment service provider. End to End Security Usually this security for the card data is provided with encryption within the card acceptance device, and therefore these standards often represent an amalgam of all of the previous standards discussed in this paper. Both ANSI and ISO standards bodies are working on standards to this effect, but at the time of writing the PCI Point to Point Encryption (P2PE) standard is the only standard released in this area. The PCI P2PE essentially wraps up the PCI standards into a single audit standard that allows for the validation of solutions that protect customer card data through encryption within the Point of Interaction. Merchants using a P2PE approved solution for the acceptance of card present transactions essentially automatically meet all of the PCI DSS requirements for their environment, alleviating them of the burden and cost of on-going compliance and validation of that compliance. End to end security is likely a vital part of securing payments into the future, and can greatly assist with the overall security posture of an organization when well implemented. Future of Payment Standards In this year of 2014, the payment industry stands at a cross-roads. Change in payments is being driven from many different directions EMV adoption in the US is picking up, the security of software is increasingly under attack, mobile payments are presenting a challenge to the existing status quo, and methodologies for enhancing card data protection are under active development. Payment systems security is founded through the payment industry and standards setting bodies both of which are not traditionally recognized for their rapid evolution and ability to adapt to change. This is causing a disconnect as new actors in the payments market drive page 6

change at a pace that is hitherto unknown in this industry. It is fair to expect more change within the payment industry within the next 5 years than we have seen over the last 30, and the question of how payment security will be addressed by these new systems is an open question. With the growth of mobile Issuing (where a customer card may be managed within a customer s mobile phone), and Host Card Emulation (where the details of a customer s card may be stored within a cloud based service) the concept of transactions where the card is not present is potentially becoming redundant. If my mobile phone can connect to the Internet, and at the same time act as my customer card, why should ecommerce transactions be processed as card not present? If my card can always be considered present for a transaction, and can provide cryptographic authentication verifying this fact, do I still care about the security of my card details? To be fair, any such change will take a considerable time even if run at Internet speed! Therefore, standards such as PCI DSS remain important even in the face of a complete worldwide EMV deployment. The computer industry has a long history of swinging from thick-to-thin-back-tothick client methodologies, and it appears likely that we are witnessing such a change in payments at this point with an increase in cloud based payment kernels and thin-client mobile systems. Payment security standards must rapidly adapt to this changing environment, where the security of the software performing the payments is more important than the security of the hardware that is used to accept the card data, as vulnerabilities can be exploited remotely and instantly. Fortunately, the industry seems to be recognizing this fact, and creating new standards to address this issue. For those of us working and servicing the payment industry, we live in interesting times. ABOUT US For more than a century, UL has been one of the most recognized and trusted resources for advancing safety. Its Transaction Security division guides companies within the mobile, payments and transit domains through the complex world of electronic transactions. UL is the global leader in safeguarding security, compliance and global interoperability. Offering advice, test and certification services, security evaluations and test tools, during the full life cycle of your product development process or the implementation of new technologies. UL s people pro-actively collaborate with industry players to define robust standards and policies. Bringing global expertise to your local needs. UL has accreditations from industry bodies including Visa, MasterCard, Discover, JCB, American Express, EMVCo, PCI, GCF, ETSI, GSMA, GlobalPlatform, NFC Forum and many others. page 7

Meet The Family: Payment Security Standards Glossary page 8

page 9 Meet The Family: Payment Security Standards

Contact details UL Transaction Security Division info@ul-ts.com www.ul-ts.com www.linkedin.com/company/ul-transaction-security www.twitter.com/ultsnews

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information