MPOS: RISK AND SECURITY
2 Evolution of Payment Acceptance
Consumers want to get the best deal with the minimum pain.
Sellers want to ensure they never turn down a sale, and to maximise consumer loyalty.
3 Evolution of Payment Acceptance
Old fashioned: complex, expensive.
Modern: flexible, affordable.
What's next: smartphone acceptance.
4 A simple card reader is not enough
Mobile card reader -> merchant's mobile device (malware / vulnerable devices) -> open network (vulnerable to hacking) -> payment gateway / PSP -> merchant / acquirer.
Expensive certification and connections.
5 High Scale Attacks
6 Enter mpos
mpos = a POS terminal that makes use of a smart mobile device.
Customer accepts the amount and enters the PIN on the secure card reader attached to the merchant's mobile or tablet.
Encrypted cardholder data and PIN travel over the open network to the PSP / payment facilitator's payment gateway (POS gateway), then on to the acquirer and the payments network, where an HSM processes them.
Everything between the card reader and the HSM is the Point to Point Encryption (P2PE) zone: the merchant device and the open network only ever see ciphertext.
7 Mitigations
Point to Point Encryption (P2PE).
Use of existing standards and technology.
Hardware security.
8 Point to Point Encryption
Point of sale: secure card reader, SRED, PCI PTS POI v3.1 certified. Cardholder data and PIN are encrypted inside the reader and leave it only as ciphertext.
P2PE zone: encrypted cardholder data in transit through the merchant device, the open network and the payment gateway.
Merchant / acquirer: hardware security modules, PCI HSM certified, perform PIN translation and decryption of cardholder data.
9 Practical and Secure with Hardware and Standards
PCI P2PE 1.1: Point To Point Encryption.
PCI PTS POI v3.1: Point Of Interaction, Secure Reading and Exchange of Data (SRED).
PCI HSM: HSM requirements, following FIPS 140-2 level 3.
PCI PA-DSS: Payment Application Data Security Standard.
ANSI X9.24 part 1 (2009): symmetric key management.
PCI DSS 2.0: the merchant/acquirer environment that the P2PE solution delivers into.
PCI PIN Security Requirements v1.0: the standard for encrypting PINs; classic, strong PIN security.
10 The use of Hardware Security Modules
A small protected area inside which keys are used with algorithms on sensitive data.
Certified to the PCI standard: PCI PTS HSM.
Tamper-responsive: when an attack is detected the HSM erases its keys to protect them.
Cryptographically strong random number generation.
Approved algorithms only.
A unique key type per usage: a key used for one purpose (e.g. PIN encryption) cannot be misused for another.
No unencrypted PINs ever leave the device.
Dual control: no single person can act alone, so an insider attack requires collusion.
Split knowledge for loading keys: each custodian holds only one component of the key.
Enables: People + Processes + Technology = Security.
Strong security through Secure Cryptographic Devices.
Simplifies audits and so saves cost; required for PCI P2PE.
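The two HSM operations the last three slides name, PIN translation between zones (slide 8) and split-knowledge key loading under dual control with a key check value (slide 10), are shown below as an added, self-contained Go example. It is not Thales or payShield code and describes no real HSM command set; the keys, key components, PIN and PAN are constructed sample values, the PIN block is ISO 9564-1 format 0, and the cipher is two-key 3DES from Go's standard library in single-block ECB mode, which is the conventional mode for an 8-byte PIN block. A real HSM keeps the clear PIN block inside the device; here the decrypt step is exposed only so the round trip can be checked.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample keys, NOT real production keys. Each is a 16-byte (double-length) 3DES key.
// zpkTerminalComponents: two components held by two custodians; neither knows the whole
// terminal PIN key. zpkAcquirer: the zone PIN key shared between the gateway HSM and the acquirer.
var (
	zpkTerminalComponents = [][]byte{
		mustHex("0123456789ABCDEFFEDCBA9876543210"),
		mustHex("A1B2C3D4E5F60718293A4B5C6D7E8F90"),
	}
	zpkAcquirer = mustHex("11223344556677889988776655443322")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// combineComponents XORs the custodians' components (split knowledge). Changing the
// resulting key without authorisation requires the custodians to collude (dual control).
func combineComponents(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("dual control needs at least two components")
	}
	key := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return key, nil
}

// tdesCipher expands a 16-byte key (K1,K2) to K1,K2,K1, the 24-byte form crypto/des expects.
func tdesCipher(key []byte) (cipher.Block, error) {
	if len(key) != 16 {
		return nil, errors.New("expected a 16-byte double-length 3DES key")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
}

// keyCheckValue encrypts an all-zero block and keeps the first 3 bytes. Custodians compare
// this after loading to confirm the combined key is correct without ever seeing the key.
func keyCheckValue(key []byte) (string, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, make([]byte, 8))
	return fmt.Sprintf("%X", out[:3]), nil
}

// panField returns the ISO 9564-1 PAN field: 0000 + rightmost 12 PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	digits := pan[:len(pan)-1]
	return hex.DecodeString("0000" + digits[len(digits)-12:])
}

// pinBlockFormat0 builds a format 0 PIN block: PIN field (0, length, PIN, F padding) XOR PAN field.
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	p := mustHex(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	q, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// pinFromBlock reverses pinBlockFormat0 and rejects anything that is not a well-formed
// format 0 block for this PAN (a wrong PAN or a corrupted block shows up as bad padding).
func pinFromBlock(block []byte, pan string) (string, error) {
	q, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", errors.New("bad PAN or block length")
	}
	field := make([]byte, 8)
	for i := range field {
		field[i] = block[i] ^ q[i]
	}
	s := fmt.Sprintf("%X", field)
	n := int(field[0] & 0x0F)
	if s[0] != '0' || n < 4 || n > 12 || s[2+n:] != strings.Repeat("F", 14-n) {
		return "", errors.New("not a valid format 0 PIN block for this PAN")
	}
	return s[2 : 2+n], nil
}

// encryptPINBlock is the secure card reader's step: the clear PIN block exists only inside the reader.
func encryptPINBlock(pin, pan string, key []byte) ([]byte, error) {
	block, err := pinBlockFormat0(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := tdesCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// translatePINBlock is the gateway HSM's PIN translation: decrypt under the inbound key,
// validate the block, re-encrypt under the outbound zone key. Only ciphertext is returned.
func translatePINBlock(enc []byte, pan string, keyIn, keyOut []byte) ([]byte, error) {
	cin, err := tdesCipher(keyIn)
	if err != nil {
		return nil, err
	}
	cout, err := tdesCipher(keyOut)
	if err != nil {
		return nil, err
	}
	clear := make([]byte, 8)
	cin.Decrypt(clear, enc)
	if _, err := pinFromBlock(clear, pan); err != nil {
		return nil, fmt.Errorf("translation rejected: %w", err) // error carries no PIN material
	}
	out := make([]byte, 8)
	cout.Encrypt(out, clear)
	return out, nil
}

// decryptPIN is the acquirer's HSM step, exposed here only to prove the round trip.
func decryptPIN(enc []byte, pan string, key []byte) (string, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	return pinFromBlock(clear, pan)
}

func main() {
	const pan = "4111111111111111" // constructed sample PAN
	zpkTerminal, _ := combineComponents(zpkTerminalComponents...)
	kcv, _ := keyCheckValue(zpkTerminal)
	enc, _ := encryptPINBlock("1234", pan, zpkTerminal)
	out, _ := translatePINBlock(enc, pan, zpkTerminal, zpkAcquirer)
	pin, _ := decryptPIN(out, pan, zpkAcquirer)
	fmt.Printf("terminal ZPK KCV %s, translated block %X, acquirer recovers PIN %s\n", kcv, out, pin)
}
```

The check that matters for the security argument is the one in translatePINBlock: the HSM validates the decrypted block before re-encrypting it and never returns clear PIN material, even in the error path, so a caller holding the acquirer zone key but not the terminal key cannot use the HSM as a decryption oracle for arbitrary ciphertext.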
11 Consumer Confidence
Consumers are wary of new payment technology.
A single major breach could have devastating effects.
We need to assure consumers that this is a secure, trusted mechanism for payment.
12 Thales and our mpos experience
Developing HSMs since 1985, up to the current payShield 9000.
Global presence, securing 80% of all ATM/EFTPoS transactions.
Working on mpos since April 2011.
Partners including Miura, Magtek and Spire.
Used by key mpos PSPs: ROYALGATE, CreditCall and 24 others so far.
mpos case studies, whitepaper and demo available on our website.
13 Summary: mpos, made secure by hardware
Practical and secure with hardware and standards.
Straightforward to add card acceptance using proven software and certified hardware.
PCI P2PE solutions will make the solutions cheaper to implement.
Visa Europe requires a PCI P2PE roadmap for validation.
HSMs are required for P2PE (key management, PIN translation and transaction data protection) and reduce the cost of compliance.
14 Why Thales e-Security?
Our track record: over 40 years of leadership delivering data protection solutions around the world.
Our commitment: hundreds of R&D staff dedicated to excellence in applied cryptography.
Our certifications: all our offerings are independently security certified, more than anyone else!
Our support services: our Advanced Solutions Group (ASG) provides world-class consulting, training and deployment assistance.
Our customers: we secure some of the world's most valuable information and over 80% of payment transactions.
Products: hardware security modules, key management systems, network encryption, signing and time stamping.
Sectors: banking, government, utilities, high tech, mobile.
15 Questions