Payment Card Industry
Data Security Standards
& Cryptography
DELBRASSINE Charles
PCI – Qualified Security Assessor
PCI – Approved Scanning Vendor
PCI – Qualified Payment Application Security Assessor
IT Works S.A. - Rue de Bitbourg 11 L1273 Luxembourg HAMM
cdelbrassine@itworks.lu
Agenda
Introduction to Payment Card Business
Fraud & Counterfeit Evolution
PCI – Data Security Standards
SEPA Card Framework
New Challenges for Cryptography
IT Works S.A. « Keep Information Technology Business Centric »
Payment Card Industry Actors – “Card Present”
• Cardholder
• Merchant
• Acquirer (Merchant Bank) and its Acquiring Processor
• Issuer and its Issuing Processor
Authentication as part of Authorization – Card Present
A type of transaction in which the card is present and is swiped
through an electronic device that reads the chip or the contents of
the magnetic stripe on the back of the card
Authentication is based on :
Chip and PIN
Magnetic stripe and PIN
Magnetic stripe and signature
Imprint and signature
The magnetic stripe contains a cryptographic value to allow
changes to the magstripe data to be detected.
• CAV Card Authentication Value (JCB)
• CVC Card Validation Code (MasterCard)
• CVV Card Verification Value (Visa & Discover)
• CSC Card Security Code (AmEx)
Payment Card Industry Actors – “Card Not Present”
• Cardholder
• E-Commerce Merchant
• Payment Gateway
• Acquirer (Merchant Bank) and its Acquiring Processor
• Issuer and its Issuing Processor
Authentication as part of Authorization – Card Not Present
A transaction where the credit card is not present at the time of
purchase (such as mail order, telephone order, e-business order)
Authentication is based on :
A 3- or 4-digit value printed on the card or signature strip, but not
encoded on the magnetic stripe
AVS - Address Verification System
Verified by Visa (password based)
Minimum information required: name, PAN, (expiry date).
The 3 or 4 digit value is called :
• CID Card IDentification Number (Amex & Discover)
• CAV2 Card Authentication Value 2 (JCB)
• CVV2 Card Verification Value 2 (Visa)
• CVC2 Card Validation Code 2 (MasterCard)
Payment Card Fraud Evolution
1983 Re-embossed counterfeit fraud
1988 Re-encoded counterfeit fraud
1989 Card not present fraud/ fraud applications
1991 Never received issued fraud
1992 Merchant fraud
1994 Identity Theft
2000 Skimmed counterfeit
2002 Communications interception
Now Merchant server Hacking
Now E-Business Merchant server hacking
Now Chip sniffing and card counterfeit
Now Fake terminals
Future ????
Fraud & Counterfeit Statistics
Fraud : Card not present
CNP transactions can still be authorized without the CVV2.
CNP fraud remains the main fraud concern in Europe:
In 2006 it grew by 44.7% compared to 2005.
• E-commerce fraud shows a yearly growth in excess of 69%, representing
54.2% of all CNP fraud acquired in Europe in 2006.
The top 5 countries are the UK (57.2% of total CNP fraud), France (7.3%),
Germany (7.2%), Italy (6.1%) and Spain (4.4%).
The most significant CNP fraud growths were in Israel (214%), Denmark
(121%) and Italy (90%).
Gaming and airlines/travel agencies show the most significant growth.
Fraud : Card not present
A solution exists, called “3-D Secure” (issuer side), based on:
PAN
PIN
Chip Authentication Program (OTP)
BUT……
Fraud : EMV Fallback
Chip fallback to magstripe
Increased by more than 63.4% in 2006 (vs 2005).
71.3% of the European “chip fallback to magnetic stripe” fraud was
acquired on European ATMs.
Fallback fraud on ATMs grew by more than 163% in 2006 vs 2005.
The UK and Spain acquired 76% of European ATM fallback fraud in 2006.
Solution:
The decision to ban ATM fallback in Europe should remove this threat.
Last important issues….
CardSystems (USA) – 2005
A massive data breach at CardSystems reportedly exposed the transaction
records of approximately 40 million card accounts, because CardSystems
stored those records in contravention of the rules set for Visa and
MasterCard processors.
ELEMENT 5 (D) – 2005
More than one million credit cards.
TJX (USA) – Announced in 2007
More than 45 million cards compromised.
“While the company previously believed that the intrusion took place
only from May 2006 to January 2007, TJX now believes its computer
systems were also intruded upon in July 2005 and on various
subsequent dates in 2005. TJX continues to believe there was no
compromise of customer data after mid-December 2006.”
Skimming Tools – Magnetic Stripe Capture
Skimming Workshop – Card Creation
Counterfeit holograms confiscated in Sydney
Counterfeit Workshop seizure in Taiwan
110,000 cards
What about ATM Skimming ?
What about PIN Capture ?
ATM Skimming : Full Kit.
Skimming Tool available on Internet
Autonomous mini skimmer with PC connectivity + software + 50 white cards: 150 €
Autonomous wireless mini camera (20 g) + video recorder connectivity: 35 €
Chip Cloning/Skimming Kit on Internet
The Last Trend…. “Fake Terminals”
Genuine terminals are replaced by fake terminals that do not perform
any transaction but look and behave like genuine ones.
The attackers are not interested in the transaction; they want to
sniff the dialogue between the chip and the terminal, and
intercept the PIN as it is entered on the PIN pad.
Some solutions exist:
Dynamic Data Authentication (DDA) cards
Combined Data Authentication (CDA) cards
Terminal and/or application authentication
but….
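As an added example (not code from the slides or from IT Works), the following toy simulation shows why a cloned chip built from a sniffed card/terminal dialogue passes static data authentication (SDA) but fails dynamic data authentication (DDA). It uses small fixed RSA primes, SHA-256 and a raw hash-then-RSA signature in place of EMV's real key sizes and ISO/IEC 9796-2 signature format, and the card records, class and function names are constructed for illustration. Note what it does not show: a fake terminal still captures the PIN and every readable record, so DDA/CDA limit card counterfeiting, not PIN harvesting, which is the “but” above.

```python
# Added example (not from the original slides): why a cloned chip built from a
# sniffed card/terminal dialogue passes SDA but fails DDA. Toy RSA with small
# fixed primes and a SHA-256 "hash then raw RSA" signature stand in for EMV's
# 1024-1984-bit keys and ISO/IEC 9796-2 signatures; the card data is constructed
# (the PAN is the well-known Visa test number, not a live card).
import hashlib
import secrets
from typing import Dict, Tuple

PubKey = Tuple[int, int]  # (modulus n, public exponent e)


def rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, int]:
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), d


def rsa_sign(d: int, n: int, msg: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(h, d, n)


def rsa_verify(pub: PubKey, msg: bytes, sig: int) -> bool:
    n, e = pub
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h


# Toy issuer key (in EMV it is itself certified by the scheme CA key held in the terminal).
ISSUER_PUB, ISSUER_PRIV = rsa_keypair(1000000007, 998244353)


class GenuineCard:
    """Chip personalised by the issuer; the ICC private key never leaves it."""

    def __init__(self) -> None:
        self.static_data = b"PAN=4111111111111111;EXP=1230;SVC=201"  # constructed
        # SDA: issuer signature over the static application data
        self.ssad = rsa_sign(ISSUER_PRIV, ISSUER_PUB[0], self.static_data)
        # DDA: card-specific key pair, public half certified by the issuer
        self.icc_pub, self._icc_priv = rsa_keypair(2147483647, 1000000009)
        self.icc_cert = rsa_sign(ISSUER_PRIV, ISSUER_PUB[0], repr(self.icc_pub).encode())

    def read_records(self) -> Dict[str, object]:
        """Everything the terminal reads, i.e. everything a sniffer sees."""
        return {"static_data": self.static_data, "ssad": self.ssad,
                "icc_pub": self.icc_pub, "icc_cert": self.icc_cert}

    def internal_authenticate(self, unpredictable_number: bytes) -> int:
        return rsa_sign(self._icc_priv, self.icc_pub[0], unpredictable_number + self.static_data)


class ClonedCard:
    """Built from a sniffed dialogue: all readable records plus one captured
    signature. It has no ICC private key, so it can only replay."""

    def __init__(self, records: Dict[str, object], captured_sig: int) -> None:
        self._records = dict(records)
        self._replay = captured_sig

    def read_records(self) -> Dict[str, object]:
        return dict(self._records)

    def internal_authenticate(self, unpredictable_number: bytes) -> int:
        return self._replay  # the best a clone can do: replay the captured signature


def terminal_sda(card) -> bool:
    """SDA: static records and the issuer signature over them are copyable."""
    rec = card.read_records()
    return rsa_verify(ISSUER_PUB, rec["static_data"], rec["ssad"])


def terminal_dda(card) -> bool:
    """DDA: the card must sign a fresh challenge with the ICC private key."""
    rec = card.read_records()
    if not rsa_verify(ISSUER_PUB, repr(rec["icc_pub"]).encode(), rec["icc_cert"]):
        return False  # ICC public key not certified by the issuer
    un = secrets.token_bytes(4)  # unpredictable number, new for every transaction
    return rsa_verify(rec["icc_pub"], un + rec["static_data"], card.internal_authenticate(un))


def make_clone(genuine: GenuineCard) -> ClonedCard:
    """Simulates the fake-terminal attack: read the records and record one DDA exchange."""
    sniffed_un = secrets.token_bytes(4)
    return ClonedCard(genuine.read_records(), genuine.internal_authenticate(sniffed_un))


if __name__ == "__main__":
    real = GenuineCard()
    fake = make_clone(real)
    print("SDA  genuine:", terminal_sda(real), " clone:", terminal_sda(fake))
    print("DDA  genuine:", terminal_dda(real), " clone:", terminal_dda(fake))
```

The clone only fails DDA because the terminal's challenge differs from the one that was sniffed; a terminal that reuses or lets the card choose the unpredictable number would accept the replay, which is why terminal authentication is listed alongside DDA/CDA above.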
The PCI Security Standards Council
Who are the founders of the PCI Security Standards Council?
Founders of the PCI Security Standards Council are American Express,
Discover Financial Services, JCB, MasterCard Worldwide and Visa
International
What is the mission of the PCI Security Standards Council?
The mission of the PCI Security Standards Council is to enhance
payment account security by fostering broad adoption of the PCI
Security Standard
The PCI Security Standards
What is the Payment Card Industry (PCI) Data Security Standard
(DSS)?
The PCI Data Security Standard represents a common set of industry
tools and measurements to help ensure the safe handling of sensitive
information.
The standard provides an actionable framework for developing a
robust account data security process - including preventing, detecting
and reacting to security incidents.
Who does it apply to?
Any entity that stores, processes and/or transmits cardholder data:
• Merchants
• Acquirers / Issuers
• Service providers
• Etc…
PCI – DSS : Penalties & Fines – Case Study
Data volume
Small restaurant, 250-300 transactions a month
Card data stored for the last 3 years: 10,000 compromised cards
Costs and penalties (reputation damage not included)
Incident fee: € 50,000
Issuer recovery fee: € 50,000 (5-15 € per reissued card)
Fraud: € 20,000,000 (~ 2,000 € per card)
Other costs: € ??
The PCI Security Standards - Cryptography
Build & Maintain a Secure Network
Requirement 1: Install & maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords & other
security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use & regularly update anti-virus software
Requirement 6: Develop & maintain secure systems & applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor & Test Networks
Requirement 10: Track & monitor all access to network resources & cardholder data
Requirement 11: Regularly test security systems & processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
The PCI Security Standards - Cryptography
Storage Protection
Data Element                              Storage Permitted   Protection Required
Cardholder Data
  Primary Account Number (PAN)            YES                 YES
  Cardholder Name                         YES                 YES
  Service Code                            YES                 YES
  Expiration Date                         YES                 YES
Sensitive Authentication Data
  Full Magnetic Stripe                    NO                  N/A
  CVC2 / CVV2 / CID                       NO                  N/A
  PIN / PIN Block                         NO                  N/A
(In the standard's own table, name, service code and expiration date must be
protected when stored together with the PAN; the PAN itself falls under Requirement 3.4.)
The PCI DSS – Requirements linked to Cryptography
Requirement 3.4
Render PAN, at minimum, unreadable anywhere it is stored (including data
on portable digital media, backup media, in logs, and data received from or
stored by wireless networks) by using any of the following approaches:
Strong one-way hash functions (hashed indexes)
Truncation
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key management processes and
procedures.
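An added worked example (not from the slides or from IT Works): the Requirement 3.4 options in Python standard library code, plus the check a practitioner should run before combining them. Truncation to first six and last four digits leaves six digits of a 16-digit PAN unknown; if an unkeyed hash of the full PAN is stored next to the truncated copy (or anywhere an attacker can correlate the two), the hash can be brute-forced in seconds, so a “hashed index” needs a secret key managed under 3.6 or must never coexist with a truncation of the same PAN. The function names, the in-memory token vault and the Visa test PAN 4111 1111 1111 1111 are constructed for illustration.

```python
# Added example (not from the original slides): PCI DSS 3.4 options for
# rendering a stored PAN unreadable, and why an unkeyed hash stored next to a
# truncated copy of the same PAN gives the PAN away. Standard library only.
# The PAN is the well-known Visa test number, not a live card; the key and
# tokens are generated locally.
import hashlib
import hmac
import itertools
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Truncation: keep at most the first six and the last four digits."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """The 'hashed index' option done naively: no key, no salt."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Hashed index with a secret key (HMAC); the key must be managed under 3.6."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """Attacker view: truncated PAN plus an unkeyed hash of the same PAN.
    For a 16-digit PAN only six digits are hidden: 10**6 candidates, about
    10**5 after the Luhn filter, which is seconds of work on a laptop."""
    first6, last4 = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for mid in itertools.product("0123456789", repeat=hidden):
        candidate = first6 + "".join(mid) + last4
        if luhn_ok(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


class TokenVault:
    """Index-token option: the application keeps a random token, the vault
    (which must sit in a separately secured segment) keeps the PAN."""

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        token = secrets.token_hex(8)  # random, so it reveals nothing about the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


if __name__ == "__main__":
    pan = "4111111111111111"
    print("truncated:", truncate(pan))
    print("recovered from truncation + unkeyed hash:",
          recover_pan(truncate(pan), unkeyed_hash(pan)))
    key = secrets.token_bytes(32)
    print("keyed hash (cannot be reproduced without the key):", keyed_hash(pan, key)[:16], "...")
    vault = TokenVault()
    tok = vault.tokenize(pan)
    print("token:", tok, "->", vault.detokenize(tok))
```

With the keyed hash the same brute force needs the key, which is exactly why 3.4 ties “strong cryptography” to the key-management processes of 3.6 rather than to the algorithm alone.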
The PCI DSS – Requirements linked to Cryptography
Requirement 3.6
Fully document and implement all key management processes and
procedures for keys used for encryption of cardholder data, including the
following:
3.6.1 Generation of strong keys
3.6.2 Secure key distribution
3.6.3 Secure key storage
3.6.4 Periodic changing of keys
3.6.5 Destruction of old keys
…
3.6.7 Prevention of unauthorized substitution of keys
3.6.8 Replacement of known or suspected compromised keys
3.6.9 Revocation of old or invalid keys
3.6.10 Requirement for key custodians to sign a form stating that they
understand and accept their key-custodian responsibilities.
The PCI DSS – Requirements linked to Cryptography
Requirement 4:
Encrypt transmission of cardholder data across open, public networks
Sensitive information must be encrypted during transmission over networks
where it is easy and common for an attacker to intercept, modify or divert
data in transit.
4.1 Use strong cryptography and security protocols such as secure sockets layer
(SSL) / transport layer security (TLS) and Internet protocol security (IPsec) to
safeguard sensitive cardholder data during transmission over open, public
networks.
• Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi
(IEEE 802.11x), global system for mobile communications (GSM), and general packet radio
service (GPRS).
(Later versions of the PCI DSS, from v3.1 in 2015, no longer count SSL or early TLS
as strong cryptography.)
Etc….
SEPA Card Framework
What is the SEPA?
The Single Euro Payments Area (SEPA) is a European Commission (EC)
and European Payments Council (EPC) initiative that plans to remove
the barriers to cross-border electronic euro payments.
What is the SEPA Cards Framework?
The SEPA Cards Framework spells out principles and rules which, when
implemented by banks, schemes and other stakeholders, will enable
European customers to use general purpose cards to make payments and
cash withdrawals in euro throughout the SEPA area with the same ease
and convenience as in their home country.
• There should be no differences whether they use their card in their home
country or somewhere else within SEPA.
• No general purpose card scheme designed exclusively for use in a single
country, and no card scheme designed exclusively for cross-border use
within SEPA, should exist any longer.
SEPA Card Framework
What are the deadlines ?
The above options may evolve further between now and end 2010, the
date by which all payment card products and brands falling within the
scope of this Framework will have become SCF compliant
In order to deliver on the scope of this Framework, and to meet
cardholders’ and merchants’ expectations across SEPA, each bank
needs to decide which option it will implement from 1 January 2008
onwards.
After end 2010 no card scheme designed exclusively for use in a single
country should operate anymore for POS and ATM transactions
How do the SEPA CF requirements impact cryptography usage?
The current infrastructure is usually acquirer-specific, brand-specific and
country-specific. The new approach will require:
Common security standards at the point of sale
Cryptographic interoperability
Complex but standardized key management
Common approval and certification
Etc…
What are the challenges ?
Cryptographic science can currently support roughly all the needs raised
during this presentation, but the payment card business has some specific
requirements:
The payment card industry is a truly “on-line” business: transaction time
has financial and business impacts.
The merchants affected by these measures are usually not familiar with
cryptography.
Cost is a very important factor.
Points of sale and terminals have limited capabilities.
Merchants want to use standard telecommunication media.
THANK YOU FOR YOUR ATTENTION.