Payment Card Industry
Data Security Standards
& Cryptography

DELBRASSINE Charles

PCI – Qualified Security Assessor
PCI – Approved Scanning Vendor
PCI – Qualified Payment Application Security Assessor

IT Works S.A. - Rue de Bitbourg 11 L1273 Luxembourg HAMM
cdelbrassine@itworks.lu
Agenda

• Introduction to Payment Card Business
• Fraud & Counterfeit Evolution
• PCI – Data Security Standards
• SEPA Card Framework
• New Challenges for Cryptography

IT Works S.A.   « Keep Information Technology Business Centric »
Payment Card Industry Actors – "Card Present"

[Diagram of the card-present actors: CardHolder, Merchants, Acquirer
(Merchant Bank), Acquiring Processor, Issuing Processor, Issuer. The
authorization request travels Merchant -> Acquirer -> Issuer and the
response comes back the same way.]
Authentication as part of Authorization – Card Present

• A type of transaction in which the card is physically present and is
  inserted into or swiped through an electronic device that reads the chip
  or the contents of the magnetic stripe on the back of the card
• Authentication is based on:
  - Chip and PIN
  - Magnetic stripe and PIN
  - Magnetic stripe and signature
  - Imprint and signature

• The magnetic stripe contains a cryptographic value, computed by the
  issuer over the PAN, expiry date and service code, that allows changes
  to the magstripe data to be detected:
    - CAV   Card Authentication Value   (JCB)
    - CVC   Card Validation Code        (MasterCard)
    - CVV   Card Verification Value     (Visa & Discover)
    - CSC   Card Security Code          (AmEx)
Payment Card Industry Actors – "Card Not Present"

[Diagram of the card-not-present actors: CardHolder, E-Commerce Merchant,
Payment Gateway, Acquiring Processor, Acquirer (Merchant Bank), Issuing
Processor, Issuer. The Payment Gateway sits between the e-commerce
merchant and the acquiring side.]
Authentication as part of Authorization – Card Not Present

• A transaction where the card is not present at the time of purchase
  (such as mail order, telephone order, e-business order)
• Authentication is based on:
  - A 3- or 4-digit value printed on the card or signature strip, but not
    encoded on the magnetic stripe
  - AVS - Address Verification System
  - Verified by Visa (password based)

  Minimum information required: Name, PAN, (expiry date).

• The 3- or 4-digit value is called:
    - CID    Card IDentification Number    (AmEx & Discover)
    - CAV2   Card Authentication Value 2   (JCB)
    - CVV2   Card Verification Value 2     (Visa)
    - CVC2   Card Validation Code 2        (MasterCard)
Payment Card Fraud Evolution

   1983      Re-embossed counterfeit fraud
   1988      Re-encoded counterfeit fraud
   1989      Card-not-present fraud / fraudulent applications
   1991      Never-received-issue fraud
   1992      Merchant fraud
   1994      Identity theft
   2000      Skimmed counterfeit
   2002      Communications interception
   Now       Merchant server hacking
   Now       E-business merchant server hacking
   Now       Chip sniffing and card counterfeit
   Now       Fake terminals
   Future    ????
Fraud & Counterfeit Statistics

[Chart]
Fraud : Card not present

• CNP authorization is still possible without CVV2

• CNP fraud remains the main fraud concern in Europe:
  - 2006: a growth of 44.7% compared to FY2005.
    - E-commerce fraud shows a yearly growth in excess of 69%, representing
      54.2% of all CNP fraud acquired in Europe in 2006.
  - Top 5 countries are the UK (57.2% of total CNP fraud), France (7.3%),
    Germany (7.2%), Italy (6.1%) and Spain (4.4%).
  - The most significant CNP fraud growths were in Israel (214%), Denmark
    (121%) and Italy (90%).
  - Gaming and airlines/travel agencies show the most significant growths.
Fraud : Card not present

• A solution exists, called "3-D Secure" (on the issuing side), based on:
  - PAN
  - PIN
  - Chip Authentication Program (CAP: a one-time password generated by the
    chip card)

  BUT…
Fraud : EMV Fallback

• Chip fallback to magstripe (an EMV card accepted on its magnetic stripe
  when the chip read fails, which lets a cloned stripe be used at a chip
  terminal)
  - Increased by more than 63.4% in 2006 (vs 2005)
  - 71.3% of the European "chip fallback to magnetic stripe" fraud was
    acquired on European ATMs.
  - The fallback fraud on ATMs has grown by more than 163% in 2006 vs 2005.
  - The UK and Spain acquired 76% of European ATM fallback fraud in 2006.

• Solution:
  - The decision to ban ATM fallback in Europe should solve this threat.
Last important issues…

• CardSystems (USA) – 2005
  - A massive data breach at CardSystems Solutions, which reportedly exposed
    the transaction records of approximately 40 million card accounts,
    because it stored these records in contravention of the rules
    established for Visa and MasterCard processors.

• Element 5 (D) – 2005
  - More than one million credit cards.

• TJX (USA) – announced in 2007
  - More than 45 million cards compromised
  - "While the company previously believed that the intrusion took place
    only from May 2006 to January 2007, TJX now believes its computer
    systems were also intruded upon in July 2005 and on various
    subsequent dates in 2005. TJX continues to believe there was no
    compromise of customer data after mid-December 2006."
Skimming Tools – Magnetic Stripe Capture

[Photos]

Skimming Workshop – Card Creation

[Photos] Counterfeit holograms confiscated in Sydney

Counterfeit Workshop seizure in Taiwan

[Photos] 110.000 cards

What about ATM Skimming ?

[Photos]

What about PIN Capture ?

[Photos]

ATM Skimming : Full Kit.

[Photos]
Skimming Tool available on Internet

   Autonomous mini skimmer with PC connectivity + software + 50 white cards:
   150 €

   Autonomous wireless mini camera (20 g) + video recorder connectivity:
   35 €
Chip Cloning/Skimming Kit on Internet

[Photo]
The Last Trend… "Fake Terminals"

• Genuine terminals are replaced by fake terminals that do not perform any
  transaction but look and react like genuine ones.
• The attackers are not interested in the transaction; they want to
  - Sniff the dialogue between the chip and the terminal
  - Intercept the PIN entered on the PIN pad.

• Some solutions exist:
  - DDA cards (Dynamic Data Authentication: the card signs terminal-supplied
    data with its own RSA key, so a recorded dialogue cannot be replayed)
  - CDA cards (Combined DDA / Application Cryptogram generation)
  - Terminal and/or application authentication

  but… none of these stops a fake PIN pad from capturing the PIN that is
  typed into it.
The PCI Security Standards Council

• Who are the founders of the PCI Security Standards Council?
  - American Express, Discover Financial Services, JCB, MasterCard Worldwide
    and Visa International.

• What is the mission of the PCI Security Standards Council?
  - To enhance payment account security by fostering broad adoption of the
    PCI Security Standards.
The PCI Security Standards

• What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
  - The PCI Data Security Standard represents a common set of industry
    tools and measurements to help ensure the safe handling of sensitive
    information.
  - The standard provides an actionable framework for developing a robust
    account data security process, including preventing, detecting and
    reacting to security incidents.

• Who does it apply to?
  - Any entity that stores, processes and/or transmits cardholder data:
    - Merchants
    - Acquirers / Issuers
    - Service providers
    - Etc.
PCI – DSS : Penalties & Fines – Case Study

• Data volume
  - Small restaurant
  - 250-300 transactions a month
  - Card data stored for the last 3 years: ~10.000 compromised cards

• Cost and penalties… (does not include reputation)
  - Incident fee:            € 50.000
  - Issuer recovery fee:     € 50.000      (5-15 € per reissued card)
  - Fraud:                   € 20.000.000  (~ 2.000 € per card)
  - Other costs:             € ??
The PCI Security Standards – The 12 Requirements

• Build & Maintain a Secure Network
  - Requirement 1: Install & maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords & other
    security parameters

• Protect Cardholder Data
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Maintain a Vulnerability Management Program
  - Requirement 5: Use & regularly update anti-virus software
  - Requirement 6: Develop & maintain secure systems & applications

• Implement Strong Access Control Measures
  - Requirement 7: Restrict access to cardholder data by business need-to-know
  - Requirement 8: Assign a unique ID to each person with computer access
  - Requirement 9: Restrict physical access to cardholder data

• Regularly Monitor & Test Networks
  - Requirement 10: Track & monitor all access to network resources & cardholder data
  - Requirement 11: Regularly test security systems & processes

• Maintain an Information Security Policy
  - Requirement 12: Maintain a policy that addresses information security
The PCI Security Standards - Cryptography

                                Data Element                 Storage     Protection
                                                             Permitted   Required
Cardholder Data                 Primary Account Number (PAN) YES         YES
                                Cardholder Name              YES         YES
                                Service Code                 YES         YES
                                Expiration Date              YES         YES
Sensitive Authentication Data   Full Magnetic Stripe         NO          N/A
                                CVC2/CVV2/CID                NO          N/A
                                PIN/PIN Block                NO          N/A
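The distinction in the table above is what an assessor actually looks for in logs, databases and backups: cardholder data may be present but must be protected, while sensitive authentication data (full track, CVV2, PIN block) must not be there at all after authorization. The following scanner is an added example written for this page; it is not code from the presentation or from IT Works S.A. The log fragment is constructed (the PANs are the public documentation test numbers 4111111111111111 and 5500000000000004, the track data, CVV2 and amounts are made up), and the track 1/track 2 layouts are the ISO 7813 ones.

```python
import re

# Constructed sample: a fragment of a merchant log. The PANs are the well-known
# documentation test numbers (Luhn-valid, not live accounts); the track data,
# CVV2 and amounts are made up for this example.
SAMPLE_LOG = """\
2007-05-01 10:02:11 POS01 auth ok pan=4111111111111111 exp=2512 amount=42.10
2007-05-01 10:02:12 POS01 raw track2=;4111111111111111=25121011234567890?
2007-05-01 10:05:40 WEB cnp order=8812 pan=5500000000000004 cvv2=123 avs=Y
2007-05-01 10:07:03 WEB cnp order=8813 ref=1234567890123 status=declined
2007-05-01 10:09:55 POS02 track1=%B4111111111111111^DOE/JOHN^25121011234567890?
"""

# Track 1: %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# Card verification values logged next to a recognisable label
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2?)\s*[=:]\s*(\d{3,4})\b", re.I)
# Any 13-19 digit run is a PAN candidate; the Luhn check filters most non-PANs
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four only, the most PCI DSS lets you display (req. 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Findings for one line as (category, kind, masked PAN).
    SAD = sensitive authentication data (storage forbidden after authorization),
    CHD = cardholder data (storage permitted, must be protected under req. 3.4)."""
    findings = []
    seen = set()
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            seen.add(m.group(1))          # the PAN inside a track is reported once, as SAD
            findings.append(("SAD", kind, mask_pan(m.group(1))))
    for m in CVV_RE.finditer(line):
        findings.append(("SAD", "cvv2", "*" * len(m.group(1))))
    for m in PAN_RE.finditer(line):
        pan = m.group(1)
        if pan not in seen and luhn_ok(pan):
            findings.append(("CHD", "pan", mask_pan(pan)))
    return findings


def scan(text: str) -> list:
    """Scan every line; returns [(line_no, category, kind, masked_pan), ...]."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        for cat, kind, masked in scan_line(line):
            out.append((no, cat, kind, masked))
    return out


def summarize(findings: list) -> dict:
    counts = {"SAD": 0, "CHD": 0}
    for _, cat, _, _ in findings:
        counts[cat] += 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %d  %s  %-6s %s" % f)
    print(summarize(scan(SAMPLE_LOG)))
```

Line 4 produces no finding: the 13-digit reference number fails the Luhn check, which is what keeps a scan like this from drowning in order and invoice numbers. Line 2 and line 5 are the ones an assessor cares about most, because full track data in a log is a storage violation regardless of how well the file is encrypted.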
The PCI DSS – Requirements linked to Cryptography

• Requirement 3.4
  Render PAN, at minimum, unreadable anywhere it is stored (including data
  on portable digital media, backup media, in logs, and data received from or
  stored by wireless networks) by using any of the following approaches:
  - Strong one-way hash functions (hashed indexes)
  - Truncation
  - Index tokens and pads (pads must be securely stored)
  - Strong cryptography with associated key management processes and
    procedures.
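Three of the four 3.4 approaches can be shown with the standard library, and one interaction between them deserves a demonstration: a "hashed index" built from a bare SHA-256 of the PAN is not unreadable if a truncated copy of the same PAN (first six, last four, both permitted) sits next to it, because only the six middle digits are then unknown. The block below is an added example written for this page, not code from the presentation; the PAN is the documentation test number, and HASH_KEY is a hypothetical per-installation secret standing in for a key that would be managed under requirement 3.6. The "strong cryptography" option is not shown, since the standard library has no AES.

```python
import hashlib
import hmac
import secrets

# Constructed sample: documentation test PAN (Luhn-valid, not a live account).
TEST_PAN = "4111111111111111"
# Hypothetical per-installation secret; in production a key managed under req. 3.6.
HASH_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def truncate(pan: str) -> tuple:
    """Truncation: keep at most the first six (BIN) and last four digits; the
    middle digits are discarded, not merely hidden as in display masking."""
    return pan[:6], pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """What 'hashed index' is often taken to mean: a bare SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """Hashed index with a secret key (HMAC-SHA256): without the key, a
    candidate PAN cannot be checked against the stored index."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, bin6: str, last4: str, hashfn=unkeyed_hash):
    """Attack: given a hash and the truncated PAN stored beside it, only the six
    middle digits are unknown, i.e. at most 10**6 candidates to try."""
    for mid in range(10 ** 6):
        candidate = f"{bin6}{mid:06d}{last4}"
        if hmac.compare_digest(hashfn(candidate), digest):
            return candidate
    return None


class TokenVault:
    """Index tokens: a random token replaces the PAN everywhere outside the
    vault. The vault keeps a keyed index -> token map (so the same PAN always
    gets the same token) and the token -> PAN map; in a real deployment the
    latter is stored under strong cryptography with 3.6-managed keys."""

    def __init__(self, key: bytes = HASH_KEY):
        self._key = key
        self._by_index = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        idx = keyed_hash(pan, self._key)
        if idx not in self._by_index:
            token = secrets.token_hex(8)      # 64 random bits, no relation to the PAN
            self._by_index[idx] = token
            self._by_token[token] = pan
        return self._by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    bin6, last4 = truncate(TEST_PAN)
    print("bare SHA-256 next to truncated PAN leaks:",
          recover_pan(unkeyed_hash(TEST_PAN), bin6, last4))
    print("HMAC index next to truncated PAN, key unknown:",
          recover_pan(keyed_hash(TEST_PAN), bin6, last4))
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("token", token, "->", vault.detokenize(token))
```

The first search succeeds after at most a million SHA-256 computations, i.e. well under a second on a laptop; the same loop against the HMAC index exhausts the space and returns None because the candidates are hashed without the key. That is why the "pad" in "index tokens and pads" and the key of a keyed hash fall under the key management rules of 3.6 rather than being just another column in the database.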
The PCI DSS – Requirements linked to Cryptography

• Requirement 3.6
  Fully document and implement all key management processes and
  procedures for keys used for encryption of cardholder data, including the
  following:
  - 3.6.1 Generation of strong keys
  - 3.6.2 Secure key distribution
  - 3.6.3 Secure key storage
  - 3.6.4 Periodic changing of keys
  - 3.6.5 Destruction of old keys
  - …
  - 3.6.7 Prevention of unauthorized substitution of keys
  - 3.6.8 Replacement of known or suspected compromised keys
  - 3.6.9 Revocation of old or invalid keys
  - 3.6.10 Requirement for key custodians to sign a form stating that they
    understand and accept their key-custodian responsibilities.
The PCI DSS – Requirements linked to Cryptography

• Requirement 4:
  Encrypt transmission of cardholder data across open, public networks

  Sensitive information must be encrypted during transmission over networks
  where it is easy and common for an attacker to intercept, modify and divert
  data while in transit.

  - 4.1 Use strong cryptography and security protocols such as secure sockets
    layer (SSL) / transport layer security (TLS) and Internet protocol security
    (IPSEC) to safeguard sensitive cardholder data during transmission over
    open, public networks.
    - Examples of open, public networks that are in scope of the PCI DSS are
      the Internet, WiFi (IEEE 802.11x), global system for mobile
      communications (GSM), and general packet radio service (GPRS).
  - Etc.
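The 4.1 wording above is the 2007 one; PCI DSS 3.1 (2015) withdrew SSL and TLS 1.0 from "strong cryptography", and TLS 1.1 has since been deprecated as well, so in practice the requirement today means TLS 1.2 or newer with strong cipher suites and certificate validation. The block below is an added example for this page, not code from the presentation: it builds a client-side TLS context that enforces that policy, and applies the same policy to a constructed handshake log of the kind a payment gateway would write. The log lines and the host names in them are made up.

```python
import re
import ssl

# Policy: only TLS 1.2 and 1.3 count as strong transport encryption; cipher
# suites containing any of these markers are rejected whatever the protocol.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "RC2", "DES-CBC-", "MD5", "ADH", "AECDH")

# Constructed sample: negotiated handshakes as a gateway might log them.
SAMPLE_LOG = """\
2007-05-01 12:00:01 gw01 client=10.0.0.5 protocol=SSLv3 cipher=RC4-SHA
2007-05-01 12:00:02 gw01 client=10.0.0.6 protocol=TLSv1 cipher=AES128-SHA
2007-05-01 12:00:03 gw01 client=10.0.0.7 protocol=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2007-05-01 12:00:04 gw01 client=10.0.0.8 protocol=TLSv1.2 cipher=RC4-SHA
"""
HANDSHAKE_RE = re.compile(r"protocol=(\S+)\s+cipher=(\S+)")


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Client context for talking to an acquirer/gateway: certificate required,
    hostname checked, nothing below TLS 1.2, TLS compression off."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """The three settings an assessor asks about, as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def judge(protocol: str, cipher: str) -> str:
    """Apply the policy to one negotiated (protocol, cipher) pair."""
    if protocol not in ALLOWED_PROTOCOLS:
        return f"reject: protocol {protocol}"
    if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        return f"reject: cipher {cipher}"
    return "accept"


def audit(log: str) -> list:
    """Return [(line_no, verdict)] for every handshake line in the log."""
    verdicts = []
    for no, line in enumerate(log.splitlines(), 1):
        m = HANDSHAKE_RE.search(line)
        if m:
            verdicts.append((no, judge(m.group(1), m.group(2))))
    return verdicts


if __name__ == "__main__":
    print(describe(hardened_client_context()))
    for no, verdict in audit(SAMPLE_LOG):
        print(f"line {no}: {verdict}")
```

Line 4 is the case people miss: a TLS 1.2 session is still rejected when the negotiated cipher is RC4, which is why the check looks at both fields rather than stopping at the protocol version. `ssl.create_default_context` already sets `CERT_REQUIRED` and hostname checking; the example pins the minimum version explicitly because the library default can be older than the policy requires.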
SEPA Card Framework

• What is the SEPA?
  - The Single Euro Payments Area (SEPA) is a European Commission (EC) and
    European Payments Council (EPC) initiative that plans to remove the
    barriers to cross-border electronic euro payments.

• What is the SEPA Cards Framework?
  - The SEPA Cards Framework spells out principles and rules which, when
    implemented by banks, schemes and other stakeholders, will enable
    European customers to use general purpose cards to make payments and
    cash withdrawals in euro throughout the SEPA area with the same ease and
    convenience as in their home country.
    - There should be no difference whether they use their card in their home
      country or somewhere else within SEPA.
    - No general purpose card scheme designed exclusively for use in a single
      country, and no card scheme designed exclusively for cross-border use
      within SEPA, should exist any longer.
SEPA Card Framework

• What are the deadlines?
  - The above options may evolve further between now and end 2010, the date
    by which all payment card products and brands falling within the scope
    of this Framework will have become SCF compliant.
  - In order to deliver on the scope of this Framework, and to meet
    cardholders' and merchants' expectations across SEPA, each bank needs to
    decide which option it will implement from 1 January 2008 onwards.
  - After end 2010 no card scheme designed exclusively for use in a single
    country should operate any more for POS and ATM transactions.
How do SEPA CF requirements impact cryptography usage?

• Current infrastructure is usually acquirer-specific, brand-specific and
  country-specific. The new approach will require:
  - Common security standards at the point-of-sale level
  - Cryptographic interoperability
  - Complex and standardized key management
  - Common approval & certification
  - Etc.
What are the challenges?

• Cryptographic science is currently able to support roughly all the needs
  raised during this presentation, but there are some specific requirements:
  - The payment card industry is a real "on-line" business and transaction
    time has financial & business impacts.
  - Merchants affected by these measures are usually not well versed in
    cryptography.
  - Cost is a very important factor.
  - Points of sale and terminals have limited capabilities.
  - Merchants want to use standard telecommunication media.
THANK YOU FOR YOUR ATTENTION.