Posted: 19-Dec-2015
POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme
Common Approval Scheme POI Working Group
SRC Security Research & Consulting GmbH
Common Approval Scheme: A European Initiative for Card Payments in Europe
Content
Affected payment systems components
Domestic evaluation schemes and Payment Card Industry (PCI)
Single European Area requirements (SEPA)
Common Approval Scheme (CAS) for banking IC cards
CAS for POS/ATMs (POI) POI PP Security Requirements
Experiences in the creation of the POI PP
Foresight
Affected Payment System Components
Banking IC cards
Point of Sale Terminal (POS): IC card based electronic payment; includes the PIN Entry Device (PED) and other components (e.g. card reader)
Automated Teller Machine (ATM): IC card based electronic money withdrawal; includes the Encrypting PIN Pad (EPP) and other components
ATM and POS are both defined as Points of Interaction (POIs)
Payment transaction flow (figure; parties: Cardholder, Card, POI, Merchant, Acquirer, Issuer)
1. Payment transaction data
2. to 5. Payment transaction data and management data
3. PIN request
4. PIN (if offline PIN verification)
5. Transaction Certificate
6. Merchant receipt; cardholder receipt
7. Payment transaction data including Transaction Certificate and Merchant parameters
8. Ask for payment with payment transaction data
9. Payment notification; cardholder payment
10. Issuer payment
11. Acquirer payment
Domestic Evaluation Schemes
Throughout many European countries the banking industry has set security requirements to manage risks within payment systems effectively.
Compliance of payment system components with these security requirements has to be proved by security evaluations.
Different security levels and requirements are an obstacle to mutual recognition of security evaluations.
Examples of Domestic Evaluation Schemes
APACS (United Kingdom): Common Criteria (without formal certification), based on the APACS PED Protection Profile
ZKA (Germany): domestic high-level security requirements, informal scheme
Currence (Netherlands): PCI+
Payment Card Industry Evaluations
Global scheme with security requirements aligned by MasterCard and VISA; the evaluator performs steps based on test and security requirements defined by PCI.
Composition of design, test and vulnerability analysis adapted for ATM (EPP) and POS (PED).
Comparison to Common Criteria: design evaluation based on a vendor questionnaire, no code review (ADV_IMP); predefined test cases, no ALC, ACM, ADO; requirements of resistance against high attack potential.
SEPA Standardisation for Card Payments
Use of international standards for cross-border and domestic transactions: technical requirements for payment system components are becoming closely aligned throughout Europe.
The European Payments Council, in its Single European Payment Area (SEPA) Cards Framework (SCF), defines certification principles as interoperability principles to be worked out; security requirements and mutual recognition are explicitly stated.
SEPA Standardisation for Card Payments
EPC SEPA Cards Framework (SCF):
"In order for the objectives of this Framework to be achieved, SEPA-level interoperability must be ensured in the following 4 domains:
cardholder to terminal interface,
cards to terminal (EMV),
terminal to acquirer interface (protocols or minimum requirements),
acquirer to issuer interface, including network protocols (authorization and clearing)."
"A common process for the certification of terminals, cards, and network interfaces will be defined in line with the principle described in Chapter 2.3.2."
"Card schemes will engage in mutual recognition for type approval. Any terminal certified for SEPA transactions by a certification body in one SEPA country can be deployed in any SEPA country for acceptance of SEPA cards across all SCF compliant schemes."
Common Approval Scheme Initiative
The Common Approval Scheme (CAS) initiative was originated
to agree on common security requirements, harmonising the existing requirements;
to agree on a common evaluation methodology, using the Payment Card Industry (PCI) security requirements for POS/ATM as the basis for the technical requirements;
reducing the number of security evaluations to be performed by manufacturers and reducing the costs of security certification.
Countries
Belgium: Atos Worldline, Banksys
France: Cartes Bancaires
Germany: ZKA
Italy: Progetto Microcircuito
Luxembourg: CETREL
Netherlands: Currence, Equens
Norway: BSK
Portugal: SIBS
Spain: Servired, Sistema 4B
Sweden: PNC
United Kingdom: APACS
... (open to additional participants)
CC experts involved: Trusted Labs (France), SiVenture (United Kingdom), SRC (Germany)
CAS Cards Working Group
Harmonisation of security requirements and methodology accomplished.
Result is a finalised Generic Security Target for CC evaluations of banking IC cards; thus there is no Protection Profile for banking IC cards, and the Generic Security Target serves as a guideline.
Co-ordination with ISCI/JHAS.
Preparation of pilot evaluations.
Open question: Who will verify whether a Security Target meets the Generic Security Target?
CAS Terminal Working Group
Work in progress: evaluation according to PCI or CC?
Harmonisation of security requirements (in progress), including the PCI POS PED security requirements.
Harmonisation of evaluation methodology (in progress).
For the CC approach this results in a POI Protection Profile. Within a feasibility study it will be examined whether CC evaluations conformant to the developed PP(s) pave the way for SCF compliant certification criteria and mutual recognition of security certificates.
Generic POI Architecture (figure)
Point of Interaction (POI): POI Application Logic running Application 1, Application 2 ... Application n; connected to the Application/Acquirer System and administered by the Terminal Management System.
Local Devices:
Card Readers: IC Card Reader and/or Magnetic Stripe Reader and/or Barcode Reader
CHV Devices: PIN Entry Device (includes a keypad, a display, and may include a Card Reader) and/or Biometric Device
Other Security Modules: HSM and/or SAM
User I/O Devices (excluding CHV): Keypad, Display, Printer, Acoustic Signal
Media: IC Card, Other Media (e.g. Magstripe Card)
Figure legend: Security Module, data flow, Administration by Terminal Management
Security Problem and Security Objectives
Assets: PIN, POI management and payment transaction data, software, cryptographic keys
Threats: performing unauthorised payment transactions by disclosure of the PIN or keys, or by manipulation of software or data
Security Objectives: confidential PIN entry and PIN processing; authentic payment transactions whose integrity is protected; authentic and integrity-protected usage of software and related hardware; application separation
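The payment flow above (step 5: the Card returns a Transaction Certificate; step 7: the POI forwards it with the transaction data; step 8: the Acquirer asks the Issuer to pay) is where the objective "authentic payment transaction with integrity" is enforced against the threat "manipulation of data". The following is an added example, not code from the slides, from SRC or from the CAS working groups. It assumes a key shared between Card and Issuer, uses HMAC-SHA256 as a stand-in for the card's real cryptogram MAC (the EMV construction and session-key derivation are not reproduced), and all transaction fields and identifiers are constructed sample values.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key shared between Card and Issuer (the slide's asset
# "cryptographic keys"). A fixed hypothetical value so the example runs
# offline; a real card key is never a constant in source code.
CARD_ISSUER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed sample transaction data as exchanged in steps 2-5 (Card <-> POI).
SAMPLE_TX = {
    "pan_token": "PAN-TOKEN-0001",
    "amount": 2500,                   # minor units (25.00 EUR)
    "currency": "978",
    "atc": 17,                        # application transaction counter
    "unpredictable_number": "1a2b3c4d",
}

# Constructed merchant parameters added by the POI in step 7.
SAMPLE_MERCHANT = {"merchant_id": "M-0001", "terminal_id": "T-42"}


def canonical(tx: dict) -> bytes:
    """Deterministic serialisation so Card and Issuer MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def card_generate_tc(key: bytes, tx: dict) -> str:
    """Step 5: the Card returns a Transaction Certificate over the transaction
    data it received. HMAC-SHA256 stands in for the card's cryptogram MAC."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def poi_build_acquirer_message(tx: dict, tc: str, merchant: dict) -> dict:
    """Step 7: the POI forwards transaction data, TC and merchant parameters.
    The POI holds no card key, so it can neither forge nor repair a TC."""
    return {"tx": dict(tx), "tc": tc, "merchant": dict(merchant)}


def issuer_verify(key: bytes, msg: dict) -> bool:
    """Step 8: the Issuer recomputes the TC over the data it is asked to pay
    for. Any change to amount, counter or PAN after the Card certified the
    data yields a mismatch: the 'manipulation of data' threat is detected."""
    expected = card_generate_tc(key, msg["tx"])
    return hmac.compare_digest(expected, msg["tc"])


def run_flow(tamper_amount: Optional[int] = None) -> bool:
    """Run Card -> POI -> Acquirer -> Issuer once. If tamper_amount is given,
    the amount is altered between POI and Issuer, after the TC was generated,
    to show that the Issuer rejects the transaction."""
    tc = card_generate_tc(CARD_ISSUER_KEY, SAMPLE_TX)
    msg = poi_build_acquirer_message(SAMPLE_TX, tc, SAMPLE_MERCHANT)
    if tamper_amount is not None:
        msg["tx"]["amount"] = tamper_amount   # manipulation in transit
    return issuer_verify(CARD_ISSUER_KEY, msg)


if __name__ == "__main__":
    print("untampered transaction accepted:", run_flow())
    print("tampered amount accepted:", run_flow(tamper_amount=25))
```

The merchant parameters are deliberately outside the MAC, matching the figure where the Card certifies the transaction data and the POI appends merchant parameters afterwards; whatever the Issuer relies on for payment must therefore be inside the certified data, which is why the amount, counter and PAN token are in `SAMPLE_TX` and not in `SAMPLE_MERCHANT`.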
CAS POI Security Requirements (subset)
PCI: physical and logical security requirements (tamper-responsive hardware, ...; self-test, logical anomalies, ...)
PCI +: extension to message integrity for ATM/POS; extension of requirements for the life cycle; code analysis
PCI -: plaintext PIN protection at a level less than high; magnetic stripe security
Challenges in creating a PP for a complex product
Define the Target of Evaluation: different implementation architectures shall be allowed; different payment system components (ATM, EPP, POS, PED) shall be considered; application separation.
Two Evaluation Assurance Levels: high attack potential as the objective for PIN entry and enciphered PIN processing, but at low cost; protection level for plaintext PIN and for POI management and transaction data processing below high.
Different hardware security requirements.
Minimum POI (figure)
Payment Application, connected to the Application/Acquirer Host and administered by the Terminal Management Host
Local Devices: IC Card Reader; PIN Entry Device including a keypad, a display and the Security Module; IC Card
Figure legend: data flow, Administration by Terminal Management
POI components connected via an open network (figure)
Server running Application 1, Application 2 ... Application n, connected over the Open Network to the Application/Acquirer Host and the Terminal Management Host
Local Devices: IC Card Reader; PIN Entry Device including a keypad, a display and the Security Module; IC Card
Figure legend: Open Network, data flow, Administration by Terminal Management
POI Protection Profile: TSF structure (figure)
Core TSF (high level of protection): PIN entry and processing of the PIN until the PIN is enciphered (includes the PED keypad)
PED Middle TSF (level of protection below high): plaintext PIN processing
Middle TSF (level of protection below high): processing of POI management and payment transaction data
Foresight
Finalising the POI PP
Pilot evaluation based on the POI PP
Mutual recognition and certification scheme: discussion already started with BSI, DCSSI, CESG
Founding a group like ISCI/JHAS for IC cards
Decision for PCI methodology or Common Criteria based on PCI functional security requirements
Any questions?
Contact
SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149a
53117 Bonn
Tel. +49-(0)228-2806-0
Fax: +49-(0)228-2806-199
E-mail: [email protected]
www.src-gmbh.de