Transcript of: Security in Payment Systems - JD Events Tech Talk.pdf
Slide 1: Security in Payment Systems
“The Marriage of Kiosk and Payment Processing”
Bud Waller, EVP, VeriFone, Inc.
KioskCom 2006, Las Vegas, NV, April 2006
Slide 2: First: Who We Are
VeriFone Holdings, Inc. (“VeriFone”) (NYSE: PAY), with more than $500M in annual revenue, is a leading global provider of technology that enables electronic payment transactions.
Our Mission: To strengthen and expand our position as the trusted worldwide leader of the electronic payment industry, VeriFone will provide proven, high-quality solutions and expertise that drive increased value for our customers.
Over 12,000,000 VeriFone secure payment devices are installed worldwide in over 110 countries, processing more than 100 secured payments every second.
Slide 3: VeriFone Global Solutions
Verticals served (diagram on slide): Gov’t/Healthcare • Fast Food • Indoor & Outdoor • Petroleum • C-Store • Hospitality • Retail • Mobile • Transportation
Slide 4: Electronic Payments - Growth Industry
Drivers of market opportunity (diagram on slide):
• New Verticals
• Payment Card Innovations
• Value-Added Applications
• Enhanced Security Standards
• New Communication Technologies
• Emerging Markets
But with growth comes risk.
Slide 5: Self-Service or Consumer Facing Solutions Need To Be Secure
• Payment is the “next frontier”
• Touch screens are typically not secure!
• The Consumer is the Cashier!
Slide 6: Security Is The #1 Focus of the Payments Industry Today
• Consumers Must Trust Using Their Cards
• Industry Focus is on Fraud
• Significant Penalties for Jeopardizing Security
  – Fines from card associations
  – Restitution for losses
  – Damage to “Customer Good Will”
As Payment Comes To Self-Service and Kiosk – Security is a Must!
Slide 7: Shifting Focus of Payment Security
Shifting Responsibility and Focus (diagram on slide): the transaction chain runs from the Card Processor / Authorizer (Network) to the Merchant Host System (Chain), to the Store POS System and Cashier (Store, attended), and finally to the Consumer Point of Self-Service (Kiosk).
• Much More Consumer Awareness of Payment Fraud
• Thieves Are Always Getting More Clever
• Entire “Trusted Transaction Chain” Must Be Secure
• Focus is to Stop Fraud Where Transaction Starts
Slide 8: Fraud Alert
Sources of Point of Sale Fraud (rank order):
1. Skimming & cloning
2. Device and line tapping or “spoofing”
3. Transaction logs and database hacks
Slide 9: Fraud Types: Skimming
A device is used to capture the magnetic stripe information, which is then used to create duplicate cards.
Slide 10: Device or Line Tapping or “Spoofing”
A device is inserted into a payment device or attached to the line, and card information is collected and either retrieved later or immediately transmitted.
Photo on slide: Tapping Device Found in non-Certified Payment Device
• Wireless device transmitting data over a range of 200m
• Surface mount assembly, with removable storage media
Slide 11: Transaction Logs or Database Hack
POS software can contain mag-stripe data – in the clear! Sample log from the slide; the card number and expiry date are visible in the clear in the authorization request:
"01/01/05 18:26:04",">> ATV1Q0<CR>"
"01/01/05 18:26:04","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:05",">> ATE0V1<CR>"
"01/01/05 18:26:05","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:52",">> <STX>D4.99999599999999991100119911QR840840314193262007055999Y103954@D5473500000000014=05121019999888877776<FS><FS><FS>100<FS><FS><FS>Phantom Auto Parts Huntsville AL<FS><FS><FS>000<ETX>N <CR><LF>Content-Type: x-VISA-II/x-auth<CR><LF>"
"01/01/05 18:26:53",">> Connected ssl.pgs.wcom.net 443"
"01/01/05 18:26:54","<< <STX>E4.A001199115103900VITAL8051705182654APPROVAL 862445 0513722502322 0000123456789 <FS> <FS>000<ETX>;"
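As an added example (not from the slide deck or VeriFone), the Python scanner below checks POS log lines like the one above for card data left in the clear: it looks for the track-2 layout (PAN, “=”, YYMM expiry) and for bare 13-19 digit numbers, keeps only candidates that pass the Luhn check to cut false positives, and reports a truncated account number so the report itself does not re-leak the data. The authorization record is the one from the slide; the other two log lines and all function names are constructed for this example.

```python
import re

# Sample log: the first record is the authorization request shown on the
# slide; the other two lines are constructed to exercise the filters.
SAMPLE_LOG = [
    '"01/01/05 18:26:52",">> <STX>D4.99999599999999991100119911QR840840314193262007055999Y103954'
    '@D5473500000000014=05121019999888877776<FS><FS><FS>100<FS>"',
    '"01/01/05 18:27:10","order_id=4000123456789012 status=shipped"',  # 16 digits, fails Luhn
    '"01/01/05 18:27:11","receipt pan=547350******0014 exp=**/**"',   # already truncated
]

# Track 2 layout: PAN (13-19 digits), '=' separator, YYMM expiry, then service
# code and discretionary data. A bare PAN is a 13-19 digit run that is not part
# of a longer digit run (the lookarounds exclude the long numeric fields above).
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})\d*")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first 6 and last 4 digits, as a receipt or a report should print."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines):
    """Return (line_no, kind, masked_pan, expiry) for each Luhn-valid PAN in the clear."""
    findings = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for m in TRACK2_RE.finditer(line):          # kind "track2": PAN followed by expiry
            if luhn_ok(m.group(1)):
                findings.append((n, "track2", mask_pan(m.group(1)), m.group(2)))
                seen.add(m.group(1))
        for m in PAN_RE.finditer(line):             # kind "pan": bare PAN, no expiry
            if m.group(1) not in seen and luhn_ok(m.group(1)):
                findings.append((n, "pan", mask_pan(m.group(1)), None))
    return findings
```

Run as `scan_log(SAMPLE_LOG)`: only the slide's authorization record is reported, as a track-2 finding with the account number truncated to 547350******0014 and expiry 0512.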
Slide 12: Fraud - How Big of an Issue?
Malaysia – Line Tapping
• Card data sent in clear intercepted and recorded on MP3 player
New York – Skimming
• Two Servers in NY skimmed $300K
• 70% of Skimming occurs in restaurants and bars
Florida – Skimming
• Devices placed in gas pumps
Within 12 hours a hacker can get the file, check the accounts, sell the accounts, and fraudulent transactions can be posted in the $100,000s.
Slide 13: Security Touches Everything…
Diagram on slide: Your Kiosk Payment Application sits at the center, surrounded by the security elements it must address (labelled on the slide as typically hardware or typically software):
• Credit Mag Stripe Verification
• Receipt Formatting and Account Truncation
• Debit PIN Entry and Handling
• Journal or database Storage and retrieval
• Secure transaction delivery to processor or host
Physical and Logical Security Elements Must Be In Place
Slide 14: Security Compliance – Two Major Initiatives
• PCI – Payment Card Industry security
• PABP – Payment Application Best Practices
These are in addition to network security like SSL.
Slide 15: PCI — The Security Standard
• PCI is the standard that resulted from a collaboration between the individual card brands’ data security programs
• PCI establishes a unified standard for security associated with the storage, transmission, and processing of card data
• PCI covers systems, policies and procedures
Slide 16: PCI Non-Compliance Implications
“Safe Harbor” is available for merchants that have been compromised but were found to be compliant at the time of the security breach.
If a merchant does not comply with data security requirements, card brands may:
• Impose restrictions on card acceptance
• Permanently prohibit card acceptance
• Impose fines depending on the severity of the incident
Fines can be significant – in 2005 one major card issuer had a significant breach and the resulting fines and bad press caused bankruptcy.
Slide 17: PCI Data Security Standard - Highlights
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security
Slide 18: Compliance Validation Requirements
Level 1 Merchants: >6M card transactions/yr; merchants that have had data fraud; merchants deemed “higher risk” by the card association
  Requirements: Annual On-Site Security Audit; Quarterly Network Scan; Independent Security Assessor, or Internal Audit if signed by an Officer of the company; Compliance date 9/30/04
Level 2 & 3 Merchants: 20K–6M transactions/yr
  Requirements: Annual Self-Assessment Questionnaire; Quarterly Network Scan; Compliance date 6/30/05
Focus of Most Kiosk and Self-Service Solutions
Slide 19: PCI Elements
• PCI-DSS – Data Security Standard
  – Intended to protect cardholder data – wherever it resides – ensuring that members, merchants, and service providers maintain the highest information security standard
  – Merchants are required to seek 3rd party approval of their infrastructure
• PCI-PED – PIN Entry Device, ATM, Encrypting PIN Pad
  – Replaces the Visa PIN Entry Device (PED) program and the MasterCard PIN Entry Device (PED) program
  – Verifies physical and logical security of devices intended to accept PIN entry from Consumers
  – Vendors are required to seek 3rd party approval of their products
Callout on slide: Self-Service
Slide 20: Device Classifications
Currently there are three types of PED devices in use:
• Approved Devices
  – 1) PCI-PED Approved Terminal (2005 onwards)
  – 2) Visa-PED Approved Terminal (2002 – 2004)
• Unapproved Devices (Pre 2002)
  – 3) Any PED that was never approved under the Visa-PED testing program
From 1st July 2010 all devices must have been Visa PED or PCI POS PED approved – IF NOT, MUST BE REMOVED FROM SERVICE
Slide 21: VISA-PED Approvals Extension
• In establishing the PCI POS PED Program, MasterCard and JCB agreed to grandfather all Visa PED approved devices and have agreed to extend the approval period for Visa PED approved products until 31st Dec 2007
  – This ensures a smooth transition to the new aligned process
  – After this date, the product must be PCI POS PED approved
• There is no sunset date for Visa PED approved product in the field – MAY BE USED INDEFINITELY
Slide 22: PCI-PED Device - Key Highlights
• New PCI specifications released ~ every 3 years
  – Need to stay ahead of crooks
• Device certification is granted to 6 years beyond next spec release
  – Example: 1.0 compliant devices installed today are still compliant for 6 years after the 2.0 spec is released in 2007
  – Longest a device will be compliant is 9.5 years
• Merchant is responsible to ensure devices are current and approved on the network
  – Merchant typically forces that compliance onto the POS supplier
• While compliance for PED is debit-with-PIN focused, other PCI elements apply to all card transactions – credit, debit, gift, check card, etc.
Slide 23: Payment Application Best Practices
What is PABP?
• Visa has developed a Payment Application Best Practices compliance program to address security and the risks that arise when payment applications store full magnetic stripe data or CVV2 values after authorization.
• Provides guidelines for application developers
• Acquirers are responsible for ensuring that their merchants and service providers confirm the security of their payment applications using the Payment Application Best Practices.
Slide 24: PABP Guidelines - Highlights
• Do not retain full magnetic stripe or CVV2 data
• Protect stored data
• Provide secure password features
• Log application activity
• Develop secure applications
• Protect wireless transmissions
• Test applications to address vulnerabilities
• Facilitate secure network implementation
• Cardholder data must never be stored on a server connected to the Internet
• Facilitate secure remote software updates
• Facilitate secure remote access to application
• Encrypt sensitive traffic over public networks
• Encrypt all non-console administrative access
Slide 25: How do you know which peripherals or software are certified?
• Visa: http://partnernetwork.visa.com/st/main.jsp (Google: “VISA PCI SECURITY”)
• MasterCard: https://sdp.mastercardintl.com (Google: “MASTERCARD PCI SECURITY”)
Other Resources:
• EMV – www.emvco.com
• PABP – www.ambiron.com/vital/pabp
Slide 26: Integrating Payment in the Self-Serve Market: 7 Things You Should Know…
1. Payment is already here for self-service and kiosk
  – Customers expect it
  – It drives ROI
  – It’s not just credit – debit as well
2. Fraud is real – and self-service devices are a prime target
  – ATMs have been compromised
  – Pay-at-pump has been compromised
  – Data transfer from storage has been compromised
3. The industry is actively working on reducing fraud – and is aggressive in ensuring compliance to standards
  – Fines for poor oversight (CardServices, Inc)
  – Higher fees for non-compliance
Slide 27: Integrating Payment in the Self-Serve Market: 7 Things You Should Know…
4. Security has a number of components – one weak link makes an entire solution not secure
  – Debit PIN – PCI-PED. A typical touch screen kiosk is not a secure PIN pad!
  – Transactions – 3DES encryption, SSL
  – Applications – PABP
5. Network certification doesn’t guarantee PABP validation
  – Certification is processor specific
  – Processors make changes – even to “standards” like ISO 8583
  – Keeping up with changes to every processor can be time consuming and expensive
  – PABP is additional to network compliance
Slide 28: Integrating Payment in the Self-Serve Market: 7 Things You Should Know…
6. Planning for security is not an afterthought
  – Standards change – be on top of it! Expect changes every ~24-36 months
  – The added effort of security is significant, but less costly when it is designed in at the beginning versus after the fact – or after a fine!
  – Payment security can be a competitive differentiator for your solution, but it needs to be trusted.
  – VeriFone, and others, have secure hardware and software payment solutions that are easy to integrate into your existing applications
7. Resources are readily available if you are not a payment expert
  – VISA/MasterCard Websites
  – ANSI/ISO Standards
  – EMVCO
  – VeriFone