Transcript of Security in Payment Systems - JD Events Tech Talk

Security in Payment Systems

“The Marriage of Kiosk and Payment Processing”

Bud Waller, EVP VeriFone, Inc.

KioskCom 2006 Las Vegas, NV April 2006


First: Who We Are

VeriFone Holdings, Inc. (“VeriFone”), (NYSE: PAY) with more than $500M in annual revenue is a leading global provider of technology that enables electronic payment transactions.

To strengthen and expand our position as the trusted worldwide leader of the electronic payment industry, VeriFone will provide proven, high-quality solutions and expertise that drive increased value for our customers.

OUR MISSION

Over 12,000,000 VeriFone secure payment devices are installed worldwide in over 110 countries processing more than 100 secured payments every second.


VeriFone Global Solutions

• Gov’t/Healthcare
• Fast Food
• Indoor & Outdoor
• Petroleum
• C-Store
• Hospitality
• Retail
• Mobile
• Transportation


Electronic Payments - Growth Industry

New Verticals

Payment Card Innovations

Value-Added Applications

Enhanced Security Standards

New Communication Technologies

Emerging Markets

(Chart label: Market Opportunity)

But with growth comes risk...


Self-Service or Consumer Facing Solutions Need To Be Secure

Payment is the “next frontier”

Touch screens are typically not secure!

The Consumer is the Cashier!


Security Is The #1 Focus of the Payments Industry Today

Consumers Must Trust Using Their Cards

Industry Focus is on Fraud

Significant Penalties for Jeopardizing Security

Fines from card associations

Restitution for losses

Damage to “Customer Good Will”

As Payment Comes To Self-Service and Kiosk – Security is a Must!


Shifting Focus of Payment Security

Shifting Responsibility and Focus

(Diagram labels: Network / Store / Kiosk; Card Processor / Authorizer; Merchant Host System; Store POS System – Cashier, Attended; Consumer Point of Self-Service – Store Kiosk; Chain)

• Much More Consumer Awareness of Payment Fraud
• Thieves Are Always Getting More Clever
• Entire “Trusted Transaction Chain” Must Be Secure
• Focus is to Stop Fraud Where Transaction Starts


Fraud Alert

Sources of Point of Sale Fraud (rank order):

1. Skimming & cloning
2. Device and line tapping or “spoofing”
3. Transaction logs and database hacks


Fraud Types: Skimming

A device is used to capture the magnetic stripe information which is used to create duplicate cards


Device or Line Tapping or “Spoofing”

A device is inserted into a payment device or attached to the line and card information is collected and either later retrieved or immediately transmitted.

(Photo captions: Wireless device transmitting data over a range of 200m; Surface mount assembly, with removable storage media; Tapping Device Found in non-Certified Payment Device)


Transaction Logs or Database Hack

POS software can contain mag-stripe data – in the clear!

"01/01/05 18:26:04",">> ATV1Q0<CR>"
"01/01/05 18:26:04","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:05",">> ATE0V1<CR>"
"01/01/05 18:26:05","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:52",">> <STX>D4.99999599999999991100119911QR840840314193262007055999Y103954@D5473500000000014=05121019999888877776<FS><FS><FS>100<FS><FS><FS>Phantom Auto Parts Huntsville AL<FS><FS><FS>000<ETX>N <CR><LF>Content-Type: x-VISA-II/x-auth<CR><LF>"
"01/01/05 18:26:53",">> Connected ssl.pgs.wcom.net 443"
"01/01/05 18:26:54","<< <STX>E4.A001199115103900VITAL8051705182654APPROVAL 862445 0513722502322 0000123456789 <FS> <FS>000<ETX>;"
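The authorization request in the log above carries full Track 2 data (PAN, expiry, service code and discretionary data) in plain text, which is exactly what the deck later lists under PABP as data an application must not retain. As an added example (not from the slides or from VeriFone), the Python below scans log lines of that shape for Track 2 fragments and replaces them with a truncated PAN (first six and last four digits, the truncation the deck refers to under receipt formatting). The sample lines are constructed to match the slide's log, the card number is the slide's own dummy value, and the regular expression, field names and function names are assumptions made for this example.

```python
import re

# Constructed sample lines in the same shape as the POS log on the slide
# (timestamp, direction marker, payload). The card number is the slide's
# dummy value, not a real account.
SAMPLE_LOG = [
    '"01/01/05 18:26:05",">> ATE0V1<CR>"',
    '"01/01/05 18:26:52",">> <STX>D4.99999599999999991100119911QR840840314193262007055999Y103954@D5473500000000014=05121019999888877776<FS><FS><FS>100<FS><FS><FS>Phantom Auto Parts Huntsville AL<FS><FS><FS>000<ETX>N <CR><LF>"',
    '"01/01/05 18:26:54","<< <STX>E4.A001199115103900VITAL8051705182654APPROVAL 862445 0513722502322 0000123456789 <FS> <FS>000<ETX>;"',
]

# Track 2 layout: PAN (13-19 digits), '=' separator, YYMM expiry, 3-digit
# service code, then discretionary data. The lookbehind stops a PAN match
# from starting in the middle of a longer digit run.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)")


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; everything else becomes '*'."""
    if len(pan) < 13:
        raise ValueError("not a PAN-length string")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(line: str) -> list[dict]:
    """Return every Track 2 fragment found in a log line, split into fields."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        hits.append({
            "pan": m.group(1),
            "expiry": m.group(2),
            "service_code": m.group(3),
            "discretionary": m.group(4),
            "span": m.span(),
        })
    return hits


def scrub_line(line: str) -> str:
    """Replace any Track 2 fragment with the masked PAN only.

    Expiry, service code and discretionary data are dropped entirely, since
    full magnetic-stripe data must not be retained after authorization.
    """
    return TRACK2_RE.sub(lambda m: mask_pan(m.group(1)), line)


def scan_log(lines) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) for each line holding track data."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for hit in find_track2(line):
            findings.append((n, mask_pan(hit["pan"])))
    return findings


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: Track 2 data in the clear, PAN {masked}")
    for line in SAMPLE_LOG:
        print(scrub_line(line))
```

A scanner like this belongs in two places: run over existing journals and debug logs to find what has already been written in the clear, and wired into the logging path so the masked form is the only one that ever reaches disk. Matching on the Track 2 structure rather than on a bare digit run keeps the false-positive rate low on protocol traffic such as the authorization response, which contains long numeric fields that are not card numbers.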


Fraud - How Big of an Issue?

Malaysia – Line Tapping

• Card data sent in clear intercepted and recorded on MP3 player

New York – Skimming

• Two Servers in NY skimmed $300K

• 70% of Skimming occurs in restaurants and bars

Florida – Skimming

• Devices placed in gas pumps

Within 12 hours a hacker can get the file, check the accounts, sell the accounts and fraudulent transactions can be posted in the $100,000s


Security Touches Everything…

(Diagram: Your Kiosk Payment Application at the centre; the elements around it are labelled Typically Hardware or Typically Software)

• Credit Mag Stripe Verification
• Receipt Formatting and Account Truncation
• Debit PIN Entry and Handling
• Journal or database storage and retrieval
• Secure transaction delivery to processor or host

Physical and Logical Security Elements Must Be In Place


Security Compliance – Two Major Initiatives

PCI – Payment Card Industry security

PABP – Payment Application Best Practices

These are in addition to network security like SSL


PCI — The Security Standard

PCI is the standard which resulted from a collaboration between the individual card brands’ data security programs

PCI establishes a unified standard for security associated with the storage, transmission, and processing of card data

PCI covers systems, policies and procedures


PCI Non-Compliance Implications

“Safe Harbor” is available for merchants that have been compromised but found to be compliant at the time of the security breach.

If a merchant does not comply with data security requirements card brands may:

• Impose restrictions on card acceptance
• Permanently prohibit card acceptance
• Impose fines depending on the severity of the incident

Fines can be significant – In 2005 one major card issuer had a significant breach and the resulting fines and bad press caused bankruptcy.


PCI Data Security Standard-Highlights

• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that addresses information security


Compliance Validation Requirements

Level 1 Merchants – >6M Card transactions/yr
• Merchants that have had data fraud
• Merchants deemed “higher risk” by the card association

Requirements
• Annual On-Site Security Audit
• Quarterly Network Scan
• Independent Security Assessor or Internal Audit if signed by Officer of the company
• Compliance date 9/30/04

Level 2 & 3 Merchants – 20K-6M Transactions/Yr

Requirements
• Annual Self-Assessment Questionnaire
• Quarterly Network Scan
• Compliance date 6/30/05

Focus of Most Kiosk and Self-Service Solutions


PCI Elements

PCI-DSS • Data Security Standard

– Intended to protect cardholder data – wherever it resides – ensuring that members, merchants, and service providers maintain the highest information security standard

– Merchants are required to seek 3rd party approval of their infrastructure

PCI-PED • PIN Entry Device, ATM, Encrypting PIN Pad

– Replaces the Visa PIN Entry Device (PED) program and the MasterCard PIN Entry Device (PED) program

– Verifies physical and logical security of devices intended to accept PIN entry from Consumers

– Vendors are required to seek 3rd party approval of their products

Self-Service


Device Classifications

Currently there are three types of PED Devices in use

• Approved Devices
– 1) PCI-PED Approved Terminal (2005 onwards)
– 2) Visa-PED Approved Terminal (2002 – 2004)

• Unapproved Devices (Pre 2002)
– 3) Any PED that was never approved under the Visa-PED testing program

From 1st July 2010 All devices must have been Visa PED or PCI POS PED approved – IF NOT, MUST BE REMOVED FROM SERVICE


VISA-PED Approvals Extension

In establishing the PCI POS PED Program MasterCard and JCB agreed to grandfather all Visa PED approved devices and have agreed to extend the approval period for Visa PED approved products until 31st Dec 2007
• This ensures a smooth transition to the new aligned process
• After this date, the product must be PCI POS PED approved

There is no sunset date for Visa PED approved product in the field – MAY BE USED INDEFINITELY


PCI-PED Device - Key Highlights

New PCI specifications released ~ every 3 years
• Need to stay ahead of crooks

Device certification is granted to 6 years beyond next spec release
• Example: 1.0 compliant devices installed today are still compliant for 6 years after 2.0 spec is released in 2007
• Longest a device will be compliant is 9.5 years.

Merchant is responsible to ensure devices are current and approved on the network
• Merchant typically forces that compliance to POS supplier

• Merchant typically forces that compliance to POS supplier

While compliance for PED is debit with PIN focused, other PCI elements apply to all card transactions –credit, debit, gift, check card, etc.


Payment Application Best Practices

Visa has developed a Payment Application Best Practices compliance program to address security and the risks associated when full magnetic stripe data or CVV2 values are stored after authorization by payment applications.

What is PABP?

Provides guidelines for application developers

Acquirers are responsible for ensuring that their merchants and service providers confirm the security of their payment applications using the Payment Application Best Practices.


PABP Guidelines-Highlights

• Do not retain full magnetic stripe or CVV2 data
• Protect stored data
• Provide secure password features
• Log application activity
• Develop secure applications
• Protect wireless transmissions
• Test applications to address vulnerabilities
• Facilitate secure network implementation
• Cardholder data must never be stored on a server connected to the Internet
• Facilitate secure remote software updates
• Facilitate secure remote access to application
• Encrypt sensitive traffic over public networks
• Encrypt all non-console administrative access
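The first two PABP points (do not retain full magnetic stripe or CVV2 data; protect stored data) are most reliably met at the point where the application builds the record it will persist, rather than by cleaning up a journal afterwards. As an added example (not from the slides, not VeriFone's or Visa's code), the Python below builds a journal record from the in-memory authorization context by copying only an allow-list of non-sensitive fields, storing a truncated PAN plus a keyed token in place of the PAN, and refusing outright if the caller hands it track data, CVV2 or PIN material. The field names, the placeholder key and the sample authorization are all constructed for this example; the card number is the slide's dummy value.

```python
import hmac
import hashlib
import json

# Placeholder key, constructed for this example. In a deployment the token
# key comes from an HSM or key store, never from source code.
TOKEN_KEY = b"EXAMPLE-ONLY-JOURNAL-KEY-REPLACE-ME"

# Fields an application must not retain after authorization (full track
# data, CVV2), plus PIN material that belongs inside the PIN entry device.
PROHIBITED_FIELDS = {"track1", "track2", "cvv2", "pin", "pin_block"}


class ProhibitedDataError(ValueError):
    """Raised when a caller tries to journal data that must never be stored."""


def pan_token(pan: str) -> str:
    """Keyed hash of the PAN: lets repeat cards be matched without keeping the PAN."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """First six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def journal_record(auth: dict) -> dict:
    """Build the record that may be written to the transaction journal.

    `auth` is the full authorization context the application held in memory
    (constructed field names). Only an allow-list of fields is copied; the
    PAN is replaced by its masked form and a token, and expiry is dropped.
    """
    present = PROHIBITED_FIELDS & set(auth)
    if present:
        # Fail loudly: a caller passing track data here is a defect to fix,
        # not something to silently strip.
        raise ProhibitedDataError(f"refusing to journal {sorted(present)}")
    pan = auth["pan"]
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return {
        "timestamp": auth["timestamp"],
        "amount": auth["amount"],
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan),
        "auth_code": auth["auth_code"],
        "approved": auth["approved"],
    }


def journal_line(auth: dict) -> str:
    """Serialize the safe record; the raw `auth` dict never reaches a logger."""
    return json.dumps(journal_record(auth), sort_keys=True)


# Constructed authorization context; auth code and card number are the
# slide's dummy values, the rest is made up for the example.
SAMPLE_AUTH = {
    "timestamp": "2005-01-01T18:26:54",
    "amount": "1.00",
    "pan": "5473500000000014",
    "expiry": "0512",
    "auth_code": "862445",
    "approved": True,
}

if __name__ == "__main__":
    print(journal_line(SAMPLE_AUTH))
    try:
        journal_line({**SAMPLE_AUTH, "track2": "5473500000000014=0512101..."})
    except ProhibitedDataError as e:
        print("blocked:", e)
```

The allow-list in journal_record is the real control: the record can only ever contain the fields named there, so adding a new sensitive field to the authorization context cannot leak into storage by accident. The PROHIBITED_FIELDS check on top of it turns a programming mistake into an exception during testing instead of a silent near-miss.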


How do you know which peripherals or software are certified?

http://partnernetwork.visa.com/st/main.jsp (Google: “VISA PCI SECURITY”)

https://sdp.mastercardintl.com (Google: “MASTERCARD PCI SECURITY”)

Other Resources:
EMV – www.emvco.com
PABP – www.ambiron.com/vital/pabp


Integrating Payment in the Self-Serve Market: 7 Things You Should Know…

1. Payment is already here for self-service and kiosk

• Customers expect it
• It drives ROI
• It’s not just credit – debit as well

2. Fraud is real – and self-service devices are a prime target

• ATMs have been compromised
• Pay-at-pump has been compromised
• Data transfer from storage has been compromised

3. The industry is actively working on reducing fraud – and is aggressive in ensuring compliance to standards

• Fines for poor oversight (CardServices, Inc)
• Higher fees for non-compliance


Integrating Payment in the Self-Serve Market: 7 Things You Should Know…

4. Security has a number of components – one weak link makes an entire solution not secure

• Debit PIN – PCI-PED (a typical touch screen kiosk is not a secure PIN pad!)
• Transactions – 3DES encryption, SSL
• Applications – PABP

5. Network certification doesn’t guarantee PABP validation

• Certification is processor specific
• Processors make changes – even to “standards” like ISO8583
• Keeping up with changes to every processor can be time consuming and expensive
• PABP is additional to network compliance


Integrating Payment in the Self-Serve Market: 7 Things You Should Know…

6. Planning for security is not an afterthought

Standards change – be on top of it!
• Expect changes every ~24-36 months
• The added effort of security is significant, but less costly when it is designed in at the beginning versus after the fact! – or after a fine!
• Payment security can be a competitive differentiator for your solution, but it needs to be trusted.
• VeriFone, and others, have secure hardware and software payment solutions that are easy to integrate into your existing applications

7. Resources are readily available if you are not a payment expert

• VISA/MasterCard Websites
• ANSI/ISO Standards
• EMVCO
• VeriFone


Thank You.