Troy Leach, April 2012
The PCI Security Standards Council
About the Council
Open, global forum, founded 2006
Responsible for PCI Security Standards:
• Development
• Management
• Education
• Awareness
PCI Security Standards: Protection of Cardholder Payment Data
Ecosystem of payment devices, applications, infrastructure and users:
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Applications)
• Merchants & Service Providers: PCI DSS (Secure Environments)
PCI Security: Mobile Payments
Agenda
• Technology Updates: Mobile
• Industry Engagement
• Questions & Answers
Environmental Considerations at a Glance
• Market
  • Increased interest in adoption of a variety of mobile technologies
  • Absence of both traditional controls and standards
• PCI SSC Activity
  • Create efficient mechanisms for broader engagement
  • Evaluate need to develop standards
  • Facilitate, when applicable, easier compliance mechanisms
Areas of Focus for “Mobile”
• Devices: tamper-resistance, Secure Card Readers, POI & P2PE
• Applications: requirements and/or best practices for authorization and settlement
• Service Providers: service provider protection of cardholder data and validation
Peripheral Device Encryption
Cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.
The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data.
New PTS approval class for Secure (Encrypting) Card Readers (SCR); SCR and other POI.
Mobile Phone Plug-in SCR:
• Audio connector plugs into the phone’s headphone jack
• Plug-in MSR encrypts data on the reader even before it reaches the phone
• No PIN entry
• QSA must determine data NOT decrypted on phone
• Also works on computers – any device with an audio input jack
2011 Guidance
Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and validating mobile payment acceptance applications to version 2.0 of the PA-DSS.
Mobile Update – Announcement and FAQ
Mobile Application Categories
• Category 1: PTS Approved PED Devices
• Category 2: Purpose Built POS Devices
• Category 3: General Purpose Smart Device
Applications for category 1 and 2 devices are eligible for PA-DSS. Applications for category 3 devices are pending development of further guidance and/or standards.
Current Environmental Concerns
• Rapid development of applications
• Lack of “traditional” controls
• Too many privileges
• Malicious apps
• Wi-Fi sniffing / blackjacking
• Radiation of keys and side channel attacks
• Distribution and persistent connectivity
• Ownership and use policy
PTS PED Vendor Solutions
• Phone is designed and purpose built as a secure device
• Because it is a secure, tamper-protected device, it may use either an SCR or a data key managed similar to the PIN key
• By definition does not use off-the-shelf mobile phones
PTS PED Vendor Solutions
• Phone compartment / cradle for phone
• May employ an encrypting card reader or use a data key managed similar to the PIN key
• Card readers integrated into the PED
Exposure of CHD within Device
Cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device.
The mobile device has access to cleartext cardholder data.
Mobile Task Force to provide guidance and/or best practices: Application Security within Smart Devices
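The two slides above draw one line: with an encrypting reader the phone relays only ciphertext, while with manual entry or a plain reader the phone holds cleartext cardholder data. The following is an added example, not code from the PCI SSC or any vendor; it models both paths and an assessor-style check (the "data NOT decrypted on phone" test) that scans the phone-visible buffer for Luhn-valid PANs. The key, nonce, and the HMAC-SHA256 keystream are constructed stand-ins for whatever scheme a real SCR uses.

```python
import hashlib
import hmac
import re

# Constructed demo key: in the slide's model it lives in the reader and at the
# processor; the phone never holds a copy.
PROCESSOR_KEY = b"constructed-demo-key-shared-by-reader-and-processor"

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (stand-in for the reader's real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def reader_encrypt(track: bytes, nonce: bytes) -> bytes:
    """Done inside the SCR, before any byte reaches the phone's audio jack."""
    return bytes(a ^ b for a, b in zip(track, _keystream(PROCESSOR_KEY, nonce, len(track))))

def processor_decrypt(blob: bytes, nonce: bytes) -> bytes:
    """Only the processor holds the key; XOR stream cipher is symmetric."""
    return reader_encrypt(blob, nonce)

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_cleartext_pans(buffer: bytes) -> list[str]:
    """Assessor check: any 13-19 digit run in the phone-visible buffer passing Luhn."""
    text = buffer.decode("latin-1")
    return [run for run in re.findall(r"\d{13,19}", text) if luhn_ok(run)]

def phone_view_scr(track: bytes, nonce: bytes) -> bytes:
    """Encrypting-reader path: the phone is a conduit and sees only ciphertext."""
    return reader_encrypt(track, nonce)

def phone_view_manual(track: bytes) -> bytes:
    """Non-encrypted path (manual key entry / plain MSR): the phone holds cleartext."""
    return track

# Constructed sample track data using the well-known 4111... test PAN.
SAMPLE_TRACK = b";4111111111111111=2512101?"
SAMPLE_NONCE = b"constructed-nonce-01"
```

Running `find_cleartext_pans` over `phone_view_manual(SAMPLE_TRACK)` flags the PAN, while over `phone_view_scr(...)` it finds nothing, which is the property the QSA is asked to establish.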
2012 Guidance Calendar
• Mobile SCR & P2PE Guidance for Merchants
• Mobile Acceptance Best Practices
• Mobile SCR & P2PE Guidance for Assessors and Vendors
• Roadmap for Category 3 Applications
Three Year Outlook: Mobile
• Devices and Peripherals:
  • Publish guidance on use of attached PTS POI to mobile with P2PE
• Applications:
  • Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation
  • Create AQM checklist for PA-DSS qualification
  • If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data
• Service Providers:
  • Evaluate for potential guidance and/or security requirements for third parties with access to cardholder data
The Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants require the Council to address.
Agenda
• Technology Updates: Mobile
• Industry Engagement
• Questions & Answers
Mobile Task Force
• PCI Council members and staff, volunteer participating organizations and subject matter experts
• Subject matter experts are especially important when examining Scenario 2
• Examples of subject matter experts:
  • Security Assessors
  • OS Platform Vendors
  • Financial Processors
  • Device Manufacturers
Mobile Task Force
The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.
Questions?
Any Questions?
Please visit our website at www.pcisecuritystandards.org