
darkfryingpan, Mobile – Wireless Technologies

10 Dec 2013

For Visa Europe Confidential. This information is not intended, and should not be
construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities.

Secure mobile payments: getting the balance right

Richard Martin, Payment System Security, Visa Europe

7 September 2013, Royal Holloway University of London

Mobile POS & Acceptance

Visa Europe in figures:

- Owned and operated by over 3,745 European member banks
- In October 2007 Visa Europe became independent of the new global Visa Inc. with an exclusive, irrevocable and perpetual licence in Europe
- Almost 466 million Visa cards have been issued in Europe
- In the 12 months ending September 2012 point of sale spending totalled over 1.3 trillion
- Fraud continues to decline and has fallen to 40 in every 10,000 as at September 2012 (0.04%)



European commerce is changing (infographic; figures as extracted, labels only partly recoverable): 1 in every 6; 50% of Visa transactions; consumer spend on Visa cards; 25% Visa spend; e-commerce +200% vs face-to-face; mobile by 2020; 1 in every 6.75 Visa cards in Europe contactless.


Striking the balance: Acquirers, Issuers, Cardholder, Merchants


The Visa Europe Payment System Risk Strategy

- Focus our protection efforts on residual risks
- Design solutions that are secure from the outset
- Reinvigorate the data security debate
- Understand the level of complexity
- Provide cost effective solutions for all stakeholders

For data security to be meaningful, it must be applied sensibly.

A security and compliance policy that relies on a single solution, a single approach, and a single correct answer, is not likely to succeed in its objectives.


Manage Evolving Risks

Enhanced Authentication, Data Devaluation, Data protection

- Protect cardholder data
- Continue deployment and use of robust authentication platforms: key to the stability of the payment systems of the future
- Protect cardholder data by limiting its availability
- Visa Europe instrumental in defining global practices for complementary security technologies
- Additional protection required for data which can be reused and cannot be devalued
- The Payment Card Industry Data Security Standard (PCI DSS) has been fundamental in raising awareness and fighting fraud


Visa’s mobile payment services

- Contactless: Visa Paywave for Mobile. Use a mobile device to shop conveniently, quickly and securely in a face-to-face environment.
- Person to Person: Visa Personal Payments. Send money from a Visa card to any Visa card, anywhere in the world, using mobile phone number or PAN.
- Mobile POS


Making payments vs. Accepting payments

Making payments: a Cardholder uses her phone to:
- Enter her card details into a web form
- Store her card details (or a token) in a wallet
- Store her card details on a secure element (e.g. contactless)

Accepting payments: a Merchant uses his phone to:
- Accept and process payments from customers
- He will handle many card payments from many customers


Threat Axes and Vulnerabilities

Over the channel:
- SMS / USSD
- Voice
- Data: GPRS / Wifi / Bluetooth…

Embedded:
- Operating System
- Hidden processes and applications

The Owner:
- User behaviour
- User interface
- Complexity
- User awareness
- Mobile registration and ownership

Mobile Network Provider


Recent news

- 76% of Android malware profit motivated (Q1 2013)
- HTML5 Framework hacks
- Android Security Squad and Bluebox Security “Master Key” attacks
- SIM hack, Security Research Labs





What exactly are we trying to protect?

Basically any data whose theft or modification could cause financial or reputational harm to Visa, its Members and users.

Key assets at risk:
- Cardholder data (CHD): PAN, Expiry date, CVV, CVV2
- Sensitive authentication Data: PIN, cryptograms


Q. What can we do to secure the mobile phone?
A. Not a lot

- Issuers and acquirers need to cater for hundreds of millions of cardholders and millions of merchants
- Mobile Device Management?
- User policies: enforced AV, restrictive Ts & Cs?
- Enforce certification of handsets against security standards?
- The reality is that card issuers and acquirers will need to take mobile devices as they come
- Our security strategy must take this into account


Innovation with tradition

Criteria for mobile POS & acceptance:
- Benefits for all
- Visa Trusted Brand: familiar & trustworthy
- User experience
- Honour all cards: chip & magstripe
- Security: lowering standards would threaten the system


Visa Europe’s position on mobile acceptance devices

Diagram labels: Secure Hardware Accessory; Mobile environment; Processor / Point of Decryption. Protected in line with Visa’s Encryption & Tokenisation Guidelines.


Mobile solutions not permitted by Visa Europe (1/4)

Software only solutions with no hardware accessory:
- App downloaded on merchant phone
- Card data keyed on merchant phone
- Transactions processed as e-comm or MOTO

“App” with manual key entry of card data on merchant owned mobile device:
- Entry of data on a merchant mobile device cannot be PCI certified at this time
- This also includes PIN entry


Mobile solutions not permitted by Visa Europe (2/4)

Hardware accessory with a magstripe only reader (used with a merchant owned mobile device)

Solutions with a magstripe only reader:
- no chip reader
- no PIN pad
- transactions sent as a magstripe transaction or as MOTO or e-comm transactions

Europe is a region where chip is required so this type of solution is not suitable.




Mobile solutions not permitted by Visa Europe (3/4)

Hardware accessory with a chip reader but no PIN pad (used with a merchant owned mobile device)

- PIN pad required in Europe so this solution is not suitable
- “Honour All Cards” is a must
- Key entry of card data on a merchant phone not permitted: magstripe support required

Solutions with a chip reader:
- no PIN pad
- with or without magstripe
- transactions sent as chip transactions


Mobile solutions not permitted by Visa Europe (4/4)

Contactless only acceptance:
- An acceptance device must “Honour All Cards”
- As not all cards support contactless, it is not possible at this time to allow contactless only devices


Two mobile acceptance solutions permitted (1/2)

For Visa Europe internal use only

Hardware accessory with chip, magstripe & PIN pad (merchant owned mobile device):
- Chip & PIN must be supported
- Magstripe must be supported
- Contactless optional but recommended
- Key entry of data on secure PED allowed when no other option
- Physical (audio jack, mini USB etc.) or Bluetooth connection to mobile device
- Security is ensured by PCI SRED (Secure Read Exchange Data) and point-to-point encryption

or


Anatomy of mobile card reader security

Security standards:
- PCI PIN Transaction Security (PCI PTS)
- Secure PIN entry
- Device hardened against physical & logical hacking
- Encryption
- SRED* module

* SRED = Secure Read and Encryption of Data. SRED is a hardware module for secure key storage & encryption functions.


Processor/acquirer system: PCI DSS compliant environment

Diagram components: SRED; Telco / ISP; HSM; Secure host.

Encryption on the reader removes the mobile device from the key areas of risk.

Mobile solutions permitted by Visa Europe (2/2)

Software based solution / M-commerce app (cardholder mobile device):
- Card details never entered on merchant mobile device
- Secure if back end, registration process and permission to use protected
- Refer to Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, published in Sept. 2012: http://www.visaeurope.com/ais



Benefits

- Consistent and familiar experience for cardholders and merchants
- Increased likelihood that cardholders and merchants will use mPOS
- Maintains and reinforces the trust in the brand
- Maintains Visa’s security profile
- Ensures that an exciting new method of payment starts secure
- Bringing new players to market
- Innovative new ideas and concepts
- Reduced costs


Working with industry providers

Infographic figures as extracted: mPOS solutions; 10; European markets; 7; live implementations; 200k+ merchants by 2014.

- Mobile devices allowing low cost and easy access payments
- Balancing security and integrity with ease of deployment


Thank you