A company profile
Company Profile
ArcaTech Systems
The Company
ArcaTech Systems is a privately owned, US-based company that specializes in providing its customers a comprehensive range of products and services for automating cash handling and transactional operations.
Strategically located near North Carolina’s Research Triangle Park, ArcaTech Systems began in 1998 as a distributor of OEM cash dispenser mechanisms to manufacturers in the ATM, banking, gaming and kiosk industries. The company operates from a fully functional, modern 40,000 sq. ft. facility where it is headquartered and houses engineering, design, manufacturing, integration services, sales/marketing, technical and sales training, and warehousing. The company also has a sales office in Dundee, Scotland, and a warehouse in Germany.
Today, the company offers a broad range of transactional products, third party options, proprietary software, service/support and consulting.
ArcaTech Systems
Multi-dimensional
• Distributors of high end components and parts for the banking and finance community.
• Integrators and providers of innovative cash handling solutions.
• Providers of OEM (Original Equipment Manufacturer) transactional products for Self-Service, Kiosk, and point of sale.
• Technical integration specialists.
• Consulting and advisory services for transaction automation
• Full Service and support including technical services.
ArcaTech Systems
Vision
• To continuously strive to bring innovative, best-of-breed, transactional solutions that offer efficiency and cost effectiveness to banking, self-service and kiosk market spaces.
• To deliver new ideas and be in the forefront of technological development.
• To provide the best customer experiences in our industry.
• To deliver the best technical support through highly skilled professionals.
ArcaTech Systems
Core Markets
• Banking & finance
• Self-service
• Retail
ArcaTech
Product Overview
OEM Products
• Bill Dispensers
• Check scanners
• Card readers
• Card printers
• Multi-function products
• Triple DES PIN Pads
• Accessories
• Power supplies
Systems
• Cash recyclers
• Cash dispensers
Software
• Diagnostic tools
Parts
• Cable assemblies
• Spare parts
• Safe Enclosures
• Security fixtures
Desktop Products
• Coin Dispensers
• Check Scanners
Consulting/advisory
• Custom Systems
• Integration Software
• Hardware Selection
Sagem Denmark
World Leader in Secure PIN Verification
• Located in Denmark, Copenhagen
• 110 Employees
• 3 Strategic Business Areas within Secure Payment Solutions:
  – Point of Sales Terminals
  – Encrypting PIN pads for ATM machines
  – Unattended Payment solutions
• Secure Facility Center for Key Load and Personalisation
• ISO9001:2000 Certified Quality Assurance System
• Subsidiary of Sagem Defense & Security Division
• Appointed SAFRAN Group Competence Center for Secure Payment Solutions
About Sagem Denmark
History
1984 2005
More than 20 years experience in Secure PIN Entry
SAFRAN Group at a glance
• World leading High Technology Group
• 10 billion Euro turnover in 2004*
• 56,200 employees in 30 countries
• Four main business areas:
  – Propulsion
  – Communication
  – Equipment
  – Defense & Security (Sagem Denmark)
* Pro forma, French accounting standards, non-audited
SAFRAN Group in the world
SAFRAN - Security Activities and Products
Multi-biometric identification systems (fingerprints, iris and face recognition)
Identity systems
Cards and certification (bank, healthcare, etc…)
Counter-crime
Payment Terminals
Encrypting PIN Pads for ATM Machines
Unattended Payment Solution
Lottery Machines
Healthcare card terminals
Encrypting PIN pads
OEM PIN pads for:
- ATMs (automatic teller machines)
- Unattended Payment Solutions
- 3DES upgrade market
- Visa PED / PCI approved
Unattended Payment Solutions
• For:
  – Gas Stations
  – Ticket Vending Machines
  – Parking systems
  – Kiosk solutions
  – Gaming Machines
• PIN pads with or without display
• Secure Card Readers (OEM)
• Generic Payment application
• Universal Controller Module
Flexi POS terminal - Key Features
• For integration in the Point-of-Sales environment
• Interactive Merchant Assistance
• Focus on user-friendliness
• Ideal for High Traffic Environments
• Focus on High Security
• Quick EMV Processing (HW crypto-MPU)
• EMV approved
Presentation
Key Issues in Secure Electronic Payment
Key Issues in Secure Electronic Payment
• Setting the Scene - Basic Card Transaction
• Risks of Fraud
• Adding Online PIN Verification - How does it work?
• Security Requirements for PIN Entry Devices
• The EMV Chip-card Solution (Europe, Asia)
Electronic Payment - Actors and Flow
[Diagram: Cardholder, Merchant, Acquirer and Issuer, with the flows labelled Card, Funds, and Goods, services]
Electronic Payment - The Payment Card
Cardholder
Issuer/Bank - Account
The card represents the account
Different card technologies:
• Magnetic Stripe
• Contactless
• EMV Chip (Europe)
Cardholder Verification Methods:
• None
• Signature
Not ideal for self-service!
Risks of Fraud - without PIN
• “Never been there, never done that”
  – The simplest kind - Technical Solutions may assist in liability delegation
  – Requiring a signature is not ideal in self-service situations
• Stolen Cards
  – It is a risk if anybody can use the card
• Copied Cards
  – This risk is even higher, since the cardholder may not be alarmed
• Forged Cards
  – Variant of a copy card in the magnetic stripe world
  – Data readily available, internet etc.
  – Issuers set new requirements for data security
Electronic Payment - Adding PIN Verification
Cardholder
Card
PIN: 4532
Cardholder Verification Method:
• PIN
Works well with self-service!
Electronic Payment - PIN Verification Characteristics
• Advantages
  – It can be handled securely - in encrypted form
  – It can be checked securely - even in self-service
  – The verification is precise and unambiguous
• Disadvantages
  – If disclosed it is very easy to copy, pass on and misuse
  – The required security issues add cost to equipment
  – The requirements and approval add complexity
Electronic Payment - Elements of Security
• On-site Physical Security
  – Tamper protection
  – Privacy Screen
• Production, Personalization and Maintenance
  – Approved Hardware and Software
  – Secure Loading of Encryption Keys
• Logical Security
  – Approved Encryption Algorithm (3DES)
  – Approved Security Scheme and Key Hierarchy
BOTH are equally important!
Neither will work without the other
Cardholder
Online PIN Verification - Physical Security
Encrypted PIN is transferred to bank for verification
PIN-pad
Cardholder enters PIN
Tamper Responsive Enclosure
PIN is encrypted using a designated key and encryption algorithm (3DES)
Important: Privacy during PIN entry has to be protected!
Acquirer
Online PIN Verification - Personalization
Master Encryption key is loaded in a secure manner, typically as two key halves
PIN-pad
Cardholder enters PIN
Tamper Responsive Enclosure
Acquirer/Bank provides Master keys for PIN-pads
Important: Privacy during PIN entry has to be protected!
Acquirer
Online PIN Verification - Key Hierarchy
The key hierarchy and implemented algorithms ensure that keys can be exchanged and shared between PIN pad and host
PIN-pad
Tamper Responsive Enclosure
Important: PIN Encryption Key for the session is derived or exchanged when needed
The PIN encryption key is used only once
Acquirer
Electronic Payment - Principle of Online PIN
Acquirer
Cardholder
Issuer
Card
Funds
Kiosk
Cardholder enters PIN
PIN is Encrypted
Encrypted PIN is sent to issuer for verification
Risks of Fraud - Benefits of PIN Verification
• Stolen Cards
• Copied Cards
• Forged Cards
  – For all of these the risk is reduced, since the PIN has to be obtained
• “Never been there, never done that”
  – Depending on legislation, the PIN may help settle the liability
  – No system is flawless - misuse is still a possibility
• Attempts of PIN Disclosure
  – This is now the main issue! Security is needed!
  – Card Issuers set Requirements (PCI PED)
Security Requirements for PIN Entry Device
Two sets of PCI PED requirements exist:
• Online PIN
  – Involves acquirer encryption key requirements
  – Keys and operations need to be kept safe
• Offline PIN (Currently not applicable in the US)
  – Chip card reader is part of the security
  – Devices for unattended use need removal detection and a procedure for authorised activation of the device after installation
PCI = Payment Card Industry
PED = PIN Entry Device
MasterCard and Visa have set common requirements for security in the PCI PED documents (previously Visa PED)
Visa/PCI PED Compliance - Found on Visa Web-site
Presentation
Secure Electronic Payment outside US
EMV Chip Cards
EMV Chip cards (the Card used in Europe etc.)
• EMV is Europay, MasterCard and Visa
  – (Originally, now others have joined)
• In order to reduce the very high fraud level in Europe and introduce chip card technology in electronic payment these issuers introduced the EMV chip card specification
• Roll-out has started in Europe and is planned in Asia, South America and Africa.
• Controlling body is EMVCo
• All cards and payment devices have to be approved by EMVCo in order to ensure global acceptance of cards.
Traditional Card Transactions
Magnetic Stripe Card
Information is read FROM the card
• “Magnetic Track 2” is read
• Contains 40 characters
• Primary Account Number (PAN)
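Added illustration (not part of the original slides): a small Python parser for the Track 2 record the slide describes, showing that everything a terminal reads from a magnetic stripe is one short static string, and how to validate it and mask the PAN before it reaches a log. The field layout follows ISO/IEC 7813; the sample record, the assumption that the reader has already stripped the LRC, and all names are constructed for this example.

```python
import re
from dataclasses import dataclass

MAX_TRACK2_LEN = 40  # the slide's figure for Track 2, sentinels included

# Layout per ISO/IEC 7813: ;PAN=YYMM + 3-digit service code + discretionary data?
# Assumption: the reader has already checked and stripped the trailing LRC.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_present(self) -> bool:
        # Service codes starting with 2 or 6 mark a card that also carries a chip.
        return self.service_code[0] in "26"

    def masked_pan(self) -> str:
        # First six and last four digits only: the form that belongs in logs.
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def luhn_ok(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.fullmatch(raw) if len(raw) <= MAX_TRACK2_LEN else None
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    pan, yy, mm, service, disc = m.groups()
    if not 1 <= int(mm) <= 12 or not luhn_ok(pan):
        raise ValueError("bad expiry month or PAN check digit")
    return Track2(pan, yy + mm, service, disc)


# Constructed sample built on the public test PAN 4111 1111 1111 1111.
SAMPLE = ";4111111111111111=30121010000000123?"
```

Nothing in the record changes between reads, which is why the PIN and, later, the chip's own keys are needed to tie a transaction to the genuine card and cardholder.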
Contactless
Contactless Card
EMV Chip cards - Card Interface
Card
EMV Card
Issuers
EMV Cards communicate in both directions!
Security Benefits of EMV
• Card Authentication
  – Aims to prevent false and copied cards
  – Two methods available: Static or Dynamic Data Authentication
• Secure Transaction Signing
  – Keys in the card can “sign” the transaction
• Risk Management (using parameters in card and terminal)
  – Methods to reduce and detect fraud
• Cardholder Verification (if PIN is used)
  – PIN checking verifies that the card belongs to the customer and that the customer has “signed” the purchase (even offline)
Offline PIN Verification - An EMV Card Benefit
PIN is transferred
PIN-pad EMV Card Reader
Result: OK / Failed
Cardholder enters PIN
EMV Payment Card
For cards using SDA, the PIN is in clear text!
RISK!
Tamper Protected Enclosure
One important issue!
Chipcard Interface Module (IFM)
Payment Chipcard (EMV)
Cardreader
• Chip can store lots of data, many KBytes
• Chip may hold one or more applications
• Data can be read AND written
• Data are organised in files
• Communicates through serial command protocol
EMV Level 1 Approved!
EMV Payment Applications
Payment Chipcard (EMV)
EMV Payment Application (software)
Tasks handled:
• Application Selection
• Read Application Data
• Data Authentication
• Processing Restrictions
• Cardholder Verification
• Terminal Risk Management
• Terminal Action Analysis
• Card Action Analysis
• Script Processing
• Transaction Completion
EMV Level 2 Approved!
EMV Compliance - Found on EMVCo Web-site
Level 1
Level 2
www.emvco.com
Thank you for your attention!
Questions, please?