
Security at POS

Arnaud ROY

Solutions Manager & Regional Security Officer

Europe SEPA Region

Agenda

Usage trends at POS

Security at POS: from PED to POI approach

Standardization and certifications

ETSI – Sophia Antipolis - Security at POS – July 2nd, 2014

1 Usage trends at POS

The consumer jeopardizes the traditional sales process...

91% of consumers get product information online (food excluded) before buying in store

50% of consumers have already given up buying in store because of queue time

73% of French smartphone owners have already used it to compare prices

59% of consumers think that "brick & mortar" retailers provide the best advice

40%: satisfied mobile customers report being 40% more likely to buy from other channels of the same company

[Figure: channels around the consumer: Social Net., TV, Print, Stores, Online]

90% of retailers have an e-commerce activity

...The retailer is then completely changing the way it interacts with consumers and finalizes orders, which creates new risks for sensitive data...

[Figure: the same channels (Social Net., TV, Print, Stores, Online) joined into one cross-channel (xChannel) path]

Click (book/pay online) and collect in store

Refund web transactions in store

Payment upon delivery

Subscribe to a service in store, charged periodically to your card

Register in store for web use (Store to TV & Store to 1-click)

The 1-click payment process allows real-time in-store payment & collection

The online store "redirection" when goods are not available in store

[Figure categories: Web to store, Store to web, Web in store]

But things are now changing very quickly

QR codes & mobile wallets as a means of payment

Cross-channel is mandatory to answer consumers' needs

ECR environments are evolving and sometimes becoming mobile

Contactless (CL) cards & mobile NFC as a means of payment

The point of payment is becoming a point of services for the merchant's benefit: business apps, extra-sales apps

EPSM meeting - 24/06/2014

Approach to design new POS

New features: Plug & Pay, appealing design, high performance, friendly user interface, connected & multimedia, mobile

Always more security

Provide highly secure payment solutions in line with consumer and usage needs

Technology evolutions and new payment means introduce new threats

From a secure PED...
• Protect the integrity of the POS device (hardware and software)
• Protect the acquirer keys and the cardholder PIN code

...to a secure POI
• Integrity of the POS all along its life cycle (manufacturing, field, maintenance, destruction)
• Protection of all cardholder sensitive data:
  > Primary Account Number (PAN)
  > Cardholder name
  > Service code
  > Expiration date
  > CAV2/CVC2/CVV2/CID
  > PINs/PIN blocks
  > Full magnetic stripe data or equivalent
• Secure services: open protocols (IP), SRED, P2PE, ...

2 From PED to POI security

PED Hardware Security

Tamper resistance, evidence and responsiveness

Evidence: any attack shall be obvious to the end user

Responsiveness: on intrusion detection, immediate and automatic erasure of secrets (keys, data)

Some counter-measures:

Intrusion: prevent an attacker from accessing sensitive data or implanting a bug (tap)

Monitoring: power, sound, electro-magnetic emissions; counter-measures against DPA and other side-channel attacks

Secure cryptographic processor, protected memory, ...

Protection of the payment interfaces: magnetic card reader, contact card reader, contactless card reader, keyboard and display

PED Software Security

Secure implementation and execution

PED integrity and authenticity: periodic testing of system integrity (operating system, applications, keys, ...)

Protection against logical anomalies: wrong parameters, unexpected command sequences, buffer overflows, ...

Key management: secret keys protected by the crypto-processor, secure implementation of standards, counter-measures on all cryptographic algorithms

Protection of displayed data and keyboard input

Best code development practices

Documented and auditable development process

Dual control for access to sensitive PED services
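The PED's PIN-handling step, as an added Go example that is not the presentation's or any vendor's code: the entered PIN is formatted into an ISO 9564-1 format 0 PIN block (the ISO "PIN block format" the standards slide refers to), which XORs the PIN field with the twelve rightmost PAN digits so the block is bound to the card, and the block is then enciphered under a triple-DES PIN encryption key so the PIN never leaves the device in clear. The PIN, PAN and 16-byte key are constructed test values; in a real PED this runs inside the tamper-responsive boundary, the key is injected at key loading and never leaves the cryptographic processor.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return s != ""
}

// panField: 0000 + the twelve rightmost PAN digits, excluding the Luhn check digit (ISO 9564-1).
func panField(pan string) ([]byte, error) {
	if !allDigits(pan) || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// iso0PinBlock builds a format 0 PIN block: the PIN field (control nibble 0, PIN length,
// PIN digits, 'F' padding to 16 hex digits) XORed with the PAN field. The XOR binds the
// block to the card, so the same PIN on two cards gives two different blocks.
func iso0PinBlock(pin, pan string) ([]byte, error) {
	if !allDigits(pin) || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	panBytes, err := panField(pan)
	if err != nil {
		return nil, err
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pinBytes, _ := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinBytes[i] ^ panBytes[i]
	}
	return block, nil
}

// pinFromIso0Block is the host/HSM side: undo the PAN XOR, then parse and validate the
// PIN field. Decoding against the wrong PAN fails the checks instead of yielding a PIN.
func pinFromIso0Block(block []byte, pan string) (string, error) {
	panBytes, err := panField(pan)
	if len(block) != 8 || err != nil {
		return "", errors.New("bad PIN block or PAN")
	}
	pf := make([]byte, 8)
	for i := range pf {
		pf[i] = block[i] ^ panBytes[i]
	}
	s := strings.ToUpper(hex.EncodeToString(pf))
	n := int(pf[0] & 0x0F)
	if s[0] != '0' || n < 4 || n > 12 {
		return "", errors.New("not a well-formed format 0 PIN block")
	}
	pin := s[2 : 2+n]
	if !allDigits(pin) || strings.Trim(s[2+n:], "F") != "" {
		return "", errors.New("PIN field malformed (wrong PAN or corrupted block)")
	}
	return pin, nil
}

// newPEK expands a double-length (16-byte) TDES PIN encryption key to the K1|K2|K1 form crypto/des expects.
func newPEK(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("double-length TDES key expected")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
}

// tdesPinBlock enciphers (decrypt=false) or deciphers one PIN block. A PIN block is exactly
// one TDES block, so ISO 9564 enciphers it as a single ECB block under the PEK.
func tdesPinBlock(pek cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, 8)
	if decrypt {
		pek.Decrypt(out, in)
	} else {
		pek.Encrypt(out, in)
	}
	return out
}

func main() {
	// Constructed demo values; a fixed key like this never appears in a real PED.
	pin, pan := "1234", "4000001234567899"
	pek, _ := newPEK([]byte("0123456789ABCDEF"))
	block, _ := iso0PinBlock(pin, pan)
	enc := tdesPinBlock(pek, block, false)
	fmt.Printf("clear block %X, encrypted %X\n", block, enc) // clear block 041234FEDCBA9876
	recovered, _ := pinFromIso0Block(tdesPinBlock(pek, enc, true), pan)
	fmt.Println("host recovered PIN:", recovered)
}
```

TDES with a static key is used here because it is the smallest complete instance of the format; ISO 9564-1 also defines an AES-based format 4, and deployed PEDs use a unique key per transaction (ANSI X9.24 DUKPT) rather than one static PEK, which is the key-management side the slide leaves to the standards.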


Point of Interaction

Security protection of IP communications (open protocols): secure implementation of IP protocols, vulnerability assessment

Secure Reading and Exchange of Data (SRED): low-level features to protect cardholder data (encryption of magnetic-stripe, contact and contactless data as it is read)

Secure life cycle: secure personalization of the POI (software loading, initial key loading), repair

New services for terminal estate management: software loading and update monitoring, remote key downloading, asset tracking at all stages of the life cycle (factory, deployment, field, repair, destruction)
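The periodic integrity and authenticity test from the software-security slide, and the signed software loading it depends on, as an added Go example that is not the presentation's or any vendor's code: a manifest listing each loaded component with its SHA-256 digest is signed with the vendor's Ed25519 loading key; the device verifies the signature before trusting any digest, re-hashes what is actually loaded, and refuses service if a component differs, is missing, or is not in the manifest at all. The component names, images and key seed are constructed for the example; a real terminal keeps the public key in protected storage and the private key in the vendor's signing facility.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest lists every loaded component with the SHA-256 of its image.
type Manifest struct {
	Version string
	Digests map[string]string // component name -> hex SHA-256
}

// canonical renders the manifest deterministically (sorted by name) so that the
// signer and the verifier sign and verify exactly the same bytes.
func (m Manifest) canonical() []byte {
	names := make([]string, 0, len(m.Digests))
	for n := range m.Digests {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	fmt.Fprintf(&b, "version=%s\n", m.Version)
	for _, n := range names {
		fmt.Fprintf(&b, "%s=%s\n", n, m.Digests[n])
	}
	return []byte(b.String())
}

func digest(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// buildManifest is the vendor's loading station: hash each image, then sign the manifest.
func buildManifest(version string, images map[string][]byte, signKey ed25519.PrivateKey) (Manifest, []byte) {
	m := Manifest{Version: version, Digests: map[string]string{}}
	for name, img := range images {
		m.Digests[name] = digest(img)
	}
	return m, ed25519.Sign(signKey, m.canonical())
}

// verifyEstate is the device's periodic self-test: signature first, then every loaded
// image must match its manifest digest, and every manifest entry must be present.
func verifyEstate(pub ed25519.PublicKey, m Manifest, sig []byte, loaded map[string][]byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("manifest signature invalid: no digest can be trusted")
	}
	for name, img := range loaded {
		want, ok := m.Digests[name]
		if !ok {
			return fmt.Errorf("component %q is not in the signed manifest", name)
		}
		if digest(img) != want {
			return fmt.Errorf("component %q digest mismatch", name)
		}
	}
	for name := range m.Digests {
		if _, ok := loaded[name]; !ok {
			return fmt.Errorf("component %q listed in manifest but missing", name)
		}
	}
	return nil
}

func main() {
	// Constructed example: a fixed seed and toy images stand in for the vendor key and firmware.
	priv := ed25519.NewKeyFromSeed([]byte("example-seed-do-not-use-in-prod!"))
	pub := priv.Public().(ed25519.PublicKey)
	images := map[string][]byte{
		"os":      []byte("kernel image v7"),
		"payment": []byte("EMV kernel + PIN entry app"),
	}
	m, sig := buildManifest("7.1.0", images, priv)
	fmt.Println("clean estate:", verifyEstate(pub, m, sig, images))
	images["payment"] = []byte("EMV kernel + PIN entry app + skimmer")
	fmt.Println("tampered app:", verifyEstate(pub, m, sig, images))
}
```

The order of the checks is the point: the digests are only meaningful once the signature over the whole manifest has been verified, so an attacker who can rewrite a digest alongside the image they replaced still fails at the first step, and a component that is loaded but unlisted is rejected rather than silently ignored.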


Cardholder data protection

P2PE: Point-to-Point Encryption

Cardholder data are handled by complex systems:

Transmission through open networks

Storage (if permitted) at various locations

Data exchanges take place between several parties

Numerous actors are involved in any single solution

More and more value-added services

Solutions may offer different levels of security

Each system that can access plaintext data is subject to certification

[Figure: P2PE chain PIN pad > POS > back-office server > payment server > acquirer. Labels in the figure: Encryption, Decryption, Key Management, PTS (at both ends), cardholder data environment for merchants, cardholder data environment for gateway.]
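The encryption/decryption split in the figure, as an added Go example that is not the presentation's or any vendor's code: the PTS device seals the account data with AES-256-GCM under its data encryption key before anything reaches the POS, and binds the terminal identifier, transaction counter and masked PAN into the authenticated data, so the merchant systems that relay the envelope can read the routing fields but can neither recover nor alter the PAN; only the decryption environment holding the key opens it. The key, terminal ID and card data are constructed values; a real P2PE solution derives a unique key per transaction from an injected base key (ANSI X9.24 DUKPT, not shown here) rather than using one static key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// AccountData is what the reader captures inside the PTS device.
type AccountData struct {
	PAN, Expiry, Track2 string
}

// Envelope is what leaves the device: the clear fields are all the POS, ECR and
// back-office ever see; everything sensitive is inside Ciphertext.
type Envelope struct {
	TerminalID string
	Counter    uint32
	MaskedPAN  string // first 6 / last 4, the most a merchant system may keep
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over "PAN;Expiry;Track2"
}

func maskPAN(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// aad binds the clear routing fields to the ciphertext: a relay that rewrites
// any of them (re-pointing the envelope at another terminal, say) breaks the tag.
func (e *Envelope) aad() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", e.TerminalID, e.Counter, e.MaskedPAN))
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	if len(dek) != 32 {
		return nil, errors.New("AES-256 data encryption key expected")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// poiSeal is the SRED step inside the PTS-approved device: plaintext account data exists only here.
func poiSeal(dek []byte, terminalID string, counter uint32, d AccountData) (*Envelope, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	e := &Envelope{TerminalID: terminalID, Counter: counter, MaskedPAN: maskPAN(d.PAN)}
	e.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(e.Nonce); err != nil {
		return nil, err
	}
	e.Ciphertext = gcm.Seal(nil, e.Nonce, []byte(d.PAN+";"+d.Expiry+";"+d.Track2), e.aad())
	return e, nil
}

// merchantExposed reports whether the full PAN can be read from anything the merchant
// systems relay: the clear fields or the raw ciphertext bytes.
func merchantExposed(e *Envelope, pan string) bool {
	return strings.Contains(e.MaskedPAN, pan) || bytes.Contains(e.Ciphertext, []byte(pan))
}

// decryptionOpen runs only in the certified decryption environment, the one place
// holding the DEK and therefore the one place where the full PAN is in scope.
func decryptionOpen(dek []byte, e *Envelope) (AccountData, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return AccountData{}, err
	}
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, e.aad())
	if err != nil {
		return AccountData{}, errors.New("envelope rejected: tampered or wrong key")
	}
	p := strings.SplitN(string(plain), ";", 3)
	if len(p) != 3 {
		return AccountData{}, errors.New("malformed account data")
	}
	return AccountData{PAN: p[0], Expiry: p[1], Track2: p[2]}, nil
}

func main() {
	// Constructed key and card data; a real solution uses a per-transaction key.
	dek := []byte("0123456789abcdef0123456789abcdef")
	card := AccountData{PAN: "4000001234567899", Expiry: "2712", Track2: "4000001234567899=2712101"}
	env, _ := poiSeal(dek, "T-00042", 17, card)
	fmt.Printf("merchant sees %s, PAN exposed: %v\n", env.MaskedPAN, merchantExposed(env, card.PAN))
	back, err := decryptionOpen(dek, env)
	fmt.Println("decryption environment:", back.PAN, err)
	env.TerminalID = "T-99999" // a relay rewriting routing fields gets rejected
	_, err = decryptionOpen(dek, env)
	fmt.Println("after tampering:", err)
}
```

This is what "reduce merchant PCI DSS scope" means in practice: the store and back-office systems hold only the masked PAN and an envelope they cannot open or modify without detection, so the certification burden for plaintext data moves to the decryption environment that holds the key.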

3 Security Standards and Certifications

International Security Standards

International standardization initiatives:

ANSI X9: key management, key exchange, ...

NIST: cryptographic algorithms, security recommendations, ...

ISO: PIN block format, key management, ...

PKCS: RSA padding, key wrapping, ...

FIPS: HSM security levels, security libraries, ...

RFC: communication protocols, message formats, ...

Up to date, pragmatic, worldwide acceptance

Not dedicated to the payment industry (except ANSI X9)

Not unified around a few solutions but open toward various industry needs

A lot of different mechanisms, algorithms and protocols to assess

Payment Card Industry Security Standards Council (PCI SSC)

Dedicated to the payment industry

Based on other standards but adapted to payment industry constraints

Founded by the five major global payment brands

Provides a coherent reference set of security requirements

PCI security requirements do not supersede local regulations: APACS (UK), DK (D), APCA (AU), ABECS (BR), ...

PCI PTS: focused on terminal security features

Core Requirements (physical and logical security)

POS Terminal Integration Security Requirements

Open Protocols

Secure Reading and Exchange of Data (account data protection)

Device Management Security Requirements

Certified PCI PTS devices offer strong security guarantees

SEPA standardization

Standardized implementation specification of security requirements, "compliant" to the EPC Volume / Book of Requirements

Standardized evaluation methodology: ISO 15408 Common Criteria (CC)

CC certification scheme: http://www.sogisportal.eu/

CPS independent, established certification scheme of eligible certification bodies and accredited laboratories, linked to governmental bodies: ANSSI, BSI, CESG, NLNCSA, (OCSI, CCN, ...)

PCI P2PE Standard

PCI DSS applies to all entities involved in payment card processing: merchants, processors, acquirers, issuers, service providers, and other entities that store, process or transmit cardholder data

P2PE: a standard for end-to-end protection that reduces the merchant's PCI DSS scope. It covers:

Encryption device management

Application security

Encryption and decryption environments

Key management

Extensively based on other PCI standards:

Key-management practices are derived from PCI PIN Security

POI devices must meet PIN Transaction Security (PTS)

Applications on POI devices meet requirements derived from PA-DSS

The decryption environment is PCI DSS compliant

4 Conclusion


Conclusion

Security is not a constraint but a key feature that guarantees confidence in the payment ecosystem.

POS vendors provide a trusted and secure payment platform:

Strong protection of the hardware interfaces: magnetic stripe reader (MSR), smart card reader (SCR), contactless (CTLS), display and keyboard

Strong security mechanisms and services to protect assets

Secure life cycle: manufacturing, application & key loading, field, repair

The P2PE standard provides an end-to-end solution to protect cardholder data

POS are independently certified and meet international security standards, including EMV contact and contactless.

The main impact of security on innovation is time to market. Our challenge is to provide a safe environment while supporting innovation.

Beyond time to market, most of today's security rules can also be turned into new business services.

Thank you. Questions?

Contact: [email protected]