Secure mobile payments - Information Security Group

Secure mobile payments
getting the balance right
Royal Holloway University of London
Richard Martin
Payment System Security
Visa Europe
7 September 2013
For Visa Europe Confidential. This information is not intended, and should not be
construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities.
Visa Europe
• Owned and operated by over 3,745 European member banks
• In October 2007 Visa Europe became independent of the new global Visa Inc. with an exclusive, irrevocable and perpetual licence in Europe
• Almost 466 million Visa cards have been issued in Europe
• In the 12 months ending September 2012 point of sale spending totalled over €1.3 trillion
• Fraud continues to decline and has fallen to €40 in every €10,000 as at September 2012 (0.04%)
European commerce is changing
• €1 in every €6.75 of consumer spend is on Visa cards
• 1 in every 6 Visa cards in Europe is contactless
[Infographic: figures of 50% and 25% relating to Visa spend and the share of Visa transactions; e-commerce growth of +200% vs face-to-face; mobile by 2020]
Striking the balance
[Diagram: the four stakeholders to balance - Acquirers, Issuers, Merchants, Cardholder]
The Visa Europe Payment System Risk Strategy
• Focus our protection efforts on residual risks
• Reinvigorate the data security debate
• Design solutions that are secure from the outset
• Provide cost effective solutions for all stakeholders
• Understand the level of complexity
For data security to be meaningful, it must be applied sensibly.
A security and compliance policy that relies on a single solution, a single approach, and a single correct answer, is not likely to succeed in its objectives.
Manage Evolving Risks
Three pillars: Enhanced Authentication, Data Devaluation, Data Protection
• Protect cardholder data
• Continue deployment and use of robust authentication platforms - key to the stability of the payment systems of the future
• Protect cardholder data by limiting its availability
• Visa Europe instrumental in defining global practices for complementary security technologies
• Additional protection required for data which can be reused and cannot be devalued
• The Payment Card Industry Data Security Standard (PCI DSS) has been fundamental in raising awareness and fighting fraud
Visa’s mobile payment services
• Contactless - Visa payWave for Mobile: use a mobile device to shop conveniently, quickly and securely in a face-to-face environment
• Person to Person - Visa Personal Payments: send money from a Visa card to any Visa card, anywhere in the world, using mobile phone number or PAN
• Mobile POS
Making payments vs. Accepting payments
Making payments - A Cardholder uses her phone to:
• Enter her card details into a web form
• Store her card details (or a token) in a wallet
• Store her card details on a secure element (e.g. contactless)
Accepting payments - A Merchant uses his phone to:
• Accept and process payments from customers
• He will handle many card payments from many customers
Threat Axes and Vulnerabilities
Threat Axes:
• Over the channel:
– SMS / USSD
– Voice
– Data: GPRS / Wifi / Bluetooth…
• Embedded
• Mobile Network Provider
• The Owner
Vulnerabilities:
• Operating System
• Hidden processes and applications
• User behaviour
• User interface
• Complexity
• User awareness
• Mobile registration and ownership
Recent news
• 76% of Android malware profit motivated (Q1 2013)
• HTML5 Framework hacks
• Android Security Squad and Bluebox Security – “Master Key” attacks
• SIM hack, Security Research Labs
What exactly are we trying to protect?
Basically any data whose theft or modification could cause financial or reputational harm to Visa, its Members and users.
Key assets at risk:
• Cardholder data (CHD): PAN, Expiry date, CVV, CVV2
• Sensitive authentication Data: PIN, cryptograms
Q. What can we do to secure the mobile phone?
A. Not a lot
• Issuers and acquirers need to cater for hundreds of millions of cardholders and millions of merchants
• Mobile Device Management?
• User policies - Enforced AV, restrictive Ts & Cs?
• Enforce certification of handsets against security standards?
The reality is that card issuers and acquirers will need to take mobile devices as they come.
Our security strategy must take this into account.
Innovation with tradition
Criteria for mobile POS & acceptance:
• Honour all cards - chip & magstripe
• Security - lowering standards would threaten the system
• User experience - familiar & trustworthy
• Benefits for all
• Visa Trusted Brand
Visa Europe’s position on mobile acceptance devices
[Diagram: Secure Hardware Accessory → Mobile environment → Processor / Point of Decryption]
Protected in line with Visa’s Encryption & Tokenisation Guidelines
Mobile solutions not permitted by Visa Europe (1/4)
“App” with manual key entry of card data on merchant owned mobile device
• Software only solutions with no hardware accessory
• App downloaded on merchant phone
• Card data keyed on merchant phone
– transactions processed as e-comm or MOTO
• Entry of data on a merchant mobile device cannot be PCI certified at this time
• This also includes PIN entry
Mobile solutions not permitted by Visa Europe (2/4)
Hardware accessory with a magstripe only reader (used with a merchant owned mobile device)
• Solutions with a magstripe only reader:
– no chip reader
– no PIN pad
– transactions sent as a magstripe transaction or as MOTO or e-comm transactions
• Europe is a region where chip is required so this type of solution is not suitable
Mobile solutions not permitted by Visa Europe (3/4)
Hardware accessory with a chip reader but no PIN pad (used with a merchant owned mobile device)
• Solutions with a chip reader:
– no PIN pad
– with or without magstripe
– transactions sent as chip transactions
• PIN pad required in Europe so this solution is not suitable
• “Honour All Cards” is a must
– key entry of card data on a merchant phone not permitted: magstripe support required
Mobile solutions not permitted by Visa Europe (4/4)
Contactless only acceptance
• An acceptance device must “Honour All Cards”
• As not all cards support contactless, it is not possible at this time to allow contactless only devices
Two mobile acceptance solutions permitted (1/2)
Hardware accessory with chip, magstripe & PIN pad (merchant owned mobile device)
• Chip & PIN must be supported
• Magstripe must be supported
• Contactless optional but recommended
• Key entry of data on secure PED allowed when no other option
• Physical (audio jack, mini USB etc.) or Bluetooth connection to mobile device
• Security is ensured by PCI SRED (Secure Read Exchange Data) and point-to-point encryption
Anatomy of mobile card reader security
• Security standards
• PCI PIN Transaction Security (PCI PTS) SRED
• Secure PIN entry
• Device hardened against physical & logical hacking
• Encryption – SRED* module
* SRED = Secure Read and Encryption of Data. SRED is a hardware module for secure key storage & encryption functions
Encryption on the reader removes the mobile device from the key areas of risk
[Diagram: SRED reader → mobile device → Telco / ISP → Processor/acquirer system (PCI DSS compliant environment: secure host with HSM)]
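The flow on this slide, as an added example that is not part of the deck: a stdlib-only Python simulation in which the reader encrypts and authenticates card data, the phone relays an opaque blob, and only the simulated HSM can decrypt it or notice tampering. The cipher, key labels, PAN and expiry are constructed stand-ins, not Visa's or any SRED vendor's code.

```python
import hashlib
import hmac
import os

# Constructed illustration of the flow on the slide above: the reader's SRED
# module encrypts card data under a key shared only with the processor's HSM,
# the merchant phone and telco carry an opaque blob, and decryption happens in
# the PCI DSS environment. The cipher (HMAC-SHA256 keystream plus HMAC tag) is
# a stand-in for a real reader's PCI-approved algorithms and DUKPT key scheme.

def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def reader_encrypt(master: bytes, card_data: bytes) -> bytes:
    """Runs inside the SRED module: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(card_data))
    ct = bytes(a ^ b for a, b in zip(card_data, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def hsm_decrypt(master: bytes, blob: bytes) -> bytes:
    """Runs in the processor's HSM: verifies the tag, then decrypts."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SRED integrity check failed: blob altered in transit")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def mask_pan(pan: str) -> str:
    # PCI DSS style display form: first six and last four digits only
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def run_transaction(master: bytes, pan: str, expiry: str) -> dict:
    """One swipe through reader -> phone -> HSM, reporting what each party saw."""
    card_data = f"{pan}={expiry}".encode()     # constructed track-2 style record
    blob = reader_encrypt(master, card_data)    # the phone forwards this unchanged
    recovered = hsm_decrypt(master, blob).decode()
    return {
        "phone_saw_pan": pan.encode() in blob,  # False: the app never holds clear PAN
        "hsm_recovered": recovered == f"{pan}={expiry}",
        "for_receipt": mask_pan(pan),
    }
```

Because the phone holds no key, a compromised handset or telco link can at most drop or corrupt the blob, and corruption is caught by the tag check before any decryption happens.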
Mobile solutions permitted by Visa Europe (2/2)
Software based solution / M-commerce app (cardholder mobile device)
• Card details never entered on merchant mobile device
– Secure if back end, registration process and permission to use protected
– Refer to Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0 – published in Sept. 2012: http://www.visaeurope.com/ais
Benefits
• Consistent and familiar experience for cardholders and merchants
• Increased likelihood that cardholders and merchants will use mPOS
• Maintains and reinforces the trust in the brand
• Maintains Visa’s security profile
• Ensures that an exciting new method of payment starts secure
• Bringing new players to market
• Innovative new ideas and concepts
• Reduced costs
mPOS solutions
• Mobile devices allowing low cost and easy access payments
• Balancing security and integrity with ease of deployment
• Working with industry providers
[Infographic: 7 live implementations; 200k+ merchants by 2014; 10 European markets]
Thank you