The PCI Security Standards Council
Troy Leach
April 2012
About the Council
Open, global forum
Founded 2006
Responsible for PCI Security Standards
• Development
• Management
• Education
• Awareness
PCI Security Standards
Protection of Cardholder Payment Data
Manufacturers
PCI PTS
Pin Entry
Devices
Software
Developers
Merchants &
Service Providers
PCI PA-DSS
PCI DSS
Payment
Applications
Secure
Environments
PCI Security
MOBILE PAYMENTS
Ecosystem of payment devices, applications, infrastructure and users
Agenda
Technology Updates: Mobile
Industry Engagement
Questions & Answers
Environmental Considerations at a Glance
• Market
• Increased interest in adoption of a variety of mobile technologies
• Absence of both traditional controls and standards
• PCI SSC Activity
• Create efficient mechanisms for broader engagement
• Evaluate need to develop standards
• Facilitate, when applicable, easier compliance mechanisms
Areas of Focus for Mobile
“MOBILE”
Devices
Applications
Service Providers
Tamper-resistance,
Secure Card
Readers, POI &
P2PE
Requirements
and/or Best
Practices for
authorization and
settlement
Service provider
protection of
cardholder data
and validation
Peripheral Device Encryption
SCR and
other POI
Cardholder data is only input using an
encrypted solution and transmitted encrypted
through a mobile device.
The mobile device is just a conduit. It has no
ability to decrypt the encrypted data and
therefore will never have access to clear-text
account data.
New PTS approval class for Secure
(Encrypting) Card Readers (SCR)
Mobile Phone Plug-in SCR
Audio
connector
plugs into
the
phone’s
headphone
Also works
on
computers
– any
device with
an audio
input jack
Plug-in
MSR
encrypts
data on the
reader
even
before it
reaches the
phone
QSA must
determine
data NOT
decrypted
on phone
No PIN
entry
2011 Guidance
Mobile Update – Announcement and FAQ
Focused on identifying
and clarifying the risks
associated with accepting
payments via mobile
. validating
solutions and
mobile payment
acceptance applications to
version 2.0 of the PA-DSS.
Mobile Application Categories
Applications for category
1 and 2 devices are
eligible for PA-DSS
Category 1:
PTS Approved PED
Devices
Applications for category
3 devices pending
development of further
guidance and/or
standards
Category 2:
Purpose Built POS
Devices
Category 3:
General Purpose
Smart Device
Current Environmental Concerns
•
•
•
•
•
•
•
•
Rapid development of applications
Lack of “traditional” controls
Too Many Privileges
Malicious Apps
Wi-Fi Sniffing / Blackjacking
Radiation of keys and side channel attacks
Distribution and persistent connectivity
Ownership and use policy
PTS PED Vendor Solutions
Phone is designed
and purpose built
as a secure device
By definition does
not use off the
shelf mobile
phones
Because secure
tamper protected
device, may use
either SCR or a
data key managed
similar to PIN key
PTS PED Vendor Solutions
Cradle for phone
Phone
Compartment
Card readers
integrated to PED
May employ
encrypting card
reader or use
data key managed
similar to PIN key
Application Security within Smart Devices
Exposure of
CHD within
device
Cardholder data is input using a non-encrypted
solution (e.g. manual key entry, non-encrypted
card reader, etc.) and transmitted through a
mobile device.
The mobile device has access to cleartext
cardholder data.
Mobile Task Force to provide guidance
and/or best practices
2012 Guidance Calendar
• Mobile SCR & P2PE Guidance for Merchants
• Mobile Acceptance Best Practices
• Mobile SCR & P2PE Guidance for Assessors and Vendors
• Roadmap for Category 3 Applications
15
Three Year Outlook: Mobile
• Devices and Peripherals:
• Publish guidance on use of attached PTS POI to mobile with P2PE
• Applications:
• Develop guidance for mobile device environments and relative security
requirements to meet PA-DSS or similar validation
• Create AQM checklist for PA-DSS qualification
• If necessary, develop mobile standard(s) for applications and devices
that transfer cardholder data
• Service Providers:
• Evaluate for potential guidance and/or security requirements for thirdparties with access to cardholder data
Council will liaise with all relevant bodies in the development of a
standard in this area and identify which variants require Council to
address
Agenda
Technology Updates: Mobile
Industry Engagement
Questions & Answers
Mobile Task Force
• PCI Council Members and staff, volunteer participating
organizations and subject matter experts
• Subject matter experts especially important when
examining Scenario 2
• Examples of subject matter experts:
• Security Assessors
• OS Platform Vendors
• Financial Processors
• Device Manufactures
Mobile Task Force
The purpose of the Mobile Task Force is to evaluate various
mobile payment acceptance implementations and
determine whether the inherent risk of card data exposure
can be addressed by existing PCI requirements or whether
additional guidance or requirements must be developed.
Questions?
Any Questions?
Please visit our website at www.pcisecuritystandards.org