PTS - SIX Financial Information (1)

PCI PTS
Nick Heape
Zurich
September 2010
Visa Europe Public
This information is not intended, and should not be
construed, as an offer to sell, or as a solicitation
of an offer to purchase, any securities
Agenda
-The Evolution of PTS
-Payment Security Risk: getting the simple things right
-Reducing the effort to be secure
PTS Explained | September 2010
Visa Europe Public
Information Classification as Needed
2
Presentation Identifier.2
The evolution of fraud
The evolution of bank card fraud (timeline: 1980 → 1990 → 2000 → today)
- Fraudster: Individuals → Teams → Local crime rings → International crime rings
- Target: Consumers → Small retailers → Larger retailers → Banks and processors
- Leading fraud types: Lost/stolen; Intercepted; Domestic counterfeiting/skimming; Identity theft; Phishing; Rudimentary data compromise; Cross-border data compromise; CNP fraud; ATM fraud
- Type of cards targeted: T&E cards → Premium credit cards → Mass market credit cards → All types of credit cards, debit cards and prepaid cards
- Necessary resources: Opportunism; Rudimentary knowledge; Technical knowhow; Audacity; Technical expertise; Insider information; Global connections
Device Usage Evolution
- Sunset date, non-approved devices: 30.06.2010
- Sunset date, pre-PCI PED: 31.12.2012
- Sunset date, PCI PED v1.x: approval until 30.04.2014
- Sunset date, PCI PED v2.x: approval until 30.04.2017
- Sunset date, PCI PED v3.x: new standard
Examples of Terminal Fraud
- You can’t see a hidden rogue device! A SIM card cover plate hides the skimming device.
- Rogue device has an invalid serial number: verify the printed s/n against the electronic s/n. Check the label – it may be hiding a skimmer.
- Rogue device hidden inside the terminal: note the label on a new terminal. Periodically check the security sticker – it may hide a tampered screw or seams.
- Key loggers are tiny and look like part of normal cabling. Pay attention to detail upon inspection!
- Overlays can be quickly applied to unattended payment terminals.
Prevention Guidelines & Best Practices
See the Information Supplement: Skimming Prevention – Best Practices for Merchants.
Get it on the PCI SSC website: www.pcisecuritystandards.org
A growing threat¹
-More than the previous four years combined
-91% of records compromised by organized criminal groups
-99.6% of records compromised from servers and applications
-69% were discovered by a 3rd party
-67% were aided by significant errors
-32% implicated business partners (e.g. service providers)
¹ Source: Verizon 2009
Data Breaches – Some Truths
Source: Verizon business 2009
PCI Standards
PCI PTS Development Lifecycle
The PCI PTS working group works to a three-year lifecycle:
• First year: discuss and develop new requirements
• Second year: update, review and release PTS POI documents
• Third year: implement the new requirements for all new terminals
The PCI PTS working group actively supports suggestions, reviews and comments on improving the security standards.
The PCI PTS working group releases the new document to all Participating Organizations for comment and review ahead of formal release.
Once completed, the new version is released one year in advance of its effective date to allow vendors the opportunity to design new terminals against the new requirements.
Categories of PCI PTS Products
- POS PIN Entry Terminal
- OEM Components: EPP, PED, SCR
- Integrated POS PIN entry Terminals
PTS Program Overview
Version 3.0 represents a significant change to the layout, format
and scope of what was the PCI POS PED Security Program:
• Widening the scope of the evaluation to include:
– POS PED devices
– Encrypting PIN Pads
– Unattended payment Terminals
• Introduction of Modular Approach
• New Modules added
– Open Protocols
– Integration
– Secure Read and Exchange of Data (SRED)
What is the Modular Approach?
In order to streamline documentation and integrate all options into a single set of requirements, PCI SSC has moved to a modular approach.
Requirements are now grouped into the following modules:
• Core PIN Security – Physical
• Core PIN Security – Logical
• Open Protocols (remote logical attacks, addressing open protocols software)
• Integration (where individual components are brought together into a single product)
• Device Management
• Secure Read and Exchange of Data (method of securing the cardholder data when entered into the POI)
Open Protocols Module
• A set of requirements that ensures PIN entry devices using open security protocols and open communication protocols to access public networks and services do not have public domain vulnerabilities
• Covers IP connectivity (internet), GPRS, Wifi
PTS – SRED (1)
- Secure Read & Exchange of Data is a new module for V3.0 of the PTS Standard that enables the protection of data at the source. The module enables clear, consistent evaluation and approval of the encryption techniques used.
- Enabling infrastructure at PTS
– Secure HW resources already in the device
– Evaluation at the PTS framework readily available
– Utilising evaluation laboratory skills to evaluate the solution
- Architectures supported
– Encrypting magnetic stripe read head
– Standard magnetic stripe read head
– Chip reader
– Key management structure
PTS – SRED (2)
- Provides a secure method for data encryption within the terminal
- Depending upon the solution, part of the PAN may remain in clear text for routing or chargeback issues.
- SRED enables the terminal to be authenticated to the merchant location.
- NOTE: This only applies to PIN Entry Point of Interaction devices.
[Slide diagram: shows which parts of the transaction flow are in scope and out of scope for SRED.]
Agenda
-The risk to the payment environment
-Payment Security Risk: getting the simple things right
-Reducing the effort to be secure
The Current Environment
-Knowledge of cardholder and account data is (largely) considered proof of ownership. Consequently, cardholder data is inherently valuable to a criminal.
-Many retailers believe that there is a disproportionate onus on them to protect data.
-What if we could make data less valuable such that it needs less protection?
Basic Principles
Eliminate
Protect
Devalue
Storing cardholder data
Basic principles:
– If you don’t need it, don’t store it
– Delete sensitive authentication data after authorisation
– If you store cardholder data you must do one or more of the following:
  – Truncate
  – Hash
  – Encrypt
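The truncate and hash options above, as an added example that is not part of the slides: truncation keeps at most the first six and last four digits (the PCI DSS masking limit), and the hash is keyed, because an unkeyed hash of a PAN can be brute-forced once the BIN is known. The test PAN and key are constructed placeholders.

```python
import hashlib
import hmac

def luhn_ok(pan: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812); rejects mistyped or random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_plausible_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)

def truncate_pan(pan: str) -> str:
    """Truncate for storage or display: at most the first six and last four digits
    stay visible (the PCI DSS masking limit); the digits in between are dropped."""
    if not is_plausible_pan(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256) for matching a card across transactions without
    keeping the PAN. A plain unkeyed hash is not enough: with the first six digits
    (the BIN) known, at most about 10**9 Luhn-valid candidates remain, fewer still
    if the truncated form is stored beside the hash, so an attacker can simply
    hash them all. The key must therefore be protected like an encryption key."""
    if not is_plausible_pan(pan):
        raise ValueError("not a plausible PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def store_record(pan: str, key: bytes) -> dict:
    """What a record may keep after authorisation: the truncated PAN and the keyed
    hash; the full PAN itself is not retained."""
    return {"pan_truncated": truncate_pan(pan), "pan_hmac": hash_pan(pan, key)}

# Constructed test values (not from the slides): the well-known Luhn-valid test
# PAN 4111111111111111 and a throwaway key. A real key comes from an HSM or KMS.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"example-key-do-not-use"

if __name__ == "__main__":
    print(store_record(SAMPLE_PAN, SAMPLE_KEY))
```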
Default Passwords
• Possibly the largest root cause of data breaches globally.
• Over 30 years worth of attacks.
• Very easy to fix!
SQL Injection
-SQL Injection attacks are the number one threat to e-commerce.
-Too much trust is placed in user input.
Username: admin
Password: '0 OR 1=1'
Access Granted!
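The login check behind the slide's "Access Granted!", as an added example that is not part of the slides: the same query built by string concatenation and with bound parameters, run against a constructed in-memory SQLite table. The user record and the injected password are constructed placeholders.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with one user (example data, not from the slides).
    The password is stored in clear only to keep the demo short; a real system
    stores a salted password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: the input becomes part of the SQL text, so a quote
    # in the password rewrites the WHERE clause instead of being compared to it.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0

def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: values travel separately from the SQL text and are
    # only ever compared as data, whatever characters they contain.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

# Constructed input in the spirit of the slide's '0 OR 1=1': the leading quote
# closes the password literal and the rest adds an always-true condition.
INJECTED_PASSWORD = "' OR '1'='1"

def demo() -> dict:
    db = make_db()
    return {
        "vulnerable_granted_with_injection": login_vulnerable(db, "admin", INJECTED_PASSWORD),
        "safe_granted_with_injection": login_safe(db, "admin", INJECTED_PASSWORD),
        "safe_granted_with_real_password": login_safe(db, "admin", "correct-horse-battery"),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'Access Granted!' if granted else 'Access Denied'}")
```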
Securing the environment – it’s complicated!!!
[Network diagram: head office / data centre LAN or MAN with Internet and X.25 cloud / leased line connections, a DMZ, SMTP mail servers, internal-facing services such as NTP and AV servers, user and support PCs, a wireless access point, the payment switch and database, central servers for MIS, finance and sales data, a log server, a backup server and tape backup; connected over a WAN (MPLS / Internet / etc.) to stores, each with a store router, store server, store LAN, management PC, wireless access point, wireless POS devices, self-service tills and lane tills.]
Data field encryption
Data Field Encryption – Best Practices
Security Goals
1. Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
2. Use robust key management solutions consistent with international and/or regional standards.
3. Use key lengths, cryptographic algorithms, padding and modes of operation consistent with international and/or regional standards.
4. Protect devices used to perform cryptographic operations against physical/logical compromise.
5. Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.
The industry’s first specification for Data Field Encryption
• A comprehensive guidance document describing the key management practices that would be necessary to support encryption solutions
• Based on 5 key security objectives
• Aimed at consolidating industry best practice
Data field encryption
Treating Account Data like PIN data
[Slide diagram: a fully validated end-to-end encryption solution built from PCI DSS together with device requirements (PTS), key management requirements (PCI PIN equivalent) and software requirements (PA-DSS).]
Summary
• The way criminals commit fraud has evolved and is more organised and innovative
• Wholesale thefts of cardholder data mean that data compromise is high on the risk agenda
• There are more touch points in the flow of transactions, each one of them representing a potential risk
• Security is everyone's responsibility - but there are standards and guidelines to help consolidate the industry
• Emerging technologies such as data field encryption provide new ways to comply with PCI DSS
• Visa is working alongside others in the payment industry to support retailers in reducing losses through fraud
Where to find information
Visit the Visa Europe website at:
http://www.visaeurope.com/ais
Contact Visa Europe
Email: datasecuritystandards@visa.com
Visit the PCI SSC website at:
http://www.pcisecuritystandards.org
Thank You