POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme
Common Approval Scheme POI Working Group
SRC Security Research & Consulting GmbH
Content
Affected payment system components
Domestic evaluation schemes and Payment Card Industry (PCI)
Single European Area requirements (SEPA)
Common Approval Scheme (CAS) for banking IC cards
CAS for POS/ATMs (POI)
POI PP Security Requirements
Experiences in the creation of the POI PP
Foresight
Affected Payment System Components
Banking IC cards
Point of Sale Terminal (POS): IC card based electronic payment; includes a PIN Entry Device (PED) and other components (e.g. card reader)
Automated Teller Machine (ATM): IC card based electronic money withdrawal; includes an Encrypting PIN Pad (EPP) and other components
ATM and POS are both defined as Points of Interaction (POIs)
Figure: payment transaction flow between Cardholder, Card, POI, Merchant, Acquirer and Issuer. Numbered steps as labelled in the figure:
1. Payment transaction data (Cardholder / Card and POI)
2. to 5. Payment transaction data and management data (Card and POI)
3. PIN request (POI to Cardholder)
4. PIN (if offline PIN verification) (Cardholder to POI)
5. Transaction Certificate (Card to POI)
6. Cardholder receipt and Merchant receipt
7. Payment transaction data including Transaction Certificate and Merchant parameters (Merchant and Acquirer)
8. Ask for payment with payment transaction data (Acquirer to Issuer)
9. Payment notification and Cardholder payment (Issuer and Cardholder)
10. Issuer payment (Issuer to Acquirer)
11. Acquirer payment (Acquirer to Merchant)
Domestic Evaluation Schemes
Throughout many European countries the banking industry has set security requirements to manage risks within payment systems effectively.
Compliance of payment system components with these security requirements has to be proven by security evaluations.
Different security levels and requirements are an obstacle for mutual recognition of security evaluations.
Examples of Domestic Evaluation Schemes
APACS (United Kingdom): Common Criteria (without formal certification), based on the APACS PED Protection Profile
ZKA (Germany): domestic high-level security requirements, informal scheme
Currence (Netherlands): PCI+
Payment Card Industry Evaluations
Global scheme with security requirements aligned by MasterCard and VISA
The evaluator performs steps based on test and security requirements defined by PCI
Composition of design, test and vulnerability analysis adapted for ATM (EPP) and POS (PED)
Comparison to Common Criteria:
Design evaluation based on a vendor questionnaire, no code review (ADV_IMP)
Predefined test cases, no ALC, ACM, ADO
Requirement of resistance against high attack potential
SEPA Standardisation for Card Payments
Use of international standards for cross-border and domestic transactions
Technical requirements for payment system components are becoming closely aligned throughout Europe
The European Payments Council in its Single European Payment Area (SEPA) Cards Framework (SCF) defines certification principles as interoperability principles to be worked out; security requirements and mutual recognition are explicitly stated
SEPA Standardisation for Card Payments
EPC SEPA Cards Framework (SCF):
"In order for the objectives of this Framework to be achieved, SEPA-level interoperability must be ensured in the following 4 domains:
cardholder to terminal interface,
cards to terminal (EMV),
terminal to acquirer interface (protocols or minimum requirements),
acquirer to issuer interface, including network protocols (authorization and clearing)."
"A common process for the certification of terminals, cards, and network interfaces will be defined in line with the principle described in Chapter 2.3.2."
"Card schemes will engage in mutual recognition for type approval. Any terminal certified for SEPA transactions by a certification body in one SEPA country can be deployed in any SEPA country for acceptance of SEPA cards across all SCF compliant schemes."
Common Approval Scheme Initiative
The Common Approval Scheme (CAS) initiative was originated
to agree on common security requirements harmonising the existing requirements,
to agree on a common evaluation methodology,
using the Payment Card Industry (PCI) security requirements for POS/ATM as the basis for the technical requirements,
reducing the number of security evaluations to be performed by manufacturers and reducing the costs of security certification.
Countries
CC experts involved: Trusted Labs (France), SiVenture (United Kingdom), SRC (Germany)
Belgium: Atos Worldline, Banksys
France: Cartes Bancaires
Germany: ZKA
Italy: Progetto Microcircuito
Luxembourg: CETREL
Netherlands: Currence, Equens
Norway: BSK
Portugal: SIBS
Spain: Servired, Sistema 4B
Sweden: PNC
United Kingdom: APACS
... (open to additional participants)
CAS Cards Working Group
Harmonisation of security requirements and methodology accomplished
The result is a finalised Generic Security Target for CC evaluations of banking IC cards
Thus there is no Protection Profile for banking IC cards; the Generic Security Target serves as a guideline
Co-ordination with ISCI/JHAS
Preparation of pilot evaluations
Open question: who will verify whether a Security Target meets the Generic Security Target?
CAS Terminal Working Group
Work in progress: evaluation according to PCI or CC?
Harmonisation of security requirements (in progress), including the PCI POS PED security requirements
Harmonisation of evaluation methodology (in progress); for the CC approach this results in the POI Protection Profile
Within a feasibility study it will be examined whether CC evaluations conformant to the developed PP(s) pave the way for SCF compliant certification criteria and mutual recognition of security certificates
Generic POI Architecture
Figure: generic architecture of a Point of Interaction (POI), showing the data flows between its components and external systems.
POI Application Logic: Application 1, Application 2, ..., Application n; administration by Terminal Management
Local Devices:
Card Readers: IC Card Reader and/or Magnetic Stripe Reader and/or Barcode Reader
CHV Devices: PIN Entry Device (includes a keypad, a display, a Security Module and may include a Card Reader) and/or Biometric Device
Other Security Modules: HSM and/or SAM
User I/O Devices (excluding CHV): Keypad, Display, Printer, Acoustic Signal
External to the POI: Application/Acquirer System, Terminal Management System, IC Card, Other Media (e.g. Magstripe Card)
Security Problem and Security Objectives
Assets: PIN, POI management and payment transaction data, software, cryptographic keys
Threats: performing unauthorised payment transactions by disclosure of the PIN or keys, or by manipulation of software or data
Security Objectives:
Confidential PIN entry and PIN processing
Authentic and integrity-protected payment transactions
Authentic and integrity-protected usage of software and related hardware; application separation
CAS POI Security Requirements (subset)
PCI: physical and logical security requirements (tamper-responsive hardware, …; self-test, logical anomalies, …)
PCI +: extension to message integrity for ATM/POS; extension of requirements for the life cycle; code analysis
PCI –: plaintext PIN protection at a level less than high; magnetic stripe security
Challenges to create a PP for a complex product
Define the Target of Evaluation:
Different implementation architectures shall be allowed
Different payment system components (ATM, EPP, POS, PED) shall be considered
Application separation
Two Evaluation Assurance Levels:
High attack potential as the objective for PIN entry and enciphered PIN processing, but at low cost
Protection level for plaintext PIN and for POI management and transaction data processing below high
Different hardware security requirements
Minimum POI
Figure: minimum POI configuration. A Payment Application (administration by Terminal Management) connects to the Application/Acquirer Host and the Terminal Management Host. Local Devices: IC Card Reader (with IC Card) and PIN Entry Device including a keypad, a display and the Security Module. Arrows denote data flow.
POI components connected via an open network
Figure: POI whose components are connected via an open network. A Server hosts Application 1, Application 2, ..., Application n (administration by Terminal Management) and connects to the Application/Acquirer Host and the Terminal Management Host. Local Devices, reached over the open network: IC Card Reader (with IC Card) and PIN Entry Device including a keypad, a display and the Security Module. Arrows denote data flow.
POI Protection Profile
Figure: TSF structure of the POI PP and the protection level of each part.
Core TSF (within the PED): PIN entry and processing of the PIN until the PIN is enciphered (includes the PED keypad). High level of protection.
PED Middle TSF (within the PED): plaintext PIN processing. Level of protection below high.
Middle TSF: processing of POI management and payment transaction data. Level of protection below high.
Foresight
Finalising the POI PP
Pilot evaluation based on the POI PP
Mutual recognition and certification scheme: discussion already started with BSI, DCSSI, CESG; founding a group like ISCI/JHAS for IC cards
Decision for PCI methodology or Common Criteria based on PCI functional security requirements
Any questions?
Contact
SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149a
53117 Bonn
Tel.: +49-(0)228-2806-0
Fax: +49-(0)228-2806-199
E-mail: info@src-gmbh.de
WWW: www.src-gmbh.de