POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme Common Approval Scheme POI Working Group SRC Security Research & Consulting GmbH Content Affected payment systems components Domestic evaluation schemes and Payment Card Industry (PCI) Single European Area requirements (SEPA) Common Approval Scheme (CAS) for banking IC cards CAS for POS/ATMs (POI) POI PP Security Requirements Experiences in the creation of the POI PP Foresight Affected Payment System Components Banking IC cards Point of Sale Terminal (POS) IC card based electronic payment Includes PIN Entry Device (PED) and other components (e.g. card reader) Automated Teller Machine (ATM) IC card based electronic money withdrawal Includes Encrypting PIN Pad (EPP) and other components ATM and POS both are defined as Point of Interactions (POIs) 10. Issuer payment Acquirer Issuer 8. Ask for payment with payment transaction data 11. Acquirer payment Merchant 6. Merchant receipt 7. Payment transaction data including Transaction certificate and Merchant parameters 9. Payment notification 1. Payment Transaction data 1. Payment Transaction data 9. Cardholder payment Cardholder 3. PIN request 4. PIN (if offline PIN verification) 2. to 5. Payment transaction data and managment data POI 5. Transaction Certificate 6. Cardholder receipt Card Domestic Evaluation schemes Throughout many European countries the banking industry Has set security requirements To manage risks within payment systems effectively Compliance of payment systems components with these security requirements has to be proved by security evaluations Different security levels and requirements Obstacle for mutual recognition of security evaluations Examples for Domestic Evaluation Schemes APACS (United Kingdom) Common Criteria (without formal certification) Based on APACS PED Protection Profile ZKA (Germany) Domestic high level security requirements Informal scheme Currence (Netherlands) PCI+ Payment Card Industry Evaluations Global Scheme with security requirements aligned by MasterCard and VISA Evaluator performs steps based on test and security requirements defined by PCI Composition of design, test and vulnerability analysis adapted for ATM (EPP) and POS (PED) Comparison to Common Criteria Design evaluation based on vendor questionnaire, no code review (ADV_IMP) Predefined test cases, no ALC, ACM, ADO Requirements of resistance against high attack potential SEPA Standardisation for Card Payments Use of international standards for cross-border and domestic transactions Technical requirements for payment system components are becoming closely aligned throughout Europe The European Payments Council in its Single European Payment Area (SEPA) Cards Framework (SCF) Defines certification principles as interoperability principles to be worked out Security requirements and mutual recognition are explicitly stated SEPA Standardisation for Card Payments EPC SEPA Cards Framework SCF: „In order for the objectives of this Framework to be achieved, SEPA-level interoperability must be ensured in the following 4 domains: cardholder to terminal interface, cards to terminal (EMV), terminal to acquirer interface (protocols or minimum requirements), acquirer to issuer interface, including network protocols (authorization and clearing).“ „A common process for the certification of terminals, cards, and network interfaces will be defined in line with the principle described in Chapter 2.3.2.“ „Card schemes will engage in mutual recognition for type approval. Any terminal certified for SEPA transactions by a certification body in one SEPA country can be deployed in any SEPA country for acceptance of SEPA cards across all SCF compliant schemes.“ Common Approval Scheme Initiative Common Approval Scheme (CAS) initiative has been originated to agree on common security requirements harmonising the existing requirements to agree on common evaluation methodology using the Payment Card Industry (PCI) security requirements for POS/ATM as the basis for technical req. Reducing the number of security evaluations to be performed by manufacturers and reducing the costs of security certification Countries CC experts involved: Trusted Labs (France) SiVenture (United Kingdom) SRC (Germany) Belgium Atos Wordline, Banksys France Cartes Bancaires Germany ZKA Italy Progetto Microcircuito Luxemburg CETREL Netherlands Currence, Equens Norway BSK Portugal SIBS Spain Servired, Sistema 4B Sweden PNC United Kingdom APACS ... (open to additional participants) CAS Cards Working Group Harmonisation of security requirements and methodology accomplished Result is a finalised Generic Security Target for CC evaluations of banking IC cards Thus no Protection Profile for banking IC cards Generic Security Target is a guideline Co-ordination with ISCI/JHAS Preparation of pilot evaluations Open question: Who will verify whether Security Target meets Generic Security Target? CAS Terminal Working Group Work in progress: Evaluation according to PCI or CC? Harmonisation of security requirements (in progress) Including PCI POS PED security requirements Harmonisation of evaluation methodology (in progress) For CC approach results in POI Protection Profile Within a feasibility study it will be examined whether CC evaluations conformant to the developed PP(s) pave the way for SCF compliant certification criteria and mutual recognition of security certificates Generic POI Architecture Point of Interaction (POI) POI Application Logic Application 1 Application 2 Administration by Terminal Mamangement Application n Application/ Acquirer System Terminal Management System Local Devices CHV Devices: Card Readers: IC Card Reader and/or Magnetic Stripe Reader and/or Barcode Reader IC Card PIN Entry Device (includes a keypad, a display, Security Module and may include a Card Reader) and/or Biometric Device Other Media (e.g. Magstripe Card) Other Security Modules: HSM and/or SAM User I/O Devices (excluding CHV): Keypad, Display, Printer, Acoustic Signal data flow Security Problem and Security Objectives Assets PIN, POI management and payment transaction data, software, cryptographic keys Threats Perform unauthorised payment transactions by disclosure of PIN or keys or manipulation of software or data Security Objectives Confidential PIN Entry and PIN Processing Authentic and integer payment transaction Authentic and integer usage of software and related hardware / application separation CAS POI Security Requirements (subset) PCI Physical and logical security requirements Tamper-responsive hardware, … Self-test, logical anomalies, … PCI + Extension to message integrity for ATM/POS Extension of requirements for Life Cycle Code analysis PCI – Plaintext PIN protection at level less than high Magnetic stripe security Challenges to create a PP for a complex product Define the Target of Evaluation Different implementation architectures shall be allowed Different payment system components (ATM, EPP, POS, PED) shall be considered Application separation Two Evaluation Assurance Level High attack potential as objective for PIN Entry and Enciphered PIN processing but low costs Protection level for Plaintext PIN and POI management and transaction data processing below high Different hardware security requirements Minimum POI Application/ Acquirer Host Payment Application Administration by Terminal Mamangement Terminal Management Host Local Devices IC Card Reader IC Card PIN Entry Device including a keypad, a display and the Security Module data flow POI components connected via an open network Server Application 1 Application 2 Application n Administration by Terminal Mamangement Application/ Acquirer Host Terminal Management Host Local Devices Open Network IC Card Reader IC Card PIN Entry Device including a keypad, a display and the Security Module data flow POI Protection Profile Middle TSF PED PED Middle TSF Core TSF PIN Entry and processing of PIN until PIN is enciphered (includes PED keypad) Plaintext PIN Processing Processing of POI management and payment transaction data High level of protection Level of protection below high Foresight Finalising POI PP Pilot evaluation based on POI PP Mutual recognition and certification scheme Discussion already started with BSI, DCSSI, CESG Founding a group like ISCI/JHAS for IC cards Decision for PCI methodology or Common Criteria based on PCI functional security requirements Any questions? Contact SRC Security Research & Consulting GmbH Graurheindorfer Str. 149a 53117 Bonn Tel. Fax: E-mail: WWW: +49-(0)228-2806-0 +49-(0)228-2806-199 info@src-gmbh.de www.src-gmbh.de