Slide 1: Secure mobile payments: getting the balance right
Royal Holloway University of London
Richard Martin, Payment System Security, Visa Europe
7 September 2013
For Visa Europe Confidential. This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities.

Slide 2: Visa Europe
• Owned and operated by over 3,745 European member banks
• In October 2007 Visa Europe became independent of the new global Visa Inc. with an exclusive, irrevocable and perpetual licence in Europe
• Almost 466 million Visa cards have been issued in Europe
• In the 12 months ending September 2012 point of sale spending totalled over €1.3 trillion
• Fraud continues to decline and has fallen to €40 in every €10,000 as at September 2012 (0.04%)
Visa Europe Mobile POS & Acceptance

Slide 3: European commerce is changing
Infographic; figures as extracted:
• €1 in every €6.75 of consumer spend is on Visa cards
• 50% of Visa spend / 25% of Visa transactions
• Ecommerce: +200% vs face-to-face
• Mobile by 2020
• 1 in every 6 Visa cards in Europe is contactless

Slide 4: Striking the balance
Diagram of the stakeholders: Acquirers, Issuers, Merchants, Cardholder, Visa Europe

Slide 5: The Visa Europe Payment System Risk Strategy
• Focus our protection efforts on residual risks
• Reinvigorate the data security debate
• Design solutions that are secure from the outset
• Provide cost effective solutions for all stakeholders
• Understand the level of complexity
For data security to be meaningful, it must be applied sensibly. A security and compliance policy that relies on a single solution, a single approach, and a single correct answer, is not likely to succeed in its objectives.

Slide 6: Manage Evolving Risks
Enhanced Authentication
• Continue deployment and use of robust authentication platforms - key to the stability of the payment systems of the future
• Visa Europe instrumental in defining global practices for complementary security technologies
Data Devaluation
• Protect cardholder data by limiting its availability
• Additional protection required for data which can be reused and cannot be devalued
Data Protection
• Protect cardholder data
• The Payment Card Industry Data Security Standard (PCI DSS) has been fundamental in raising awareness and fighting fraud

Slide 8: Visa's mobile payment services
• Contactless (Visa payWave for Mobile): use a mobile device to shop conveniently, quickly and securely in a face-to-face environment
• Person to Person (Visa Personal Payments): send money from a Visa card to any Visa card, anywhere in the world, using a mobile phone number or PAN
• Mobile POS

Slide 9: Making payments vs. accepting payments
Making payments. A cardholder uses her phone to:
• Enter her card details into a web form
• Store her card details (or a token) in a wallet
• Store her card details on a secure element (e.g. contactless)
Accepting payments. A merchant uses his phone to:
• Accept and process payments from customers
• He will handle many card payments from many customers

Slide 10: Threat Axes and Vulnerabilities
Threat axes:
• Over the channel: SMS / USSD; Voice; Data: GPRS / Wifi / Bluetooth…
• Embedded
• Mobile Network Provider
• The Owner
Vulnerabilities:
• Operating System
• Hidden processes and applications
• User behaviour
• User interface
• Complexity
• User awareness
• Mobile registration and ownership

Slide 11: Recent news
• 76% of Android malware profit motivated (Q1 2013)
• HTML5 Framework hacks
• Android Security Squad and Bluebox Security: "Master Key" attacks
• SIM hack, Security Research Labs

Slide 12: What exactly are we trying to protect?
Basically any data whose theft or modification could cause financial or reputational harm to Visa, its Members and users.
Key assets at risk:
• Cardholder data (CHD): PAN, expiry date, CVV, CVV2
• Sensitive authentication data: PIN, cryptograms

Slide 13: Q. What can we do to secure the mobile phone? A. Not a lot
• Issuers and acquirers need to cater for hundreds of millions of cardholders and millions of merchants
• Mobile Device Management?
• User policies - enforced AV, restrictive Ts & Cs?
• Enforce certification of handsets against security standards?
The reality is that card issuers and acquirers will need to take mobile devices as they come. Our security strategy must take this into account.

Slide 14: Innovation with tradition
Criteria for mobile POS & acceptance:
• Honour all cards: chip & magstripe
• Security: lowering standards would threaten the system
• User experience: familiar & trustworthy
• Benefits for all
• Visa: trusted brand

Slide 15: Visa Europe's position on mobile acceptance devices
Diagram labels: Mobile environment; Processor / Point of Decryption; Secure Hardware Accessory; Protected in line with Visa's Encryption & Tokenisation Guidelines

Slide 16: Mobile solutions not permitted by Visa Europe (1/4)
"App" with manual key entry of card data on merchant owned mobile device
• Software only solutions with no hardware accessory
• App downloaded on merchant phone
• Card data keyed on merchant phone; transactions processed as e-comm or MOTO
Entry of data on a merchant mobile device cannot be PCI certified at this time. This also includes PIN entry.

Slide 17: Mobile solutions not permitted by Visa Europe (2/4)
Hardware accessory with a magstripe only reader (used with a merchant owned mobile device)
Solutions with a magstripe only reader:
• no chip reader
• no PIN pad
• transactions sent as a magstripe transaction or as MOTO or e-comm transactions
Europe is a region where chip is required, so this type of solution is not suitable.

Slide 18: Mobile solutions not permitted by Visa Europe (3/4)
Hardware accessory with a chip reader but no PIN pad (used with a merchant owned mobile device)
Solutions with a chip reader:
• no PIN pad
• with or without magstripe
• transactions sent as chip transactions
A PIN pad is required in Europe, so this solution is not suitable. "Honour All Cards" is a must: key entry of card data on a merchant phone is not permitted, so magstripe support is required.

Slide 19: Mobile solutions not permitted by Visa Europe (4/4)
Contactless only acceptance
An acceptance device must "Honour All Cards". As not all cards support contactless, it is not possible at this time to allow contactless only devices.

Slide 20: Two mobile acceptance solutions permitted (1/2)
Hardware accessory with chip, magstripe & PIN pad (merchant owned mobile device)
• Chip & PIN must be supported
• Magstripe must be supported
• Contactless optional but recommended
• Key entry of data on a secure PED allowed when there is no other option
• Physical (audio jack, mini USB etc.) or Bluetooth connection to the mobile device
• Security is ensured by PCI SRED (Secure Read Exchange Data) and point-to-point encryption
For Visa Europe internal use only

Slide 21: Anatomy of mobile card reader security
• Security standards: PCI PIN Transaction Security (PCI PTS) SRED
• Secure PIN entry
• Device hardened against physical & logical hacking
• Encryption: SRED* module
* SRED = Secure Read and Encryption of Data. SRED is a hardware module for secure key storage & encryption functions.

Slide 22: Encryption on the reader removes the mobile device from the key areas of risk
Diagram labels: SRED (reader); Telco / ISP; Secure host; Processor/acquirer system, PCI DSS compliant environment; HSM

Slide 23: Mobile solutions permitted by Visa Europe (2/2)
Software based solution / M-commerce app (cardholder mobile device)
• Card details never entered on the merchant mobile device
• Secure if the back end, registration process and permission to use are protected
• Refer to Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, published in Sept. 2012: http://www.visaeurope.com/ais

Slide 24: Benefits
• Consistent and familiar experience for cardholders and merchants
• Increased likelihood that cardholders and merchants will use mPOS
• Maintains and reinforces the trust in the brand
• Maintains Visa's security profile
• Ensures that an exciting new method of payment starts secure
• Bringing new players to market
• Innovative new ideas and concepts
• Reduced costs

Slide 25: mPOS solutions
• Mobile devices allowing low cost and easy access payments
• Balancing security and integrity with ease of deployment
• Working with industry providers
• 7 live implementations
• 200k+ merchants by 2014
• 10 European markets

Slide 26: Thank you
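As an added worked example (not part of the original deck), the reader-side encryption model of slides 20 to 22 in Go: the SRED module encrypts track data under a key that exists only in the reader and the acquirer's HSM, the merchant's phone sees a masked PAN plus an opaque blob it merely relays, and the host rejects anything altered in transit or presented under the wrong reader identity. The key, reader ID and test PAN are constructed values, and AES-GCM with the reader ID as associated data is an illustrative choice, not the scheme prescribed by PCI PTS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// mustGCM wraps the AES-128 key shared only by the reader and the acquirer HSM.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key length is fixed at provisioning, so this is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// readerSeal models the SRED module: track data is encrypted with the reader ID
// as associated data, so the phone relays only a masked PAN and nonce||ciphertext.
func readerSeal(key, readerID []byte, pan, track2 string) (string, []byte, error) {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	masked := pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:] // receipt format
	return masked, gcm.Seal(append([]byte{}, nonce...), nonce, []byte(track2), readerID), nil
}

// hostOpen is the point of decryption inside the PCI DSS environment; any byte
// changed by the phone or on the telco path fails the GCM tag check.
func hostOpen(key, readerID, blob []byte) (string, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(blob) >= n {
		pt, err := gcm.Open(nil, blob[:n], blob[n:], readerID)
		return string(pt), err
	}
	return "", fmt.Errorf("blob shorter than nonce")
}

func main() {
	key, readerID := []byte("0123456789abcdef"), []byte("READER-0001") // constructed demo values
	// 4111111111111111 is a widely used test PAN; the track 2 string is a constructed input
	masked, blob, _ := readerSeal(key, readerID, "4111111111111111", ";4111111111111111=2512101?")
	blob[len(blob)-1] ^= 1 // a compromised phone alters the payload in transit
	_, err := hostOpen(key, readerID, blob)
	fmt.Println("phone saw:", masked, "| host after tampering:", err)
}
```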