
www.chyp.com  Please copy and distribute

Impact of the SPoC PCI Standard on the Payments Industry

myPINPad, London

Gary Munro, 14th February 2018

Agenda

Perspective for Payments Industry

- PIN & PIN Security

- PIN on CoTS

- Impact of CoTS

- How long before contactless only?

- Omni-channel & PSD2

- PIN over biometric


PIN & PIN Security


Traditional Payment Terminals

• Significant hardware-based security

• EMVCo and PCI technical and security specifications

• UKCA Common Criteria (UKPayments)

• Basic payment application

• Walled gardens


mPOS Payment Solutions

• Core features from the traditional payment terminal embedded into a smaller package

• Linked to tablet or mobile running a fully featured POS app

• Mobile is not a trusted environment

• Requires SRED / P2PE

• Cost remains barrier to entry

PIN on COTS


Figure: threats to the app and its services: Tampering / Reverse Engineering; Malware Captures Credentials / Assets; Cloning; Snooping.

Securing an insecure environment

• Mobile environment is untrusted

• Payment details are an attractive target

• Developers need to secure keys and data in software

• Many known attack vectors


Figure: the same threats (Tampering / Reverse Engineering; Malware Captures Credentials / Assets; Cloning; Snooping) set against the countermeasures: Secure App Development; Whitebox/TEE; Tokenisation; Device Fingerprinting; Transaction Security.

Securing an insecure environment

• Countermeasures against attacks

• Techniques used for securing HCE / Mobile banking

• But software security has a very short lifecycle

• Security has to be actively managed, frequent updates are required

Additional challenges

• Reproducing a lookalike app is trivial

• but is it a viable attack?

• Can SPoC cater for DDA?

Consumer, Merchant Experience

• Would you put your PIN into a random application on a merchant’s phone?

• Would you hand over a $1,000 mobile phone to a random stranger so that they can put their PIN into an application on your phone?

• Trials of SPoC in Australia and London indicate yes

• People are used to PIN entry


Impact of CoTS

Payments Industry

• Entry level dongles for mPOS

• Changes dynamics

• Security

• Costs

• PIN Entry as part of mPOS app?

• Does not match current model

• SaaS

• SPoC as a Service

• Payments is more than Chip & PIN

• PSD2 & SCA

Client Confidential

How long before contactless only?


Software PIN on COTS

Contactless Only

• Mobile phones are poor card readers

• EMV certification issues

• Android only solution

• Mobeewave & Worldpay pilots

Contactless + PIN

• Online PIN required

• Infrastructure

• Card CVM

• Does it change the security challenge?

• Can we create a software SCRP?

• Alternatives may win race

Omni-Channel


Omni-Channel

PSD2 mandates SCA on issuers

• 2FA

Contactless payments under PSD2

No SCA is required if:

• the transaction amount is under €30, and

• the cumulative amount since last SCA is less than €150, or

• there have been fewer than 5 transactions since the last SCA.


Omni-Channel

Contactless payments under PSD2

Every 5th contactless transaction in a row requires SCA!

• Frequent fallback to Chip & PIN

• Very poor cardholder experience

• Online PIN provides a cleaner experience

• Wearables etc
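Added example, not part of the deck: the three exemption conditions from the previous slide as an issuer-side step-up decision in Python. The slide's "or" means an issuer applies either the cumulative-amount limit or the transaction-count limit, so the limit in use is a parameter here; the current tap is assumed to count towards the running total and count, which is the reading under which the 5th contactless tap in a row is stepped up as stated above. Amounts are in euros and the tap sequences are constructed.

```python
from dataclasses import dataclass

# Limits as printed on the slide, in euros (constructed constants for this example).
AMOUNT_LIMIT = 30.0       # the transaction amount must be under this
CUMULATIVE_LIMIT = 150.0  # cumulative amount since the last SCA must be under this
COUNT_LIMIT = 5           # transactions since the last SCA must be fewer than this


@dataclass
class IssuerCounters:
    # Per-card state the issuer keeps between step-ups.
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0


def sca_required(counters: IssuerCounters, amount: float, tracking: str) -> bool:
    """Return True if this contactless tap must be stepped up to SCA.

    tracking selects which alternative limit the issuer applies ("count" or
    "cumulative"). The current tap is included in the running figures (assumption).
    """
    if amount >= AMOUNT_LIMIT:
        return True
    if tracking == "count":
        return counters.count_since_sca + 1 >= COUNT_LIMIT
    if tracking == "cumulative":
        return counters.cumulative_since_sca + amount >= CUMULATIVE_LIMIT
    raise ValueError(f"unknown tracking mode: {tracking}")


def authorise(counters: IssuerCounters, amount: float, tracking: str) -> bool:
    """Apply the decision and update the counters; True means SCA was required."""
    required = sca_required(counters, amount, tracking)
    if required:
        # A completed SCA (Chip & PIN fallback or online PIN) resets both counters.
        counters.cumulative_since_sca = 0.0
        counters.count_since_sca = 0
    else:
        counters.cumulative_since_sca += amount
        counters.count_since_sca += 1
    return required


def simulate(amounts, tracking="count"):
    """Run a sequence of taps for one card and report which were stepped up."""
    counters = IssuerCounters()
    return [authorise(counters, amount, tracking) for amount in amounts]


if __name__ == "__main__":
    # Six EUR 10 taps: under the count limit the 5th in a row is stepped up, as the
    # deck says; under the cumulative limit the total never reaches EUR 150.
    print(simulate([10.0] * 6, "count"))       # [False, False, False, False, True, False]
    print(simulate([10.0] * 6, "cumulative"))  # [False, False, False, False, False, False]
```

Under the count limit the pattern repeats every five taps regardless of amount, which is the poor cardholder experience the slide describes; the cumulative limit only steps up once spend approaches €150.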


PIN over Biometric


Biometric Advantages

• Nothing to remember

• Quicker

• No screen input

Disadvantages

• Can be spoofed

• Environmental issues

• No screen input

Security

• Fingerprint vs PIN

• FAR 0.002% : 0.01%

Security standards?

• Apple - iOS Security

• Google - AOSP

Summary

• Consumers & Issuers trust PIN

• Security is key

• Software security is complex

• Contactless only is on the horizon

• Omni-channel SCA solution required

• PIN or biometric, consumer preference


Questions?


About Consult Hyperion


Consult Hyperion specialises in working out the opportunities and threats which result from the harmony and collision of security, networks and transactions. We are constantly assessing these factors, as they change continuously, and delivering ideas, solutions and products to our clients.


Who do we do it for?


Contact


Browse www.chyp.com

Follow @chyppings

Mail [email protected]

Comment http://www.chyp.com/media/blog/

Listen http://www.chyp.com/media/podcasts/

Consult Hyperion UK

Tweed House, 12 The Mount

Guildford, Surrey, GU2 4HN, UK.

+44 1483 301793

Consult Hyperion USA

535 Madison Avenue, 19th Floor

New York, NY 10022, USA.

+1 888 835 6124