www.chyp.com
Please copy and distribute
Impact of the SPoC PCI Standard on the Payments Industry
myPINPad, London
Gary Munro, 14th February 2018
Agenda
Perspective for Payments Industry
- PIN & PIN Security
- PIN on CoTS
- Impact of CoTS
- How long before contactless only?
- Omni-channel & PSD2
- PIN over biometric
PIN & PIN Security
Traditional Payment Terminals
• Significant hardware-based security
• EMVCo and PCI technical and security specifications
• UKCA Common Criteria (UKPayments)
• Basic payment application
• Walled gardens
PIN & PIN Security
mPOS Payment Solutions
• Core features from the traditional payment terminal embedded into a smaller package
• Linked to tablet or mobile running a fully featured POS app
• Mobile is not a trusted environment
• Requires SRED / P2PE
• Cost remains barrier to entry
PIN on COTS
Diagram: threats to the app / services on a mobile device: tampering / reverse engineering, malware capturing credentials / assets, cloning, snooping.
Securing an insecure environment
• Mobile environment is untrusted
• Payment details are an attractive target
• Developers need to secure keys and data in software
• Many known attack vectors
PIN on COTS
Diagram: the same threats (tampering / reverse engineering, malware capturing credentials / assets, cloning, snooping) set against countermeasures: secure app development, whitebox / TEE, tokenisation, device fingerprinting, transaction security.
Securing an insecure environment
• Countermeasures against attacks
• Techniques used for securing HCE / Mobile banking
• But software security has a very short lifecycle
• Security has to be actively managed, frequent updates are required
Additional challenges
• Reproducing a lookalike app is trivial
• but is it a viable attack?
• Can SPoC cater for DDA?
Consumer, Merchant Experience
• Would you put your PIN into a random application on a merchant’s phone?
• Would you hand over a $1,000 mobile phone to a random stranger so that they can put their PIN into an application on your phone?
• Trials of SPoC in Australia and London indicate yes
• People are used to PIN entry
PIN on COTS
Impact of CoTS
Payments Industry
• Entry level dongles for mPOS
  • Changes dynamics
  • Security
  • Costs
• PIN entry as part of mPOS app?
  • Does not match current model
• SaaS
  • SPoC as a Service
• Payments is more than Chip & PIN
  • PSD2 & SCA
Client Confidential
How long before contactless only?
Software PIN on COTS
Contactless Only
• Mobile phones are poor card readers
• EMV certification issues
• Android only solution
• Mobeewave & Worldpay pilots
Contactless + PIN
• Online PIN required
• Infrastructure
• Card CVM
• Does it change the security challenge?
• Can we create a software SCRP?
• Alternatives may win the race
Omni-Channel
PSD2 mandates SCA on issuers
• 2FA
Contactless payments under PSD2
No SCA is required if:
• the transaction amount is under €30, and
• the cumulative amount since the last SCA is less than €150, or
• there have been fewer than 5 transactions since the last SCA.
Omni-Channel
Contactless payments under PSD2
Every 5th contactless transaction in a row requires SCA!
• Frequent fallback to Chip & PIN
• Very poor cardholder experience
• Online PIN provides a cleaner experience
• Wearables, etc.
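The exemption rule above and the "every 5th transaction in a row requires SCA" consequence, modelled as a small Python simulation of the issuer-side counters. This is an added example, not code from the original deck; the thresholds are the ones quoted on the slide, while the `strict` flag and the counter semantics (a successful SCA resets both counters, and the 5th consecutive transaction is the one stepped up) are assumptions about how an issuer implements the rule.

```python
# Thresholds exactly as quoted on the slide (EUR); the PSD2 RTS figures may differ.
AMOUNT_LIMIT = 30.0       # per-transaction ceiling for the contactless exemption
CUMULATIVE_LIMIT = 150.0  # cumulative contactless spend allowed since the last SCA
COUNT_LIMIT = 5           # consecutive contactless transactions since the last SCA


def exemption_applies(amount, cumulative, count, strict=True):
    """Decide whether a contactless transaction may skip SCA.

    amount      : this transaction (EUR)
    cumulative  : EUR spent contactless since the last SCA
    count       : contactless transactions since the last SCA
    strict=True : both the cumulative and the counter limit must hold; this is the
                  reading under which every 5th transaction in a row needs SCA.
    strict=False: literal 'cumulative OR count' reading of the slide's bullet.
    """
    if amount >= AMOUNT_LIMIT:
        return False
    within_cumulative = cumulative + amount < CUMULATIVE_LIMIT
    within_count = count + 1 < COUNT_LIMIT
    if strict:
        return within_cumulative and within_count
    return within_cumulative or within_count


def simulate(amounts, strict=True):
    """Feed a sequence of contactless amounts through one card's issuer counters.

    Returns, per transaction, True when the issuer had to step up to SCA (in
    practice a fallback to Chip & PIN, or online PIN). Assumes each SCA
    succeeds, which resets both counters; the transaction that triggered the
    step-up is not counted towards the next exemption window.
    """
    cumulative, count = 0.0, 0
    needs_sca = []
    for amount in amounts:
        if exemption_applies(amount, cumulative, count, strict):
            cumulative += amount
            count += 1
            needs_sca.append(False)
        else:
            cumulative, count = 0.0, 0
            needs_sca.append(True)
    return needs_sca


# Constructed sample: ten EUR 10 purchases in a row on one card.
if __name__ == "__main__":
    print(simulate([10.0] * 10))  # SCA forced on the 5th and 10th transaction
```

Note that with a €30 per-transaction cap the €150 cumulative limit can only be reached under the lenient reading, since five transactions under €30 never sum to €150; under the strict reading the counter always fires first.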
PIN over Biometric
• Biometric advantages
  • Nothing to remember
  • Quicker
  • No screen input
• Disadvantages
  • Can be spoofed
  • Environmental issues
  • No screen input
• Security
  • Fingerprint vs PIN
  • FAR 0.002% : 0.01%
• Security standards?
  • Apple - iOS Security
  • Google - AOSP
Summary
• Consumers & Issuers trust PIN
• Security is key
• Software security is complex
• Contactless only is on the horizon
• Omni-channel SCA solution required
• PIN or biometric, consumer preference
About Consult Hyperion
Consult Hyperion specialises in working out the opportunities and threats which result from the harmony and collision of security, networks and transactions. We are constantly assessing these factors, as they change continuously, and delivering ideas, solutions and products to our clients.
Contact
Browse www.chyp.com
Follow @chyppings
Mail [email protected]
Comment http://www.chyp.com/media/blog/
Listen http://www.chyp.com/media/podcasts/
Consult Hyperion UK
Tweed House, 12 The Mount
Guildford, Surrey, GU2 4HN, UK.
+44 1483 301793
Consult Hyperion USA
535 Madison Avenue, 19th Floor
New York, NY 10022, USA.
+1 888 835 6124