For Visa Europe Confidential. This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities.
Secure mobile payments getting the balance right
Richard Martin, Payment System Security, Visa Europe
7 September 2013
Royal Holloway University of London
Visa Europe Mobile POS & Acceptance
Visa Europe
Owned and operated by over 3,745 European member banks
In October 2007 Visa Europe became independent of the new global Visa Inc. with an exclusive, irrevocable and perpetual licence in Europe
Almost 466 million Visa cards have been issued in Europe
In the 12 months ending September 2012 point of sale spending totalled over €1.3 trillion
Fraud continues to decline and has fallen to €4 in every €10,000 as at September 2012 (0.04%)
European commerce is changing (infographic)
• €1 in every €6.75 of consumer spend is on Visa cards
• 1 in every 6 Visa cards in Europe is contactless
• 50% of Visa transactions mobile by 2020
• Ecommerce +200% vs face-to-face (25% of Visa spend)
Striking the balance
Four parties to balance: Cardholders, Merchants, Acquirers, Issuers
The Visa Europe Payment System Risk Strategy
• Focus our protection efforts on residual risks
• Design solutions that are secure from the outset
• Reinvigorate the data security debate
• Understand the level of complexity
• Provide cost effective solutions for all stakeholders
For data security to be meaningful, it must be applied sensibly.
A security and compliance policy that relies on a single solution, a single approach, and a single correct answer, is not likely to succeed in its objectives.
Manage Evolving Risks
Enhanced Authentication
• Continue deployment and use of robust authentication platforms, key to the stability of the payment systems of the future
Data Devaluation
• Protect cardholder data by limiting its availability
• Visa Europe instrumental in defining global practices for complementary security technologies
• Additional protection required for data which can be reused and cannot be devalued
Data Protection
• Protect cardholder data
• The Payment Card Industry Data Security Standard (PCI DSS) has been fundamental in raising awareness and fighting fraud
Visa's mobile payment services
Contactless: Visa payWave for Mobile. Use a mobile device to shop conveniently, quickly and securely in a face-to-face environment.
Person to Person: Visa Personal Payments. Send money from a Visa card to any Visa card, anywhere in the world, using mobile phone number or PAN.
Mobile POS
Making payments vs. Accepting payments
Making payments
A Cardholder uses her phone to:
• Enter her card details into a web form
• Store her card details (or a token) in a wallet
• Store her card details on a secure element (e.g. contactless)
Accepting payments
A Merchant uses his phone to:
• Accept and process payments from customers
• He will handle many card payments from many customers
Threat Axes and Vulnerabilities
Threat axes:
• Over the channel: SMS / USSD, voice, data (GPRS / WiFi / Bluetooth ...)
• Embedded
• The Owner
• Mobile Network Provider
Vulnerabilities:
• Operating system
• Hidden processes and applications
• User behaviour
• User interface
• Complexity
• User awareness
• Mobile registration and ownership
Recent news
• 76% of Android malware profit motivated (Q1 2013)
• HTML5 Framework hacks
• Android Security Squad and Bluebox Security – “Master Key” attacks
• SIM hack, Security Research Labs
What exactly are we trying to protect?
Basically any data whose theft or modification could cause financial or reputational harm to Visa, its Members and users.
Key assets at risk:
• Cardholder data (CHD): PAN, Expiry date, CVV, CVV2
• Sensitive authentication data (SAD): PIN, cryptograms
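The asset list above maps directly onto handling rules an issuer, acquirer or processor has to implement. The following Go program is an added illustration, not Visa Europe's code and not part of the deck: it validates a PAN with the Luhn check, masks it for display (first six and last four digits, the PCI DSS display rule), swaps it for a vault token that keeps the last four digits but deliberately fails Luhn so it can never be mistaken for a PAN, and drops sensitive authentication data (CVV2, PIN, track data) before an authorisation record is persisted, which is the "limit its availability" and "cannot be devalued" point of the Data Devaluation slide. The PAN 4111 1111 1111 1111 is Visa's published test number; the vault, the field names and the record layout are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Visa's published test PAN, used here as constructed sample input.
const samplePAN = "4111111111111111"

// luhnValid reports whether pan is all digits, at least 13 long and passes
// the Luhn (mod 10) check-digit test.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && sum%10 == 0
}

// maskPAN applies the PCI DSS display rule: at most the first six and the
// last four digits are shown, everything in between is replaced.
func maskPAN(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("not a well-formed PAN")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// Vault is a toy tokenisation vault (assumed for the example): the PAN lives
// only here; every other system keeps a token that is worthless without it.
type Vault struct{ byToken map[string]string }

func NewVault() *Vault { return &Vault{byToken: map[string]string{}} }

// Tokenize returns a surrogate that keeps the last four digits (receipts,
// customer lookup) but deliberately fails the Luhn check, so a token can
// never be mistaken for, or used as, a PAN.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("refusing to tokenise a malformed PAN")
	}
	for {
		var b strings.Builder
		for i := 0; i < len(pan)-4; i++ {
			n, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				return "", err
			}
			b.WriteByte(byte('0' + n.Int64()))
		}
		tok := b.String() + pan[len(pan)-4:]
		if _, taken := v.byToken[tok]; !taken && !luhnValid(tok) {
			v.byToken[tok] = pan
			return tok, nil
		}
	}
}

// Detokenize is the only path back to the PAN and belongs inside the PCI DSS
// environment; it is the function to audit and restrict.
func (v *Vault) Detokenize(tok string) (string, bool) {
	pan, ok := v.byToken[tok]
	return pan, ok
}

// Sanitize prepares an authorisation record for storage: CVV2, PIN and full
// track data are dropped outright because they cannot be devalued once
// stolen; the PAN is swapped for a token. Field names are assumptions.
func Sanitize(v *Vault, rec map[string]string) (map[string]string, error) {
	out := map[string]string{}
	for k, val := range rec {
		switch k {
		case "cvv2", "pin", "track2":
			continue // sensitive authentication data: never persisted
		case "pan":
			tok, err := v.Tokenize(val)
			if err != nil {
				return nil, err
			}
			out["pan_token"] = tok
		default:
			out[k] = val // expiry, amount, merchant id: not SAD
		}
	}
	return out, nil
}

func main() {
	v := NewVault()
	masked, _ := maskPAN(samplePAN)
	rec, _ := Sanitize(v, map[string]string{"pan": samplePAN, "expiry": "1215", "cvv2": "123", "amount": "1000"})
	fmt.Println(masked, rec)
}
```

The token keeps the PAN's last four digits on purpose, which is why Tokenize loops until the random prefix makes the whole string fail Luhn: a token that happened to pass would look like a usable card number to anyone who found it in a log or database dump.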
Q. What can we do to secure the mobile phone?
A. Not a lot
• Issuers and acquirers need to cater for hundreds of millions of cardholders and millions of merchants
• Mobile Device Management?
• User policies - enforced AV, restrictive Ts & Cs?
• Enforce certification of handsets against security standards?
The reality is that card issuers and acquirers will need to take mobile devices as they come.
Our security strategy must take this into account.
Innovation with tradition: criteria for mobile POS & acceptance
• Benefits for all
• Visa Trusted Brand: familiar & trustworthy
• User experience
• Honour all cards: chip & magstripe
• Security: lowering standards would threaten the system
Visa Europe's position on mobile acceptance devices
Mobile environment: secure hardware accessory
Processor / point of decryption
Card data protected in line with Visa's Encryption & Tokenisation Guidelines
Mobile solutions not permitted by Visa Europe (1/4)
Software only solutions with no hardware accessory
• App downloaded on merchant phone
• Card data keyed on merchant phone; transactions processed as e-comm or MOTO
"App" with manual key entry of card data on merchant owned mobile device: entry of data on a merchant mobile device cannot be PCI certified at this time. This also includes PIN entry.
Mobile solutions not permitted by Visa Europe (2/4)
Hardware accessory with a magstripe only reader (used with a merchant owned mobile device)
Solutions with a magstripe only reader:
• no chip reader
• no PIN pad
• transactions sent as a magstripe transaction or as MOTO or e-comm transactions
Europe is a region where chip is required, so this type of solution is not suitable.
Mobile solutions not permitted by Visa Europe (3/4)
Hardware accessory with a chip reader but no PIN pad (used with a merchant owned mobile device)
Solutions with a chip reader:
• no PIN pad
• with or without magstripe
• transactions sent as chip transactions
PIN pad required in Europe, so this solution is not suitable.
"Honour All Cards" is a must: key entry of card data on a merchant phone is not permitted, so magstripe support is required.
Mobile solutions not permitted by Visa Europe (4/4)
Contactless only acceptance
An acceptance device must “Honour All Cards”
As not all cards support contactless, it is not possible at this time to allow contactless only devices
Two mobile acceptance solutions permitted (1/2)
Hardware accessory with chip, magstripe & PIN pad (merchant owned mobile device)
• Chip & PIN must be supported
• Magstripe must be supported
• Contactless optional but recommended
• Key entry of data on secure PED allowed when no other option
• Physical (audio jack, mini USB etc.) or Bluetooth connection to mobile device
• Security is ensured by PCI SRED (Secure Reading and Exchange of Data) and point-to-point encryption
Anatomy of mobile card reader security
• Security standards: PCI PIN Transaction Security (PCI PTS)
• Secure PIN entry
• Device hardened against physical & logical hacking
• Encryption: SRED* module
* SRED = Secure Reading and Exchange of Data: the PCI PTS requirements module covering secure key storage and encryption of account data inside the device
Data flow: reader (SRED) -> mobile device -> Telco / ISP -> processor/acquirer system (PCI DSS compliant environment: HSM, secure host)
Encryption on the reader removes the mobile device from the key areas of risk.
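The reader-security and data-flow slides above describe the point-to-point encryption architecture without showing the mechanism. The following Go program is an added illustration (not from the deck or any vendor): a simulated SRED reader encrypts the captured track data under a per-reader AES-256-GCM key before handing it to the merchant's phone, the phone forwards an opaque blob it cannot parse or modify undetected, and the processor's HSM is the only point of decryption. The track-2 sample, reader serial and base key are constructed for the example; the static per-reader key derived with HMAC stands in for the unique-key-per-transaction (DUKPT) key management that real PCI PTS/SRED devices use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample: a track-2-style string as the reader would capture it
// (Visa test PAN, expiry 12/15). Not real card data.
var sampleTrack2 = []byte("4111111111111111=1512101")

// deriveReaderKey stands in for key injection: each reader gets its own key
// derived from the acquirer's base key and the reader serial. Assumption:
// real PTS/SRED devices use unique-key-per-transaction (DUKPT); a static
// per-reader key keeps this example short.
func deriveReaderKey(baseKey []byte, serial string) []byte {
	m := hmac.New(sha256.New, baseKey)
	m.Write([]byte("reader-key:" + serial))
	return m.Sum(nil) // 32 bytes, i.e. AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Reader models the SRED function inside the PIN entry device: account data
// is encrypted before it leaves the tamper-responsive hardware.
type Reader struct {
	Serial string
	key    []byte // never exported from the secure hardware
}

// Capture returns nonce || ciphertext. The serial is bound as additional
// data, so a blob cannot be replayed as if it came from another reader.
func (r *Reader) Capture(track []byte) ([]byte, error) {
	gcm, err := newGCM(r.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, track, []byte(r.Serial))...), nil
}

// HSM models the processor-side point of decryption inside the PCI DSS
// environment; it holds the base key and re-derives the reader key on demand.
type HSM struct{ baseKey []byte }

func (h *HSM) Decrypt(serial string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(deriveReaderKey(h.baseKey, serial))
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(serial))
	if err != nil {
		return nil, errors.New("authentication failed: tampered blob or wrong reader")
	}
	return pt, nil
}

// Outcome summarises one capture walked reader -> phone -> acquirer host.
type Outcome struct {
	PhoneSawTrack bool   // did the untrusted handset ever hold card data in clear?
	Recovered     []byte // what the HSM decrypted
	TamperCaught  bool   // was a one-byte change made by the app rejected?
}

func runTransaction(baseKey []byte, serial string, track []byte) (Outcome, error) {
	reader := &Reader{Serial: serial, key: deriveReaderKey(baseKey, serial)}
	blob, err := reader.Capture(track)
	if err != nil {
		return Outcome{}, err
	}
	hsm := &HSM{baseKey: baseKey}
	pt, err := hsm.Decrypt(serial, blob)
	if err != nil {
		return Outcome{}, err
	}
	// Malware on the phone flips one byte in transit; the GCM tag must catch it.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, terr := hsm.Decrypt(serial, tampered)
	return Outcome{PhoneSawTrack: bytes.Contains(blob, track), Recovered: pt, TamperCaught: terr != nil}, nil
}

func main() {
	baseKey := bytes.Repeat([]byte{0x42}, 32) // constructed demo key
	out, err := runTransaction(baseKey, "SRED-0001", sampleTrack2)
	fmt.Printf("phone saw track: %v, host recovered: %s, tamper caught: %v, err: %v\n",
		out.PhoneSawTrack, out.Recovered, out.TamperCaught, err)
}
```

Everything between Capture and Decrypt (the merchant app, the handset OS, the telco) only ever touches the blob, which is what moves those components out of the key areas of risk; the secure element protecting the reader key and the HSM protecting the base key are the two places a real deployment has to get right.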
Mobile solutions permitted by Visa Europe (2/2)
Software based solution / M-commerce app (cardholder mobile device)
• Card details never entered on merchant mobile device
• Secure if back end, registration process and permission to use are protected
• Refer to Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, published in Sept. 2012:
http://www.visaeurope.com/ais
Benefits
• Consistent and familiar experience for cardholders and merchants
• Increased likelihood that cardholders and merchants will use mPOS
• Maintains and reinforces the trust in the brand
• Maintains Visa’s security profile
• Ensures that an exciting new method of payment starts secure
• Bringing new players to market
• Innovative new ideas and concepts
• Reduced costs
Working with industry providers
mPOS solutions: 10 European markets, 7 live implementations, 200k+ merchants by 2014
Mobile devices allowing low cost and easy access payments
Balancing security and integrity with ease of deployment
Thank you