
Page 1

Pursue the Possibilities

International Retail User Group Conference, May 18-21, 2014, Orlando, FL

Architecting Next Generation POS with Security in Mind: A NRF ARTS Perspective

Tom Litchford, Vice President, Retail Technologies, National Retail Federation, [email protected]

Tim Hood, Vice President Strategic Technologies, Chief Solution Architect, Retail, SAP AG, [email protected]

Page 2

NRF’s Technology Leadership Community

CIO Council

• An invitation only committee made up of retailing’s most prominent chief information officers.

IT Security Council

• An invitation only committee made up of retailing’s leading technology security experts.

Association for Retail Technology Standards (ARTS)

• A worldwide community of retail business and information technology professionals organized to help retail enterprises and solution providers identify, adopt and integrate current and emerging technologies into their organizations, strategies and operations.

Page 3

An Average Day in an Enterprise Organization

Every 1 min a host accesses a malicious website

Every 3 mins a bot is communicating with its command and control center

Every 9 mins a High Risk application is being used

Every 10 mins a known malware is being downloaded

Every 27 mins an unknown malware is being downloaded

Every 49 mins sensitive data is sent outside the organization

Every 24 h a host is infected with a bot

Source: Check Point Security Report 2014

Page 4

Breach Concerns are Universal: Now Identified on 10-K Filings as a Top Business Risk Factor

Source: 2014 BDO Retail Risk Factor Report

“As large scale data breaches have become increasingly frequent in the retail industry, risks related to IT systems and data breaches are at an all-time high. Since 2009, the number of retailers citing concerns over data security has more than doubled, and now nine-in-ten note it as a risk factor. And there's good reason: Verizon reports that there were 467 security incidents in the retail industry in 2013, with point-of-sale intrusion and Web application attacks being the most common threats. The NRF recently announced a new Cyber Security Platform designed to provide real-time information about threats and reduce widespread hacks. While the industry continues to invest in security improvements, growing concerns over litigation (91 percent) suggest that failures can be costly beyond the harm to brand reputation and customer loyalty.”

Page 5

Does PCI Compliance Create a False Sense of Security?

• 2013 marked a watershed year for POS hacking

• Bob Russo, Chairman of the PCI Security Standards Council, underscored that PCI compliance certification is a “snapshot in time” when he observed to Computerworld, “You can be in compliance today and totally out of compliance tomorrow”.

• Standards are a valuable tool for measuring and comparing security posture against common metrics. However, security is a continual process of reassessment and adaptation as [retail] environments and data practices change.

• Data breaches represent a multifaceted threat to retailers. The industry faces the formidable challenge of placing greater emphasis on preventing fraud while maintaining positive customer experiences.

Source: Check Point Security Report 2014; 2013 LexisNexis True Cost of Fraud Study

Page 6

The Elephant in the Room

• Massive Data Breaches

• Retail is a lucrative target for the bad actors

• The Financial Services industry prefers to lay blame, call for fines and penalties, and seek financial restitution

• Like it or not, the Federal Government is now involved

• Pressured to protect consumers

• The VISA EMV Mandate

• Need to work collaboratively to find better solutions

Page 7

Chip & What?? The Mad Rush to EMV

EMV is proprietary…

• 25 year old technology developed specifically to combat lost, stolen and counterfeit cards

Chip & PIN everywhere BUT here…

• Chip & Signature, Chip & Choice, Chip & Tokenization

An alternative approach…

• Use encryption and tokenization for all sensitive data

• Demand PIN – an encrypted PIN could address the majority of CP fraud in the US

• Focus on solving the problem across all transaction channels, and allow innovation to occur in the emerging mobile payment space

• If the card brands insist on their version of EMV, let them pay the $30B tab to re-terminal the stores

Page 8

Major Drivers of the Payment Conversation

Multichannel

NFC / HCE / Secure Element

Wallets

EMV

Location Based

Tokenization / P2P Encryption

Bluetooth LE

Page 9

What is the Consumer’s Point of View?

• Supportive of measures to improve security

  • Fraud is in the media, in the press, on TV

  • See signature as almost worthless (“almost never” checked by associates in the store)

  • PIN is part of everyday life – already familiar with ATMs

• Want consistency of shopping experience

• Want to maintain possession of card

• Need to travel

• Don’t leave home without their mobile device

• Appreciate timely and relevant offers

Page 10

Change will be required to support EMV & Other New Payment Models

What?

• Cards

• Issuing systems

• Consumer shopping behavior

• Card acceptance devices

• Point of Sale Systems

• Merchant transaction behavior

• Store Networks

• Host systems

Who?

• Retailers need to assess payment terminals and work with the manufacturers to ensure:

  • Chip compatibility

  • NFC capability

  • PIN pad compatibility

  • EMV Level 1 Certification

  • PCI PTS (PED) Certification

• Retailers need to assess the payment system (POS or POI) and ensure the provider has an enhanced terminal software application with:

  • EMV Level 2 Certification

  • PA-DSS Certification

• Acquirers and Issuers must upgrade their host systems to support:

  • Transmitting additional data fields for each transaction

  • Enhanced cryptography

  • End-to-end testing

Page 11

Developing a payments innovation strategy

EMV/NFC is not the only alternative; for example: Starbucks Mobile App, PayPal, etc.

Potential business objectives for payments innovation:

• Increase sales

  • Reach new customers and/or create incremental sales

  • Integration with couponing and loyalty programs

• Decrease payment processing costs

  • Merchant-branded, i.e. store credit, prepaid, etc.

  • Tender steering

• Improve payment security

  • Dynamic authentication

  • PIN/password on mobile wallets

Payments Innovation Strategy

1. Optimize current payments environment

2. Define business objectives for payments innovation

3. Evaluate customer and store associate use cases

4. Evaluate access technology & payment type alternatives

5. Evaluate financial impacts & project funding alternatives

Consider the holistic financial impact and not just the costs; payments innovation can be self-funding via increased sales and decreased operational costs

Mobile wallet and other payment service providers are anxious to acquire merchants and may help to fund POS upgrades if retailers are assertive

Source: Market Platform Dynamics

Page 12

Card Payments Value Chain

Purchase transaction: Merchant → Acquiring Bank → Network → Issuing Bank → Cardholder

Merchant: Company accepting payment (“Payee”)

  • Merchants – Retailers, Billers, etc.

Acquiring Bank: Merchant’s bank. “Acquiring” – Provide POS terminals, software, card processing, dispute management and merchant customer service

  • Processors – Chase Paymentech, Elavon, etc.

  • Terminals – VeriFone, NCR, ViVOtech, etc.

Network: Intermediary between banks of payor and payee. “Switch” – Provide payment card brand, operating rules, switching & settlement

  • Visa, MasterCard, AMEX, Discover, STAR, NYCE, Pulse, ACCEL, etc.

Issuing Bank: Cardholder’s bank. “Issuing” – Provide payment cards, authorize and clear transactions, and provide ongoing statementing and customer service

  • Issuing Banks – Citi, Wells Fargo, etc.

  • Processors – TSYS, First Data, etc.

  • EMV Card Manufacturers – Gemalto, etc.

Cardholder: Consumer making payment (“Payor”)

Source: Market Platform Dynamics

Page 13

Traditional Payment Architecture (US)

POS → Payment Peripherals → Acquiring Bank

POS communicates with the Acquirer using messages in the acquirer’s format (e.g. an ISO 8583 ‘variant’)

Payment Gateway Optional

POS application is integral part of payment transaction

Page 14

Conceptual Sequence Diagram Traditional Model

Page 15

Next Generation Payment Architecture

Payment System communicates with the Acquirer using messages in the acquirer’s format (e.g. an ISO 8583 ‘variant’)

Payment Gateway Optional

POS Application communicates with Payment System in payment system format

Selling System Payment System Acquiring Bank

POS application is NOT part of payment transaction

Page 16

Conceptual Sequence Diagram Next Generation

Page 17

EPAS Retailer Payment Protocol Standard

• A global XML standard that enables retailers to easily integrate payment systems (POI) with selling systems (POS)

• Selling system is responsible for managing the overall transaction, including

  • Data capture

  • Calculating price, tax, loyalty

  • Recording the transaction

  • …

• Payment system is responsible for all aspects of authorized payments

  • Interacting with the customer

  • Gathering card data

  • Interacting with the acquirer/host

  • Determining approved/declined

www.epasorg.eu

EPASorg develops, promotes and maintains card payment protocols enabling the market to benefit from cost efficiencies, increased competition and enhanced innovation

Bringing together industry stakeholders to drive interoperability in card payments, overcoming the barriers of today’s fragmented card payment environment

Key Participants:

• Banks and Associations: Groupement de Cartes Bancaires, ZKA, APACS, PAN Nordic Card Association, Equens, Paylife, Royal Bank of Scotland, Sermepa, SIBS, Quercia

• Processors and Brands: Visa, AMEX

• Retailers: Total, BP, RSC (C&A), IKEA, Leclerc

• Software Providers: ATOS, Monext, POS Partner, Lyra Network, Gallit, Integri

• Manufacturers: Verifone, Ingenico, Hypercom, Wincor-Nixdorf, Scheidt&Bachmann

NRF-ARTS fully endorses the EPAS Retailer Protocol

Page 18

EPAS Retailer Protocol Example (Simple)

• Selling system makes an authorization request at the beginning of the tender phase

  • “Authorize sale transaction for $76.65 USD”

• Payment system interacts with the customer (usually through the customer display of the payment terminal)

  • “76.65 USD – OK?”

  • “Credit or Debit?”

  • “Would you like cash back?”

  • “How much cash would you like back?”

  • “Insert card now”

  • “Enter PIN”

  • …

• Payment system interacts with the Acquirer/Host and gets approval/decline

• Payment system responds to the Selling system with the result

  • “Transaction Authorized for sale of $76.65 USD and cash back of $60.00 USD. Authorization code XXXXXXXXXXXXXXXX”

Diagram: Selling System ↔ EPAS Retail Protocol Message ↔ Payment System ↔ Acquiring Bank

Page 19

Business Benefits of a Payment Protocol that Isolates Payments

• Enable payment systems to evolve at a more rapid pace than selling systems

  • Regulatory changes (PCI-DSS, EMV, ++)

  • Mobile payments

  • Contactless/NFC

  • Prepaid instruments

• Simplify integration of regional payment systems into global selling systems

  • Acquirers are regional

  • Chip and PIN/EMV

  • German Debit scheme

• Limit the PCI-DSS envelope to the payment system

  • Keep card data out of selling systems

  • Option for returning card data (masked, tokenized, or encrypted) from the payment system to the selling system

• Reduced bank/acquirer certification costs

  • Pre-certified payment systems
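The selling-system/payment-system split of the Page 18 tender example and the scope benefits listed above, as an added illustration that is not code from the deck, EPASorg or ARTS: a simplified Python model in which only the payment system ever handles the PAN, the selling system receives an authorization result carrying masked and tokenized card data, and a check confirms nothing PAN-like crosses the boundary. The message fields, the HMAC token scheme, the demo key and the authorization-code placeholder are assumptions, not the EPAS message format.

```python
import hashlib
import hmac
import re

# Constructed demo key for the payment system's tokenization HMAC (assumption).
# In a real deployment it lives only on the payment system side, never in the POS.
TOKEN_KEY = b"demo-token-key-not-for-production"
PAN_RUN = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn check, used to validate a PAN and to recognise PAN-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Non-reversible surrogate for the PAN (keyed hash; demo scheme, assumption).
    Grouped in fours so the token itself never contains a PAN-length digit run."""
    digest = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:32]
    return "tok-" + "-".join(digest[i:i + 4] for i in range(0, 32, 4))


def payment_system_authorize(request: dict, card_data: dict) -> dict:
    """Payment system side: it alone handles the terminal-captured card data, talks to
    the acquirer (stubbed as an approval) and returns only what the sale needs."""
    pan = card_data["pan"]
    if not luhn_valid(pan):
        return {"result": "declined", "reason": "invalid card number"}
    return {
        "result": "authorized",
        "amount": request["amount"],
        "currency": request["currency"],
        "cash_back": request.get("cash_back", "0.00"),
        "auth_code": "AUTHCODE-PLACEHOLDER",  # would be supplied by the acquirer
        "masked_pan": mask_pan(pan),
        "token": tokenize_pan(pan),
    }


def contains_card_data(message: dict) -> bool:
    """Scope check: does any field carry a Luhn-valid 13-19 digit run, i.e. a PAN?"""
    return any(luhn_valid(run) for v in message.values() for run in PAN_RUN.findall(str(v)))


def run_tender(amount: str, cash_back: str, card_data: dict) -> dict:
    """One tender as in the deck's example: the selling system builds the request and
    consumes the response; card_data is what the terminal captured, seen only by the
    payment system. The scope check is the boundary the architecture relies on."""
    request = {"amount": amount, "currency": "USD", "cash_back": cash_back}
    response = payment_system_authorize(request, card_data)
    if contains_card_data(response):
        raise RuntimeError("card data reached the selling system")
    return response
```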

Page 20

End to End Encryption

Read Cardholder Data → Card Data Encrypted at Card Reader → Merchant Network Secured with SSL → Optional Payment Gateway Connection → Acquirer Decryption & Auth’n

• Card data is encrypted on the payment terminal and forwarded over an SSL socket via the merchant network to the gateway, then over the gateway’s private network to the bank for authorization

• The authorization response is sent back to the gateway

• The message is sent back through the SSL socket to the payment terminal

• The response is received at the payment terminal for completion

Page 21

End to End Encryption vs Tokenization

Source: PricewaterhouseCoopers September 2009 Market Study

Page 22

PCI DSS Requirements: Codification of Security Best Practices for Merchants

Security Principle / PCI DSS Requirement

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

Page 23

Architecting Next Generation POS for Security

• Opportunity now to rethink payments strategy

• Review the infrastructure holistically while focusing on improving the customer experience

• Address security and liability risk

• Isolate payments business logic and technologies

• Provide greater flexibility to respond to constantly evolving payments technologies and regulations

Page 24

ARTS Payment Integration White Paper: Use Case Summary

• Sale

• Return

• Pre-Authorization/Completion

• Manual Authorization/Floor limits/Force

• Payments on Layaway/Layby

• Paid In/Paid Out

• Fleet Cards

• Activation/Top-Up/Cashout/De-activation/reversal (gift card)

• Line Void

• Post Void

• Cancel Authorization request (while waiting for authorization to be returned)

• Payment to account

• Cash back

• Open/Close Terminal

• Open/Close Store

Page 25

Call to Action

• If you haven’t started yet, you are late

• There is no single solution, think in layers

• If you think you are finished, you are vulnerable

“The threat has reached the point that, given enough time, motivation, and funding, a determined adversary will likely be able to penetrate any system accessible from the Internet.”

Joseph M. Demarest, Assistant Director, Cyber Division, Federal Bureau of Investigation. Statement before the Senate Judiciary Committee, May 8, 2013

This is an opportunity to increase customer satisfaction while improving security and protecting your valuable brand

Page 26

ARTS Twenty Years of Leadership

Page 27

37th Annual Conference

International Retail User Group: Pursue the Possibilities

Thank You!

Tom Litchford

[email protected]

Tim Hood

[email protected]