Payment Security Update - Conexxus · 2018-08-30

Page 1

Payment Security Update

Rick Dakin, CEO & Cofounder

October 2, 2014

Page 2

Agenda

Coalfire Introduction

Changing Environment: Threats, Technology, Compliance

Mobile Security

Recent Data Breaches

Risk Management Strategies

Page 3

About Coalfire


Focused expertise in Healthcare (HIPAA), Retail (PCI), Banking (GLBA), Utilities (NERC) and Cloud (FedRAMP)

Over [200] employees and contractors across [8] offices: UK, Denver, Seattle, New York, Atlanta, Los Angeles, San Francisco and Dallas

Full suite of IT GRC solutions: compliance audit, risk and vulnerability assessment, application security, penetration testing and forensic analysis

Served over [1,500] clients to date, including Oracle, Epic, IBM, Ford, Nordstrom, EchoStar, Microsoft, Intuit, Overstock, Savvis

IT Governance, Risk and Compliance

Leading independent provider of IT Governance, Risk and Compliance (IT‐GRC) solutions

Page 4

Changing Environment


New attack vectors

More active Nation States

New attack surfaces

Page 5

Payments  ‐ Yesterday and Today

Page 6

What’s a consumer mobile device?

Page 7

Sensitive data goes mobile

• Payment data

• Corporate email

• Corporate apps

• VPN credentials

• Banking data

• Healthcare ePHI

• Home automation

• Automotive

• Social

• Dropboxes

We can’t wait to manage sensitive data on mobile.

Page 8

What are Mobile Payments?

• Consumer electronic device – this is generally assumed to be a widely available device that runs one of the “mobile” operating systems currently available. Form factor, and the term “mobile,” is becoming increasingly irrelevant, but will include devices not capable of meeting traditional PCI DSS requirements around host or server based security.

• iOS, Android, Windows Mobile

• Devices can serve many functions including payment capture, payment presentment, client access for ecommerce transactions, store use, etc.

• Purpose‐built payment device – these devices fall into one of the categories described in the PCI PTS standard

• Traditional card swipe and PIN capture devices

• SCR – Secure card readers can be attached using USB, serial, audio jack, dedicated device ports, etc.

Page 9

More Mobile Payments

• Wallets, e‐wallets, digital wallets – These are applications and/or services that facilitate the access to, storage and presentment of consumer payment details

• Wallet applications can be enabled using various techniques and technologies (QR codes, NFC, Web transfer, etc.)

• It is generally (and wrongly) assumed that wallets store payment details securely using consumer electronic device protections or other means (secure element or secure cloud storage)

• Mobile POS or mPOS – an increasingly difficult use case to define, but generally refers to the use of a non‐traditional POS application/system/tool to facilitate the consumer checkout process in a face‐to‐face situation

Page 10

Mobile Payment Options

Wallets: Google Wallet, PayPal, MasterCard PayPass

Payment Applications: Square, PayPal Here, Verifone Mobile Pay, Apple Pay

Page 11

Can this possibly be safe?

Page 12

Threats and attacks are increasing

“Repackaging”

Spy‐ads

Malware

Phishing

Loss / Theft

QR attacks

Wi‐Fi

Botnet

Smartphones are 90% more likely to be lost than laptops

Phishing is many times more successful on mobile devices

Android Market had over 400,000 downloads of malicious apps identified in 2011

Legitimate‐sounding applications from the Dark Side

Multi‐media whiz‐bang idea, can be used for evil

Man‐in‐the‐middle attacks, just like using a laptop

An emerging threat to organizational infrastructure 

Mobile’s proliferation and access to sensitive data make it an enticing target

Page 13

Vulnerabilities of the mobile platform today

Security awareness and usage

Confusion over security “ownership”

Small size increases loss and theft

Authentication and access control not designed for multi‐user or secure application management

Mobile security standards are immature and not consistently deployed … even when available

o No firewalls
o No system hardening or patching
o No monitoring or alerting
o No antivirus

Page 14

Payment security trends on mobile devices

Deploying encrypting sled devices provides the fastest way to reduce risk for merchant acceptance on consumer mobile … stay on the current POS platform (Verifone, Ingenico, etc.)

Integrate a 3rd party payment gateway that handles all encryption on the POS and decrypts the authorization request in the cloud (Square, Shift 4, Verishield, etc.)

Close your eyes and hope for the best. “Deploy a dongle.” While the most popular route today, it offers no risk mitigation and no ability to achieve PCI compliance.

Page 15

Merchant acceptance strategies – not clear cut

The risks highlighted previously are compounded when mobile is now an aggregating point of sensitive data.

Are customers demanding the replacement of their credit card with a mobile device?

Should a merchant consider cloud‐based wallets, carrier payment solutions or mobile‐based store loyalty/gift programs?

Page 16

Compliance Strategies – Not clear cut

PCI DSS Special Interest Groups, Mobile Task Force, Working Groups

Guidance Published

• Mobile Payment Acceptance Security Guidelines for Developers (Sept 2012)
  o Use secure and dedicated payment sleds
  o Prefer PTS approved device … accept PIN transactions

• Mobile Payment Acceptance Security Guidelines for Merchants (Feb 2013)
  o You own all the risk for non‐validated payment devices

Mobile Guidance

• Category 1 – PTS approved device
• Category 2 – Single-Use device
• Category 3 – Multi-Use device

Page 17

Compliance Strategies – part 2

Visa Ready

“The program provides innovators a path for the certification of devices, software and solutions used to initiate or accept Visa payments as well as guidance and best practices to access the power of the Visa network.”

http://usa.visa.com/business/why-pay-with-visa/visa-ready.html

Acquirers

Ultimately, it is up to the acquirer to determine what mobile acceptance platforms are acceptable

Third party evaluation may be acceptable in the interim

Page 18

Merchant PCI Compliance Concerns

Using an “un‐validated” mobile POS solution?

PCI DSS ROC Scope:

• No assurance that Track Data isn’t captured and stored insecurely

• Wireless is in scope at merchant retail environments

• Centralized logging and monitoring is virtually impossible

PCI DSS SAQ Risk:

• Up to the responsible merchant to accurately determine scope and applicability

Page 19

Mobile security action items

Mobile is here … deal with the risk

o Awareness
o New policies and security controls
o Training
o Risk Assessment before integration of 3rd parties or deployment of new technologies
o Require encryption and tokenization
o Enhance physical security

Enhance testing and oversight while new technologies are being deployed

o Validated applications and service providers … make it mandatory … even without PCI requirement

Make users aware that their wallets have no firewalls, security controls or fraud protection … NOT YOUR JOB TO PROTECT THEM

Page 20

NFC mobile payments – just around the corner?

Legacy paradigm of plastic cards represented by a mobile device expands the security challenges for PCI.

The mobile wallet contains the valuable assets – now who is the “owner”?

Billions of mobile devices will now contain “toxic” cardholder data – so much for limiting the footprint.

Mobile security management solutions take on an even greater importance

Page 21

Now … Apple Pay is here with a new security strategy

Flow diagram participants: Card Issuer, Mobile Wallet, Merchant NFC, Card Processor or Acquiring Bank (with a token Vault and a Token exchange)

1. Request Mobile card
2. User identified
3. Card and associated token issued
4. Token installed in wallet
5. Token presented to merchant
5. Transaction receipt
6. Authorization request with token
7. Transaction authorized
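The token flow on this slide, modelled as an added example (not code from the deck, Apple or Visa): a vault that is the only place a token maps back to a PAN, a merchant that stores nothing but the token, and a replay of that token from a second phone. The sample PAN, device identifiers, the device-binding check (standing in for the wallet's transaction cryptogram) and the spending limit are assumptions.

```python
import secrets

# Constructed sample data for the walkthrough (not a real card or device).
SAMPLE_PAN = "4111111111111111"
PHONE_A, PHONE_B = "device-A", "device-B"

def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string; payment tokens stay Luhn-valid like PANs."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # doubled positions once the check digit follows
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

class TokenVault:
    """The only place a token maps back to a PAN; it lives with the processor, never the merchant."""

    def __init__(self):
        self._entries = {}  # token -> (pan, device_id)

    def issue_token(self, pan: str, device_id: str) -> str:
        # Steps 1-3: the wallet requests a mobile card, the user is identified (assumed done
        # out of band), and the issuer creates a random token bound to the requesting device.
        payload = "9" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        token = payload + luhn_check_digit(payload)
        self._entries[token] = (pan, device_id)
        return token

    def detokenize(self, token: str, device_id: str):
        # Token exchange: honoured only from the device the token was issued to (device
        # binding here is an assumption standing in for the wallet's transaction cryptogram).
        entry = self._entries.get(token)
        return None if entry is None or entry[1] != device_id else entry[0]

class Processor:
    def __init__(self, vault: TokenVault):
        self.vault = vault

    def authorize(self, token: str, device_id: str, amount: int) -> bool:
        # Step 6: the request carries only the token; the PAN is recovered inside the
        # processor. Step 7: approval decision (constructed spending limit for the demo).
        pan = self.vault.detokenize(token, device_id)
        return pan is not None and amount <= 500

class Merchant:
    def __init__(self):
        self.receipts = []  # everything the merchant ever stores

    def checkout(self, presented: dict, amount: int, processor: Processor) -> bool:
        # Step 5: the token is presented over NFC and forwarded unchanged to the processor.
        approved = processor.authorize(presented["token"], presented["device_id"], amount)
        self.receipts.append({"token": presented["token"], "amount": amount, "ok": approved})
        return approved

def run_flow() -> dict:
    """Provision a token to phone A, pay once, then replay the same token from phone B."""
    processor, merchant = Processor(TokenVault()), Merchant()
    token = processor.vault.issue_token(SAMPLE_PAN, PHONE_A)  # steps 1-3
    wallet = {"token": token, "device_id": PHONE_A}  # step 4: token installed in wallet
    first = merchant.checkout(wallet, 120, processor)  # steps 5-7
    replay = merchant.checkout({"token": token, "device_id": PHONE_B}, 120, processor)
    pan_leaked = any(SAMPLE_PAN in str(r) for r in merchant.receipts)  # what a merchant breach yields
    return {"token": token, "first": first, "replay": replay, "pan_leaked": pan_leaked}
```

The point for the "who owns the toxic data" question on the next slide: a breach of the merchant's receipts yields tokens, and a token replayed from another device is refused, so the PAN never leaves the vault.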

Page 22

And … What is up with all those data breaches?


Page 23

A wake‐up call – the cyber threat is increasing


Page 24

Current Cyber Attack Data


Page 25

Heartbleed Bug opens new vulnerabilities


User / Admin Credentials Captured

Web sites are no longer secure

Perimeter devices (firewalls and routers) are vulnerable

A single credential can be escalated to compromise entire access control mechanisms

Criminals don’t have to take some of the data … they can take it all!

Page 26

Kill Chain Analysis Report

Page 27

Missed Opportunities


Page 28


Lessons Learned

Page 29

New VISA Guidance to Retailers


Compliance / Security / Risk Management

VISA Strategy

Enhance network security

Control administrative accounts

Harden POS platforms

Secure web accessible applications

Mitigate 3rd Party Risk

Deploy more secure applications: EMV, Encryption, Tokenization

Page 30

Beyond compliance – focus on security


Defense in Depth: Secure Applications; Physical and logical access controls in place (focus on admin users); Sufficient network segmentation; FIM or White List solution; SIEM solution & Monitoring (become agile)

New Security Technology: EMV, Tokenization or Encryption

Static to Active Security: Continuous Monitoring, Integrated Incident Response, Change Management

Page 31

CEO IT Security Scorecard


1. Are we already compromised but simply do not know it yet?

2. How would I know if we had a serious alert and when it would be escalated?

3. If we have a serious vulnerability, how would the senior executive team know if it has been remediated to an acceptable level of risk?

Page 32

Risk Management Strategies


Page 33

Increasing Maturity for Cyber Risk Management


Chart axes: Depth of Service; Maturity of Service. Range labels: Baseline Compliance Management, Enterprise IT Risk Management.

Compliance Validation (ITGC): PCI, HIPAA, SSAE16, FISMA, FedRAMP

Technical Testing: Vulnerability Scans, Pen Testing

Continuous Diagnostics: AppSec, Forensic, APT, Sand Box

Analysis: CCM, Risk Assessment

Risk Management: Advisory, Governance

Page 34


Market Maturity 2014 – Cyber Risk Management

1. Governance – early efforts focused on policies and compliance reporting.

2. Compliance – The early winner for resources. Organizations did not want to be negligent and made baseline compliance investments.

3. Security Operations – While compliance achieved baseline results, operations remain sporadic and largely ineffective against current threats.

4. Security Testing – Basic vulnerability testing and light pen testing have become commonplace. However, effective infrastructure, application security and 3rd party integration are largely unserved.

5. Threat Management – The hackers and adversarial nation states are winning. While tools are becoming available, the skills and resources to counter more sophisticated threats remain weak.

Chart: Industry Cyber Maturity Rating ‐ 2014 (scale 0 to 5) for Governance, Compliance, Security Operations, Security Testing and Threat Management

1. Initiated – early efforts with an informal organization.

2. Piloted – functional expertise and some early repeatability. Getting the job done.

3. Deployed – Baseline operations achieved and deployment teams in place.

4. Institutionalized – The entire organization operates with consistency and quality.

5. Optimized – This visionary and collaborative state allows for all to contribute to include partners and clients.

Page 35


Market Maturity – Cyber Risk Management Definitions

Compliance
1. IT General Controls Matrix and Metrics
2. IT GC testing and operational response
3. Internal Compliance Validation
4. External Compliance Validation
5. Beyond Compliance Testing and Reporting

Technical Testing
1. Vulnerability Scanning
2. Vulnerability Management – includes remediation tracking
3. Penetration Testing
4. Application Testing and Validation
5. Red Team Testing and integrated control validation through forensic testing

Security Operations
1. Network and system security
2. Logging, monitoring and response
3. Application security and 3rd party controls
4. Integrated forensic analysis and incident response
5. Continuous diagnostics and enterprise dashboard reporting

Threat Management
1. Threat advisory processing
2. Malware protection
3. Application White Listing
4. APT Detection and Response
5. Threat Intelligence Management and integration into industry threat groups

Governance
1. Policies and enforcement
2. Security plans (Disaster Recovery, Incident Response, 3rd Party Management)
3. Compliance Reporting
4. Risk Analysis and Advisory
5. Risk Management and appropriate Cyber Insurance

Page 36


Market Maturity 2016 – Opportunity for Growth

While the need for enhanced compliance management will grow, it will not grow at the rate or complexity of the other cyber risk management components. The following opportunities will dominate.

• Sec Ops - Become more nimble at security operations. Convert static security perimeters and fragile systems to dynamic event monitoring and response.

• Security Testing – Expand routine vulnerability scans to include continuous application level testing. Extend pen tests to full red team exercises.

• Threat Management – An emerging area that will determine winners and losers is threat management. New tools for detecting APT and other threats will enable better responses and proactive planning for security operations.

• Governance - Governance will move upstairs. Executives and boards are just now starting to interact with IT leadership to manage cyber risk. They need better dashboards, testing and analysis.

Chart: Industry Cyber Maturity Rating ‐ 2016 (scale 0 to 5 in 0.5 steps) for Governance, Compliance, Security Operations, Security Testing and Threat Management

Page 37

Questions

Rick Dakin, Coalfire CEO

[email protected]