Troy Leach April 2012 The PCI Security Standards Council


DESCRIPTION

The PCI Security Standards Council. Troy Leach April 2012. About the Council. Open, global forum Founded 2006. Responsible for PCI Security Standards. Development Management Education Awareness. PCI Security Standards. Protection of Cardholder Payment Data. - PowerPoint PPT Presentation


Page 1: Troy Leach April 2012

The PCI Security Standards Council

Troy Leach, April 2012

Page 2

About the Council

Open, global forum. Founded 2006.

Responsible for PCI Security Standards:

• Development

• Management

• Education

• Awareness

Page 3

PCI Security Standards: Protection of Cardholder Payment Data

Ecosystem of payment devices, applications, infrastructure and users:

• Manufacturers: PCI PTS (PIN Entry Devices)

• Software Developers: PCI PA-DSS (Payment Applications)

• Merchants & Service Providers: PCI DSS (Secure Environments)

Diagram overlay: MOBILE PAYMENTS

Page 4

Agenda

• Technology Updates: Mobile

• Industry Engagement

• Questions & Answers

Page 5

Environmental Considerations at a Glance

• Market

  • Increased interest in adoption of a variety of mobile technologies

  • Absence of both traditional controls and standards

• PCI SSC Activity

  • Create efficient mechanisms for broader engagement

  • Evaluate need to develop standards

  • Facilitate, when applicable, easier compliance mechanisms

Page 6

Areas of Focus for Mobile

• Devices: Tamper-resistance, Secure Card Readers, POI & P2PE

• Applications: Requirements and/or Best Practices for authorization and settlement

• Service Providers: Service provider protection of cardholder data and validation

Page 7

Peripheral Device Encryption

SCR and other POI

Cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.

The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data.

New PTS approval class for Secure (Encrypting) Card Readers (SCR).

Page 8

Mobile Phone Plug-in SCR

• Audio connector plugs into the phone’s headphone jack

• Plug-in MSR encrypts data on the reader even before it reaches the phone

• QSA must determine data is NOT decrypted on phone

• No PIN entry

• Also works on computers – any device with an audio input jack
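The conduit model described on the two slides above (peripheral device encryption and the plug-in SCR), as an added example that is not part of the original presentation or any PCI SSC material: a constructed Python model in which only the reader and the processor hold the data key, the phone only forwards ciphertext, and a check confirms the phone's software never handled the PAN. The HMAC-based cipher is a labelled stand-in for the reader's hardware encryption, not the cipher or key management an approved SCR actually uses.

```python
import hmac, hashlib, os

# Constructed stand-in for the reader's hardware encryption: an HMAC-SHA256
# keystream plus an HMAC tag. Real SCRs use approved payment ciphers and key
# management; this toy only models WHERE the key lives, not the algorithm.
def _stream(key, nonce, n):
    k = hmac.new(key, b"enc", hashlib.sha256).digest()
    blocks = (hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, nonce, ct):
    k = hmac.new(key, b"mac", hashlib.sha256).digest()
    return hmac.new(k, nonce + ct, hashlib.sha256).digest()

def scr_encrypt(key, track):
    """Runs inside the SCR: track data is encrypted before it leaves the reader."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track, _stream(key, nonce, len(track))))
    return nonce + ct + _tag(key, nonce, ct)

def processor_decrypt(key, blob):
    """Runs in the decryption environment; rejects any blob altered in transit."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("authentication failed: blob altered between reader and processor")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class MobilePhone:
    """The conduit: it holds no key, so all it can do is forward opaque bytes."""
    def __init__(self):
        self.observed = []          # everything the phone's software ever handled
    def forward(self, blob):
        self.observed.append(blob)
        return blob

def run_transaction(track, key):
    """Swipe at the reader, pass through the phone, decrypt at the processor.
    Returns (cleartext recovered at the processor, phone_never_saw_pan)."""
    phone = MobilePhone()
    blob = phone.forward(scr_encrypt(key, track))
    clear = processor_decrypt(key, blob)
    pan = track.split(b"=")[0].lstrip(b";")     # PAN is the field before '=' in track 2
    return clear, all(pan not in seen for seen in phone.observed)

# Constructed sample track-2 data (test PAN) and a reader/processor shared key
SAMPLE_TRACK = b";4111111111111111=25121011000012345678?"
SAMPLE_KEY = hashlib.sha256(b"constructed demo key, not a real payment key").digest()
```

The `phone_never_saw_pan` check is the property a QSA is asked to confirm on the slide: with no key on the phone, the only thing its software can observe is the opaque blob.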

Page 9

2011 Guidance

Mobile Update – Announcement and FAQ

Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and validating mobile payment acceptance applications to version 2.0 of the PA-DSS.

Page 10

Mobile Application Categories

• Category 1: PTS Approved PED Devices

• Category 2: Purpose Built POS Devices

• Category 3: General Purpose Smart Device

Applications for category 1 and 2 devices are eligible for PA-DSS. Applications for category 3 devices are pending development of further guidance and/or standards.

Page 11

Current Environmental Concerns

• Rapid development of applications

• Lack of “traditional” controls

• Too Many Privileges

• Malicious Apps

• Wi-Fi Sniffing / Blackjacking

• Radiation of keys and side channel attacks

• Distribution and persistent connectivity

• Ownership and use policy

Page 12

PTS PED Vendor Solutions

• Phone is designed and purpose built as a secure device

• Because it is a secure tamper-protected device, it may use either an SCR or a data key managed similar to a PIN key

• By definition does not use off the shelf mobile phones

Page 13

PTS PED Vendor Solutions

• Phone compartment: cradle for phone

• May employ encrypting card reader or use data key managed similar to PIN key

• Card readers integrated to PED

Page 14

Application Security within Smart Devices

Exposure of CHD within device

Cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device.

The mobile device has access to cleartext cardholder data.

Mobile Task Force to provide guidance and/or best practices.

Page 15

2012 Guidance Calendar

• Mobile SCR & P2PE Guidance for Merchants

• Mobile Acceptance Best Practices

• Mobile SCR & P2PE Guidance for Assessors and Vendors

• Roadmap for Category 3 Applications

Page 16

Three Year Outlook: Mobile

• Devices and Peripherals:

  • Publish guidance on use of attached PTS POI to mobile with P2PE

• Applications:

  • Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation

  • Create AQM checklist for PA-DSS qualification

  • If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data

• Service Providers:

  • Evaluate for potential guidance and/or security requirements for third-parties with access to cardholder data

Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants require Council to address.

Page 17

Agenda (continued)

• Technology Updates: Mobile

• Industry Engagement

• Questions & Answers

Page 18

Mobile Task Force

• PCI Council Members and staff, volunteer participating organizations and subject matter experts

• Subject matter experts especially important when examining Scenario 2

• Examples of subject matter experts:

  • Security Assessors

  • OS Platform Vendors

  • Financial Processors

  • Device Manufacturers

Page 19

Mobile Task Force

The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.

Page 20

Any Questions?

Please visit our website at www.pcisecuritystandards.org