1 / 22

POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme

POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme. Common Approval Scheme POI Working Group SRC Security Research & Consulting GmbH. Content. Affected payment systems components Domestic evaluation schemes and Payment Card Industry (PCI)

patch
Download Presentation

POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme Common Approval Scheme POI Working Group SRC Security Research & Consulting GmbH

  2. Content • Affected payment systems components • Domestic evaluation schemes and Payment Card Industry (PCI) • Single European Area requirements (SEPA) • Common Approval Scheme (CAS) for banking IC cards • CAS for POS/ATMs (POI) • POI PP Security Requirements • Experiences in the creation of the POI PP • Foresight

  3. Affected Payment System Components • Banking IC cards • Point of Sale Terminal (POS) • IC card based electronic payment • Includes PIN Entry Device (PED) and other components (e.g. card reader) • Automated Teller Machine (ATM) • IC card based electronic money withdrawal • Includes Encrypting PIN Pad (EPP) and other components • ATM and POS both are defined as Point of Interactions (POIs)

  4. Domestic Evaluation schemes • Throughout many European countries the banking industry • Has set security requirements • To manage risks within payment systems effectively • Compliance of payment systems components with these security requirements has to be proved by security evaluations • Different security levels and requirements • Obstacle for mutual recognition of security evaluations

  5. Examples for Domestic Evaluation Schemes • APACS (United Kingdom) • Common Criteria (without formal certification) • Based on APACS PED Protection Profile • ZKA (Germany) • Domestic high level security requirements • Informal scheme • Currence (Netherlands) • PCI+

  6. Payment Card Industry Evaluations • Global Scheme with security requirements aligned by MasterCard and VISA • Evaluator performs steps based on test and security requirements defined by PCI • Composition of design, test and vulnerability analysis adapted for ATM (EPP) and POS (PED) • Comparison to Common Criteria • Design evaluation based on vendor questionnaire, no code review (ADV_IMP) • Predefined test cases, no ALC, ACM, ADO • Requirements of resistance against high attack potential

  7. SEPA Standardisation for Card Payments • Use of international standards for cross-border and domestic transactions • Technical requirements for payment system components are becoming closely aligned throughout Europe • The European Payments Council in its Single European Payment Area (SEPA) Cards Framework (SCF) • Defines certification principles as interoperability principles to be worked out • Security requirements and mutual recognition are explicitly stated

  8. SEPA Standardisation for Card Payments EPC SEPA Cards Framework SCF: • „In order for the objectives of this Framework to be achieved, SEPA-level interoperability must be ensured in the following 4 domains: • cardholder to terminal interface, • cards to terminal (EMV), • terminal to acquirer interface (protocols or minimum requirements), • acquirer to issuer interface, including network protocols (authorization and clearing).“ • „A common process for the certification of terminals, cards, and network interfaces will be defined in line with the principle described in Chapter 2.3.2.“ • „Card schemes will engage in mutual recognition for type approval. Any terminal certified for SEPA transactions by a certification body in one SEPA country can be deployed in any SEPA country for acceptance of SEPA cards across all SCF compliant schemes.“

  9. Common Approval Scheme Initiative • Common Approval Scheme (CAS) initiative has been originated • to agree on common security requirements harmonising the existing requirements • to agree on common evaluation methodology • using the Payment Card Industry (PCI) security requirements for POS/ATM as the basis for technical req. • Reducing the number of security evaluations to be performed by manufacturers and reducing the costs of security certification

  10. Belgium Atos Wordline, Banksys • France Cartes Bancaires • Germany ZKA • Italy Progetto Microcircuito • Luxemburg CETREL • Netherlands Currence, Equens • Norway BSK • Portugal SIBS • Spain Servired, Sistema 4B • Sweden PNC • United Kingdom APACS • ... (open to additional participants) Countries CC experts involved:Trusted Labs (France)SiVenture (United Kingdom)SRC (Germany)

  11. CAS Cards Working Group • Harmonisation of security requirements and methodology accomplished • Result is a finalised Generic Security Target for CC evaluations of banking IC cards • Thus no Protection Profile for banking IC cards • Generic Security Target is a guideline • Co-ordination with ISCI/JHAS • Preparation of pilot evaluations • Open question: Who will verify whether Security Target meets Generic Security Target?

  12. CAS Terminal Working Group • Work in progress: Evaluation according to PCI or CC? • Harmonisation of security requirements (in progress) • Including PCI POS PED security requirements • Harmonisation of evaluation methodology (in progress) • For CC approach results in POI Protection Profile • Within a feasibility study it will be examined whether CC evaluations conformant to the developed PP(s) pave the way for SCF compliant certification criteria and mutual recognition of security certificates

  13. Generic POI Architecture

  14. Security Problem and Security Objectives • Assets • PIN, POI management and payment transaction data, software, cryptographic keys • Threats • Perform unauthorised payment transactions by disclosure of PIN or keys or manipulation of software or data • Security Objectives • Confidential PIN Entry and PIN Processing • Authentic and integer payment transaction • Authentic and integer usage of software and related hardware / application separation

  15. CAS POI Security Requirements (subset) • PCI • Physical and logical security requirements • Tamper-responsive hardware, … • Self-test, logical anomalies, … • PCI + • Extension to message integrity for ATM/POS • Extension of requirements for Life Cycle • Code analysis • PCI – • Plaintext PIN protection at level less than high • Magnetic stripe security

  16. Challenges to create a PP for a complex product • Define the Target of Evaluation • Different implementation architectures shall be allowed • Different payment system components (ATM, EPP, POS, PED) shall be considered • Application separation • Two Evaluation Assurance Level • High attack potential as objective for PIN Entry and Enciphered PIN processing but low costs • Protection level for Plaintext PIN and POI management and transaction data processing below high • Different hardware security requirements

  17. Minimum POI

  18. POI components connected via an open network

  19. POI Protection Profile

  20. Foresight • Finalising POI PP • Pilot evaluation based on POI PP • Mutual recognition and certification scheme • Discussion already started with BSI, DCSSI, CESG • Founding a group like ISCI/JHAS for IC cards • Decision for PCI methodology or Common Criteria based on PCI functional security requirements • Any questions?

  21. Contact SRC Security Research & Consulting GmbH Graurheindorfer Str. 149a 53117 Bonn Tel. +49-(0)228-2806-0 Fax: +49-(0)228-2806-199 E-mail: info@src-gmbh.de WWW: www.src-gmbh.de

More Related