The PCI Security Standards Council Troy Leach April 2012
About the Council
Open, global forum
Founded 2006
Responsible for PCI Security Standards
• Development
• Management
• Education
• Awareness
PCI Security Standards: Protection of Cardholder Payment Data
• Merchants & Service Providers: PCI DSS (Secure Environments)
• Software Developers: PCI PA-DSS (Payment Applications)
• Manufacturers: PCI PTS (PIN Entry Devices)
PCI Security and MOBILE PAYMENTS: an ecosystem of payment devices, applications, infrastructure and users
Agenda
• Technology Updates: Mobile
• Industry Engagement
• Questions & Answers
Environmental Considerations at a Glance
• Market
  • Increased interest in adoption of a variety of mobile technologies
  • Absence of both traditional controls and standards
• PCI SSC Activity
  • Create efficient mechanisms for broader engagement
  • Evaluate need to develop standards
  • Facilitate, when applicable, easier compliance mechanisms
Areas of Focus for “MOBILE”
• Devices: tamper-resistance, Secure Card Readers, POI & P2PE
• Applications: requirements and/or best practices for authorization and settlement
• Service Providers: service provider protection of cardholder data and validation
Peripheral Device Encryption
The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data.
New PTS approval class for Secure (Encrypting) Card Readers (SCR).
SCR and other POI: cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.
Mobile Phone Plug-in SCR
• Audio connector plugs into the phone’s headphone jack
• Also works on computers – any device with an audio input jack
• Plug-in MSR encrypts data on the reader even before it reaches the phone
• QSA must determine data is NOT decrypted on the phone
• No PIN entry
2011 Guidance
Mobile Update – Announcement and FAQ. Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and on validating mobile payment acceptance applications to version 2.0 of the PA-DSS.
Mobile Application Categories
• Category 1: PTS Approved PED Devices
• Category 2: Purpose Built POS Devices
• Category 3: General Purpose Smart Device
Applications for category 1 and 2 devices are eligible for PA-DSS. Applications for category 3 devices are pending development of further guidance and/or standards.
Current Environmental Concerns
• Rapid development of applications
• Lack of “traditional” controls
• Too many privileges
• Malicious apps
• Wi-Fi sniffing / Blackjacking
• Radiation of keys and side channel attacks
• Distribution and persistent connectivity
• Ownership and use policy
PTS PED Vendor Solutions
• Phone is designed and purpose built as a secure device
• By definition does not use off-the-shelf mobile phones
• Because it is a secure, tamper-protected device, it may use either an SCR or a data key managed similarly to the PIN key
PTS PED Vendor Solutions (cradle)
• Cradle for phone, with a phone compartment
• Card readers integrated into the PED
• May employ an encrypting card reader or use a data key managed similarly to the PIN key
Application Security within Smart Devices
Exposure of CHD within the device: cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device. The mobile device has access to cleartext cardholder data.
Mobile Task Force to provide guidance and/or best practices.
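The contrast between the SCR model (the phone is a conduit that never holds the reader's key) and the smart-device model (cleartext cardholder data transits the phone) can be checked in code. The following is an added example, not Council or vendor code: `scr_encrypt` is a hypothetical stand-in for a reader's cipher (a keyed keystream, not a PTS-approved algorithm), and `find_cleartext_pans` is the kind of check an assessor might run over the bytes the phone actually handles, using Luhn validation to flag PAN-like digit runs.

```python
import hashlib
import hmac
import os
import re

# Constructed sample input: a track-2-style string built from the well-known
# 4111... test PAN; it is not a real account number.
TEST_PAN = "4111111111111111"
TRACK2 = f";{TEST_PAN}=25121010000000000000?"

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(blob: bytes) -> list:
    """Return Luhn-valid 13-19 digit runs found in the bytes the phone handled."""
    text = blob.decode("latin-1")
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def scr_encrypt(track: str, reader_key: bytes) -> bytes:
    """Hypothetical reader-side encryption: nonce || (track XOR HMAC keystream).
    Stands in for the reader's real cipher; the point is that only the reader
    (and the decrypting host) hold reader_key, never the phone."""
    nonce = os.urandom(16)
    stream, counter = b"", 0
    while len(stream) < len(track):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(reader_key, block, hashlib.sha256).digest()
        counter += 1
    return nonce + bytes(a ^ b for a, b in zip(track.encode(), stream))


def phone_forwards(payload: bytes) -> bytes:
    """The phone as a conduit: relays bytes unchanged and has no key to decrypt."""
    return payload


def manual_key_entry(pan: str) -> bytes:
    """Category 3 style input: the PAN is typed on the device in the clear."""
    return pan.encode()
```

Running `find_cleartext_pans` over `phone_forwards(scr_encrypt(...))` returns nothing, while the manual-entry path exposes the PAN on the phone.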
2012 Guidance Calendar
• Mobile SCR & P2PE Guidance for Merchants
• Mobile Acceptance Best Practices
• Mobile SCR & P2PE Guidance for Assessors and Vendors
• Roadmap for Category 3 Applications
Three Year Outlook: Mobile
• Devices and Peripherals:
  • Publish guidance on use of attached PTS POI to mobile with P2PE
• Applications:
  • Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation
  • Create AQM checklist for PA-DSS qualification
  • If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data
• Service Providers:
  • Evaluate for potential guidance and/or security requirements for third parties with access to cardholder data
The Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants require the Council to address them.
Agenda
• Technology Updates: Mobile
• Industry Engagement
• Questions & Answers
Mobile Task Force
• PCI Council members and staff, volunteer participating organizations and subject matter experts
• Subject matter experts are especially important when examining Scenario 2
• Examples of subject matter experts:
  • Security Assessors
  • OS Platform Vendors
  • Financial Processors
  • Device Manufacturers
Mobile Task Force
The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.
Questions?
Please visit our website at www.pcisecuritystandards.org