
Troy Leach April 2012



Presentation Transcript


  1. The PCI Security Standards Council Troy Leach April 2012

  2. About the Council
     Open, global forum
     Founded 2006
     Responsible for PCI Security Standards
     • Development
     • Management
     • Education
     • Awareness

  3. PCI Security Standards: Protection of Cardholder Payment Data
     Merchants & Service Providers → PCI DSS → Secure Environments
     Software Developers → PCI PA-DSS → Payment Applications
     Manufacturers → PCI PTS → PIN Entry Devices
     PCI Security: MOBILE PAYMENTS, an ecosystem of payment devices, applications, infrastructure and users

  4. Agenda
     • Technology Updates: Mobile
     • Industry Engagement
     • Questions & Answers

  5. Environmental Considerations at a Glance
     • Market
       • Increased interest in adoption of a variety of mobile technologies
       • Absence of both traditional controls and standards
     • PCI SSC Activity
       • Create efficient mechanisms for broader engagement
       • Evaluate need to develop standards
       • Facilitate, when applicable, easier compliance mechanisms

  6. Areas of Focus for Mobile (“MOBILE”)
     • Devices: Tamper-resistance, Secure Card Readers, POI & P2PE
     • Applications: Requirements and/or Best Practices for authorization and settlement
     • Service Providers: Service provider protection of cardholder data and validation

  7. Peripheral Device Encryption
     The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data.
     New PTS approval class for Secure (Encrypting) Card Readers (SCR).
     SCR and other POI: Cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.

  8. Mobile Phone Plug-in SCR
     • Audio connector plugs into the phone’s headphone jack
     • Also works on computers – any device with an audio input jack
     • Plug-in MSR encrypts data on the reader even before it reaches the phone
     • QSA must determine that data is NOT decrypted on the phone
     • No PIN entry

  9. 2011 Guidance: Mobile Update – Announcement and FAQ. Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and validating mobile payment acceptance applications to version 2.0 of the PA-DSS.

  10. Mobile Application Categories
      • Category 1: PTS Approved PED Devices
      • Category 2: Purpose Built POS Devices
      • Category 3: General Purpose Smart Device
      Applications for category 1 and 2 devices are eligible for PA-DSS.
      Applications for category 3 devices: pending development of further guidance and/or standards.

  11. Current Environmental Concerns
      • Rapid development of applications
      • Lack of “traditional” controls
      • Too Many Privileges
      • Malicious Apps
      • Wi-Fi Sniffing / Blackjacking
      • Radiation of keys and side channel attacks
      • Distribution and persistent connectivity
      • Ownership and use policy

  12. PTS PED Vendor Solutions
      • Phone is designed and purpose built as a secure device
      • By definition does not use off-the-shelf mobile phones
      • Because it is a secure, tamper-protected device, it may use either an SCR or a data key managed similarly to a PIN key

  13. PTS PED Vendor Solutions
      • Cradle for phone (phone compartment)
      • Card readers integrated into the PED
      • May employ an encrypting card reader or use a data key managed similarly to a PIN key

  14. Application Security within Smart Devices: Exposure of CHD within the device
      Cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device. The mobile device has access to cleartext cardholder data.
      Mobile Task Force to provide guidance and/or best practices.
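The SCR flow of slides 7 and 8 and the cleartext exposure of slide 14, modelled as an added example (not code from the deck or the Council): the reader encrypts track data before the phone sees it, the phone only relays the blob, and an assessor-style scan shows whether a cleartext PAN is visible in the data the phone handles. The cipher construction, the key handling and the sample track record are assumptions of this model.

```python
# Added example (not from the PCI SSC deck): models the slide 7-8 SCR flow, where the
# reader encrypts track data before the phone sees it, plus the assessor check from
# slides 8 and 14: nothing the phone handles may contain a cleartext PAN.
import hashlib, hmac, os, re

# Constructed sample: a well-known test PAN inside a track-2-style record.
SAMPLE_TRACK = b";4111111111111111=25121010000000000000?"
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cleartext_pans(data: bytes) -> list:
    """Assessor-style check: Luhn-valid 13-19 digit runs visible in phone-side data."""
    return [m for m in PAN_RE.findall(data.decode("latin-1")) if luhn_ok(m)]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF (assumption of this model; a real
    # SCR uses PTS-approved key management such as DUKPT, not this construction).
    out = b"".join(hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
                   for c in range((n + 31) // 32))
    return out[:n]

def scr_encrypt(reader_key: bytes, track: bytes) -> bytes:
    """Reader side: encrypt-then-MAC with a key shared only with the host."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(reader_key, nonce, len(track))))
    tag = hmac.new(reader_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def phone_forward(blob: bytes) -> bytes:
    """Phone side: a pure conduit that holds no key and only relays the blob."""
    return blob

def host_decrypt(reader_key: bytes, blob: bytes) -> bytes:
    """Host side: verify the tag, then recover the track data."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(reader_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: blob altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(reader_key, nonce, len(ct))))
```

Running `find_cleartext_pans` on the raw track (the slide 14 manual-entry or unencrypted-reader case) flags the PAN, while the same scan over what the phone forwards from the SCR finds nothing.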

  15. 2012 Guidance Calendar
      • Mobile SCR & P2PE Guidance for Merchants
      • Mobile Acceptance Best Practices
      • Mobile SCR & P2PE Guidance for Assessors and Vendors
      • Roadmap for Category 3 Applications

  16. Three Year Outlook: Mobile
      • Devices and Peripherals:
        • Publish guidance on use of attached PTS POI to mobile with P2PE
      • Applications:
        • Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation
        • Create AQM checklist for PA-DSS qualification
        • If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data
      • Service Providers:
        • Evaluate for potential guidance and/or security requirements for third-parties with access to cardholder data
      Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants require Council to address.

  17. Agenda
      • Technology Updates: Mobile
      • Industry Engagement
      • Questions & Answers

  18. Mobile Task Force
      • PCI Council Members and staff, volunteer participating organizations and subject matter experts
      • Subject matter experts especially important when examining Scenario 2
      • Examples of subject matter experts:
        • Security Assessors
        • OS Platform Vendors
        • Financial Processors
        • Device Manufacturers

  19. Mobile Task Force The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.

  20. Questions? Any Questions? Please visit our website at www.pcisecuritystandards.org
