Troy Leach, April 2012: The PCI Security Standards Council


About the Council

Open, global forum. Founded 2006.

Responsible for PCI Security Standards:

• Development

• Management

• Education

• Awareness

PCI Security Standards: Protection of Cardholder Payment Data

Ecosystem of payment devices, applications, infrastructure and users:

• Manufacturers: PCI PTS (PIN Entry Devices)

• Software Developers: PCI PA-DSS (Payment Applications)

• Merchants & Service Providers: PCI DSS (Secure Environments)

MOBILE PAYMENTS

Agenda

• Technology Updates: Mobile

• Industry Engagement

• Questions & Answers

Environmental Considerations at a Glance

• Market

  • Increased interest in adoption of a variety of mobile technologies

  • Absence of both traditional controls and standards

• PCI SSC Activity

  • Create efficient mechanisms for broader engagement

  • Evaluate need to develop standards

  • Facilitate, when applicable, easier compliance mechanisms

Areas of Focus for Mobile

• Devices: tamper-resistance, Secure Card Readers, POI & P2PE

• Applications: requirements and/or best practices for authorization and settlement

• Service Providers: service provider protection of cardholder data and validation

Peripheral Device Encryption

The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data.

New PTS approval class for Secure (Encrypting) Card Readers (SCR).

SCR and other POI: cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.

Mobile Phone Plug-in SCR (figure):

• Plug-in MSR encrypts data on the reader even before it reaches the phone

• Audio connector plugs into the phone’s headphone jack

• No PIN entry

• Also works on computers: any device with an audio input jack

• QSA must determine that data is NOT decrypted on the phone

2011 Guidance

Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and validating mobile payment acceptance applications to version 2.0 of the PA-DSS.

Mobile Update – Announcement and FAQ

Mobile Application Categories

• Category 1: PTS Approved PED Devices

• Category 2: Purpose Built POS Devices

• Category 3: General Purpose Smart Device

Applications for Category 1 and 2 devices are eligible for PA-DSS. Applications for Category 3 devices are pending development of further guidance and/or standards.

Current Environmental Concerns

• Rapid development of applications

• Lack of “traditional” controls

• Too Many Privileges

• Malicious Apps

• Wi-Fi Sniffing / Blackjacking

• Radiation of keys and side channel attacks

• Distribution and persistent connectivity

• Ownership and use policy

PTS PED Vendor Solutions

• Phone is designed and purpose built as a secure device

• Because it is a secure, tamper-protected device, it may use either an SCR or a data key managed similarly to a PIN key

• By definition does not use off-the-shelf mobile phones

PTS PED Vendor Solutions: Phone Compartment

• Cradle for phone

• May employ an encrypting card reader or use a data key managed similarly to a PIN key

• Card readers integrated into the PED

Application Security within Smart Devices

Exposure of CHD within device: the mobile device has access to cleartext cardholder data.

Cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device.

Mobile Task Force to provide guidance and/or best practices.
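The two flows contrasted above (the encrypting-reader path, where the phone is only a conduit, and the non-encrypted path, where the app itself holds cleartext cardholder data) can be simulated end to end. The block below is an added example, not code from the PCI SSC or any vendor: the reader cipher is a stand-in built from HMAC-SHA256 (a keystream plus an authentication tag under a per-reader key), and the reader ID, key table, track layout and wire framing are all made up for the demo. Real SCR/P2PE products use approved hardware and key management that the deck does not specify. What the example adds is the check an assessor actually applies: scan everything the phone can see for Luhn-valid PAN-length digit runs, and confirm that the SCR path yields none while manual entry does.

```python
"""Added example (not PCI SSC code): simulate an encrypting card reader (SCR)
feeding an app on a phone, versus the app taking key-entered data itself, and
check each phone-side view for cleartext PAN. Cipher, reader ID, key table,
track layout and wire format are assumptions made for this demo."""
import base64
import hashlib
import hmac
import os
import re

# Constructed sample: a well-known Luhn-valid test PAN in a track-2-like layout.
SAMPLE_TRACK2 = b";4111111111111111=251210112345?"

# Hypothetical reader identity. Its key is injected into the reader and held by
# the processor; the phone and the app never have it.
READER_ID = b"SCR-000123"
NONCE_LEN, TAG_LEN = 12, 32
PROCESSOR_KEY_TABLE = {READER_ID: hashlib.sha256(b"demo injected key SCR-000123").digest()}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: bytes) -> list:
    """Luhn-valid 13-19 digit runs in a buffer: the test applied to app memory,
    logs and outbound traffic to confirm no cleartext PAN is present."""
    return [run for run in _PAN_RE.findall(blob.decode("latin-1")) if luhn_ok(run)]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the reader's cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reader_encrypt(reader_key: bytes, track: bytes) -> bytes:
    """Inside the SCR: encrypt and authenticate the swipe before it leaves the
    reader. Wire layout (assumed): reader_id || nonce || tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(track, _keystream(reader_key, nonce, len(track)))
    tag = hmac.new(reader_key, READER_ID + nonce + ct, hashlib.sha256).digest()
    return READER_ID + nonce + tag + ct


def app_build_auth_request(reader_blob: bytes, amount_cents: int) -> bytes:
    """On the phone: the app wraps the opaque blob with transaction data. It
    holds no key, so this is all the phone (or malware on it) can see."""
    return b"AUTH amount=%d blob=%s" % (amount_cents, base64.b64encode(reader_blob))


def extract_blob(request: bytes) -> bytes:
    """Processor side: pull the reader's blob back out of the app's request."""
    return base64.b64decode(request.split(b"blob=", 1)[1])


def app_manual_entry(pan: str, expiry: str, amount_cents: int) -> bytes:
    """Category 3 flow: key-entered (or plain MSR) data is handled by the app
    itself, so cleartext PAN exists in app memory and in whatever it emits."""
    return b"AUTH amount=%d pan=%s exp=%s" % (amount_cents, pan.encode(), expiry.encode())


def processor_decrypt(wire: bytes) -> bytes:
    """At the decryption environment: look up the reader key by reader ID,
    verify the tag, then decrypt. Anything altered in transit is rejected."""
    rid, rest = wire[:len(READER_ID)], wire[len(READER_ID):]
    nonce, tag, ct = rest[:NONCE_LEN], rest[NONCE_LEN:NONCE_LEN + TAG_LEN], rest[NONCE_LEN + TAG_LEN:]
    key = PROCESSOR_KEY_TABLE[rid]
    expected = hmac.new(key, rid + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: blob altered or forged")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def encrypting_reader_flow(amount_cents: int = 1999, track: bytes = SAMPLE_TRACK2):
    """Run the SCR path end to end: (phone's view, what the processor recovers)."""
    reader_key = PROCESSOR_KEY_TABLE[READER_ID]  # the reader's own copy of its key
    request = app_build_auth_request(reader_encrypt(reader_key, track), amount_cents)
    return request, processor_decrypt(extract_blob(request))


if __name__ == "__main__":
    phone_view, recovered = encrypting_reader_flow()
    print("SCR path, track recovered at processor:", recovered == SAMPLE_TRACK2)
    print("SCR path, PANs visible on phone:", find_pans(phone_view))
    print("Manual entry, PANs visible on phone:",
          find_pans(app_manual_entry("4111111111111111", "2512", 1999)))
```

The phone-side scan is deliberately crude (digit runs plus a Luhn check, over whatever bytes the app holds or sends); in an assessment it would be run against memory dumps, log files and captured traffic rather than a single request string, but the pass/fail logic is the same. The tag check at the processor is what turns "the phone cannot read the data" into "the phone cannot usefully alter it either".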

2012 Guidance Calendar

• Mobile SCR & P2PE Guidance for Merchants

• Mobile Acceptance Best Practices

• Mobile SCR & P2PE Guidance for Assessors and Vendors

• Roadmap for Category 3 Applications


Three Year Outlook: Mobile

• Devices and Peripherals:

  • Publish guidance on use of attached PTS POI to mobile with P2PE

• Applications:

  • Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation

  • Create AQM checklist for PA-DSS qualification

  • If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data

• Service Providers:

  • Evaluate for potential guidance and/or security requirements for third-parties with access to cardholder data

Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants the Council needs to address.

Industry Engagement

Mobile Task Force

• PCI Council Members and staff, volunteer participating organizations and subject matter experts

• Subject matter experts especially important when examining Scenario 2

• Examples of subject matter experts:

  • Security Assessors

  • OS Platform Vendors

  • Financial Processors

  • Device Manufacturers

Mobile Task Force

The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.

Questions?

Please visit our website at www.pcisecuritystandards.org
