pcitf iiw10
PCI TF
Payment Card Industry Trust Framework
A Case Study of a Monetized Identity System
Sid Sidner (TooTallSid)
Ping Identity
[email protected] @TooTallSid
[Diagram: Cash; Consumer, Merchant]
[Diagram: Payment Card: Payment Flow (Settlement); Consumer, Merchant, Acquirer, Issuer, Payment Networks]
PCI – Payment Card Industry
• Brands (aka Associations)
  – Visa
  – MasterCard
  – American Express
  – Discover
  – JCB
• Issuer oriented
• Operating rules
• Risk management: On-us vs. Not on-us
Visa EU Ecosystem - 2006
[Diagram: Payment Card: Identity Flow (Authorization); Consumer, Merchant, Acquirer, Issuer, Payment Networks; the sample PAN 5558 0101 0000 0001 appears four times]
The Identity Transaction
• Identifier
  – PAN – Personal Account Number
    • Scheme and BIN (Bank Id Number) embedded in PAN to allow routing
• Claim
  – Authorize transaction for payment?
    • Authorized or Declined
• A Bob Blakley Identity Oracle – no identity data leakage
• Consumer has privacy
• Issuer can monetize being an IdP
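The identity transaction above, sketched as an added example (not part of the original slides): the scheme and BIN are read from the PAN to route the request, and the issuer answers only Authorized or Declined. The prefix table is simplified, and the 6-digit BIN, the issuer "Example Bank", the account data and all function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Leading-digit ranges for the brands the slides name (simplified, not exhaustive).
SCHEMES = [("Visa", 4, 4), ("MasterCard", 51, 55), ("American Express", 34, 34),
           ("American Express", 37, 37), ("Discover", 6011, 6011),
           ("Discover", 65, 65), ("JCB", 3528, 3589)]

def parse_pan(pan):
    """Return (scheme, BIN, digits): the routing data embedded in the PAN."""
    digits = pan.replace(" ", "")
    if not (digits.isascii() and digits.isdigit()) or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    scheme = next((name for name, lo, hi in SCHEMES
                   if lo <= int(digits[:len(str(lo))]) <= hi), None)
    return scheme, digits[:6], digits  # 6-digit BIN is an assumption here

@dataclass
class Issuer:
    name: str
    accounts: dict  # PAN -> (cardholder, available cents); stays inside the issuer

    def decide(self, pan, amount_cents):
        """Answer the claim as an oracle: a yes/no string, no account data."""
        record = self.accounts.get(pan)
        ok = record is not None and 0 < amount_cents <= record[1]
        return "Authorized" if ok else "Declined"

# Constructed routing table: one hypothetical issuer owning the BIN of the
# sample PAN shown on the slides.
ISSUERS_BY_BIN = {
    "555801": Issuer("Example Bank",
                     {"5558010100000001": ("A. Cardholder", 50_000)}),
}

def authorize(pan, amount_cents):
    """Route on scheme and BIN; hand the merchant side only the yes/no claim."""
    scheme, bin_, digits = parse_pan(pan)
    issuer = ISSUERS_BY_BIN.get(bin_)
    result = issuer.decide(digits, amount_cents) if issuer else "Declined"
    return {"scheme": scheme, "bin": bin_, "result": result}

if __name__ == "__main__":
    print(authorize("5558 0101 0000 0001", 2_500))   # within available funds
    print(authorize("5558 0101 0000 0001", 75_000))  # exceeds available funds
```

The merchant-side response carries the routing fields and the decision only; the cardholder name and balance never leave the `Issuer` object.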
EMV Payment Cards
• EMV – Europay, MasterCard, Visa
• Chip
  – Tamper Resistant Security Module
  – Contains secrets and crypto to use them
• Secures all aspects of a purchase
  – Authenticates Card
  – Authenticates User
  – Ensures Integrity of Transaction
• Chip & PIN
  – PIN (Personal Id Number) verified on card
• Online Chip
  – PIN verified at issuer
• Contact & Contactless
OITF
PCITF
[Diagram: PCI Brand (e.g. Visa); Operating Rules; Issuers; Merchants; Consumers; PCI DSS Assessors; Brand certifiers; Acquirers]
[Diagram: Consumer/Taxpayer, Merchant, Acquirer, Issuer, Payment Networks]
EMV Value Propositions
• Issuer fraud reduction
• Peace of mind
• Malware protection
• Identity theft protection
• User centered identity
• PCI compliance cost reduction
• Avoidance of end-to-end encryption cost
• Fraud reduction
• Reduced interchange fees
• Higher spend
• National security protection
• Identity provider fees
• Online enrollment