Payment Card Industry - PowerPoint PPT Presentation

1
Payment Card Industry Data Security Standards
Cryptography
DELBRASSINE Charles
PCI Qualified Security Assessor, PCI Approved Scanning Vendor, PCI Qualified Payment Application Security Assessor
IT Works S.A. - Rue de Bitbourg 11, L1273 Luxembourg HAMM
cdelbrassine_at_itworks.lu
2
Agenda
  • Introduction to Payment Card Business
  • Fraud & Counterfeit Evolution
  • PCI Data Security Standards
  • SEPA Card Framework
  • New Challenges for Cryptography

3
Payment Card Industry Actors: Card Present
Acquirer (Merchant Bank)
Issuer
Cardholder
Merchants
4
Authentication as part of Authorization: Card Present
  • A type of transaction in which the card is
    present and is swiped through an electronic
    device that reads the chip or the contents of the
    magnetic stripe on the back of the card
  • Authentication is based on:
    • Chip and PIN
    • Magnetic stripe and PIN
    • Magnetic stripe and signature
    • Imprint and signature
  • The magnetic stripe contains a cryptographic
    value that allows changes to the magstripe data
    to be detected:
    • CAV: Card Authentication Value (JCB)
    • CVC: Card Validation Code (MasterCard)
    • CVV: Card Verification Value (Visa, Discover)
    • CSC: Card Security Code (AmEx)

5
Payment Card Industry Actors: Card Not Present
Payment Gateway
E-Commerce Merchant
Cardholder
6
Authentication as part of Authorization: Card Not Present
  • A transaction where the credit card is not
    present at the time of purchase (such as mail
    order, telephone order, e-business order)
  • Authentication is based on:
    • A 3- or 4-digit value printed on the card or
      signature strip, but not encoded on the magnetic
      stripe
    • AVS: Address Verification System
    • Verified by Visa (password based)
  • Minimum information required: name, PAN, (expiry
    date).
  • The 3- or 4-digit value is called:
    • CID: Card IDentification Number (Amex, Discover)
    • CAV2: Card Authentication Value 2 (JCB)
    • CVV2: Card Verification Value 2 (Visa)
    • CVC2: Card Validation Code 2 (MasterCard)

7
Agenda
  • Introduction to Payment Card Business
  • Fraud & Counterfeit Evolution
  • PCI Data Security Standards
  • SEPA Card Framework
  • New Challenges for Cryptography

8
Payment Card Fraud Evolution
  • 1983: Re-embossed counterfeit fraud
  • 1988: Re-encoded counterfeit fraud
  • 1989: Card-not-present fraud / fraudulent applications
  • 1991: Never-received-issue fraud
  • 1992: Merchant fraud
  • 1994: Identity theft
  • 2000: Skimmed counterfeit
  • 2002: Communications interception
  • Now: Merchant server hacking
  • Now: E-business merchant server hacking
  • Now: Chip sniffing and card counterfeit
  • Now: Fake terminals
  • Future: ????

9
Fraud & Counterfeit Statistics
10
Fraud: Card Not Present
  • CNP authentication is still possible without
    CVV2
  • CNP fraud remains the main fraud concern in
    Europe
  • 2006: a growth of 44.7% compared to FY2005.
  • E-commerce fraud shows a yearly growth in excess
    of 69%, representing 54.2% of all CNP fraud
    acquired in Europe in 2006.
  • Top 5 countries are the UK (57.2% of total CNP
    fraud), France (7.3% of the total CNP fraud),
    Germany (7.2%), Italy (6.1%) and Spain (4.4%).
  • The most significant CNP fraud growths were in
    Israel (214%), Italy (90%) and Denmark (121%).
  • Gaming and Airlines/Travel Agencies show the
    most significant growth.

11
Fraud: Card Not Present
  • A solution exists, called 3D Secure, with
    issuing based on:
    • PAN
    • PIN
    • Chip Authentication Program (OTP)
  • BUT

12
Fraud: EMV Fallback
  • Chip fallback to magstripe:
    • Increased by more than 63.4% in 2006 (vs 2005)
    • 71.3% of the European chip-fallback-to-magnetic-
      stripe fraud was acquired on European ATMs.
    • The fallback fraud on ATMs has grown by more than
      163% in 2006 vs 2005.
    • The UK and Spain acquired 76% of European ATM
      fallback fraud in 2006.
  • Solution:
    • The decision to ban ATM fallback in Europe should
      solve this threat.

13
Latest important issues
  • CardSystems (USA), 2005
    • A massive data breach at CardSystems, which
      reportedly exposed credit card transaction
      records of approximately 40 million people,
      because they stored these transaction records in
      contravention of rules established for VISA and
      MasterCard processors.
  • ELEMENT 5 (D), 2005
    • More than one million credit cards.
  • TJX (USA), announced in 2007
    • More than 45 million cards compromised
    • "While the company previously believed that the
      intrusion took place only from May 2006 to
      January 2007, TJX now believes its computer
      systems were also intruded upon in July 2005 and
      on various subsequent dates in 2005. TJX
      continues to believe there was no compromise of
      customer data after mid-December 2006."

14
Skimming Tools: Magnetic Stripe Capture
15
Skimming Workshop: Card Creation
Counterfeit holograms confiscated in Sydney
16
Counterfeit Workshop seizure in Taiwan
110.000 cards
17
What about ATM Skimming?
18
What about PIN Capture?
19
ATM Skimming: Full Kit
20
Skimming Tools available on the Internet
  • Autonomous mini skimmer with PC connectivity:
    software 50, white cards 150
  • Autonomous wireless mini cam (20 g), video
    recorder connectivity: 35
21
Chip Cloning/Skimming Kit on the Internet
22
The Latest Trend: Fake Terminals
  • Genuine terminals are replaced by fake terminals
    that do not perform any transaction but look
    and behave like genuine ones.
  • Hackers are not interested in the transaction but
    want to:
    • Sniff the dialogue between the chip and the
      terminal
    • Intercept the PIN entry on the PIN pad.
  • Some solutions exist:
    • Dynamic Data Encryption (DDA cards)
    • Combined Data Encryption (CDA cards)
    • Terminal and/or application authentication
  • but ...

23
Agenda
  • Introduction to Payment Card Business
  • Fraud & Counterfeit Evolution
  • PCI Data Security Standards
  • SEPA Card Framework
  • New Challenges for Cryptography

24
The PCI Security Standards Council
  • Who are the founders of the PCI Security
    Standards Council?
    • The founders of the PCI Security Standards
      Council are American Express, Discover Financial
      Services, JCB, MasterCard Worldwide and Visa
      International.
  • What is the mission of the PCI Security Standards
    Council?
    • The mission of the PCI Security Standards Council
      is to enhance payment account security by
      fostering broad adoption of the PCI Security
      Standard.

25
The PCI Security Standards
  • What is the Payment Card Industry (PCI) Data
    Security Standard (DSS)?
    • The PCI Data Security Standard represents a
      common set of industry tools and measurements to
      help ensure the safe handling of sensitive
      information.
    • The standard provides an actionable framework for
      developing a robust account data security process,
      including preventing, detecting and reacting to
      security incidents.
  • Who does it apply to?
    • Any entity that stores, processes, and/or
      transmits cardholder data:
      • Merchants
      • Acquirers / Issuers
      • Service providers
      • Etc.

26
PCI DSS Penalties & Fines: Case Study
  • Data volume:
    • Little restaurant
    • 250-300 transactions a month
    • Card data stored for the last 3 years: 10.000
      compromised cards
  • Cost and penalties (does not include reputation):
    • Incident fee: 50.000
    • Issuer recovery fee: 50.000 (5-15 per
      reissued card)
    • Fraud: 20.000.000 (2.000 per card)
    • Other costs: ??

27
The PCI Security Standards - Cryptography
  • Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall
      configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied
      defaults for system passwords and other security
      parameters
  • Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder
      data across open, public networks
  • Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus
      software
    • Requirement 6: Develop and maintain secure systems
      and applications
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data
      by business need-to-know
    • Requirement 8: Assign a unique ID to each person
      with computer access
    • Requirement 9: Restrict physical access to
      cardholder data
  • Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to
      network resources and cardholder data

28
The PCI Security Standards - Cryptography
29
The PCI DSS Requirements linked to Cryptography
  • Requirement 3.4
    • Render PAN, at minimum, unreadable anywhere it
      is stored (including data on portable digital
      media, backup media, in logs, and data received
      from or stored by wireless networks) by using any
      of the following approaches:
      • Strong one-way hash functions (hashed indexes)
      • Truncation
      • Index tokens and pads (pads must be securely
        stored)
      • Strong cryptography with associated key
        management processes and procedures.
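The four approaches on this slide differ a lot in what they actually protect against. As an added example (not part of the deck, and not code from IT Works or the PCI SSC), the Go program below implements two of them, truncation and a hashed index, and shows the caveat a practitioner wants on the second one: a hash of a PAN has to be keyed, because once the BIN is known the remaining digits leave too little entropy for a plain hash to be one-way in practice. The test PAN 4111111111111111 and the literal key are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// luhnValid reports whether pan is all digits and passes the Luhn check digit.
// This only catches mistyped or malformed PANs; it is not a security control.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Truncate keeps the first six digits (the BIN) and the last four and masks
// everything in between, the usual PCI DSS 3.4 truncation format. The result
// may be stored, logged and displayed; the full PAN may not.
func Truncate(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("not a well-formed PAN")
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:], nil
}

// HashedIndex derives a one-way lookup key for a PAN. A plain SHA-256 of the
// PAN is not enough: with the BIN known, the rest of the PAN space is small
// enough to enumerate, so the index is an HMAC under a secret key that must
// itself be handled under the PCI DSS 3.6 key-management requirements.
func HashedIndex(key []byte, pan string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	// Constructed values: a well-known test PAN and a placeholder key. A real
	// index key comes from a key manager or HSM, never from a literal.
	key := []byte("placeholder-index-key-do-not-use")
	pan := "4111111111111111"

	masked, err := Truncate(pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("truncated:", masked) // 411111******1111
	fmt.Println("index:    ", HashedIndex(key, pan))
	if _, err := Truncate("4111111111111112"); err != nil {
		fmt.Println("rejected: ", err) // fails the Luhn check
	}
}
```

The index is only as secret as its key: two systems that share the key get the same index for the same PAN, which is what makes it usable for matching, and an attacker who obtains the key is back to the plain-hash situation. Treat the index key exactly like a data-encryption key under Requirement 3.6.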

30
The PCI DSS Requirements linked to Cryptography
  • Requirement 3.6
    • Fully document and implement all key management
      processes and procedures for keys used for
      encryption of cardholder data, including the
      following:
      • 3.6.1 Generation of strong keys
      • 3.6.2 Secure key distribution
      • 3.6.3 Secure key storage
      • 3.6.4 Periodic changing of keys
      • 3.6.5 Destruction of old keys
      • 3.6.7 Prevention of unauthorized substitution of
        keys
      • 3.6.8 Replacement of known or suspected
        compromised keys
      • 3.6.9 Revocation of old or invalid keys
      • 3.6.10 Requirement for key custodians to sign a
        form stating that they understand and accept
        their key-custodian responsibilities.
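The 3.6.x items are easiest to see as states in a key's life. The Go program below is an added example, not from the deck and not the PCI SSC's or IT Works' code, that keeps versioned AES-256-GCM keys in memory and wires generation (3.6.1), rotation (3.6.4), destruction (3.6.5), compromise handling (3.6.8, 3.6.9) and a key-id header into one small keyring; distribution, storage and custodian sign-off (3.6.2, 3.6.3, 3.6.10) are organisational controls and are not shown. The in-memory map stands in for an HSM or key manager, and the test PAN is a constructed value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Key lifecycle states, mapped onto the 3.6.x items.
type keyState int

const (
	keyActive      keyState = iota // may encrypt and decrypt
	keyRetired                     // rotated out (3.6.4): decrypt only while records are re-encrypted
	keyCompromised                 // revoked (3.6.8, 3.6.9): must not be used at all
)

const nonceSize = 12 // standard AES-GCM nonce length

// Keyring holds versioned AES-256 keys in memory (an HSM or key manager in production).
type Keyring struct {
	keys    map[uint32][]byte
	state   map[uint32]keyState
	current uint32
}

func NewKeyring() *Keyring {
	return &Keyring{keys: map[uint32][]byte{}, state: map[uint32]keyState{}}
}

// Rotate generates a fresh key (3.6.1) and makes it current; the previous key
// is retired so it can still decrypt old records but never encrypts new ones.
func (k *Keyring) Rotate() (uint32, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	if k.current != 0 {
		k.state[k.current] = keyRetired
	}
	k.current++
	k.keys[k.current] = key
	k.state[k.current] = keyActive
	return k.current, nil
}

// Compromise revokes a key outright; Destroy (3.6.5) zeroises and forgets it.
func (k *Keyring) Compromise(id uint32) { k.state[id] = keyCompromised }

func (k *Keyring) Destroy(id uint32) {
	for i := range k.keys[id] {
		k.keys[id][i] = 0
	}
	delete(k.keys, id)
	delete(k.state, id)
}

// aead refuses unknown, destroyed and compromised key versions.
func (k *Keyring) aead(id uint32) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("key %d: unknown or destroyed", id)
	}
	if k.state[id] == keyCompromised {
		return nil, fmt.Errorf("key %d: compromised, refusing to use", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a PAN under the current key. Record layout:
// 4-byte key id || 12-byte nonce || ciphertext+tag. The key id is bound in as
// associated data so it cannot be rewritten to point at a different version.
func (k *Keyring) Encrypt(pan []byte) ([]byte, error) {
	aead, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, k.current)
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rec := append(append([]byte{}, hdr...), nonce...)
	return aead.Seal(rec, nonce, pan, hdr), nil
}

// Decrypt opens a record with whichever key version its header names.
func (k *Keyring) Decrypt(rec []byte) ([]byte, error) {
	if len(rec) < 4+nonceSize {
		return nil, fmt.Errorf("record too short")
	}
	aead, err := k.aead(KeyID(rec))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec[4:4+nonceSize], rec[4+nonceSize:], rec[:4])
}

// KeyID reports which key version a record was sealed under.
func KeyID(rec []byte) uint32 { return binary.BigEndian.Uint32(rec[:4]) }
```

Re-encrypting a record after a rotation is simply Decrypt followed by Encrypt, which a batch job runs over every record before the retired key is destroyed. A compromised key is refused even for decryption: records sealed under it are treated as exposed and handled through the incident process, which is the point of 3.6.8. The key id travelling as authenticated associated data is what stops a stored record from being silently re-pointed at another key version.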

31
The PCI DSS Requirements linked to Cryptography
  • Requirement 4
    • Encrypt transmission of cardholder data across
      open, public networks
    • Sensitive information must be encrypted during
      transmission over networks that are easy and
      common for a hacker to intercept, modify, and
      divert data while in transit.
    • 4.1 Use strong cryptography and security
      protocols such as secure sockets layer (SSL) /
      transport layer security (TLS) and Internet
      protocol security (IPSEC) to safeguard sensitive
      cardholder data during transmission over open,
      public networks.
    • Examples of open, public networks that are in
      scope of the PCI DSS are the Internet, WiFi (IEEE
      802.11x), global system for mobile communications
      (GSM), and general packet radio service (GPRS).
    • Etc.
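Requirement 4.1 names the protocol, but the check that matters is what an endpoint refuses. The Go program below is an added example, not from the deck and not code from IT Works or the PCI SSC: it runs a server and client handshake over an in-memory pipe, with the server enforcing TLS 1.2 as the floor, and shows a TLS 1.0-only client being rejected. One caveat the slide predates: the PCI SSC later deprecated SSL and early TLS (1.0 and 1.1) as strong cryptography, so "SSL/TLS" in 4.1 should be read today as TLS 1.2 or better. The self-signed localhost certificate is generated on the fly and stands in for a CA-issued one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway "localhost" certificate so the example runs
// offline; a real endpoint presents a certificate from a trusted CA.
func selfSigned() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// ServerConfig enforces the floor a PCI-scoped endpoint needs today: TLS 1.2
// or later, refusing SSL and early TLS outright instead of negotiating down.
// Session tickets are disabled only so the synchronous in-memory pipe used
// below stays strictly request/response.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// ClientConfig pins the trust root and checks the host name; min and max are
// parameters so a legacy TLS 1.0-only client can be simulated.
func ClientConfig(root *x509.Certificate, minVersion, maxVersion uint16) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: minVersion,
		MaxVersion: maxVersion,
	}
}

// Handshake runs client and server over an in-memory pipe and returns the
// negotiated protocol version, or the handshake error.
func Handshake(srv, cli *tls.Config) (uint16, error) {
	a, b := net.Pipe()
	defer a.Close()
	defer b.Close()
	server, client := tls.Server(a, srv), tls.Client(b, cli)
	srvErr := make(chan error, 1)
	go func() { srvErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, leaf, err := selfSigned()
	if err != nil {
		panic(err)
	}
	srv := ServerConfig(cert)
	v, err := Handshake(srv, ClientConfig(leaf, tls.VersionTLS12, tls.VersionTLS13))
	fmt.Printf("modern client: version=%#x err=%v\n", v, err)
	_, err = Handshake(srv, ClientConfig(leaf, tls.VersionTLS10, tls.VersionTLS10))
	fmt.Println("TLS 1.0-only client:", err)
}
```

The client side matters as much as the server: it pins a trust root and sets ServerName, so certificate verification stays on. A client config with InsecureSkipVerify set would still "encrypt" the link in the sense of 4.1 while letting anyone on the open network stand in for the payment gateway, which is exactly the interception the requirement is about.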

32
Agenda
  • Introduction to Payment Card Business
  • Fraud & Counterfeit Evolution
  • PCI Data Security Standards
  • SEPA Card Framework
  • New Challenges for Cryptography

33
SEPA Card Framework
  • What is SEPA?
    • The Single Euro Payments Area (SEPA) is a
      European Commission (EC) and European Payments
      Council (EPC) initiative that plans to remove the
      barriers to cross-border electronic Euro payments.
  • What is the SEPA Card Framework?
    • The SEPA Cards Framework spells out principles
      and rules which, when implemented by banks,
      schemes and other stakeholders, will enable
      European customers to use general purpose cards
      to make payments and cash withdrawals throughout
      the SEPA area with the same ease and convenience
      as they do in their home country.
    • There should be no difference whether they use
      their card in their home country or somewhere
      else within SEPA.
    • No general purpose card scheme designed
      exclusively for use in a single country, and no
      card scheme designed exclusively for cross-border
      use within SEPA, should exist any longer.

34
SEPA Card Framework
  • What are the deadlines?
    • The above options may evolve further between now
      and end 2010, the date by which all payment card
      products and brands falling within the scope of
      this Framework will have become SCF compliant.
    • In order to deliver on the scope of this
      Framework, and to meet cardholders' and
      merchants' expectations across SEPA, each bank
      needs to decide which option it will implement
      from 1 January 2008 onwards.
    • After end 2010, no card scheme designed
      exclusively for use in a single country should
      operate any more for POS and ATM transactions.

35
How do SEPA CF requirements impact cryptography
usage?
  • Current infrastructure is usually
    acquirer-specific, brand-specific and
    country-specific. This new approach will require:
    • Common security standards at the point-of-sale
      level
    • Cryptographic interoperability
    • Complex and standardized key management
    • Common approval and certification
    • Etc.

36
Agenda
  • Introduction to Payment Card Business
  • Fraud & Counterfeit Evolution
  • PCI Data Security Standards
  • SEPA Card Framework
  • New Challenges for Cryptography

37
What are the challenges?
  • Cryptographic science is currently able to
    support roughly all the needs raised during this
    presentation, but there are some specific
    requirements:
    • The Payment Card Industry is a real on-line
      business, and transaction time has financial
      business impacts.
    • Merchants affected by these measures are usually
      not well up on cryptography.
    • Cost is a very important factor.
    • Point-of-sale devices and terminals have limited
      capabilities.
    • Merchants want to use standard telecommunication
      media.

38
  • THANK YOU FOR YOUR ATTENTION.