The Payment Device – An Exploration Into New Technologies and Methodologies Chris Lomax Head of Marketing - EMEA


Post on 01-Jan-2016


Page 1: The Payment Device – An Exploration Into New Technologies and Methodologies

The Payment Device – An Exploration Into New Technologies and Methodologies

Chris Lomax, Head of Marketing - EMEA

Page 2: The Payment Device – An Exploration Into New Technologies and Methodologies

Agenda

- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices

Page 3: The Payment Device – An Exploration Into New Technologies and Methodologies


Focus on Security

Sources of Point of Card Fraud

Card Fraud

Transaction logs and database hacks

Device and line tapping

Data Communications

Page 5: The Payment Device – An Exploration Into New Technologies and Methodologies


Transaction Logs or Database Hack

ePOS software can contain mag-stripe data.

"01/01/05 18:26:04",">> ATV1Q0<CR>"
"01/01/05 18:26:04","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:05",">> ATE0V1<CR>"
"01/01/05 18:26:05","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:52",">> <STX>D4.99999599999999991100119911QR840840314193262007055999Y103954@D5473500000000014=05121019999888877776<FS><FS><FS>100<FS><FS><FS>Phantom Auto Parts Huntsville AL<FS><FS><FS>000<ETX>N <CR><LF>Content- Type: x-VISA-II/x-auth<CR><LF>"
"01/01/05 18:26:53",">> Connected ssl.pgs.wcom.net 443"
"01/01/05 18:26:54","<< <STX>E4.A001199115103900VITAL8051705182654APPROVAL 862445 0513722502322 0000123456789 <FS> <FS>000<ETX>;"
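
A check for the exposure shown in the capture above, as an added example that is not part of the original slides: it scans log lines for track 2 data (PAN, "=", expiry, service code, discretionary data), confirms the PAN with the Luhn checksum, and returns a redacted line. The function names, the sample log and the test card numbers are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): PAN '=' expiry YYMM, 3-digit service code, discretionary data.
TRACK2 = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to discard digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, a common PAN masking format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str):
    """Return (findings, redacted_line); expiry, service code and discretionary data are dropped."""
    findings = []
    def redact(m):
        pan, disc = m.group(1), m.group(4)
        if not luhn_ok(pan):
            return m.group(0)  # not a card number: leave untouched
        findings.append({"pan": mask_pan(pan), "disc_len": len(disc)})
        return mask_pan(pan) + "=[TRACK2 REMOVED]"
    return findings, TRACK2.sub(redact, line)

# Constructed sample log, shaped like the ePOS capture above; the PANs are test values.
SAMPLE_LOG = [
    '"01/01/05 18:26:05","<< <CR><LF>OK<CR><LF>"',
    '"01/01/05 18:26:52",">> <STX>D4.@D4111111111111111=2512101123<FS>100<ETX>"',
    '"01/01/05 18:26:53",">> ref 1234567890123456=2512101000 (fails Luhn)"',
]

def scan_log(lines):
    """Return {line_number: findings} for lines that carry track 2 data."""
    report = {}
    for n, line in enumerate(lines, 1):
        findings, _ = scan_line(line)
        if findings:
            report[n] = findings
    return report

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(n, hits, scan_line(SAMPLE_LOG[n - 1])[1])
```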

Page 6: The Payment Device – An Exploration Into New Technologies and Methodologies

Tapping

Wireless device transmitting data over a range of 200m

Surface mount assembly, with removable storage media

A device is inserted into a payment device or attached to the line and card information is collected and either later retrieved or immediately transmitted

Page 7: The Payment Device – An Exploration Into New Technologies and Methodologies


Street Prices

Contributed by AmbironTrustWave 2005

Page 8: The Payment Device – An Exploration Into New Technologies and Methodologies


Proactive Industry Stance

PCI – Payment Card Industry Standards

• Physical Security of PIN-accepting devices – PCI PED

• Data Center Security – PCI DSS

• Internet and Wireless Communication Standards

Page 9: The Payment Device – An Exploration Into New Technologies and Methodologies

PED Certification Timeline

- VISA-PED approval of all newly deployed POS PED devices: 1 January 2004
- PCI PED process required for ALL new devices: 1 October 2004
- Completion date for old VISA PED process certifications: December 2004
- Next Scheduled Review Process: 2006
- All installed PEDs must be Visa PED or PCI Approved: July 2010

Approved devices list found at www.visa.com/PIN

Page 10: The Payment Device – An Exploration Into New Technologies and Methodologies


PCI Data Security Standard

All merchants Must Comply

Page 11: The Payment Device – An Exploration Into New Technologies and Methodologies

MasterCard IP-Enabled POS Security

Security standards for IP-Enabled POS devices - Encryption of transaction data between POS device and acquirer

Vendors and acquirers required to provide compliant solutions

MasterCard introducing Internet Protocol POS Terminal Compliance Testing Program

Acquirer responsible for obtaining MasterCard approved solution

MasterCard Reference documents:
• Internet/IP-Enabled POS Terminals, Security Guidelines – Oct 05
• Internet/IP-Enabled POS Terminals, SSL/TLS Implementation Guidelines – Oct 05

Page 12: The Payment Device – An Exploration Into New Technologies and Methodologies

Timelines

- 1st April 06: Acquirers ensure new wireless and IP-enabled terminals are submitted for evaluation and approval
- 1st Sept 06: All newly deployed wireless and IP-enabled terminals support encryption and comply with mandate
- 3rd Jan 07: Acquirers must upgrade all non-compliant wireless and IP-enabled terminals

Page 13: The Payment Device – An Exploration Into New Technologies and Methodologies


Security Leadership

VeriFone has lead representation on industry security forums defining and driving many security features and innovation

Powerful products engineered specifically to meet the most demanding security requirements:

Terminal hardware

Software architecture

Communications security

Page 14: The Payment Device – An Exploration Into New Technologies and Methodologies


VeriFone Security Model

POS Terminal Hardware

Application separation assured by secure memory management unit

EMV Level 1 Certified hardware

High security for PIN entry with DES, 3DES, RSA and AES
• PED certifications: Infogard, TNO and T-Systems

Tamper evident mechanisms

Tamper proof mechanisms

Security PED fence / mesh

Page 15: The Payment Device – An Exploration Into New Technologies and Methodologies

VeriFone Security Model

POS Terminal Software

Application separation by multi-application OS – Verix V

EMV Level 2 certified

VeriShield digital certification for files and applications

TLS 1.0 and SSL 3.0 (RSA, MD5, SHA-1, 3DES, RC4)
• Full client and server side mutual authentication - addresses WiFi and GPRS security weaknesses

Client digital certificate authentication (SSL VPN)

Page 16: The Payment Device – An Exploration Into New Technologies and Methodologies


Future Threat – AntiVirus

The threat from software viruses is no longer confined to the PC market

The IP-enabled terminal market is growing at a rapid pace

Although no immediate risks are evident, utilising cost effective, secure and efficient Internet communications may have future risks

Hackers are always working to be malicious or to steal

Before viruses existed for personal computers no one had virus protection

Page 17: The Payment Device – An Exploration Into New Technologies and Methodologies

Preventative Measures

Industry’s first anti-virus security for POS terminals

Aims at minimising business impact from potential future unknown risks

Leverages on the McAfee malware detection engine for embedded systems

Page 18: The Payment Device – An Exploration Into New Technologies and Methodologies

Agenda

- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices

Page 19: The Payment Device – An Exploration Into New Technologies and Methodologies

Contactless Technology in Payments

Transponders (sub $1.00 COGS)
• Low Bandwidth, no read/write
• Automated Toll collection systems
• Mobile Speed Pass

Contactless Chip Cards ($2-$3)
• 13.56 MHz ISO 14443 A & B
  – more security and complex applications
  – MIFARE, MasterCard, Amex
• FeliCa (14443 C non-ISO)
  – Proprietary Sony protocol popular in ASPAC
  – Not fully accepted as international standard (with controls)

Page 20: The Payment Device – An Exploration Into New Technologies and Methodologies

Near Field Communication (NFC)

Next stage technology migration for contactless

Developed and endorsed by all key constituents (Philips, Sony, Nokia, MasterCard…)

Key to enabling personal devices to become payment devices

Merchants still need ISO 14443 readers (today’s can be SW upgraded)

Page 21: The Payment Device – An Exploration Into New Technologies and Methodologies


Merchant Value Proposition

Page 22: The Payment Device – An Exploration Into New Technologies and Methodologies


VeriFone’s Market Commitment

Roadmap to leverage emerging opportunities

Multi-Lane, Consumer facing

Unattended Environments

Integrated with Handover Devices

Peripheral to Countertop Devices

Page 23: The Payment Device – An Exploration Into New Technologies and Methodologies

Agenda

- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices

Page 24: The Payment Device – An Exploration Into New Technologies and Methodologies

Internet and the IP Revolution

IP has changed how business is conducted
• E-Commerce
• Entertainment/Movies/Music
• Telecom industry
• Payment industry

Via IP & IP technologies, it is now possible to have ACCESS to services that were not previously accessible

We are no longer bound to “traditional” transaction networks

We can leverage the “Internet” to provide services to customers around the globe

Page 25: The Payment Device – An Exploration Into New Technologies and Methodologies


The IP Value Proposition

Faster, Better, Cheaper

Long term infrastructure cost reduction through multiple advanced communications options

More secure transactions

Improved merchant retention via best use of new technologies

Potential for multiple new business models

Rapid time to market

VeriFone is well positioned in this space

Page 26: The Payment Device – An Exploration Into New Technologies and Methodologies


IP Based Payment In Action

And the list goes on and on….

Page 27: The Payment Device – An Exploration Into New Technologies and Methodologies

Wireless Industry Technologies

[Figure: wireless technologies plotted by Bandwidth (Mb/s, 0.01 to 100) against Mobility (Km, 0.01 to 100). Technologies shown: Bluetooth; 2G - GSM/CDMA/TDMA; 2.5G - GPRS/CDMA2000 1X; 3G - EDGE/WCDMA/CDMA2000 1x EV; WI-FI; WIMAX; 4G. Network classes shown: Personal Area Network (PAN), Local Area Network (LAN), Metropolitan Area Network (MAN), Wide Area Network (WAN).]

Page 28: The Payment Device – An Exploration Into New Technologies and Methodologies

Enablers And Facilitators

Internet revolution - mass adoption of Broadband
• Low cost IP connectivity
• Always-on high speed transactions
• Eliminate need for dedicated dial-up lines and low speed private networks

Wireless connectivity - IP everywhere
• Mobile payments – WiFi and GPRS
• No fixed cabling – dynamic stores layout

Standardised platforms
• Multi-application support
  – Credit
  – Debit
  – Pre-Authorised / Pre-Paid Debit
  – Loyalty
  – Gift Card
  – Mobile top-up
  – etc

Page 29: The Payment Device – An Exploration Into New Technologies and Methodologies

IP Enabled - Value Added Services

Complementary to terminal based payment applications

Web hosted applications

Reduce time to market for new applications

No limit to number of applications at point of sale

Software development costs are reduced

No terminal migration issues

Internet meets POS browser based services

Page 30: The Payment Device – An Exploration Into New Technologies and Methodologies


IP Enabled - Value Added Services

Business Logic

Database

Web Server

Terminal running thin-client browser

IP network

Application Hosting Service

Page 31: The Payment Device – An Exploration Into New Technologies and Methodologies


Enhanced Communication Leadership

The first modular design with multiple communications options

The first Ethernet solution

The first CDMA solution

The first Wi-Fi solution

The first Micro-Browser solution

The first SSL based security solution

And we keep raising the bar…

Page 32: The Payment Device – An Exploration Into New Technologies and Methodologies

Agenda

- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices

Page 33: The Payment Device – An Exploration Into New Technologies and Methodologies

SEPA and Payment Terminals

Single European Payments Area (SEPA)

The objective of SEPA is for a single market payments area
• Open, competitive market
• Coherent legislation and regulation
• Preventing fraud
• Standardisation

It covers retail payment instruments:
• Cash (the €uro notes and coins are already in circulation)
• Direct debits and bank giros
• ATM cash transactions
• Credit and debit cards

SEPA standards are to be implemented
• Starting in 2008 through to 2010

Page 34: The Payment Device – An Exploration Into New Technologies and Methodologies


SEPA Card Framework (SCF)

The Framework is aimed at building an environment in which there are no technical, legal or commercial barriers to stand in the way of cardholders, banks and merchants choosing and using SCF compliant payment and ATM access card products

Approved Framework published 8 March 2006 as version 2


Page 35: The Payment Device – An Exploration Into New Technologies and Methodologies

Implications for Terminal Solutions

Single security standard
• Endorse the use of PCI PED
• Or one standard approval across all SEPA region
• Elimination of multiple national standards – GIE CB, UK CC, ZKA, C-TAP, SAKO-I…..

Standardised cardholder interface process
• The keying / transaction sequence to be standardised
• Display language based on card issuer ISO code

European Payments Council (EPC) to provide SEPA Governance

EPC membership to be open to vendors (associate members)
• Standards Working Groups

Out of Scope
• Standard host interface message
  – All data elements already in most national / proprietary formats
  – Forcing this will delay implementation
  – Encourage gradual migration to a standard interface
• No TMS, or File Transfer standards needed

Page 36: The Payment Device – An Exploration Into New Technologies and Methodologies

Agenda

- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices

Page 37: The Payment Device – An Exploration Into New Technologies and Methodologies

Evolution of the PIN Pad

Today’s PIN pad has evolved to tomorrow’s “client-facing terminal”

Enhanced communications allows individualized messaging to each client

Content Driven

Grab attention with animations or video with Screen Savers, Videos, Banners, Pop-ups and multi-media content and commercial images to uplift your brand

Page 38: The Payment Device – An Exploration Into New Technologies and Methodologies


What content?

Content Evolution

Page 39: The Payment Device – An Exploration Into New Technologies and Methodologies

Present your message brilliantly

Move away from the limitations of static images and leverage the same attention-getting dynamic messaging you used on television, plasma displays, digital signage, the Web and in print right where the consumer is
• Reinforce Brand image using
  – Special Promotions
  – Screen Saver
  – Customised product

Revenue Generation Potential

Communicate with the consumer without slowing transactions using video and animations

Page 40: The Payment Device – An Exploration Into New Technologies and Methodologies

VeriFone - Track Record of Innovation

Innovative payment transaction solutions

Value added services at the point of sale

Superior insight into customer needs

VeriFone Wins Frost & Sullivan 2005 Product Line Strategy Leadership Award

Frost & Sullivan, founded in 1961, is recognized as a global marketing research and solution leader, with offices located worldwide.

Page 41: The Payment Device – An Exploration Into New Technologies and Methodologies


Questions