![Page 1: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/1.jpg)
The PCI Security Standards Council
Troy Leach, April 2012
![Page 2: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/2.jpg)
About the Council
Open, global forum, founded 2006
Responsible for PCI Security Standards:
• Development
• Management
• Education
• Awareness
![Page 3: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/3.jpg)
PCI Security Standards: Protection of Cardholder Payment Data
Ecosystem of payment devices, applications, infrastructure and users
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Applications)
• Merchants & Service Providers: PCI DSS (Secure Environments)
• PCI Security: Mobile Payments
![Page 4: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/4.jpg)
Agenda
• Technology Updates: Mobile
• Industry Engagement
• Questions & Answers
![Page 5: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/5.jpg)
Environmental Considerations at a Glance
• Market
  • Increased interest in adoption of a variety of mobile technologies
  • Absence of both traditional controls and standards
• PCI SSC Activity
  • Create efficient mechanisms for broader engagement
  • Evaluate need to develop standards
  • Facilitate, when applicable, easier compliance mechanisms
![Page 6: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/6.jpg)
Areas of Focus for "Mobile"
• Devices: tamper-resistance, Secure Card Readers, POI & P2PE
• Applications: requirements and/or best practices for authorization and settlement
• Service Providers: service provider protection of cardholder data and validation
![Page 7: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/7.jpg)
Peripheral Device Encryption
SCR and other POI
Cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.
The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data.
New PTS approval class for Secure (Encrypting) Card Readers (SCR)
![Page 8: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/8.jpg)
Mobile Phone Plug-in SCR
• Plug-in MSR encrypts data on the reader even before it reaches the phone
• Audio connector plugs into the phone's headphone jack
• Also works on computers, or any device with an audio input jack
• No PIN entry
• QSA must determine that data is NOT decrypted on the phone
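The phone-as-conduit design of the two slides above, with the assessor's question (is anything ever decrypted on the phone?) turned into a check, as an added Python simulation that is not part of the Council's presentation. It assumes a reader with an injected base key, a fresh key for every swipe derived from the reader serial and a transaction counter (in the spirit of DUKPT, but using HMAC-SHA256 as the PRF and a CTR keystream as a stand-in for the TDES/AES schemes real SCRs use, so it runs on the standard library alone), a phone app that only forwards bytes, and a processor that holds the base key. The serial, base key, track data and test PAN are constructed for the example.

```python
"""SCR -> phone -> processor simulation: the phone holds no key and only forwards bytes.
Cipher: HMAC-SHA256 as PRF for a CTR keystream plus an encrypt-then-MAC tag, a stdlib
stand-in for the TDES/AES DUKPT schemes real Secure Card Readers use."""
import hashlib
import hmac
import re
import struct

HEADER = struct.Struct(">8sI")  # reader serial (8 bytes) + transaction counter
TAG_LEN = 16


def _prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _ctr_xor(tx_key: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from the per-transaction key (CTR mode)."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        stream = _prf(tx_key, b"enc", struct.pack(">I", block_no))
        out.extend(a ^ b for a, b in zip(data[start:start + 32], stream))
    return bytes(out)


class SecureCardReader:
    """Holds an injected base key that never leaves the reader; one fresh key per swipe."""
    def __init__(self, serial: bytes, base_key: bytes):
        self.serial, self._base_key, self._counter = serial, base_key, 0

    def swipe(self, track2: str) -> bytes:
        self._counter += 1
        header = HEADER.pack(self.serial, self._counter)
        tx_key = _prf(self._base_key, b"tx", header)  # unique per serial+counter
        ct = _ctr_xor(tx_key, track2.encode("ascii"))
        tag = _prf(tx_key, b"mac", header, ct)[:TAG_LEN]
        return header + ct + tag  # all the phone will ever see


class PhoneApp:
    """Off-the-shelf phone app: no key, just a conduit that remembers what it held."""
    def __init__(self):
        self.memory = bytearray()

    def forward(self, blob: bytes) -> bytes:
        self.memory.extend(blob)
        return blob


class Processor:
    """Back end holding the base key; verifies the tag and rejects replayed counters."""
    def __init__(self, base_key: bytes):
        self._base_key, self._last_counter = base_key, {}

    def decrypt(self, blob: bytes) -> str:
        header, ct, tag = blob[:HEADER.size], blob[HEADER.size:-TAG_LEN], blob[-TAG_LEN:]
        serial, counter = HEADER.unpack(header)
        if counter <= self._last_counter.get(serial, 0):
            raise ValueError("replayed or stale transaction counter")
        tx_key = _prf(self._base_key, b"tx", header)
        if not hmac.compare_digest(tag, _prf(tx_key, b"mac", header, ct)[:TAG_LEN]):
            raise ValueError("authentication tag mismatch")
        self._last_counter[serial] = counter
        return _ctr_xor(tx_key, ct).decode("ascii")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_cleartext_pans(data: bytes) -> list:
    """The assessor's check: does this memory hold a Luhn-valid 13-19 digit run?"""
    text = data.decode("latin-1")
    return [m.group(0) for m in re.finditer(r"[0-9]{13,19}", text) if luhn_ok(m.group(0))]


BASE_KEY = hashlib.sha256(b"constructed demo base key").digest()  # constructed
TRACK2 = "4111111111111111=2512101"  # constructed; well-known test PAN, not a live card


def run_encrypted_swipe():
    """SCR path: processor recovers the track, phone memory holds no PAN."""
    reader, phone, host = SecureCardReader(b"SCR00001", BASE_KEY), PhoneApp(), Processor(BASE_KEY)
    recovered = host.decrypt(phone.forward(reader.swipe(TRACK2)))
    return recovered, find_cleartext_pans(bytes(phone.memory))


def replay_is_rejected() -> bool:
    """A captured blob pushed through the phone a second time must not be accepted."""
    reader, host = SecureCardReader(b"SCR00001", BASE_KEY), Processor(BASE_KEY)
    blob = reader.swipe(TRACK2)
    host.decrypt(blob)
    try:
        host.decrypt(blob)
    except ValueError:
        return True
    return False
```

`run_encrypted_swipe()` returns the original track data from the processor together with an empty list from the phone-side scan; pushing `TRACK2.encode("ascii")` through `PhoneApp.forward` instead (a non-encrypting reader or manual key entry) makes `find_cleartext_pans` return `["4111111111111111"]`, which is the situation the later "Application Security within Smart Devices" slide describes. The scan is only a proxy for the QSA's determination: a real assessment also reads the app and its key management, since a phone that never holds a Luhn-valid run may still hold the key that could decrypt one.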
![Page 9: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/9.jpg)
Mobile Update – Announcement and FAQ
2011 Guidance
Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and validating mobile payment acceptance applications to version 2.0 of the PA-DSS.
![Page 10: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/10.jpg)
Mobile Application Categories
• Category 1: PTS Approved PED Devices
• Category 2: Purpose Built POS Devices
• Category 3: General Purpose Smart Device
Applications for category 1 and 2 devices are eligible for PA-DSS.
Applications for category 3 devices: pending development of further guidance and/or standards.
![Page 11: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/11.jpg)
Current Environmental Concerns
• Rapid development of applications
• Lack of "traditional" controls
• Too many privileges
• Malicious apps
• Wi-Fi sniffing / blackjacking
• Radiation of keys and side channel attacks
• Distribution and persistent connectivity
• Ownership and use policy
![Page 12: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/12.jpg)
PTS PED Vendor Solutions
• Phone is designed and purpose built as a secure device
• Because it is a secure, tamper-protected device, it may use either an SCR or a data key managed similar to the PIN key
• By definition does not use off-the-shelf mobile phones
![Page 13: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/13.jpg)
PTS PED Vendor Solutions
• Phone compartment or cradle for the phone
• Card readers integrated into the PED
• May employ an encrypting card reader or use a data key managed similar to the PIN key
![Page 14: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/14.jpg)
Application Security within Smart Devices
Exposure of CHD within device
Cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device.
The mobile device has access to cleartext cardholder data.
Mobile Task Force to provide guidance and/or best practices
![Page 15: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/15.jpg)
2012 Guidance Calendar
• Mobile SCR & P2PE Guidance for Merchants
• Mobile Acceptance Best Practices
• Mobile SCR & P2PE Guidance for Assessors and Vendors
• Roadmap for Category 3 Applications
![Page 16: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/16.jpg)
Three Year Outlook: Mobile
• Devices and Peripherals:
  • Publish guidance on use of attached PTS POI to mobile with P2PE
• Applications:
  • Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation
  • Create AQM checklist for PA-DSS qualification
  • If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data
• Service Providers:
  • Evaluate for potential guidance and/or security requirements for third parties with access to cardholder data
Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants require Council to address.
![Page 17: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/17.jpg)
Agenda
• Technology Updates: Mobile
• Industry Engagement
• Questions & Answers
![Page 18: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/18.jpg)
Mobile Task Force
• PCI Council Members and staff, volunteer participating organizations and subject matter experts
• Subject matter experts especially important when examining Scenario 2
• Examples of subject matter experts:
  • Security Assessors
  • OS Platform Vendors
  • Financial Processors
  • Device Manufacturers
![Page 19: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/19.jpg)
Mobile Task Force
The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.
![Page 20: Troy Leach April 2012 The PCI Security Standards Council](https://reader036.vdocuments.mx/reader036/viewer/2022062417/5518be6c550346b31f8b547c/html5/thumbnails/20.jpg)
Any Questions?
Please visit our website at www.pcisecuritystandards.org