
Brian Pennington

A blog about Cyber Security & Compliance

Tag: EMV

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment-based security, and especially PCI DSS and P2PE.

Jeremy King, PCI Security Standards Council International Director, said: "The new European Commission Payment Services Directive 2 along with the European Banking Authority Guidelines for Securing Internet Payments have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon to be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond.

"These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security."

With 70% of all card fraud coming from Card-Not-Present (CNP), a figure that surpasses the previous 2008 record which was set during the EMV chip migration, it is a critical time for the industry. 

A significant amount of the conference was spent on new and developing technologies, including:

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added: "PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security.

"We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals."

Attendees included experts from Accor Hotels, British Telecommunications, Capita, Coalfire Systems Limited, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

Mobile Payments Data Breaches will Grow

An ISACA survey of more than 900 cybersecurity experts shows that:

  • 87% expect to see an increase in mobile payment data breaches over the next 12 months
  • 42% of respondents have used this payment method in 2015

The 2015 Mobile Payment Security Study from global cybersecurity association ISACA suggests that people who use mobile payments are unlikely to be deterred by security concerns.

Other data from the survey show that cybersecurity professionals are willing to balance benefits with perceived security risks of mobile payments:

  • 23% believe that mobile payments are secure in keeping personal information safe.
  • 47% say mobile payments are not secure and 30% are unsure.
  • At 89%, cash was deemed the most secure payment method, but only 9% prefer to use it.

"Mobile payments represent the latest frontier for the ongoing choice we all make to balance security and privacy risk and convenience," said John Pironti, CISA, CISM, CGEIT, CRISC, risk advisor with ISACA and president of IP Architects. "ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks. This shows that fear of identity theft or a data breach is not slowing down adoption, and it shouldn't as long as risk is properly managed and effective and appropriate security features are in place."

Reports say that contactless in-store payment will continue to grow. Overall, the global mobile payment transaction market, including solutions offered by Apple Pay, Google Wallet, PayPal and Venmo, will be worth an estimated US $2.8 trillion by 2020, according to Future Market Insights.

ISACA survey respondents ranked the major vulnerabilities associated with mobile payments:

  1. Use of public WiFi (26%)
  2. Lost or stolen devices (21%)
  3. Phishing/smishing (phishing attacks via text messages) (18%)
  4. Weak passwords (13%)
  5. User error (7%)
  6. There are no security vulnerabilities (0.3%)

What Consumers Need to Know

According to those surveyed, currently the most effective way to make mobile payments more secure is using two ways to authenticate their identity (66%), followed by requiring a short-term authentication code (18%). Far less popular was an option that puts the onus on the consumer installing phone-based security apps (9%).


"People using mobile payments need to educate themselves so they are making informed choices. You need to know your options, choose an acceptable level of risk, and put a value on your personal information," said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, international president of ISACA and group director of information security for INTRALOT. "The best tactic is awareness. Embrace and educate about new services and technologies."

Understand your level of risk: Ask yourself what level of personal information and financial loss is acceptable to balance the convenience of mobile payments.

Know your options: Understand the security options available to manage your risk to an acceptable level. Using a unique passcode should be mandatory, but also look into encryption, temporary codes that expire and using multiple ways to authenticate your identity.

Value your personal information: Be aware of what information you are sharing, e.g. name, birthday, national identification number, pet name, email, phone number. These pieces of information can be used by hackers to gain access to accounts. Only provide the least amount of information necessary for each transaction.

Security Governance for Retailers and Payment Providers

In the emerging mobile payment landscape, ISACA notes that there is no generally accepted understanding of which entity is responsible for keeping mobile payments secure—the consumer, the payment provider or the retailer. One approach is for businesses to use the COBIT governance framework to involve all key stakeholders in deciding on an acceptable balance of fraud rate vs. revenue. Based on that outcome, organizations should set policies and make sure that mobile payment systems adhere to them.

Members of the IT or information security group taking part in the discussion should also ensure they are keeping up to date with the latest cybersecurity developments and credentials. A joint 2015 ISACA/RSA study shows that nearly 70% of information security/information technology professionals require certification when looking for candidates to fill open security positions.

The full ISACA Press Release can be found here.

PCI Council collaborates with industry to speed secure chip card acceptance for merchants

The PCI Security Standards Council has announced that it will join with the Payments Security Taskforce and EMV Migration Forum to launch the U.S. EMV VAR Qualification Program, a chip education curriculum and accreditation initiative that will help merchants and their partners securely implement chip card solutions.

The U.S. EMV VAR Qualification Program aims to streamline and simplify the testing and certification process for Value Added Resellers (VARs) and Independent Software Vendors (ISVs), helping them securely implement chip card solutions for their merchant customers in advance of the 2015 liability milestone.

The optional program consists of three central elements:

  1. An educational curriculum from the EMV Migration Forum that provides a clear understanding of chip technology for payment cards in the U.S. market
  2. A listing on the PCI Security Standards Council website of all service providers independently accredited by the major payment networks to provide chip recommendations and implementation
  3. A pre-qualification process run by the accredited service providers to help VARs and ISVs begin the implementation process before they work with acquirers for final certification

"We heard from the acquirer community that there was a limitation on the time and resources available to help the VAR community best prepare for the broad adoption of chip," said PCI SSC Chairperson Bruce Rutherford. "This coordinated effort across all industry players will help eliminate the bottleneck and speed the certification of smaller merchants' chip card acceptance efforts."

Added PCI SSC General Manager Stephen W. Orfei, "We're pleased to partner with the Payment Security Taskforce and the EMV Migration Forum in this important initiative to drive adoption of EMV chip technology in the U.S., a critical security layer that when combined with PCI Standards as a layered approach will help organizations better protect their customers' valuable payment card data."

The coordinated effort will begin with the launch of educational resources for the VAR and ISV communities to establish an understanding of chip technology, including targeted webinars and self-service web portals on how to build a business case for chip, an overview of a chip card transaction and how to navigate the testing and certification process.

Each VAR will then have the ability to pre-qualify its payment solution for each of the major payment networks with an accredited service provider based on its knowledge of chip technology, and work with its acquirer to receive a final certification of the solutions a merchant would need to use to process a chip card transaction.

Details of the education programme can be found here.

Details of the pre-qualification process can be found here.

The hospitality industry increases its adoption of Tokenization and P2PE

The 2014 (16th) edition of the Hospitality Technology magazine Restaurant Technology Study has produced an 18-page report.

Of specific interest to me was Chapter 5, Payment Security: "End of Swipe-and-Sign Looms". The chapter states:

The U.S. payment industry is in a period of transition. October 2015 will mark the end of swipe-and-sign. While card brands are committed to swapping mag-strip for EMV chip-based cards, the standard for authentication remains under debate: signature capture or PIN. While PIN authentication is considered the more secure option, there’s concern that Americans, who tend to have a variety of credit cards, would struggle to manage multiple PINs.

As the restaurant industry, and U.S. merchants at large, take a wait-and-see approach, HT (Hospitality Technology) measures the industry’s current and planned payment security practices in its 2014 Restaurant Technology Study.

The food service industry, with its fragmented technology, has historically been a target for card data theft. The sunset for swipe cards will be a welcome improvement. EMV preparedness is on restaurants’ radar, with 70% of those surveyed agreeing that it is important to have a well-defined roadmap for EMV preparedness.

When asked about their organization's current approach to preparing for EMV:

  • 26% report having some form of roadmap in place, likely a low figure due to the lack of a standard
  • 37% will make this a priority in the year ahead.

What's more, confusion with the current PCI DSS remains:

  • 86% report that their organizations are "in compliance", but far fewer are able to identify compliance with some of the 12 specific requirements
  • 72% report that their organization maintains a policy that addresses information security for employees and contractors (Requirement 12 of the PCI DSS).

With payment security an ongoing process and a moving target, restaurants are leveraging third parties for assistance. More than half of those surveyed outsource their PCI compliance efforts (54%), and nearly as many (52%) have purchased some form of breach protection or insurance.

Respondents were further asked about their organizations’ use of tokenization and point-to-point encryption (P2PE). Though not a requirement of PCI DSS, these technologies can reduce scope by shrinking the footprint where cardholder data is located throughout the organization.

  • 43% use P2PE and 33% plan to add the technology by 2016
  • 36% use Tokenization and an additional 30% have future implementation plans
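The scope reduction described above (and the "devalue data" point made at the Community Meeting) is easier to see in code than in prose. The following is an added example, not part of the original post or any vendor's product: a constructed tokenization flow in which the merchant's order records hold only a random token and the last four digits, while the PAN lives solely in a separate vault, plus a small Luhn-based PAN detector of the kind used to confirm that cardholder data really has left the merchant's systems. The class and function names, and the two test-style card numbers, are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample PANs: well-known test numbers that pass the Luhn check, not real cards.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_ok(pan: str) -> bool:
    """True if the digit string is 13-19 digits long and passes the Luhn check."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Separator-tolerant pattern for 13-19 digit runs (spaces or dashes allowed between digits).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Detection helper: return digit runs that look like PANs and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """The in-scope component: the only place that can map a token back to a PAN.

    Tokens are random, so a stolen token reveals nothing about the card. A keyed hash
    of the PAN lets the vault return the same token for repeat use (refunds, recurring
    billing) without keeping a plaintext PAN index.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan_hash = {}
        self._key = secrets.token_bytes(32)   # constructed per-vault HMAC key

    def _pan_hash(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible PAN")
        h = self._pan_hash(pan)
        if h in self._token_by_pan_hash:
            return self._token_by_pan_hash[h]
        while True:
            token = "tok_" + secrets.token_hex(8)
            # Reject the rare all-digit token so it can never be mistaken for a PAN.
            if token not in self._pan_by_token and not token[4:].isdigit():
                break
        self._pan_by_token[token] = pan
        self._token_by_pan_hash[h] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def checkout_flow() -> dict:
    """Constructed end-to-end flow: the 'before' merchant stores PANs, the 'after' merchant stores tokens."""
    vault = TokenVault()
    before, after = [], []
    for pan, amount in zip(SAMPLE_PANS, ["19.99", "42.00"]):
        before.append({"pan": pan, "amount": amount})
        after.append({"token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount})
    # Serialise each merchant's records as they might land in a log or backup, then scan them.
    dump = lambda rows: "\n".join(str(r) for r in rows)
    return {
        "vault": vault,
        "orders": after,
        "pans_found_before": find_pans(dump(before)),
        "pans_found_after": find_pans(dump(after)),
    }


if __name__ == "__main__":
    result = checkout_flow()
    print("PANs in merchant data before tokenization:", result["pans_found_before"])
    print("PANs in merchant data after tokenization: ", result["pans_found_after"])
```

Running the script shows two PANs in the "before" records and none in the "after" records, which is the whole point of the scope argument: the scanner that would flag the merchant's database, logs and backups as in scope finds nothing once only tokens are stored, and a breach of those systems yields nothing a fraudster can spend. The vault, of course, remains fully in scope and is where the controls concentrate.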

The full report can be found here.

Most Americans feel EMV chip cards make their debit or credit card transactions more secure

NXP Semiconductors has announced the results of its ‘Security Matters: Americans on EMV Chip Cards’ survey.

To gain further understanding of how confident Americans are in the security of EMV chip card technology and debit/credit card purchases in general, NXP polled more than 1,000 American adults on credit card usage, behavioural trends and consumer sentiment toward the electronic and cashless movement.

Attitudes towards Breaches and Retail Hacks

Overall sentiment reveals that while consumer confidence in credit card technologies remains high, Americans continue to demand better solutions that protect identity, personal information and financial data. With recent reports of compromises in security at Target, Neiman Marcus, PF Chang's and other retailers, Americans are more likely to pay in cash following a security breach at large retailers, with 37% of the millennial age group (18 to 34 years of age) being the most likely to convert to cash. For example, 80% of Americans are confident in their financial institution and the security of their financial accounts, as well as the security and protection of their credit/debit cards (73%).

However, once a security breach at a major store occurs, consumers automatically turn to less convenient forms of payment (64%) – such as cash – to complete a purchase.

Credit Card Protection Technology

Respondents were asked a number of questions pertaining to security, confidence in financial institutions and credit cards, purchasing habits, geographic location, gender and general understanding of current magnetic stripe and EMV technology. When asked specifically about the underlying technologies of a credit or debit card, Americans responded favourably, with 69% stating that EMV chip cards are making their debit and credit card transactions more secure, with only 5% feeling chip cards make their transactions less secure. When asked about the tap and pay feature available on some EMV chip cards, the most common concern expressed was an increased risk of theft (61%), followed by 37% expressing concerns about being charged incorrectly for purchases.

Security and Personal Information

  • 69% of Americans feel EMV chip cards make their debit or credit card transactions more secure
  • 28% believe they are much more secure
  • 31% of men believe they are much more secure compared to 24% of women

Security of finances

  • 73% of Americans are confident in the security of their credit/debit cards or their financial accounts (80%) with their primary financial institution
  • 33% are very confident in the security of their accounts, compared to 26% feeling very confident in the security of their credit/debit cards
  • 64% of Americans say they are more likely to pay in cash after hearing about security breaches at large retailers
  • 36% say they are not more likely to pay in cash
  • 37% of 18 to 34 year olds say they are much more likely compared to 27% of 35 to 54 year olds and 23% of those 55+
  • 5% believe chip cards make their transactions less secure

"From this survey, we see a high consumer awareness of EMV chip card security and readiness to adopt secure technologies that protect credit and debit card purchases," said Brintha Koether, Director Payments at NXP Semiconductors. "We recognize the sensitivity and loss of trust consumers immediately feel after learning of a major security breach. We have seen how secure chip technology employed outside the U.S. drastically reduces fraud as well as builds consumer confidence in card transactions, financial institutions and retailers."

For the full NXP Retail Hacks survey, click NXP Study.

Target breach was watershed event for Debit Card Security

The 2014 Debit Issuer Study, commissioned by PULSE, found sustained growth in both consumer and business debit in 2013. Financial institutions weathered the Target data breach and are looking for solutions to enhance security, with many issuers now planning to implement EMV debit, the study shows. Debit program performance continues to improve, as active cardholders increase their usage of debit.

Key findings include:

  • Consumers continue to shift to electronic payments, with transactions per active card increasing to 20.1 per month from 19.4 a year earlier.
  • 84% of financial institutions reissued all exposed cards in response to Target, compared to only 29% that typically reissue all exposed cards as a standard response to breaches.
  • 86% of financial institutions stated that they plan to begin issuing EMV cards in the next two years, a significant increase from 50% in 2012.

"In the wake of several high-profile data breaches, the industry has come together to look for solutions to increase security and advance EMV implementation," said Steve Sievert, executive vice president of marketing and communications for PULSE. "While PIN debit remains the most secure payment method in the market, this year's study confirms the industry is reaching a tipping point toward EMV. The majority of financial institutions plan to issue EMV debit cards starting in 2015."

Target breach was watershed event

The Target breach impacted every financial institution that participated in the study, causing fraud loss rates to increase in 2013 and compelling issuers to re-evaluate their strategies for improving card security in 2014, the study found.

Overall, 14% of all debit cards were exposed in data breaches in 2013, compared to 5% in 2012. The resulting 2013 fraud losses to financial institutions amounted to 5.7 basis points for signature debit and 0.7 basis points for PIN debit. Compared with the prior year, PIN debit fraud loss rates remained constant at 0.3 cents per transaction, on average, while signature debit loss rates increased to 2.2 cents per transaction, up from 2.0 cents.

Issuers also reported on fraud loss rates by payment usage point. International transactions caused loss rates of 51 basis points, compared to 8 basis points for domestic card-not-present transactions and 2 basis points for domestic card-present transactions.

Data breaches heightened attention to issues of debit card security. Prior to the Target incident, many financial institutions were hesitant to commit to EMV because of uncertainty around retailer adoption of chip card point-of-sale terminals, questions about the viability of the business case for migrating from magnetic stripe cards to chip cards, as well as unresolved issues related to regulation and support for merchant routing choice. In many ways, the Target breach served as a catalyst for the resolution of these issues.

The most common strategy among financial institutions is to provide account holders with an EMV debit card as part of their regular card reissuance cycle. Migration to EMV debit cards will begin in earnest in early 2015 and will span approximately three years, with many issuers attempting to provide chip cards to their international travellers and heavy debit users in advance of the liability shift in October 2015.

"We were quite surprised by the across-the-board embrace of EMV by debit issuers," said Tony Hayes, a partner at Oliver Wyman who co-led the study. "There has been a dramatic shift from issuers' tepid interest last year to their active plans to implement EMV beginning in 2015."

Debit continues to grow, as issuers focus on growth strategies

Outside of the challenges caused by data breaches, debit continued its growth trajectory in 2013. On the consumer side, the primary performance improvement was in transactions per active card per month, which rose to 20.1 in 2013 from 19.4 in 2012. Other metrics, such as penetration, active rate and ticket size, remained consistent year-over-year. There was an uptick in usage of business debit cards: transactions per active card per month grew to 14.5 from 13.5.

Continuing historical trends, signature debit declined in share of total transactions between 2012 and 2013, falling to 62% from 64% for consumer cards, and to 70% from 72% for business cards. As regulated issuers (those with more than $10 billion in global assets) receive equivalent interchange for signature and PIN transactions but incur lower costs on PIN transactions, large debit issuers now tend to prefer PIN transactions.

As issuers continue to promote the migration of cash payments to cards, PULSE expects overall ATM use to naturally decline. In 2013, ATM withdrawals reached a study-wide low of 2.3 per active card per month. Large banks expect ATM transactions to continue to decline, but community banks and credit unions project increased ATM transaction volume as they seek to drive traffic from the branch to the ATM.

The original press release can be found here.

P2PE, Pseudo-P2PE, End-to-End Encryption, Linked Encryption: they are all good

This week's Vendorcom Secure Payments Special Interest Group (SIG) met to discuss P2PE, and it became clear that there are many ways to achieve a compliant outcome.

My first impression was the large number of attendees at the SIG (50+), of whom only one was a Merchant. The rest were a mixed bag of Acquirers, PSPs, QSAs, Vendors and Consultants, making it more of a Vested Interest Group than a Special one.

The Logic Group (TLG) started the presentations and covered their listed P2PE solutions and how they achieved compliance. They explained all the hard work of getting all the elements through the audits and the 970 P2PE controls (more than double that of PCI DSS).

TLG cited the issues of key custody and management, and how at one point during the development period it required 6 people to cover the physical as well as the logical security requirements.

The Q&A session before lunch was mostly aimed at John Elliot of VISA Europe, who handled even the most difficult questions very well and delivered the answers with humour. He even confirmed that next week there is a gathering in the US to ratify the much discussed Tokenization standard and some clarifications to PCI DSS version 3.0. He was, however, wrong on one prediction: that the new Self Assessment Questionnaires (SAQs) would be out on Thursday. They weren't, but to be fair to John almost everyone associated with PCI has tried to predict the arrival of the new SAQs and got it wrong. They finally came out today (28th February 2014).

After lunch Spire Payments and MagTek presented on their device solutions, their compatibility with PCI PTS SRED, and how they could fit into a P2PE compliant solution.

Next up were Vodat International with their alternative to P2PE. The Vodat solution is a managed end-to-end solution with encryption and resilience. Ian Martin's presentation was supported by VISA Europe as a way to achieve PCI DSS compliance.

Some other discussion points:

  • Linked Encryption combined with EMV could make a significant security improvement for the US market
  • Some merchants think switching to Ingenico gives them P2PE
  • Some merchants and the PCI SSC are concerned that there are only two listed P2PE solutions
  • PCI SSC would like to make P2PE modular, e.g. if you want to do your own key management or choose your own PEDs, etc.
  • An April deadline for moving to TLS 1.1 or above is not true; maintaining secure software is always required.
  • All mobile payments are mandated to have P2PE
  • P2PE will probably never be mandatory, except for mobile
  • If you have a certified P2PE solution you can complete an SAQ no matter what size of merchant you are

It was an interesting day, and after all the presentations and discussions what became clear is that there are many ways to achieve PCI DSS compliance: Point-to-Point Encryption (P2PE), Pseudo-P2PE, End-to-End Encryption and Linked Encryption, or a combination of them.

What is not in doubt is that the chosen solution must meet the business profile of the merchant and help them achieve PCI DSS compliance. The solution itself will not achieve compliance, because there is more to compliance than installing a solution; for example, there is the ongoing maintenance of compliance and the human element.

Whichever solution you represent or are looking to buy, let's hope it is installed and maintained well enough to meet and maintain continuous security and PCI DSS compliance.

Increasing Security and Reducing Fraud with EMV Chip and PCI Standards: an Infographic

When data is exposed, it puts your customers and your reputation as a business at serious risk. EMV chip technology combined with PCI Security Standards offers a powerful combination for increasing card data security and reducing fraud.

EMV – The perspective of a QSA who has worked on both sides of the Atlantic

With the spate of cyber attacks on US retailers recently, Coalfire's European MD, Andrew Barratt, considers how attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where Chip and PIN technology is more widely deployed.

Working in both the US and Europe gives us a good perspective on the payment security landscape. The US has a much higher rate of credit card usage than most European countries; loyalty schemes and reward incentives are much more mature and embedded in consumer culture. In Europe card usage is increasing, but the type of card varies by country. In the UK credit card use is moving in a similar direction to the US, alongside a high rate of debit card usage; cards are quickly replacing cash. The UK now has lots of innovative mobile tech trying to disrupt the card market as well. Germany is very different: credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system. However, both of Europe's large economies moved away from using the magnetic stripe years ago.

EMV, or Chip and PIN as it is more commonly referred to in the UK, has been in heavy use since 2006, which has helped lower the impact of brick and mortar retail breaches significantly. It doesn't rely on sending the full track information to the payment processor, meaning that the data is easier to secure.

With retailers adopting more of the security controls detailed in the Payment Card Industry Data Security Standard, and with widespread adoption of Chip and PIN for authenticating customers, huge losses from face-to-face retailers are less common.

Large US retailers are being targeted for smash-and-grab style payment card data breaches because the data is easier to use fraudulently. If a cyber attack steals a lot of magnetic stripe data, this can be used to clone cards, which can then be used in stores to make fraudulent purchases.

Where transactions are authenticated using EMV's Chip and PIN verification method, less data is transmitted to the processor. If this data is stolen it is harder to use fraudulently. It's not impossible, but a lot harder. EMV is not without its flaws, and a number of attacks have been demonstrated by Professor Ross Anderson's research team at Cambridge University. These typically attack the card reader and try to grab the PIN as it is sent to the card's chip for verification.

For US retailers, minimizing exfiltration possibilities should be a high priority: lock down and monitor the outbound connections.

As the fraud bubble has been squeezed, attackers focus on e-commerce operations in the UK, service providers and other businesses that handle lots of card-not-present transactions. As the cost of implementing attacks against the smart card declines, Europe serves as a good learning ground for the US. If the US adopts an EMV model in future, adoption can be planned with the lessons learned overseas, for more consumer protection.

Article written by Andrew Barratt

Twitter:     @Andrew_barratt

LinkedIn:  http://www.linkedin.com/in/andrewbarratt
