
Secure mobile payments getting the balance right

Secure mobile payments getting the balance right. Royal Holloway University of London. Richard Martin Payment System Security Visa Europe 7 September 2013. Visa Europe. European commerce is changing. €1 in every €6.75. 1 in every 6. 50% of Visa transactions. 25% Visa spend.


Presentation Transcript


  1. Secure mobile payments: getting the balance right. Royal Holloway University of London. Richard Martin, Payment System Security, Visa Europe, 7 September 2013.

  2. Visa Europe

  3. European commerce is changing. Figures on the slide: €1 in every €6.75; 1 in every 6; 50% of Visa transactions; 25% of Visa spend. Captions: consumer spend on Visa cards; e-commerce +200% vs face-to-face; mobile by 2020; Visa cards in Europe contactless.

  4. Striking the balance: Acquirers, Issuers, Merchants, Cardholder.

  5. The Visa Europe Payment System Risk Strategy
     • Focus our protection efforts on residual risks
     • Design solutions that are secure from the outset
     • Reinvigorate the data security debate
     • Understand the level of complexity
     • Provide cost effective solutions for all stakeholders
     For data security to be meaningful, it must be applied sensibly. A security and compliance policy that relies on a single solution, a single approach, and a single correct answer, is not likely to succeed in its objectives.

  6. Manage Evolving Risks
     1. Enhanced Authentication: protect cardholder data. Continue deployment and use of robust authentication platforms, key to the stability of the payment systems of the future.
     2. Data Devaluation: protect cardholder data by limiting its availability. Visa Europe instrumental in defining global practices for complementary security technologies.
     3. Data Protection: additional protection required for data which can be reused and cannot be devalued. The Payment Card Industry Data Security Standard (PCI DSS) has been fundamental in raising awareness and fighting fraud.

  7. Visa Europe

  8. Visa’s mobile payment services
     • Mobile POS
     • Person to Person: Visa Personal Payments. Send money from a Visa card to any Visa card, anywhere in the world, using a mobile phone number or PAN.
     • Contactless: Visa payWave for Mobile. Use a mobile device to shop conveniently, quickly and securely in a face-to-face environment.

  9. Making payments vs. accepting payments
     Making payments. A cardholder uses her phone to:
     • Enter her card details into a web form
     • Store her card details (or a token) in a wallet
     • Store her card details on a secure element (e.g. contactless)
     Accepting payments. A merchant uses his phone to:
     • Accept and process payments from customers
     • He will handle many card payments from many customers

  10. Threat Axes and Vulnerabilities
     Threat axes: over the channel; embedded; mobile network provider; the owner.
     Vulnerabilities:
     • Over the channel: SMS / USSD; voice; data (GPRS / Wifi / Bluetooth…)
     • Operating system
     • Hidden processes and applications
     • User behaviour
     • User interface
     • Complexity
     • User awareness
     • Mobile registration and ownership

  11. Recent news
     • 76% of Android malware profit motivated (Q1 2013)
     • HTML5 framework hacks
     • Android Security Squad and Bluebox Security – “Master Key” attacks
     • SIM hack, Security Research Labs

  12. What exactly are we trying to protect?
     • Basically any data whose theft or modification could cause financial or reputational harm to Visa, its Members and users
     • Key assets at risk:
       • Cardholder data (CHD): PAN, expiry date, CVV, CVV2
       • Sensitive authentication data: PIN, cryptograms

  13. Q. What can we do to secure the mobile phone?
     • Not a lot
     • Issuers and acquirers need to cater for hundreds of millions of cardholders and millions of merchants
     • Mobile Device Management?
     • User policies: enforced AV, restrictive Ts & Cs?
     • Enforce certification of handsets against security standards?
     The reality is that card issuers and acquirers will need to take mobile devices as they come. Our security strategy must take this into account.

  14. Innovation with tradition. Criteria for mobile POS & acceptance: familiar & trustworthy; honour all cards; user experience; security (lowering standards would threaten the system); chip & magstripe; benefits for all; Visa trusted brand.

  15. Visa Europe’s position on mobile acceptance devices. Diagram labels: secure hardware accessory; mobile environment; processor / point of decryption; protected in line with Visa’s Encryption & Tokenisation Guidelines.

  16. Mobile solutions not permitted by Visa Europe (1/4): “App” with manual key entry of card data on merchant owned mobile device
     • Software only solutions with no hardware accessory
     • App downloaded on merchant phone
     • Card data keyed on merchant phone
     • Transactions processed as e-comm or MOTO
     • Entry of data on a merchant mobile device cannot be PCI certified at this time
     • This also includes PIN entry

  17. Mobile solutions not permitted by Visa Europe (2/4): Hardware accessory with a magstripe only reader (used with a merchant owned mobile device)
     • Solutions with a magstripe only reader: no chip reader; no PIN pad
     • Transactions sent as a magstripe transaction or as a MOTO or e-comm transaction
     • Europe is a region where chip is required, so this type of solution is not suitable

  18. Mobile solutions not permitted by Visa Europe (3/4): Hardware accessory with a chip reader but no PIN pad (used with a merchant owned mobile device)
     • Solutions with a chip reader: no PIN pad; with or without magstripe
     • Transactions sent as chip transactions
     • PIN pad required in Europe, so this solution is not suitable
     • “Honour All Cards” is a must
     • Key entry of card data on a merchant phone not permitted: magstripe support required

  19. Mobile solutions not permitted by Visa Europe (4/4): Contactless only acceptance
     • An acceptance device must “Honour All Cards”
     • As not all cards support contactless, it is not possible at this time to allow contactless only devices

  20. Two mobile acceptance solutions permitted (1/2): Hardware accessory with chip, magstripe & PIN pad (merchant owned mobile device)
     • Chip & PIN must be supported
     • Magstripe must be supported
     • Contactless optional but recommended
     • Key entry of data on secure PED allowed when no other option
     • Physical (audio jack, mini USB etc.) or Bluetooth connection to mobile device
     • Security is ensured by PCI SRED (Secure Read Exchange Data) and point-to-point encryption

  21. Anatomy of mobile card reader security
     • Security standards: PCI PIN Transaction Security (PCI PTS)
     • Secure PIN entry
     • Device hardened against physical & logical hacking
     • Encryption: SRED* module
     * SRED = Secure Read and Encryption of Data. SRED is a hardware module for secure key storage & encryption functions.

  22. Encryption on the reader removes the mobile device from the key areas of risk. Diagram labels: SRED; Telco / ISP; Secure host; HSM; Processor/acquirer system (PCI DSS compliant environment).
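The point of slides 21 and 22 is that once the SRED module encrypts card data inside the reader, the merchant's phone, the telco and the ISP only ever relay ciphertext, and the only place the PAN reappears is the acquirer's PCI DSS environment where the HSM holds the key. The following Go program is an added illustration of that model, not code from the presentation or from Visa Europe; the reader identity, the transaction counter, the fixed demo key and the test PAN are constructed for the example, and AES-GCM is used as a stand-in for whatever key scheme a certified reader actually implements.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo key. A real SRED module keeps its keys in tamper-responsive
// hardware and the acquirer keeps the matching keys in an HSM; the key is
// derived from a fixed string here only so that the example runs offline.
var readerKey = sha256.Sum256([]byte("demo-reader-key-not-for-production"))

// Envelope is everything the merchant's phone app sees: ciphertext, nonce,
// the reader identity and counter, and a masked PAN for the receipt.
type Envelope struct {
	DeviceID   string
	Counter    uint32
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
	MaskedPAN  string
}

// maskPAN keeps the first six and last four digits, the usual display form.
func maskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// additionalData binds the ciphertext to the reader and its transaction
// counter, so it cannot be re-attributed to another device or transaction.
func additionalData(deviceID string, counter uint32) []byte {
	return []byte(fmt.Sprintf("%s|%d", deviceID, counter))
}

// readerEncrypt models the SRED step: card data is encrypted inside the
// reader before it crosses the audio jack / USB / Bluetooth link to the phone.
func readerEncrypt(key []byte, deviceID string, counter uint32, pan, expiry string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), additionalData(deviceID, counter))
	return Envelope{DeviceID: deviceID, Counter: counter, Nonce: nonce, Ciphertext: ct, MaskedPAN: maskPAN(pan)}, nil
}

// hostDecrypt models the point of decryption inside the acquirer's PCI DSS
// environment. Any change to ciphertext, nonce, device id or counter in
// transit fails the GCM tag check and the transaction is rejected.
func hostDecrypt(key []byte, e Envelope) (pan, expiry string, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, additionalData(e.DeviceID, e.Counter))
	if err != nil {
		return "", "", errors.New("envelope rejected: authentication failed")
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed card data")
	}
	return parts[0], parts[1], nil
}

// phoneSeesPAN is the check a reviewer makes on the app side: can the full
// PAN be read from anything the phone handles?
func phoneSeesPAN(e Envelope, pan string) bool {
	return e.MaskedPAN == pan || bytes.Contains(e.Ciphertext, []byte(pan))
}

func main() {
	pan := "4000001234567899" // constructed test PAN, not a real card
	env, err := readerEncrypt(readerKey[:], "READER-01", 1, pan, "1215")
	if err != nil {
		panic(err)
	}
	fmt.Println("phone sees:", env.MaskedPAN, "full PAN visible:", phoneSeesPAN(env, pan))
	gotPAN, gotExp, err := hostDecrypt(readerKey[:], env)
	fmt.Println("host recovers:", gotPAN, gotExp, err)
	env.Ciphertext[0] ^= 0x01 // simulate tampering while the envelope sits on the phone
	_, _, err = hostDecrypt(readerKey[:], env)
	fmt.Println("after tampering:", err)
}
```

The reviewer-side check `phoneSeesPAN` and the counter in the additional data are the two things worth copying into an assessment of a real mPOS app: the first confirms that the app never holds cleartext PAN, the second shows why an encrypted blob captured on the phone cannot simply be submitted again under a different transaction.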

  23. Mobile solutions permitted by Visa Europe (2/2): Software based solution / m-commerce app (cardholder mobile device)
     • Card details never entered on merchant mobile device
     • Secure if back end, registration process and permission to use are protected
     • Refer to Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, published in Sept. 2012: http://www.visaeurope.com/ais
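Slide 23 names three things that make the software-only, cardholder-device model work: a protected back end, a protected registration process, and a protected permission to use. The Go program below is an added example of one hypothetical design that gives each of them a concrete check; it is not code from the presentation, from Visa Europe or from the referenced best-practices document. The token vault, the device key binding at registration, the signed payment request and the test PAN are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// vault stands in for the wallet provider's back end. The PAN lives only
// here; the cardholder's device and the merchant handle a token in its place.
type vault struct {
	cards   map[string]string            // token -> PAN (constructed demo data)
	devices map[string]ed25519.PublicKey // token -> public key of the registered device
	seen    map[string]bool              // request ids already consumed
}

func newVault() *vault {
	return &vault{cards: map[string]string{}, devices: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

// register models the registration process. A real deployment would first
// identify and verify the cardholder with the issuer (assumed to have happened
// before this call); the back end then issues a random token and binds it to
// the key pair the device generated.
func (v *vault) register(pan string, devicePub ed25519.PublicKey) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw) // random, not derivable from the PAN
	v.cards[token] = pan
	v.devices[token] = devicePub
	return token, nil
}

// paymentRequest is what the wallet app sends. The merchant forwards it
// unchanged and never receives card details.
type paymentRequest struct {
	Token       string
	Merchant    string
	AmountMinor int64 // amount in minor units, e.g. cents
	RequestID   string
	Signature   []byte
}

func (p paymentRequest) signedBytes() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", p.Token, p.Merchant, p.AmountMinor, p.RequestID))
}

// sign runs on the cardholder's device with the key registered for the token.
func sign(priv ed25519.PrivateKey, p paymentRequest) paymentRequest {
	p.Signature = ed25519.Sign(priv, p.signedBytes())
	return p
}

// authorise is the permission-to-use check at the back end: known token, a
// signature from the registered device over the exact merchant and amount,
// and a request id that has not been used before.
func (v *vault) authorise(p paymentRequest) (string, error) {
	pub, ok := v.devices[p.Token]
	if !ok {
		return "", errors.New("unknown token")
	}
	if !ed25519.Verify(pub, p.signedBytes(), p.Signature) {
		return "", errors.New("signature not from the registered device")
	}
	if v.seen[p.RequestID] {
		return "", errors.New("request id already used")
	}
	v.seen[p.RequestID] = true
	pan := v.cards[p.Token]
	return "****" + pan[len(pan)-4:], nil // only a masked PAN ever leaves the vault
}

func main() {
	v := newVault()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	token, _ := v.register("4000001234567899", pub) // constructed test PAN
	req := sign(priv, paymentRequest{Token: token, Merchant: "SHOP-42", AmountMinor: 1999, RequestID: "r-1"})
	fmt.Println(v.authorise(req))
	fmt.Println(v.authorise(req)) // same request id again: rejected
}
```

The design choice to note is that the merchant and the network between wallet and back end hold nothing that can be turned into a card payment on its own: the token is random, the signature covers merchant and amount so it cannot be reused for a different purchase, and the request id stops the same signed request from being submitted twice.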

  24. Benefits
     • Consistent and familiar experience for cardholders and merchants
     • Increased likelihood that cardholders and merchants will use mPOS
     • Maintains and reinforces the trust in the brand
     • Maintains Visa’s security profile
     • Ensures that an exciting new method of payment starts secure
     • Bringing new players to market
     • Innovative new ideas and concepts
     • Reduced costs

  25. mPOS solutions: 7 live implementations; 200k+ merchants by 2014; 10 European markets. Mobile devices allowing low cost and easy access payments. Balancing security and integrity with ease of deployment. Working with industry providers.

  26. Thank you
