
Lessons Learned from Implementing Existing Standards Dos and Don'ts for Implementing Authentication Standards



Presentation Transcript


  1. Lessons Learned from Implementing Existing Standards: Dos and Don'ts for Implementing Authentication Standards
     Jeff Stapleton, CISSP, CTGA, QSA
     Cryptographic Assurance Services LLC
     X9F4 Working Group
     Information Assurance Consortium
     Payment Card Industry (QSA)

  2. Agenda
     • Standards Organizations
     • Authentication Case Studies
       • TG-3 PIN Compliance
       • SET Brand CA Compliance
       • WebTrust for CA Compliance
       • PCI DSS Compliance
     • Other Standards
     • Summary

  3. Standards Organizations
     (Diagram, organization chart: Formal Organizations are ISO, with its committees TC68 and JTC1, and ANSI, the USA Member of ISO, with X9 as the US TAG to TC68 and INCITS as the US TAG to JTC1, plus NIST; Informal Organizations are the IETF and the CA Browser Forum, CABF.)
     • ISO: International Standards
       • 172 countries
       • 248 Technical Committees
       • ~3000 standards
     • ANSI: USA National Body
       • 820 organizations
       • 284 accredited groups
     • IETF: Internet
       • (?) individuals
       • 118 subgroups
       • 5734 specifications
     • TC68: Financial Services
       • 63 countries
       • 11 Subgroups
       • 50 standards
     • X9: Financial Services
       • 150 organizations
       • 15 subgroups
       • 115 standards
     • NIST: Federal Government
       • ~30 subgroups
       • 10,000+ documents
     • JTC1: Information Technology
       • 85 countries
       • 19 Subgroups
       • 357 standards
     • INCITS: Information Technology
       • 1700 organizations
       • 40 subgroups
       • (?) standards
     • CA Browser Forum
       • 42 members
       • 5 documents

  4. Case Studies
     • TG-3 PIN Compliance
       • TG-3 Compliance
       • TG-3 Assessments
     • SET Brand CA Compliance
       • SET Brand CA Compliance
       • SET Brand CA "audits"
     • WebTrust for CA Compliance
       • WebTrust for CA Compliance
       • WebTrust for CA Evaluations
     • PCI DSS Compliance
       • PCI Compliance
       • PCI (QSA) Assessments
     • Two slides per topic
       • Compliance program
       • Compliance effort
     • Four case studies
       • Facts
       • Issues
       • Stories

  5. TG-3 PIN Compliance
     • X9 TG-3 (TR-37) Retail Financial Services Compliance Guideline for Online PIN Security and Key Management
       • ANSI X9.8 PIN Management and Security
       • ANSI X9.24 Retail Financial Services – Symmetric Key Management
         • Part 1: Using Symmetric Techniques
         • Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys
     • Adopted by EFT Networks in 1996
       • Pulse; wholly owned subsidiary of Discover Financial Services
       • STAR; wholly owned subsidiary of First Data Resources (FDR)
       • NYCE; wholly owned subsidiary of Metavante
     • Certified TG-3 Assessor (CTGA)
     • ISO 9564 PIN Management and Security
     • ISO 11568 Banking – Key Management – Retail
     • EMV Integrated Circuit Card Specification for Payment System (offline)

  6. TG-3 Assessments
     • Symmetric Keys
       • General Security Controls
       • TRSM Controls
       • General Key Management
       • Additional Key Management
     • Asymmetric Keys
       • General Asymmetric Controls
       • Asymmetric Controls
       • Mutual Authentication
       • Credential Management
       • Additional Asymmetric Controls
     • Prescriptive checklist
       • Reviews
       • Interviews
       • Inspections
       • Observations
       • Tests
     (Table, assessment checklist: for each Control Objective the assessor records Yes / No / N/A and any Exception, together with the Procedures… performed.)

  7. SET Brand CA Compliance
     • Secure Electronic Transaction (SET)
       • Book 1: Business Description
       • Book 2: Programmer's Guide
       • Book 3: Formal Protocol Definition
     • Visa and MasterCard: 1995 – 2003
     • Participants
       • 16+ companies involved
       • 50+ key individuals involved
     • Brand CA
       • JCB; Japan
       • MasterCard (MC); USA
       • PBS; Denmark
       • Visa; USA
       • Cyber-Comm (CC); France
     (Diagram, SET CA hierarchy: SET Root CA; below it the Brand CAs, e.g. MC and Visa; below each Brand CA a Regional Geo-Political CA; below that the User CA (U), Merchant CA (M) and Payment Gateway CA (PG), which issue certificates to users, merchants and payment gateways respectively.)

  8. SET Brand CA "Audits"
     • Brand CA Control Objectives (TG-3)
     • ANSI X9.79 PKI Policy and Practices
       • Policy Authority (PA)
       • Certificate Issuer (CI)
       • Certificate Manufacturer (CM)
       • Registration Authority (RA)
       • Repository (Rep)
       • Subscriber (Sub)
       • Relying Party (RP)
     • PKI Standards
       • WebTrust for CA
       • ISO 21188
     (Table, audit checklist: the same Control Objective / Yes / No / N/A / Exception / Procedures… layout as the TG-3 checklist, with X9.79 roles mapped to SET participants; example from Japan: PA and CI: SET brands MC and JCB, PA CA of Japan; RA and Rep: Bank of Japan, Sumitomo Bank; CM and Rep: Fujitsu; Sub and RP: Merchant, Consumer.)

  9. WebTrust for CA Compliance
     • ANSI X9.79 PKI Policy and Practices
       • CA control criteria submitted to AICPA and CICA
       • Redeveloped as WebTrust for CA
     • Auditing standard: WebTrust for CA
       • Licensed in 37 countries by CPA (or equivalent)
       • Mandated by most states as SAS 70 criteria
       • Mandated by all Browser Vendors
     • CA Browser Forum
       • Extended Validation (EV) Audit Criteria
       • EV Certificate Issuance and Management Guide
       • EV Certificate Usage Guide
     • ISO 21188 PKI Policy and Practices
     (Diagram: the Organization is audited by an Auditor; where functions are Out Sourced, the Service Provider is covered by a SAS 70 report from its own Auditor.)

  10. WebTrust for CA Evaluations
     • Audit performed by licensed CPA (or equivalent)
       • American Institute of Certified Public Accountants
       • Canadian Institute of Chartered Accountants
     • WebTrust for CA
     • WebTrust for CA Extended Validation (EV)
     • Evaluation is "Readiness" Check for Audit
       • Validate CP and CPS (RFC 3647)
       • Validate X.509 certificates (RFC 5280)
       • Validate Subscriber (EV) Agreement
       • Validate Operational Procedures
       • Controls over Root CA (offline) and Subordinate CA (online)
       • Controls over SSL and VPN implementations
     (Figure: Public Key Certificate)

  11. PCI Compliance
     • Payment Card Industry Security Standards Council (PCI SSC)
       • Expansion of the Visa Cardholder Information Security Program (CISP)
       • Visa, MasterCard, Amex, Discover, JCB established in 2006
       • 500+ Participating Organizations
     • PCI Data Security Standard (DSS)
       • Qualified Security Assessor (QSA) Company
       • Approved Scanning Vendor (ASV) Company
       • Penetration Tester qualifications and test results undefined
       • Wireless controls scattered throughout requirements
     • PCI Payment Application Data Security Standard (PA-DSS)
       • Payment Application Qualified Security Assessor (PA-QSA) Company
     • PCI PIN Transaction Security (PTS)
       • Formerly PIN Encryption Device (PED) compliance program
       • Visa and MasterCard PIN compliance programs

  12. PCI (QSA) Assessments
     • PCI DSS v1.2 "protect cardholder data"
       • Requirement 1: Install and maintain a firewall
       • Requirement 2: Do not use vendor-supplied defaults
       • Requirement 3: Protect stored cardholder data
       • Requirement 4: Encrypt transmission of cardholder data
       • Requirement 5: Manage anti-virus software
       • Requirement 6: Software assurance
       • Requirement 7: Restrict access by business need to know
       • Requirement 8: Assign a unique ID
       • Requirement 9: Restrict physical access
       • Requirement 10: Track and monitor all access
       • Requirement 11: Regularly test security systems
       • Requirement 12: Maintain information security policy
     • Wireless controls scattered throughout requirements

  13. Other Authentication Standards
     • ANSI Standards
       • X9.84 Biometric Management and Security
       • X9.95 Trusted Time Stamps (TSA)
       • X9.112 Wireless Management and Security (802.11x)
     • Work in Progress
       • X9.117 Mutual Authentication
       • X9.112 Wireless – Part 3: Mobile Banking (TSM)
     • Gaps: no password standard
       • Green Book CSC-STD-002-85 (1985) Password Management
       • FIPS 112 (1985) Password Usage; withdrawn 2005
       • ANSI X9.26 (1990) Financial Institution Sign-On Authentication for Wholesale Transactions; withdrawn 1999

  14. Summary
     • Many standards to choose from
     • Many technologies to choose from
     • Many compliance programs to follow
     • Many today; more tomorrow
     • Change is inevitable
       • Watch out for technology transitions
       • Mergers and acquisitions
       • New vulnerabilities
       • Technology breakthroughs
     • Compliance is a journey, not a destination
