Presentation is loading. Please wait.

Presentation is loading. Please wait.

Troy Leach April 2012 The PCI Security Standards Council.

Published byAdolfo Sartwell Modified over 10 years ago

Similar presentations

Presentation on theme: "Troy Leach April 2012 The PCI Security Standards Council."— Presentation transcript:

1 Troy Leach April 2012 The PCI Security Standards Council

2 About the Council Open, global forum Founded 2006 Responsible for PCI Security Standards Development Management Education Awareness

3 Manufacturers PCI PTS Pin Entry Devices Ecosystem of payment devices, applications, infrastructure and users Software Developers PCI PA-DSS Payment Applications PCI Security MOBILE PAYMENTS Merchants & Service Providers PCI DSS Secure Environments PCI Security Standards Protection of Cardholder Payment Data

4 Technology Updates: Mobile Questions & Answers Agenda Industry Engagement

5 Environmental Considerations at a Glance Market Increased interest in adoption of a variety of mobile technologies Absence of both traditional controls and standards PCI SSC Activity Create efficient mechanisms for broader engagement Evaluate need to develop standards Facilitate, when applicable, easier compliance mechanisms

6 Areas of Focus for Mobile Devices Tamper-resistance, Secure Card Readers, POI & P2PE Applications Requirements and/or Best Practices for authorization and settlement Service Providers Service provider protection of cardholder data and validation MOBILE

7 Peripheral Device Encryption The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data. New PTS approval class for Secure (Encrypting) Card Readers (SCR) SCR and other POI Cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.

8 Audio connector plugs into the phones headphone QSA must determine data NOT decrypted on phone No PIN entry Also works on computers – any device with an audio input jack Mobile Phone Plug-in SCR Plug-in MSR encrypts data on the reader even before it reaches the phone

9 2011 Guidance. Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and validating mobile payment acceptance applications to version 2.0 of the PA-DSS. Mobile Update – Announcement and FAQ

10 Mobile Application Categories Applications for category 1 and 2 devices are eligible for PA-DSS Applications for category 3 devices pending development of further guidance and/or standards Category 2: Purpose Built POS Devices Category 3: General Purpose Smart Device Category 1: PTS Approved PED Devices

11 Current Environmental Concerns Rapid development of applications Lack of traditional controls Too Many Privileges Malicious Apps Wi-Fi Sniffing / Blackjacking Radiation of keys and side channel attacks Distribution and persistent connectivity Ownership and use policy

12 PTS PED Vendor Solutions Phone is designed and purpose built as a secure device Because secure tamper protected device, may use either SCR or a data key managed similar to PIN key By definition does not use off the shelf mobile phones

13 PTS PED Vendor Solutions Phone Compartment Cradle for phone May employ encrypting card reader or use data key managed similar to PIN key Card readers integrated to PED

14 The mobile device has access to cleartext cardholder data. Mobile Task Force to provide guidance and/or best practices Exposure of CHD within device Cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device. Application Security within Smart Devices

15 2012 Guidance Calendar Mobile SCR & P2PE Guidance for Merchants Mobile Acceptance Best Practices Mobile SCR & P2PE Guidance for Assessors and Vendors Roadmap for Category 3 Applications 15

16 Three Year Outlook: Mobile Devices and Peripherals: Publish guidance on use of attached PTS POI to mobile with P2PE Applications: Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation Create AQM checklist for PA-DSS qualification If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data Service Providers: Evaluate for potential guidance and/or security requirements for third- parties with access to cardholder data Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants require Council to address

17 Technology Updates: Mobile Questions & Answers Agenda Industry Engagement

18 Mobile Task Force PCI Council Members and staff, volunteer participating organizations and subject matter experts Subject matter experts especially important when examining Scenario 2 Examples of subject matter experts: Security Assessors OS Platform Vendors Financial Processors Device Manufactures

19 Mobile Task Force The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.

20 Questions? Any Questions? Please visit our website at www.pcisecuritystandards.orgwww.pcisecuritystandards.org

Download ppt "Troy Leach April 2012 The PCI Security Standards Council."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
What we all need to know. Approval Date: April 30, 2012 Approved by: President's Council.

What we all need to know. Approval Date: April 30, 2012 Approved by: President's Council.
National Bank of Dominica Ltd. 2011 Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.

National Bank of Dominica Ltd Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
Mobile Payment Security The Good, the Bad and the Ugly

Mobile Payment Security The Good, the Bad and the Ugly
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Navigating the New SAQs (Helping the 99% validate PCI compliance)

Navigating the New SAQs (Helping the 99% validate PCI compliance)
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
PCI Compliance Roundtable Update Presented by the PCI Compliance Task Force.

PCI Compliance Roundtable Update Presented by the PCI Compliance Task Force.
Smart Payment Processing ™ 800-846-4472 www.MercuryPay.com Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.

Smart Payment Processing ™ Protecting Your Business from Card Data Theft Presenter: Lucas Zaichkowsky.
C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?

C USTOMER CREDIT CARD AND DEBIT CARD SECURITY (PCI – DSS COMPLIANCE) What is PCI – DSS Compliance and Who needs to do this?
Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.

Credit Card Compliance Regulations Mandated by the Payment Card Industry Standards Council Accounting and Financial Services.
© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.

© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Similar presentations

Ads by Google