
POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme Common Approval Scheme POI Working Group SRC Security Research & Consulting.


1 POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme
Common Approval Scheme POI Working Group
SRC Security Research & Consulting GmbH

2 Content
- Affected payment system components
- Domestic evaluation schemes and Payment Card Industry (PCI)
- Single Euro Payments Area (SEPA) requirements
- Common Approval Scheme (CAS) for banking IC cards
- CAS for POS/ATMs (POI)
  - POI PP security requirements
  - Experiences in the creation of the POI PP
  - Foresight

3 Affected Payment System Components
- Banking IC cards
- Point of Sale terminal (POS)
  - IC card based electronic payment
  - Includes PIN Entry Device (PED) and other components (e.g. card reader)
- Automated Teller Machine (ATM)
  - IC card based electronic money withdrawal
  - Includes Encrypting PIN Pad (EPP) and other components
- ATM and POS are both defined as Points of Interaction (POIs)

4 (no text in transcript)

5 Domestic Evaluation Schemes
- Throughout many European countries the banking industry
  - has set security requirements
  - to manage risks within payment systems effectively
- Compliance of payment system components with these security requirements has to be proved by security evaluations
- Different security levels and requirements
  - Obstacle for mutual recognition of security evaluations

6 Examples of Domestic Evaluation Schemes
- APACS (United Kingdom)
  - Common Criteria (without formal certification)
  - Based on the APACS PED Protection Profile
- ZKA (Germany)
  - Domestic high-level security requirements
  - Informal scheme
- Currence (Netherlands)
  - PCI+

7 Payment Card Industry Evaluations
- Global scheme with security requirements aligned by MasterCard and VISA
  - Evaluator performs steps based on test and security requirements defined by PCI
  - Composition of design, test and vulnerability analysis adapted for ATM (EPP) and POS (PED)
- Comparison to Common Criteria
  - Design evaluation based on a vendor questionnaire, no code review (no ADV_IMP, the CC implementation representation component)
  - Predefined test cases; no ALC (life cycle support), ACM (configuration management) or ADO (delivery and operation) assurance classes
  - Requirements of resistance against high attack potential

8 SEPA Standardisation for Card Payments
- Use of international standards for cross-border and domestic transactions
  - Technical requirements for payment system components are becoming closely aligned throughout Europe
- The European Payments Council, in its Single Euro Payments Area (SEPA) Cards Framework (SCF)
  - defines certification principles as interoperability principles to be worked out
  - explicitly states security requirements and mutual recognition

9 SEPA Standardisation for Card Payments (EPC SEPA Cards Framework, SCF)
"In order for the objectives of this Framework to be achieved, SEPA-level interoperability must be ensured in the following 4 domains: cardholder to terminal interface, cards to terminal (EMV), terminal to acquirer interface (protocols or minimum requirements), acquirer to issuer interface, including network protocols (authorization and clearing)."
"A common process for the certification of terminals, cards, and network interfaces will be defined in line with the principle described in Chapter 2.3.2."
"Card schemes will engage in mutual recognition for type approval. Any terminal certified for SEPA transactions by a certification body in one SEPA country can be deployed in any SEPA country for acceptance of SEPA cards across all SCF compliant schemes."

10 Common Approval Scheme Initiative
- The Common Approval Scheme (CAS) initiative was originated
  - to agree on common security requirements harmonising the existing requirements
  - to agree on a common evaluation methodology
  - using the Payment Card Industry (PCI) security requirements for POS/ATM as the basis for the technical requirements
- Goal: reducing the number of security evaluations to be performed by manufacturers, and reducing the costs of security certification

11 Countries
Country          Participants
Belgium          Atos Worldline, Banksys
France           Cartes Bancaires
Germany          ZKA
Italy            Progetto Microcircuito
Luxembourg       CETREL
Netherlands      Currence, Equens
Norway           BSK
Portugal         SIBS
Spain            Servired, Sistema 4B
Sweden           PNC
United Kingdom   APACS
... (open to additional participants)
CC experts involved: Trusted Labs (France), SiVenture (United Kingdom), SRC (Germany)

12 CAS Cards Working Group
- Harmonisation of security requirements and methodology accomplished
- Result is a finalised Generic Security Target for CC evaluations of banking IC cards
- Thus no Protection Profile for banking IC cards
  - The Generic Security Target is a guideline
- Co-ordination with ISCI/JHAS
- Preparation of pilot evaluations
- Open question: who will verify whether a Security Target meets the Generic Security Target?

13 CAS Terminal Working Group
- Work in progress: evaluation according to PCI or CC?
  - Harmonisation of security requirements (in progress), including the PCI POS PED security requirements
  - Harmonisation of evaluation methodology (in progress); for the CC approach this results in a POI Protection Profile
  - Within a feasibility study it will be examined whether CC evaluations conformant to the developed PP(s) pave the way for SCF-compliant certification criteria and mutual recognition of security certificates

14 Generic POI Architecture

15 Security Problem and Security Objectives
- Assets
  - PIN, POI management and payment transaction data, software, cryptographic keys
- Threats
  - Performing unauthorised payment transactions by disclosure of the PIN or keys, or by manipulation of software or data
- Security objectives
  - Confidential PIN entry and PIN processing
  - Authentic and integrity-protected payment transactions
  - Authentic and integrity-protected use of software and related hardware; application separation

16 CAS POI Security Requirements (subset)
- PCI
  - Physical and logical security requirements: tamper-responsive hardware, ...; self-test, detection of logical anomalies, ...
- PCI+ (beyond PCI)
  - Extension to message integrity for ATM/POS
  - Extension of the requirements for the life cycle
  - Code analysis
- PCI- (below PCI)
  - Plaintext PIN protection at a level less than high
  - Magnetic stripe security

17 Challenges in Creating a PP for a Complex Product
- Define the Target of Evaluation
  - Different implementation architectures shall be allowed
  - Different payment system components (ATM, EPP, POS, PED) shall be considered
  - Application separation
- Two evaluation assurance levels
  - High attack potential as the objective for PIN entry and enciphered PIN processing, but at low cost
  - Protection level for plaintext PIN and for POI management and transaction data processing below high
  - Different hardware security requirements

18 Minimum POI

19 POI components connected via an open network

20 POI Protection Profile

21 Foresight
- Finalising the POI PP
- Pilot evaluation based on the POI PP
- Mutual recognition and certification scheme
  - Discussion already started with BSI, DCSSI, CESG
  - Founding a group like ISCI/JHAS for IC cards
- Decision for PCI methodology or Common Criteria based on PCI functional security requirements
Any questions?

22 Contact
SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149a
53117 Bonn
Tel.: +49-(0)228-2806-0
Fax: +49-(0)228-2806-199
E-mail: info@src-gmbh.de
WWW: www.src-gmbh.de

