POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme Common Approval Scheme POI Working Group SRC Security Research & Consulting.
Content
- Affected payment system components
- Domestic evaluation schemes and Payment Card Industry (PCI)
- Single European Payment Area (SEPA) requirements
- Common Approval Scheme (CAS) for banking IC cards
- CAS for POS/ATMs (POI)
   POI PP security requirements
   Experiences in the creation of the POI PP
   Foresight

Affected Payment System Components
- Banking IC cards
- Point of Sale Terminal (POS)
   IC card based electronic payment
   Includes PIN Entry Device (PED) and other components (e.g. card reader)
- Automated Teller Machine (ATM)
   IC card based electronic money withdrawal
   Includes Encrypting PIN Pad (EPP) and other components
- ATM and POS are both defined as Points of Interaction (POIs)

Domestic Evaluation Schemes
- Throughout many European countries the banking industry
   has set security requirements
   to manage risks within payment systems effectively
- Compliance of payment system components with these security requirements has to be proved by security evaluations
- Different security levels and requirements
   Obstacle to mutual recognition of security evaluations

Examples of Domestic Evaluation Schemes
- APACS (United Kingdom)
   Common Criteria (without formal certification)
   Based on the APACS PED Protection Profile
- ZKA (Germany)
   Domestic high-level security requirements
   Informal scheme
- Currence (Netherlands)
   PCI+

Payment Card Industry Evaluations
- Global scheme with security requirements aligned by MasterCard and VISA
   Evaluator performs steps based on test and security requirements defined by PCI
   Composition of design, test and vulnerability analysis adapted for ATM (EPP) and POS (PED)
- Comparison to Common Criteria
   Design evaluation based on a vendor questionnaire, no code review (ADV_IMP)
   Predefined test cases, no ALC, ACM, ADO
   Requires resistance against high attack potential

SEPA Standardisation for Card Payments
- Use of international standards for cross-border and domestic transactions
   Technical requirements for payment system components are becoming closely aligned throughout Europe
- The European Payments Council, in its Single European Payment Area (SEPA) Cards Framework (SCF),
   defines certification principles as interoperability principles to be worked out
   explicitly states security requirements and mutual recognition

SEPA Standardisation for Card Payments: EPC SEPA Cards Framework (SCF)
- “In order for the objectives of this Framework to be achieved, SEPA-level interoperability must be ensured in the following 4 domains: cardholder to terminal interface, cards to terminal (EMV), terminal to acquirer interface (protocols or minimum requirements), acquirer to issuer interface, including network protocols (authorization and clearing).”
- “A common process for the certification of terminals, cards, and network interfaces will be defined in line with the principle described in Chapter ”
- “Card schemes will engage in mutual recognition for type approval. Any terminal certified for SEPA transactions by a certification body in one SEPA country can be deployed in any SEPA country for acceptance of SEPA cards across all SCF compliant schemes.”

Common Approval Scheme Initiative
- The Common Approval Scheme (CAS) initiative was originated
   to agree on common security requirements, harmonising the existing requirements
   to agree on a common evaluation methodology
   using the Payment Card Industry (PCI) security requirements for POS/ATM as the basis for the technical requirements
- Goal: reducing the number of security evaluations to be performed by manufacturers and reducing the costs of security certification

Countries and Participants
- Belgium: Atos Worldline, Banksys
- France: Cartes Bancaires
- Germany: ZKA
- Italy: Progetto Microcircuito
- Luxembourg: CETREL
- Netherlands: Currence, Equens
- Norway: BSK
- Portugal: SIBS
- Spain: Servired, Sistema 4B
- Sweden: PNC
- United Kingdom: APACS
- ... (open to additional participants)
CC experts involved: Trusted Labs (France), SiVenture (United Kingdom), SRC (Germany)

CAS Cards Working Group
- Harmonisation of security requirements and methodology accomplished
- Result is a finalised Generic Security Target for CC evaluations of banking IC cards
- Thus no Protection Profile for banking IC cards
   The Generic Security Target serves as a guideline
- Co-ordination with ISCI/JHAS
- Preparation of pilot evaluations
- Open question: who will verify whether a product's Security Target meets the Generic Security Target?

CAS Terminal Working Group
- Work in progress: evaluation according to PCI or CC?
   Harmonisation of security requirements (in progress), including the PCI POS PED security requirements
   Harmonisation of evaluation methodology (in progress); for the CC approach this results in a POI Protection Profile
   Within a feasibility study it will be examined whether CC evaluations conformant to the developed PP(s) pave the way for SCF compliant certification criteria and mutual recognition of security certificates

Generic POI Architecture

Security Problem and Security Objectives
- Assets
   PIN, POI management and payment transaction data, software, cryptographic keys
- Threats
   Performing unauthorised payment transactions by disclosure of the PIN or of keys, or by manipulation of software or data
- Security Objectives
   Confidential PIN entry and PIN processing
   Authenticity and integrity of the payment transaction
   Authenticity and integrity of software usage and of the related hardware / application separation

CAS POI Security Requirements (subset)
- PCI
   Physical and logical security requirements: tamper-responsive hardware, …; self-test, logical anomalies, …
- PCI + (added beyond PCI)
   Extension to message integrity for ATM/POS
   Extension of requirements for the life cycle
   Code analysis
- PCI – (relaxed relative to PCI)
   Plaintext PIN protection at a level less than high
   Magnetic stripe security

Challenges in Creating a PP for a Complex Product
- Define the Target of Evaluation
   Different implementation architectures shall be allowed
   Different payment system components (ATM, EPP, POS, PED) shall be considered
   Application separation
- Two Evaluation Assurance Levels
   High attack potential as the objective for PIN entry and enciphered PIN processing, but at low cost
   Protection level for plaintext PIN and for POI management and transaction data processing below high
   Different hardware security requirements

Minimum POI

POI components connected via an open network

POI Protection Profile

Foresight
- Finalising the POI PP
- Pilot evaluation based on the POI PP
- Mutual recognition and certification scheme
   Discussion already started with BSI, DCSSI, CESG
   Founding a group like ISCI/JHAS for IC cards
- Decision for the PCI methodology or for Common Criteria based on PCI functional security requirements
Any questions?

Contact
SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149a, Bonn
Tel. +49-(0)
Fax: +49-(0)
WWW: