PCI PIN Entry Device Security Requirements PCI PIN Security Standards


Topics
- Payment Card Industry PIN Entry Device (PCI PED) Security Requirements
  - Overview
  - Testing process
  - Programme Requirements
  - Mandates
  - Common Issues
- Payment Card Industry PIN Security Standards
- Related Mandates

PCI PED Security Requirements Overview
- Formerly known as the Visa PED Standards
- Standards aligned with other payment schemes
- PCI PIN Entry Device Security Requirements published in October 2004
- Requirements primarily related to attended POS devices (online, offline or both) and Encrypting PIN Pads (POS, ATMs, fuel dispensers, kiosks, etc.)
- Eventually to contain full requirements for ATMs and other unattended devices
- Version 2 published in April 2007; Version 2 to be effective on 1 April 2008. Till then version

PCI PED Security Requirements Overview
The Security Requirements are divided into two categories:
- Device characteristics
  - Physical
  - Logical
- Device management
  - During manufacturing
  - Between manufacturing and initial key loading

PCI PED Testing Process
- Vendor completes the relevant documentation and contacts the PED test lab of choice
- PED lab agrees a testing date and timeframe
- PED lab performs the evaluation and generates an evaluation report
- PCI participant reviews the report and grants approval
- List of Visa approved devices: www.visa.com/PIN

- PED test lab might do a pre-evaluation of the documents submitted and request additional information.
- Testing date and timeframe will depend on what tests need to be performed. Typically a full evaluation could take 4-6 weeks.
- Should any discrepancies be found and the device be deemed non-compliant, the PED lab will issue a report to the vendor.
- PED lab generates an evaluation report once the testing is completed successfully.
- Labs cannot provide approval. Only PCI participants can grant approval, based on the evaluation report provided by the PED lab.
- No partial approval is granted. The device must meet all requirements to be deemed compliant.
- Each scheme grants its own approval.
- Visa approved devices can be found in

PCI PED Mandates
- Effective Now (1 January 2004): All newly deployed attended POS PIN acceptance devices (including replacement devices) must have passed testing by a PCI-recognized laboratory and be approved by Visa for new deployments.
- Effective Now (1 October 2005): All newly deployed EPPs, including replacements or those in newly deployed ATMs, must have passed testing by a PCI-recognized laboratory and have been approved by Visa.
- 1 October 2007: All newly deployed unattended POS PIN acceptance devices must contain an EPP that has passed testing by a PCI-recognized laboratory and is approved by Visa for new deployments. Additionally, if the device is used for offline PIN acceptance, it must contain a laboratory-validated and Visa-approved secure smart card reader.
- 1 July 2010: All attended POS PIN acceptance devices must have passed testing by a PCI-recognized laboratory and have been approved by Visa.

PCI PED Common Issues
- Device not PED compliant
- Older model of device deployed prior to the PCI PED requirement
- PCI PED compliance not taken into account when new services are tested and rolled out

PCI PIN Security Standards Overview
- Visa PIN Security Requirements were first published in the mid-1990s
- In 2004 Visa aligned the standard with other payment schemes and published the Payment Card Industry PIN Security Standards

PCI PIN Security Standards Overview
Consist of seven Control Objectives:
- Control Objective One: PINs are processed using equipment and methodologies that ensure they are kept secure.
- Control Objective Two: Cryptographic keys used for PIN encryption/decryption are created using processes that ensure that it is not possible to predict any key.
- Control Objective Three: Keys are conveyed or transmitted in a secure manner.
- Control Objective Four: Key loading to hosts and PIN entry devices is handled in a secure manner.

PCI PIN Security Standards Overview
- Control Objective Five: Keys are used in a manner that prevents or detects their unauthorized usage.
- Control Objective Six: Keys are administered in a secure manner.
- Control Objective Seven: Equipment used to process PINs and keys is managed in a secure manner.

PCI PIN Security Standards Programme Requirements
- All acquiring Members and their agents processing PIN-based Visa transactions are required to undergo an on-site review every three years.
- On an annual basis, all acquiring Members processing PIN-based Visa transactions will be required to complete a certificate to confirm their level of compliance.
- On-site reviews are to be conducted by Visa Risk Limited.
- Acquiring Members or their agents are to generate and agree a remediation plan with Visa CEMEA.

PCI PIN Security Standards Common Issues
- Cryptographic keys shared between production and test environments
- PIN not protected using a secure PIN block format
- Deploying unapproved PIN Entry Devices
- Cryptographic keys not created in a secure manner
- Cryptographic keys not unique
- Cryptographic keys stored in an unsecured manner or format
- Lack of documented procedures
- Poor device management
- Lack of audit trail or logs for key utilisation
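The "secure PIN block format" issue above, as an added example that is not part of this presentation: how a PED builds an ISO 9564-1 format 0 PIN block by binding the PIN to the PAN before TDES-encrypting it under the PIN encryption key. It assumes format 0 is the format meant; the PAN and PIN values are constructed test data.

```python
# Added example (not from the presentation): ISO 9564-1 format 0 PIN block,
# the PAN-bound clear PIN block a PED builds before TDES-encrypting it under
# the PIN encryption key. Assumption: format 0 is the "secure PIN block
# format" the slide refers to; all PAN and PIN values are constructed test data.

def pin_field(pin: str) -> bytes:
    """PIN field: nibble 0, PIN length, the PIN digits, then F padding to 16 nibbles."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def pan_field(pan: str) -> bytes:
    """PAN field: 0000 followed by the 12 rightmost PAN digits excluding the check digit."""
    if not (len(pan) >= 13 and pan.isdigit()):
        raise ValueError("PAN must be at least 13 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])

def encode_pin_block(pin: str, pan: str) -> bytes:
    """Clear format 0 block: PIN field XOR PAN field. The same PIN yields a
    different block for every account, so one captured block is tied to one PAN."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))

def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear block; raises ValueError when the block was
    not built for this PAN (length nibble, digits or F padding fail to check)."""
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("block is not a format 0 PIN block for this PAN")
    return pin

def block_matches_pan(block: bytes, pan: str) -> bool:
    """Host-side sanity check: does this clear block decode cleanly under this PAN?"""
    try:
        decode_pin_block(block, pan)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    pan, pin = "4532015112830366", "1234"   # constructed test PAN (not a real card) and PIN
    block = encode_pin_block(pin, pan)
    print(block.hex().upper(), decode_pin_block(block, pan))   # 041214EAEED7CFC9 1234
```

The clear block is what gets TDES-encrypted on the PED; the PAN binding means a block replayed against another account decodes to garbage rather than the PIN, but it is not an integrity mechanism and does not replace the key-management controls listed above.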

Other related Mandates
Chip-Reading PIN Entry Devices
- Effective Now: All chip-reading devices (including Unattended Acceptance Terminals) placed in service that support "enciphered Offline PIN" must also support "plaintext Offline PIN."
- Effective Now: All newly deployed chip-reading devices must be capable of accepting a PIN (have either a PIN pad or a port capable of supporting a PIN pad). The PIN functionality must either be active or be capable of being activated through a software update.

Other related Mandates
Triple Data Encryption Standard (TDES) Global Mandates
- Effective Now: All newly deployed ATMs (including replacement devices) must support TDES.
- Effective Now: All newly deployed point of sale (POS) PIN acceptance devices (including replacement devices) must support TDES.
- 1 July 2010: Cardholder PINs must be TDES encrypted from all Points-of-Transaction to the Issuer. However, each Visa Region's TDES dates will supersede the global TDES date whenever the Visa Region date precedes the global date.
Note: "Must support" means the device has all the necessary hardware and software required for TDES installed and only requires the loading of a TDES key.

Other related Mandates
Visa (CEMEA) TDES Mandate
- Effective Now: All PIN transactions must be TDES encrypted from point of acceptance to Visa.
- Effective Now: All PIN transactions between Visa and Issuer hosts must be TDES encrypted.
- A non-compliance grace period will be introduced until 1 July 2007, at which time all CEMEA Members must be fully compliant with the Regional TDES requirements.
- A non-compliance fee structure specific to TDES migration will be introduced and rigidly enforced by the end of the grace period (details of non-compliance fees will be announced at a later date).

Visa (CEMEA) TDES Mandate
TDES Questionnaire in the CEMEA Fraud Information Service Portal

Thank you