Troy Leach April 2012 The PCI Security Standards Council.

1 Troy Leach April 2012 The PCI Security Standards Council

2 About the Council
- Open, global forum
- Founded 2006
- Responsible for PCI Security Standards: development, management, education, awareness

3 PCI Security Standards: Protection of Cardholder Payment Data
Ecosystem of payment devices, applications, infrastructure and users:
- Manufacturers: PCI PTS, PIN Entry Devices
- Software Developers: PCI PA-DSS, Payment Applications
- Merchants & Service Providers: PCI DSS, Secure Environments
- Mobile payments cut across all three areas

4 Agenda
- Technology Updates: Mobile
- Industry Engagement
- Questions & Answers

5 Environmental Considerations at a Glance
Market:
- Increased interest in adoption of a variety of mobile technologies
- Absence of both traditional controls and standards
PCI SSC Activity:
- Create efficient mechanisms for broader engagement
- Evaluate need to develop standards
- Facilitate, when applicable, easier compliance mechanisms

6 Areas of Focus for Mobile Devices
- Tamper-resistance: Secure Card Readers, POI & P2PE
- Applications: requirements and/or best practices for authorization and settlement
- Service Providers: service provider protection of cardholder data and validation

7 Peripheral Device Encryption
- SCR and other POI: cardholder data is only input using an encrypted solution and transmitted encrypted through a mobile device.
- The mobile device is just a conduit. It has no ability to decrypt the encrypted data and therefore will never have access to clear-text account data.
- New PTS approval class for Secure (Encrypting) Card Readers (SCR)

8 Mobile Phone Plug-in SCR
- Plug-in MSR encrypts data on the reader even before it reaches the phone
- Audio connector plugs into the phone's headphone jack
- Also works on computers – any device with an audio input jack
- No PIN entry
- QSA must determine data NOT decrypted on phone
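As an added illustration (not code from the presentation or from the Council), the conduit model of slides 7 and 8 in Go: a key held only by the reader and the processor encrypts the track data inside the reader, the phone merely relays the resulting blob, and an assessor-style check scans whatever the phone handles for a cleartext PAN. AES-GCM as the cipher, the zero test key, the sample track and the digit-run heuristic are assumptions of this example, not anything the presentation specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// Constructed sample track-2 data: test PAN 4111111111111111, not a real card.
const Track2Sample = ";4111111111111111=25121010000000000000?"

// DataKey is shared by reader and processor only (the page's "data key managed similar to PIN key"); the phone never holds one.
type DataKey struct{ aead cipher.AEAD }

func NewDataKey(key []byte) (*DataKey, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &DataKey{aead}, err
}

// ReaderSwipe is the SCR side: the track is encrypted inside the reader, so the
// blob nonce||ciphertext||tag is the only form of the data the phone receives.
func (k *DataKey) ReaderSwipe(track string) ([]byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, []byte(track), nil), nil
}

// PhoneRelay is the mobile app as a conduit: it forwards the blob unchanged.
func PhoneRelay(blob []byte) []byte { return append([]byte(nil), blob...) }
// ProcessorDecrypt is the back end, the only other holder of the data key.
func (k *DataKey) ProcessorDecrypt(blob []byte) (string, error) {
	n := k.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("blob too short")
	}
	pt, err := k.aead.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}

// ContainsPAN is the assessor-style check on whatever buffer the phone handles: any run of 13 to 19 ASCII digits is treated as cleartext cardholder data.
var digitRun = regexp.MustCompile(`[0-9]{13,19}`)
func ContainsPAN(buf []byte) bool { return digitRun.Match(buf) }
```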

9 Mobile Update – Announcement and FAQ
2011 Guidance. Focused on identifying and clarifying the risks associated with accepting payments via mobile solutions and validating mobile payment acceptance applications to version 2.0 of the PA-DSS.

10 Mobile Application Categories
- Category 1: PTS Approved PED Devices
- Category 2: Purpose Built POS Devices
- Category 3: General Purpose Smart Device
- Applications for category 1 and 2 devices are eligible for PA-DSS
- Applications for category 3 devices pending development of further guidance and/or standards

11 Current Environmental Concerns
- Rapid development of applications
- Lack of traditional controls
- Too many privileges
- Malicious apps
- Wi-Fi sniffing / blackjacking
- Radiation of keys and side channel attacks
- Distribution and persistent connectivity
- Ownership and use policy

12 PTS PED Vendor Solutions
- Phone is designed and purpose built as a secure device
- Because it is a secure, tamper-protected device, it may use either an SCR or a data key managed similar to the PIN key
- By definition does not use off-the-shelf mobile phones

13 PTS PED Vendor Solutions
- Phone compartment: cradle for phone
- Card readers integrated into the PED
- May employ an encrypting card reader or use a data key managed similar to the PIN key

14 Application Security within Smart Devices
- Cardholder data is input using a non-encrypted solution (e.g. manual key entry, non-encrypted card reader, etc.) and transmitted through a mobile device.
- The mobile device has access to cleartext cardholder data.
- Exposure of CHD within device
- Mobile Task Force to provide guidance and/or best practices

15 2012 Guidance Calendar
- Mobile SCR & P2PE Guidance for Merchants
- Mobile Acceptance Best Practices
- Mobile SCR & P2PE Guidance for Assessors and Vendors
- Roadmap for Category 3 Applications

16 Three Year Outlook: Mobile
Devices and Peripherals:
- Publish guidance on use of attached PTS POI to mobile with P2PE
Applications:
- Develop guidance for mobile device environments and relative security requirements to meet PA-DSS or similar validation
- Create AQM checklist for PA-DSS qualification
- If necessary, develop mobile standard(s) for applications and devices that transfer cardholder data
Service Providers:
- Evaluate for potential guidance and/or security requirements for third parties with access to cardholder data
- Council will liaise with all relevant bodies in the development of a standard in this area and identify which variants require Council to address

17 Agenda
- Technology Updates: Mobile
- Industry Engagement
- Questions & Answers

18 Mobile Task Force
- PCI Council members and staff, volunteer participating organizations and subject matter experts
- Subject matter experts especially important when examining Scenario 2
- Examples of subject matter experts: Security Assessors, OS Platform Vendors, Financial Processors, Device Manufacturers

19 Mobile Task Force The purpose of the Mobile Task Force is to evaluate various mobile payment acceptance implementations and determine whether the inherent risk of card data exposure can be addressed by existing PCI requirements or whether additional guidance or requirements must be developed.

20 Questions?
Any Questions? Please visit our website at
