POS/ATM Protection Profile for a Common European Banking Industry Approval Scheme
Common Approval Scheme POI Working Group
SRC Security Research & Consulting GmbH
Common Approval Scheme: A European Initiative for Card Payments in Europe

Posted on 19-Dec-2015



Content
Affected payment systems components
Domestic evaluation schemes and Payment Card Industry (PCI)
Single European Area requirements (SEPA)
Common Approval Scheme (CAS) for banking IC cards
CAS for POS/ATMs (POI)
POI PP Security Requirements
Experiences in the creation of the POI PP
Foresight


Affected Payment System Components
Banking IC cards
Point of Sale Terminal (POS): IC card based electronic payment; includes PIN Entry Device (PED) and other components (e.g. card reader)
Automated Teller Machine (ATM): IC card based electronic money withdrawal; includes Encrypting PIN Pad (EPP) and other components
ATM and POS are both defined as Points of Interaction (POIs)


Figure: payment transaction flow between Cardholder, Card, POI, Merchant, Acquirer and Issuer
1. Payment transaction data
2. to 5. Payment transaction data and management data (Card and POI)
3. PIN request
4. PIN (if offline PIN verification)
5. Transaction Certificate
6. Cardholder receipt and Merchant receipt
7. Payment transaction data including Transaction Certificate and Merchant parameters
8. Ask for payment with payment transaction data
9. Payment notification and Cardholder payment
10. Issuer payment
11. Acquirer payment


Domestic Evaluation Schemes
Throughout many European countries the banking industry has set security requirements to manage risks within payment systems effectively.
Compliance of payment system components with these security requirements has to be proved by security evaluations.
Different security levels and requirements are an obstacle for mutual recognition of security evaluations.


Examples for Domestic Evaluation Schemes
APACS (United Kingdom): Common Criteria (without formal certification), based on the APACS PED Protection Profile
ZKA (Germany): Domestic high level security requirements, informal scheme
Currence (Netherlands): PCI+


Payment Card Industry Evaluations
Global scheme with security requirements aligned by MasterCard and VISA
Evaluator performs steps based on test and security requirements defined by PCI
Composition of design, test and vulnerability analysis adapted for ATM (EPP) and POS (PED)
Comparison to Common Criteria:
Design evaluation based on vendor questionnaire, no code review (ADV_IMP)
Predefined test cases, no ALC, ACM, ADO
Requirements of resistance against high attack potential


SEPA Standardisation for Card Payments
Use of international standards for cross-border and domestic transactions
Technical requirements for payment system components are becoming closely aligned throughout Europe
The European Payments Council in its Single European Payment Area (SEPA) Cards Framework (SCF) defines certification principles as interoperability principles to be worked out
Security requirements and mutual recognition are explicitly stated


SEPA Standardisation for Card Payments
EPC SEPA Cards Framework (SCF):
"In order for the objectives of this Framework to be achieved, SEPA-level interoperability must be ensured in the following 4 domains:
cardholder to terminal interface,
cards to terminal (EMV),
terminal to acquirer interface (protocols or minimum requirements),
acquirer to issuer interface, including network protocols (authorization and clearing)."
"A common process for the certification of terminals, cards, and network interfaces will be defined in line with the principle described in Chapter 2.3.2."
"Card schemes will engage in mutual recognition for type approval. Any terminal certified for SEPA transactions by a certification body in one SEPA country can be deployed in any SEPA country for acceptance of SEPA cards across all SCF compliant schemes."


Common Approval Scheme Initiative
The Common Approval Scheme (CAS) initiative has been originated
to agree on common security requirements, harmonising the existing requirements,
to agree on a common evaluation methodology,
using the Payment Card Industry (PCI) security requirements for POS/ATM as the basis for technical requirements,
reducing the number of security evaluations to be performed by manufacturers and reducing the costs of security certification.


Countries
Belgium: Atos Worldline, Banksys
France: Cartes Bancaires
Germany: ZKA
Italy: Progetto Microcircuito
Luxembourg: CETREL
Netherlands: Currence, Equens
Norway: BSK
Portugal: SIBS
Spain: Servired, Sistema 4B
Sweden: PNC
United Kingdom: APACS
... (open to additional participants)
CC experts involved: Trusted Labs (France), SiVenture (United Kingdom), SRC (Germany)


CAS Cards Working Group
Harmonisation of security requirements and methodology accomplished
Result is a finalised Generic Security Target for CC evaluations of banking IC cards
Thus no Protection Profile for banking IC cards; the Generic Security Target is a guideline
Co-ordination with ISCI/JHAS
Preparation of pilot evaluations
Open question: Who will verify whether a Security Target meets the Generic Security Target?


CAS Terminal Working Group
Work in progress: Evaluation according to PCI or CC?
Harmonisation of security requirements (in progress), including PCI POS PED security requirements
Harmonisation of evaluation methodology (in progress)
For the CC approach this results in a POI Protection Profile
Within a feasibility study it will be examined whether CC evaluations conformant to the developed PP(s) pave the way for SCF compliant certification criteria and mutual recognition of security certificates


Figure: Generic POI Architecture
Point of Interaction (POI): POI Application Logic running Application 1, Application 2, ... Application n
Local Devices:
Card Readers: IC Card Reader and/or Magnetic Stripe Reader and/or Barcode Reader
CHV Devices: PIN Entry Device (includes a keypad, a display, and may include a Card Reader) and/or Biometric Device
Other Security Modules: HSM and/or SAM
User I/O Devices (excluding CHV): Keypad, Display, Printer, Acoustic Signal
Media: IC Card, Other Media (e.g. Magstripe Card)
External systems: Application/Acquirer System, Terminal Management System (administration by Terminal Management)
Legend: Security Module, data flow


Security Problem and Security Objectives
Assets: PIN, POI management and payment transaction data, software, cryptographic keys
Threats: Performing unauthorised payment transactions by disclosure of PIN or keys, or by manipulation of software or data
Security Objectives: Confidential PIN entry and PIN processing; authenticity and integrity of payment transactions; authentic and integrity-protected usage of software and related hardware; application separation


CAS POI Security Requirements (subset)
PCI: Physical and logical security requirements
Tamper-responsive hardware, …
Self-test, logical anomalies, …
PCI +: Extension to message integrity for ATM/POS; Extension of requirements for Life Cycle; Code analysis
PCI –: Plaintext PIN protection at level less than high; Magnetic stripe security


Challenges to create a PP for a complex product
Define the Target of Evaluation:
Different implementation architectures shall be allowed
Different payment system components (ATM, EPP, POS, PED) shall be considered
Application separation
Two Evaluation Assurance Levels:
High attack potential as objective for PIN Entry and Enciphered PIN processing, but low costs
Protection level for Plaintext PIN and POI management and transaction data processing below high
Different hardware security requirements


Figure: Minimum POI
Payment Application
Local Devices: IC Card Reader; PIN Entry Device including a keypad, a display and the Security Module
IC Card
External systems: Application/Acquirer Host, Terminal Management Host (administration by Terminal Management)
Legend: data flow


Figure: POI components connected via an open network
Server running Application 1, Application 2, ... Application n
Open Network
Local Devices: IC Card Reader; PIN Entry Device including a keypad, a display and the Security Module
IC Card
External systems: Application/Acquirer Host, Terminal Management Host (administration by Terminal Management)
Legend: data flow


POI Protection Profile
Core TSF: PIN Entry and processing of PIN until PIN is enciphered (includes PED keypad); high level of protection
PED Middle TSF: Plaintext PIN Processing; level of protection below high
Middle TSF: Processing of POI management and payment transaction data; level of protection below high
PED: Core TSF and PED Middle TSF


Foresight
Finalising the POI PP
Pilot evaluation based on the POI PP
Mutual recognition and certification scheme: discussion already started with BSI, DCSSI, CESG
Founding a group like ISCI/JHAS for IC cards
Decision for PCI methodology or Common Criteria based on PCI functional security requirements

Any questions?


Contact
SRC Security Research & Consulting GmbH
Graurheindorfer Str. 149a
53117 Bonn
Tel. +49-(0)228-2806-0
Fax: +49-(0)228-2806-199
E-mail: [email protected]
www.src-gmbh.de