ControlCase Annual Conference – New Orleans, Louisiana USA 2016
Protecting Payments Throughout the Ecosystem
Emma Sutcliffe
Senior Director, Data Security Standards
PCI Security Standards Council
PCI Security Standards Council
• Founded in 2006
• Guiding open standards for payment card security
Role of PCI SSC
Standards, Best Practices & Services
Training – Merchants, Assessors, Acquirers, Integrators
Validation & Qualification – Equipment, Services, Assessors, Investigators
Payment Equipment, Payment Software, Merchant & Service Provider Environments
Understanding the Ecosystem
Emerging Payment Technologies
Mobile Technologies
• PCI DSS
› Requirements applicable to mobile and other technologies as they emerge
• PA-DSS
› Payment applications running on mobile hardware dedicated to payment acceptance
• Point-to-Point Encryption (P2PE)
› PCI-listed P2PE solutions using PTS-approved mobile PEDs
Token Service Provider (TSP)
• New standard to address Token Service Provider environments
› Requirements for securing environments where payment tokens are generated / issued
• Token Service Provider defined by EMVCo
(Diagram: Issuer, TSP, Token-holder, Merchant, Acquirer, Payment Brand)
Mobile Provisioning Security Requirements
• Addendum to the Card Production standard
• Physical and Logical Security Requirements for vendors that:
› Perform cloud-based (host card emulation) or secure element (SE) provisioning services;
› Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or
› Manage associated cryptographic keys
EMV Chip
• EMV Chip reduces face-to-face counterfeit fraud
• EMV Chip needs PCI
Common Goal: Devalue Data
Point-to-Point Encryption
Tokenization
EMV
A Holistic Approach
The Move to EMV
The Security Fruit Tree
Ground fruit: Magnetic stripe
Low-hanging fruit: Card-Not-Present
Bulk fruit: EMV
High fruit: PCI and EMV
The Security Fruit Tree after EMV migration
Low-hanging fruit: Card-Not-Present
Bulk fruit: EMV
High fruit: PCI and EMV
Global Trends
(Chart: Counterfeit and Lost/Stolen fraud versus CNP fraud trends for Canada and the UK)
According to Aite Group, CNP fraud in the U.S. is projected to double by 2018 to $6.4 billion
E-Commerce Security
Threats to E-Commerce
E-commerce systems targeted to steal data
Data stolen elsewhere used for e-commerce fraud
Protecting E-Commerce
E-Commerce systems as a target
• Controls that prevent, detect, & respond to threats
• PCI security standards
Common Implementations
PCI DSS v3.2 SAQ Updates
• Merchant web servers that perform redirect continue to be highly targeted
• Basic security controls not being applied
• SAQs A and A-EP include new requirements to help organizations address this threat
Protecting E-Commerce
E-Commerce systems as a target
• Controls that prevent, detect, & respond to threats
• PCI security standards
E-commerce used for fraudulent transactions
• Fraud detection and modelling
• Cardholder authentication
3-D Secure
• Collaboration with EMVCo
• Supports EMV® 3-D Secure 2.0 Specification
• Cardholder authentication for e-commerce and connected devices, including in-app purchases
Securing Telephone Payments
Telephone Recordings Containing PAN/SAD
• PCI DSS applies to audio recordings
• Methods are available to prevent storage of PAN/SAD
• Consider people, process, technology
Securing Software
Securing Software
• Software development is continuous
• The threat is continuous
• Application security must also be continuous
Promoting a Security Mindset
Compliance AND Security
• Security is a 24x7 mentality
• Not a “check-the-box” once a year and done
PCI Resources
Guidance Documents
• Building a security awareness program
• Protecting against malware
• Skimming prevention
• Defending against phishing attacks
• Working with third parties
• Maintaining PCI DSS compliance
• Accepting payments with mobile devices
• Coming Soon: Securing E-Commerce
Available at: www.pcisecuritystandards.org
Small Merchant Guidance
FAQs
• New FAQs regularly added
› PCI DSS v3.2 transition dates
› SAQ eligibility
› Multi-factor authentication
› Migration dates for SSL/early TLS
• RSS Feed available
www.pcisecuritystandards.org/faq
Thank you