Security of Payment Card Data on Cloud-Based Mobile Payment Platforms Randy Gainer ACI Forum on Emerging Payment Systems San Francisco March 22, 2013


Page 1: Security of Payment Card Data on Cloud-Based Mobile ... · Meeting PCI DSS Requirements with AWS and CloudPassage (Jan 24, 2013), available at . ... – Meeting PCI DSS Requirements

Security of Payment Card Data on Cloud-Based Mobile Payment Platforms

Randy Gainer

ACI Forum on Emerging Payment Systems, San Francisco

March 22, 2013

Topics to be covered

– Cloud-based mobile payment solutions
– What is the cloud?
– Some benefits of moving to the cloud
– Cloud security concerns
– What are the threats to payment data?
– How cloud-based solutions address the threats
– PCI DSS compliance for cloud-based solutions

2


Cloud-based mobile payment solutions

Source: Uzma Mahkdumi, Visa, Nov. 15, 2012

3


What is the cloud?

4


What is the cloud? (cont’d)

5


What is the cloud? (cont’d)

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

Special Publication 800-145, The NIST Definition of Cloud Computing, 2 (Sept. 2011).

6

What is the cloud? (cont’d)

“This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

The essential characteristics are
– On-demand self-service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured service

Id.

7

What is the cloud? (cont’d)

Three service models:
– Software as a Service (SaaS): consumer uses provider’s applications running on provider’s cloud infrastructure (servers, storage, and network components).
– Platform as a Service (PaaS): consumer deploys consumer-created or acquired applications onto provider’s cloud infrastructure using provider’s programming languages and tools.
– Infrastructure as a Service (IaaS): consumer deploys and controls its own software on provider’s cloud infrastructure.

8

What is the cloud? (cont’d)

Four deployment models:
– Private cloud: the cloud infrastructure is provisioned for exclusive use by a single organization.
– Community cloud: the cloud infrastructure is provisioned for exclusive use by a specific community of consumers.
– Public cloud: the cloud infrastructure is provisioned for open use by the general public.
– Hybrid cloud: the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public).

9


Some benefits of moving to the cloud

“On-demand self-service”:

http://aws.amazon.com/ecomomics

10


Some cloud benefits (cont’d)

Vivek Kundra, White House CIO, 2009-2011:

– “We quickly discovered vast inefficiencies in the $80 billion federal I.T. budget. We also saw an opportunity to increase productivity and save costs by embracing the ‘cloud computing revolution. . . . [W]e instituted a ‘Cloud First’ policy.”

Vivek Kundra, Tight Budget? Look to the ‘Cloud,’ The New York Times , Op-Ed (Aug. 30, 2011).

11


Cloud security concerns

“Storing payment credentials in the cloud for a digital wallet is new and relatively untested with scale. There are still many unknowns to be addressed. . . . [P]ayment data can be compromised in the cloud . . . .”

Marianne Crowe and Elisa Tavila, Mobile Phone Technology: “Smarter” Than We Thought – How Technology Platforms are Securing Mobile Payments in the U.S., 16-17, Federal Reserve Bank of Boston (Nov. 16, 2012) (“Crowe & Tavila”), available at http://www.bostonfed.org/bankinfo/payment-strategies/index.htm.

12

Cloud security concerns (cont’d)

Steve Wozniak, co-founder of Apple: “I really worry about everything going to the Cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”

Stephanie Mlot, Wozniak Slams the Cloud as 'Horrendous,’ PC Magazine (Aug. 6, 2012), available at http://www.pcmag.com/article2/0,2817,2408125,00.asp.

13


Cloud security concerns (cont’d)

http://blog.cloudpassage.com/2012/11/30/infographic-security-and-the-cloud-2012/

14


Threats to payment card data

Verizon, 2012 Data Breach Investigations Report (“2012 Verizon DBIR”), 16 (855 incidents investigated; 174 million records).

15

Threats to payment card data (cont’d)

Figure 17: Threat action categories over time by percent of breaches and percent of records. 2012 Verizon DBIR, 24.

“[A]n impressive 61% of all breaches featured a combination of hacking techniques and malware.” Id., 23.

16


Threats to payment card data (cont’d)

2012 Verizon DBIR, 42.

17


Threats to payment card data (cont’d)

Trustwave 2013 Global Security Report, 8.

18


Threats to payment card data (cont’d)

“[I]t is more difficult for anti-virus software to detect targeted malware as malicious. While anti-virus products detected at least 60% of all malware samples in our database, when we focused only on samples found during our compromise investigations, anti-virus detected less than 12% as malicious.”

Trustwave 2012 Global Security Report, 17 (300+ breaches investigated).

“Targeted malware has become the norm in Trustwave’s forensic investigations, especially in credit card breaches…. In 2012, almost all POS breach investigations involved targeted malware.”

Trustwave 2013 Global Security Report, 20 (450+ breaches investigated).

19

Threats to payment card data (cont’d)

Targeted malware
– Customized to avoid detection
– Allows attacker to persistently communicate with, and exercise command and control of, the malware inside the target network
– Used to find assets on the network to steal
– Permits an attack to adapt to react to defensive efforts (e.g., installs multiple backdoors to maintain attacker’s access).

20

Threats to payment card data (cont’d)

Targeted malware can be delivered
– by spear phishing through email, IM, Twitter, or P2P networks with a link to a drive-by web site;
– by finding a port used by a remote access tool with weak authentication credentials; and
– by tunneling over an encrypted connection, such as SSL, where security tools can’t spot the malware package.

21


Threats to payment card data (cont’d)

Trustwave 2013 Global Security Report, 15.

22

Threats to payment card data (cont’d)

Remotely delivered malware targets POS systems.

From a DWT animation, available at http://vimeo.com/41021947.

23


Threats to payment card data (cont’d)

Card information can be copied & stored before it’s encrypted.

24

Threats to payment card data (cont’d)

Another card data vulnerability

http://www.paymentsjournal.com/Strategy/PCI_Compliance/6659/12983/

25


Threats to payment card data (cont’d)

“Look at the recent breach at Global. I am sure the data was encrypted at many points, but the fact remains the data is in the clear on the card itself and must be presented to the brands in the clear.”

Annmarie Hart, With Swipe Readers, Encryption Is “Not Enough,” available at http://www.pymnts.com/briefing-room/security-and-risk/mobile-security/MagTek-s-Hart-With-Swipe-Readers-Encryption-Is-Not-Enough-TRANSCRIPT-/.

26

Threats to payment card data (cont’d)

Alleged Global Payments hacker:
– “They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threat.”
– The alleged hacker claimed he and his colleagues had been in Global Payments’ system for 13 months, collecting data monthly.

Brian Krebs, Global Payments: Rumor and Innuendo, (April 2, 2012), available at http://krebsonsecurity.com/2012/04/global-payments-rumor-and-innuendo/.

27

Threats to payment card data (cont’d)

Data theft costs:
– Global Payments, Inc.
– Payment card processor, 2012 intrusion
– Card data for 1.5 million cards stolen
  • $35.9 mil. – estimated fraud losses, fines, other charges
  • $60 mil. – investigations, remediation, legal
  • ($2 mil.) – insurance recovery
  • $93.9 mil. total (not including potential litigation costs*)

Nov. 30, 2012 Global Payments, Inc. Form 10-Q. *A magistrate judge recommended Feb. 5, 2013 that all claims against Global should be dismissed.

28

Threats to payment card data (cont’d)

Customers’ claims are usually dismissed unless their information is misused or they incur other damages.
– If information is misused, some customers’ claims have been settled: e.g., In re TJX ($12.6 million including fees).

Banks, card associations, and state AGs have succeeded in recovering damages from merchants: e.g., In re TJX –
– Banks and Visa settled for reported $40.9 million;
– Banks and MasterCard settled for reported $24 million; and
– State AGs settled for $9.75 million.
– Total: $87.25 million

29

Cloud-based solutions

Payment card data is not transferred at the POS.
– Instead, identifying info. from the customer is connected to her card data in the cloud.

Card data can be encrypted when it’s stored or processed on cloud platforms.

30
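The slide above describes the design in two sentences: the POS holds only an identifier, the card data sits encrypted in a cloud vault, and (slide 24) the risk it removes is card data being copied and stored before it is encrypted. The following is an added example, not code from the deck or from any of the vendors it cites, that shows both halves: a token vault that hands the POS a random token and returns only a masked receipt, and a Luhn-based scan that a merchant can run over POS-side logs to confirm no PAN is stored in the clear. The `TokenVault`, `seal`/`unseal` and `find_pans` names are this example's own; the encryption routine is an HMAC-SHA256 keystream with encrypt-then-MAC, used here as a stand-in for the provider-managed AEAD (e.g. AES-GCM under a KMS key) a real vault would call, and the card number 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
"""Added example: POS keeps a token, the vault keeps the encrypted PAN,
and a scanner checks POS-side records for card numbers in the clear."""
import hashlib
import hmac
import re
import secrets


# ---- Luhn check and cardholder-data scan (the "stored before encryption" check) ----
def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, which every PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit sequences found in text: card numbers in the clear."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# ---- Stand-in for a KMS-backed AEAD (assumption: production code would call the
# provider's key service for AES-GCM; this hand-rolled construction is illustrative) ----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modified vault record is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TokenVault:
    """Cloud-side service holding encrypted PANs; the POS only ever holds the token."""

    def __init__(self):
        self._enc_key = secrets.token_bytes(32)
        self._mac_key = secrets.token_bytes(32)
        self._records = {}  # token -> (customer_id, sealed PAN, last four digits)

    def enroll(self, customer_id: str, pan: str) -> str:
        """One-time capture: store the PAN encrypted and hand back a random token."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = secrets.token_urlsafe(16)  # random; nothing about the PAN can be derived from it
        self._records[token] = (customer_id, seal(self._enc_key, self._mac_key, pan.encode()), pan[-4:])
        return token

    def authorize(self, customer_id: str, token: str, amount_cents: int) -> dict:
        """Resolve the token inside the vault (where the processor request would be built)
        and return only a masked receipt to the POS."""
        rec = self._records.get(token)
        if rec is None or rec[0] != customer_id:
            raise PermissionError("token is not bound to this customer")
        pan = unseal(self._enc_key, self._mac_key, rec[1]).decode()
        return {"customer": customer_id,
                "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
                "amount_cents": amount_cents}


def demo() -> dict:
    # Constructed sample data; 4111 1111 1111 1111 is a test number, not a real card.
    vault = TokenVault()
    token = vault.enroll("cust-42", "4111111111111111")
    receipt = vault.authorize("cust-42", token, 1999)
    # What a token-based POS persists (constructed log line): identifier, token, last four.
    pos_log = f"sale customer=cust-42 token={token} last4=1111 amount=1999"
    # What a POS that copies the PAN before encryption would persist (constructed).
    legacy_log = "sale customer=cust-42 pan=4111 1111 1111 1111 amount=1999"
    return {"receipt": receipt,
            "pos_log_pans": find_pans(pos_log),
            "legacy_log_pans": find_pans(legacy_log)}


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the cipher. The token is random rather than derived from the PAN, so a stolen POS database yields nothing that can be reversed or brute-forced, and the vault binds each token to a customer identifier, so a token lifted from one account cannot be replayed against another. The `find_pans` scan is the cheap check that turns slide 24's warning into something a merchant can run over its own POS logs, databases and crash dumps.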

Cloud-based solutions (cont’d)

Crowe & Tavila, 22.

31


Cloud-based solutions (cont’d)

Crowe & Tavila, 23.

32

Cloud-based solutions (cont’d)

The Cloud Security Alliance maintains the Cloud Controls Matrix to help providers meet audit requirements, including the PCI DSS.

See https://cloudsecurityalliance.org/research/ccm/.

33

Cloud-based solutions (cont’d)

Auditors have confirmed that some cloud providers meet key security requirements.
– See, e.g., AWS: Risk and Compliance, 6-9 (Jan. 2013), http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf, describing AWS’s SSAE 16 SOC1 and SOC2 certifications, FISMA Moderate authorization, PCI DSS Service Provider Level 1 validation, and other certifications.
– See also Peak 10’s blog posting about its PCI DSS Level 1 validation (Jan. 2013), http://www.peak10.com/blog/post/peak-10-cloud-validated-for-payment-card-industry-pci-compliance.

34


Cloud-based solutions (cont’d)

In other words, auditors have confirmed that AWS and Peak 10 securely operate, manage, and control the components from the host operating system and virtualization layer down to the physical security of the facilities.

See, e.g., AWS, Overview of Security Processes, available at http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf, 3 (May 2011) (“AWS Security Whitepaper”)

35

Cloud-based solutions (cont’d)

AWS and Peak 10 have obtained PCI DSS Service Provider Level 1 validation for their IaaS services.

Figure 1 from Wayne Janson and Timothy Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Pub. No. 800-144, 5 (Dec. 2011) (“NIST Public Cloud Guidelines”).

36


Cloud-based solutions (cont’d)

“Security responsibility across the cloud service models generally migrates toward the client as the client moves from an SaaS model (least responsibility) to an IaaS model (most responsibility).”

PCI DSS Cloud Computing Guidelines, 4 (February 2013)

37

Cloud-based solutions (cont’d)

Instance isolation (figure; the layers marked “AWS responsibility”)

AWS Security Whitepaper, 13

39

Cloud-based solutions (cont’d)

Meeting PCI DSS Requirements with AWS and CloudPassage (Jan 24, 2013), available at http://vimeo.com/58163237.

40

Cloud-based solutions (cont’d)

PCI DSS v2, 5 (Oct. 2010)

Responsibility for each PCI DSS requirement:
– Req. 1: Shared
– Req. 2: Shared
– Req. 3: Shared
– Req. 4: Customer
– Req. 5: Customer
– Req. 6: Shared
– Req. 7: Shared
– Req. 8: Shared
– Req. 9: CSP
– Req. 10: Shared
– Req. 11: Shared
– Req. 12: Shared*

* See PCI DSS Cloud Computing Guidelines 2.0, Appendix A

41

Cloud-based solutions (cont’d)

PCI DSS Cloud Computing Guidelines, Appendix A

42


Cloud-based solutions (cont’d)

Id.

43


Cloud-based solutions (cont’d)

Id.

44


Cloud-based solutions (cont’d)

Id.

45


Cloud-based solutions (cont’d)

Id.

46

Cloud-based solutions (cont’d)

Instance isolation (figure; the layers marked “AWS responsibility”)

AWS Security Whitepaper, 13

47

Cloud-based solutions (cont’d)

Cloud customers can confirm that their providers comply with those PCI DSS requirements for which the providers take responsibility by obtaining
– the providers’ Attestations of Compliance and
– audit reports.

48

Cloud-based solutions (cont’d)

Customers can use guidelines and vendor assistance to help meet PCI DSS requirements for which customers remain responsible, e.g.,
– PCI SSC, PCI DSS Cloud Computing Guidelines (Feb. 2013);
– PCI SSC, PCI DSS Virtualization Guidelines (June 2011);
– NIST Public Cloud Guidelines;
– Lawrence C. Miller, CISSP, Network Security in Virtualized Data Centers for Dummies (2012) (“Miller”); and
– Meeting PCI DSS Requirements with AWS and CloudPassage (Jan. 24, 2013), available at http://vimeo.com/58163237 (“CloudPassage”).

49

Cloud-based solutions (cont’d)

Trustwave 2013 Global Security Report:
– “Cloud-based application deployments … introduce no fundamentally new application challenges. Rather, the security difficulties are policy- and procedure-driven, not technical…. [M]any organizations fail to document those responsibilities when transitioning to a cloud environment.” p. 50.

PCI DSS Cloud Computing Guidelines:
– “The responsibility for … security controls … needs to be clearly understood by both the client and CSP…. If these security responsibilities are not properly … understood, insecure configurations or vulnerabilities could go unnoticed and unaddressed ….” p. 6.

50

Cloud-based solutions (cont’d)

PCI Virtualization Guidelines:
– “Appropriate security controls should be identified and implemented in a virtualized environment that provide the same level and depth of security as can be achieved in a physical environment.” p. 16.
– “It’s also critical that all individual virtual machines are installed and configured securely and according to industry best practices and security guidelines….
  • “Disable or remove all unnecessary interfaces, ports, devices and services;
  • Securely configure all virtual network interfaces and storage areas;
  • Establish limits on VM resource usage;
  • Ensure all operating systems and applications running inside the virtual machine are also hardened ….” p. 18.

51

Cloud-based solutions (cont’d)

NIST Public Cloud Guidelines, 15:
– “Audit mechanisms and tools should be in place to determine how data is stored, protected, and used, to validate services, and to verify policy enforcement.
– “A risk management program should also be in place that is flexible enough to deal with the continuously evolving and shifting risk landscape.”

52

Cloud-based solutions (cont’d)

Miller, 42:
– “Today’s … threat landscape … renders traditional port-based firewalls and other security solutions largely ineffective ….
– “Next-generation firewalls provide key differentiating features to uniquely address the traditional trade-offs between security and other critical requirements, such as performance, flexible integration, and visibility of traffic.
– “A next-generation firewall performs a true classification of data center traffic, based not simply on port and protocol but on an ongoing process of application analysis, decryption, decoding, and heuristics as well.”

53


Cloud-based solutions (cont’d)

CloudPassage:

54


Questions?

55

Randy Gainer (206) 757-8047 [email protected]