Presentation Title - Mobile Payments Conference


Mobile Payment Security
The Good, the Bad and the Ugly
Tony Bates
PSC – Confidential – All Rights Reserved
This Presentation
This Presentation is a discussion of the business issues
Pose questions rather than provide answers
This Presentation is NOT a technical presentation
No techy twaddle
Payment : Security : Compliance
• With offices in the USA, Canada, UK and Australia, PSC is a leading global PCI and PA-DSS Assessor and Approved Scanning Vendor.
• One of a select few companies qualified worldwide to provide expert services and solutions to organizations that require specialist compliance or consulting support in the areas of Payments, Security or Compliance.
• Our focus is exclusively on Clients that accept or process payments or technology companies in the payment industry.
• To ensure Independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors.
What is Mobile Payments?
• Payment Presentment
• Payment Acceptance
✔ - Digital Wallets
✔ - Mobile Web payments
✔ - Online Wallets
✔ - NFC Contactless
✔ - Mobile Point of Sale
✔ - Smart Phone
✔ - PDA
✔ - iPad/Tablet
✔ - Cash
✔ - Checks
✔ - Credit/Debit Card
✔ - FastTrack
✔ - Vehicle License Plate
? - Bus or Train
? - Laptop
✗ - Desktop
Mobile Payment Software - Presentment
• Security: Card Holder’s responsibility
• Card company’s Cardholder Agreement
• No industry standards for digital wallet solutions
• Wallet application security?
• Wallet interoperability?
• Multiple payment instruments in a single wallet?
  - Which one is “on top”?
• What about release of personal data?
Mobile Payment Software - Interoperability
• Too many protocols
  - IP over 3G/4G
  - Bluetooth
  - NFC
• Too few “true” standards
• Solutions tend to be monolithic
  - Chicken and egg problems with adoption
  - Lack of compatibility with other solutions
  - Security models vary greatly in maturity
Mobile Payment Software - Acceptance
• Payment Card Industry Security Standards Council
  - PCI Data Security Standard (PCI DSS)
    - Applies to Service Providers and Merchants
  - Payment Application Data Security Standard (PA-DSS)
    - Applies to Payment applications used by Service Providers and Merchants
• Card Company Regulations
• State Regulations regarding Personal Information
OK for PADSS
• Category 1
  - Payment application operates only on a PTS-approved mobile device.
• Category 2
  - Payment application meets ALL of the following criteria:
    - Payment application is only provided as a complete solution “bundled” with a specific mobile device by the vendor
    - Underlying mobile device is purpose-built (by design or by constraint) with a single function of performing payment acceptance
    - Payment application, when installed on the “bundled” mobile device (as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application’s Report on Validation (ROV)), provides an environment which allows the merchant to meet and maintain PCI DSS compliance.
NOT OK for PADSS
• Category 3
  - Payment application operates on any consumer electronic handheld device (e.g., smart phone, tablet, or PDA) that is not solely dedicated to payment acceptance for transaction processing
Visa Mobile Acceptance Best Practices
Consumer Mobile Device:
- Any electronic handheld device (e.g., smart phone, tablet or PDA)
that is not solely dedicated to payment acceptance and that has the
ability to wirelessly communicate account data (via GSM, GPRS,
CDMA, etc.) for transaction processing.
Mobile Payment Acceptance Solution:
- Consists of mobile payment application, a consumer mobile device
and, where account data is electronically read from a payment card,
a hardware accessory capable of reading account data.
- Solutions that do not electronically read account data may not be
acceptable in all territories or may face some restrictions. Clients
must review local Visa Operating Regulations prior to providing
mobile payment acceptance solutions to merchants.
MasterCard PADSS Mandate
• Effective 1 July 2012, MasterCard will revise the MasterCard SDP Program Standards to require all merchants and Service Providers that use third party-provided payment applications to only use those applications that are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS), as applicable.
• The applicability of the PCI PA-DSS to third party-provided payment applications is defined in the PCI PA-DSS Program Guide.
• In addition, MasterCard will establish a new PA-DSS compliance validation requirement for Level 1, Level 2, and Level 3 merchants as well as Level 1 and Level 2 Service Providers.
Mobile Payment Security Testing
• Current solutions choose time-to-market over security
  - E.g. Square – currently no encryption in readers
• The usual “web” tools don’t do it
• Much more technical and specialized than the web
• A must
  - Complexity breeds security problems
  - Multiple protocols, devices, networks
  - Good penetration testing by experts
Apple “iWallet” patent – Parental Controls
• Granted on Tuesday March 6
  - A method, comprising: defining one or more rules using a handheld electronic device, wherein the one or more rules establish restrictions on transactions made using a financial account associated with an account holder other than the user of the handheld electronic device; and applying the one or more rules to the financial account.
Summary
• Poor definition of marketplace
  - Hard to define security solutions and standards
• Standards don’t fully apply – or protect
• Card brand mandates cover the way they would like to see the industry
  - Not the way the industry is
• Risk based assessments and penetration testing are poor in this area
  - Not enough experts
Questions
Tony Bates
[email protected]
+1 408-228-0961