Software-Based PIN Entry on COTS. Jeremy King International Director PCI Security Standards Council

Transcription

1 Software-Based PIN Entry on COTS Jeremy King International Director PCI Security Standards Council

2 PCI Security Standards Council 2

3 Payments are Changing We do not like queuing We do not carry much cash We no longer write cheques No Cheques Accepted 3

4 We Love Events And we want to buy things from these events with our credit and debit cards. 4

5 We Occasionally Need to Pay for Repairs Club and society subs and fees 5

6 We Now Expect Payments to be Fast Frictionless Easy Anywhere Secure 6

7 Software-Based PIN Entry on COTS Why not PIN on Glass? AMP Smart POS 8000 PCI PTS 4.0 Approved 7

8 Software-Based PIN Entry on COTS What is novel here? A different approach to PIN CVM entry Software-based entry on merchant-facing COTS mobile devices Restricted transactions Only contact and contactless EMV chip transactions processed online allowed Note: Offline PIN validation permitted PCI developing the standard and evaluation program Software-Based PIN Entry is a total Solution Standards have to be adopted and implemented by the Global Card Schemes Global Card Scheme rules will define usage 8

9 Software-Based PIN Entry on COTS Key Principles PIN Isolation Dedicated SCRP PIN App Security Monitoring Secure Communication EMV Only 9

10 Software-Based PIN Entry on COTS High-Level Architectural Concept (for illustrative purposes only) PIN CVM App Monitor App APP Secure Channel Encrypted PIN Data Secure Channel Encrypted Account Data 10 PCI-Approved Secure Card Reader PIN Merchant COTS Device Backend Environment

11 Merchant COTS Device New area for PCI SSC The PIN CVM Application must: Provide for PIN entry Be linked to the monitoring system PIN CVM Be linked to the SCRP App Security Collects and prepares attestation data Allow for secure encryption of the PIN upon entry Transmit the encrypted PIN to SCRP Enables encrypted payment data to be transmitted to the back-end 11

12 Secure Card Reader PIN (SCRP) Specific set of security requirements physical and logical Higher security than PCI PTS Secure card reader Must only accept EMV chip or contactless cards No magnetic stripe reader Receives encrypted PIN from PIN CVM Application For Offline PIN Validates with Chip card For Online PIN encrypts with ISO standard PIN block and sends through PIN CVM Application to Monitoring System Dedicated SCRP 12

13 Monitoring System New concept for a PCI Standard Critical component of entire process Used to monitor the solution COTS Device SCRP PIN CVM Application Provides behavioural analytics Validates updates and patches have been implemented Validates COTS device has not been tampered with Key aspect in the payment process Monitoring 13

14 What does this mean for vendors? SCRP device must be evaluated under the PTS Program by a PTS Lab Work with a SPOC laboratory on SPOC solution validation Validation will be multi-part SCRP (PTS Lab) PIN CVM application (SPOC Lab) Monitoring/Attestation System (SPOC Lab) Back-end Monitoring Environment (QSA) PCI PIN Assessment (PIN assessor) Can be single or multi vendor solutions 14

15 Software-Based PIN Entry on COTS Where are we, and where are we going? Standard developed with input from PCI Mobile Task Force, PCI Labs, PCI Participating Organizations and assessors Dedicated Request for Comment (RFC) period for PCI SSC Participating Organizations and Assessors Security Requirements expected in January, Test Requirements to follow in February Validation program documentation expected in Q

16 Timeline Jan 2018 Vendors can commence solution development Assessment of solutions can commence Program Development Testing Requirements Evaluator development and training Communications Target release April 2018 Target release February 2018 After release of program guide On-going 16

17 17

18 Help Secure Payment Data pcisecuritystandards.org 18