Creating your own payment card Joost Kremers MSc CEH

Transcription

1 Joost Kremers MSc CEH

2 Contents Who am I? Introduction Landscape Landscape elements Hardware Security Modules Key Management 1

3 Who am I? Joost Kremers MSc CEH : Computer RU/TU/e/Utwente : Deloitte 2014: Penetration Deloitte : Still Deloitte... Cryptography Key management Facilitation of trainings CISSP, CISA, CISM, CRISC, CEH 2

4 Why are you still at Deloitte? 3

5 Creating your own payment card In a foreign country! 4

6 Requirements Where all the fun begins Client is expanding it s business to China. One of the products they offer is a (B2B) payment card that allows payment at their sites. Due to the Chinese firewall, the client s global systems cannot be used. This gives us the opportunity to build things right. Setting up an EMV-card (Mchip Advance) and all supporting systems. Complying with GDPR. Complying where possible with PCI. In line with client security standards. Cards should be issued with a default PIN (123456) which must be changed on first use 5

7 PCI DSS Payment Card Industry Data Security Standard Mandated by PCI Council Required certification if you process creditcard details 1. Build and Maintain a Secure Network and Systems 2. Protect Cardholder Data 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy 6

8 Disclaimer: simplified Feel free to ask for more details 7

9 Where do we start? High-level landscape Card platform Client site Card issuer Authorization host 8

10 Card platform Storing client information Collection and storage of client information Information on client credit Interface for support teams Interface that allows for new card requests Generate new Primary Account Number BIN Account number Luhn digit How does the authorization host know that the card exists and what it s PIN-code is? And how does it validate it? 9

11 PIN checking standard PVV Right-most 11- digits of PAN excluding Luhn PVKi Left-most 4-digits of PIN Encrypt with PVK Ciphertext PVV 10

12 PIN checking standard PVV (56) Encrypt with PVK 1A67BCDE429F18FA

13 Where do we start? High-level landscape Card platform Client site PAN Customer data PIN Card issuer Authorization host 12

14 Personal Identification Number PIN Obviously PINs have to be encrypted. Alice and Bob have the same PIN-code. How do we prevent their encrypted PINs from being the same? ISO 9564 format 0 Plaintext PIN field: FFFFFFFF Plaintext account: EDC How do we now encrypt this value? 13

15 Where do we start? High-level landscape Card platform Client site PAN Customer data PINblock Card issuer Authorization host 14

16 Card issuer Card creation Creating the plastic (& magstripe) & Chip But what? Card specification required Based on the EMV-standard 15

17 Magnetic stripe 16

18 Magnetic stripe Track 2 17

19 EMV cryptographic keys Symmetric Asymmetrisch 18

20 EMV cryptographic keys Symmetric Asymmetric IMKac Certificates 19

21 EMV cryptographic keys IMKac Root CA MKac Issuer certificate Card certificate 20

22 Keep on building High-level landscape Card platform Client site PAN Customer data PINblock Card issuer Authorization host 21

23 Client side Payment terminals Terminal should understand how to process your payment card Terminal software knowing how to interpret the Chip data elements PoS-to-Host connection Root CA public key TIK 22

24 Keep on building High-level landscape Card platform Client site PAN Customer data PINblock {PIN}TIK {Transaction details}mkac Card issuer Authorization host 23

25 Authorization host Approving or declining the transaction PIN ok? Products ok? Credit ok? Fraud checks? Creating settlement files 24

26 Keep on building High-level landscape Card platform Client site PAN Customer data PINblock (n)ack Card issuer Authorization host 25

27 Where is the crypto? 26

28 Hardware security modules The magic boxes 27

29 Cryptographic keys Different types LMK {IMKac}LMK {BDK}LMK 28

30 Example of an HSM call Validating someone PIN-code Authorization host PAN {PINblock}TIK {PINblock}LMK 29

31 Example of an HSM call Validating someone PIN-code Authorization host (n)ack 30

32 Key management 31

33 32

34 Key management Securing cryptographic keys from creation to destruction LMK LMK Comp 1 LMK Comp 2 LMK Comp 3 33

35 Key ceremony Physical security Highly scripted activity where cryptographic key material is Created Exchanged Renewed Destroyed High security environment Guarded entry Green zone Yellow zone Dedicated room Main safe Subsafe Seal bag Key components 34

36 Script/affidavit Audit trail 35

37 The final picture 36

38 We created our own payment card! Using these blocks Joost Card platform Client site Card issuer Authorization host 37

39 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see to learn more about our global network of member firms. Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights and service to address clients most complex business challenges. To learn more about how Deloitte s approximately 264,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte network ) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.