
Electronic Payments Security

&
Payment Card Industry (PCI)
Security Standards

Moe Sabry - 2015 1


Topics
• Payment Cards Environments
• Transactional domain
• Chip Card logical and Physical structures
• Card & Terminal Keys
• Transaction flow
• Card Authentication
• PIN Authentication – Online
• PIN Authentication - Offline
• Card - Issuer verification (Cryptogram)
• SHA-1 Script verification
• Billing ADF introduction
• PCI
• DSS vs. PA
• Objectives
• Production (speed vs. encryption)



Payment Cards Environments



Transactional Domain



Chip Card – Physical Structure



Chip Card – Logical Structure



Chip Card – Functional Structure



Card & Terminal Keys
• Integrity key for script verification
• Confidentiality key for PIN verification
• Encryption key for handling Cryptograms
• Terminal PIN key for PIN encryption
• Authenticity / Issuer certificate



Encryption methods
• RSA is the standard encryption for offline operations
• TDES is the standard encryption for online operations



Transactional flow
• Card Authentication
• PIN Authentication – Online / Offline
• Card - Issuer verification (Cryptogram)
• Transaction Authorisation
• SHA-1 Script verification (Optional)



Card Authentication
• Done by using RSA:
– The issuer bank generates a certificate for its cards
– The “Network” digitally signs this certificate
– The acquirer bank loads the public keys of the different networks onto its POS machines
– When a card is inserted, the POS uses the appropriate network public key to verify the digitally signed certificate on the card
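The chain of trust on this slide (network key signs the issuer certificate, issuer key signs the card record, POS holds only network public keys) as an added example; it is not part of the original slides. Toy RSA on constructed small primes, the network name "ExampleNet", the PAN and the record layout are all assumptions.

```python
import hashlib

# Toy RSA on constructed small primes: enough to show the chain of trust on this
# slide (network -> issuer -> card). Not real key material.
def make_key(p: int, q: int, e: int = 65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # (public, private)

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced mod n only because the toy moduli are tiny
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def encode_pub(pub) -> bytes:
    return b"%d:%d" % pub

# Issuer bank generates its key pair; the "Network" signs the public half,
# which is the issuer certificate that goes onto every card
NETWORK_PUB, NETWORK_PRIV = make_key(1000003, 1000033)
ISSUER_PUB, ISSUER_PRIV = make_key(1000037, 1000039)
ISSUER_CERT = {"issuer_pub": ISSUER_PUB,
               "network_sig": sign(NETWORK_PRIV, encode_pub(ISSUER_PUB))}

def personalise_card(pan: str) -> dict:
    """Issuer: sign the card's static record and store it with the certificate."""
    record = b"PAN=" + pan.encode()
    return {"network": "ExampleNet", "cert": ISSUER_CERT,
            "record": record, "issuer_sig": sign(ISSUER_PRIV, record)}

# Acquirer loads one public key per network onto its POS machines
POS_NETWORK_KEYS = {"ExampleNet": NETWORK_PUB}

def pos_authenticate_card(card: dict) -> bool:
    """POS: pick the network key and verify the signed certificate on the card."""
    net_pub = POS_NETWORK_KEYS.get(card["network"])
    if net_pub is None:
        return False                  # unknown network: no trust anchor on this POS
    cert = card["cert"]
    if not verify(net_pub, encode_pub(cert["issuer_pub"]), cert["network_sig"]):
        return False                  # certificate not signed by that network
    return verify(cert["issuer_pub"], card["record"], card["issuer_sig"])
```

A card whose certificate was not signed by a network the POS knows, or whose record was altered after personalisation, fails at the corresponding step.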



PIN Authentication – Online
• Done by using TDES:
– The acquirer bank generates a key for its POS terminals to encrypt PINs (the Terminal PIN key)
– When a card is inserted, the POS prompts the cardholder to enter the PIN
– The POS uses the Terminal PIN key to encrypt the PIN and sends it to the acquirer bank
– The acquirer bank decrypts the PIN, then encrypts it using the “Network” TDES key and sends it to the “Network”
– The “Network” repeats the operation with the issuer bank key and sends it to the issuer bank for verification
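The zone-by-zone translation on this slide (POS to acquirer, acquirer to network, network to issuer), as an added example that is not part of the original slides. The PIN block is ISO 9564 format 0; a SHA-256-derived XOR pad stands in for TDES so the block runs on the standard library, and the zone keys, PAN and PIN are constructed.

```python
import hashlib
from secrets import token_bytes

def iso_format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format-0 PIN block: PIN field XOR PAN field (8 bytes)."""
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])   # 12 digits left of the check digit
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))

def pin_from_block(block: bytes, pan: str) -> str:
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    return pin_field[2:2 + int(pin_field[1], 16)]

def xcrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for TDES so the example needs only the standard library: XOR with a
    # key-derived pad. Symmetric (decrypt == encrypt) but not a real block cipher.
    pad = hashlib.sha256(b"pin-zone|" + key).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, pad))

# Constructed zone keys; each one is shared by exactly two parties
TPK = token_bytes(16)          # acquirer -> its POS (Terminal PIN key)
ZPK_ACQ_NET = token_bytes(16)  # acquirer <-> "Network"
ZPK_NET_ISS = token_bytes(16)  # "Network" <-> issuer bank

def pos_capture_pin(pin: str, pan: str) -> bytes:
    """POS: format the entered PIN and encrypt it under the Terminal PIN key."""
    return xcrypt(TPK, iso_format0_pin_block(pin, pan))

def translate(block: bytes, key_in: bytes, key_out: bytes) -> bytes:
    # Zone translation: decrypt under the incoming key and re-encrypt under the
    # outgoing key in one step, so the clear block never leaves this function
    return xcrypt(key_out, xcrypt(key_in, block))

def acquirer_forward(block: bytes) -> bytes:
    return translate(block, TPK, ZPK_ACQ_NET)

def network_forward(block: bytes) -> bytes:
    return translate(block, ZPK_ACQ_NET, ZPK_NET_ISS)

def issuer_verify(block: bytes, pan: str, pin_on_file: str) -> bool:
    """Issuer: decrypt under its zone key and compare with the PIN on file."""
    return pin_from_block(xcrypt(ZPK_NET_ISS, block), pan) == pin_on_file

def online_pin_flow(pin: str, pan: str, pin_on_file: str) -> bool:
    encrypted = pos_capture_pin(pin, pan)
    return issuer_verify(network_forward(acquirer_forward(encrypted)), pan, pin_on_file)
```

In production each translate step runs inside an HSM; no party other than the POS and the issuer ever needs more than its two adjacent zone keys.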
PIN Authentication – Offline
• Done by using RSA:
– The issuer bank generates a public key and loads it onto its cards
– When a card is inserted, the POS retrieves the public key from the card
– The POS encrypts the PIN entered by the cardholder using this key and passes it to the card
– The card compares the value passed from the POS to the encrypted PIN value stored on it



Card - Issuer verification (Cryptogram)
• Done by using TDES:
– The card collects certain fields (specified by the issuer bank), groups them in a set format and encrypts the result using the “Encryption Key”
– The encrypted block is sent to the issuer bank for verification
– The bank likewise collects certain fields (specified by the issuer bank), groups them in a set format and encrypts the result using the “Encryption Key”
– The encrypted block is sent to the card for verification
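Both directions of the exchange on this slide, as an added example that is not part of the original slides: the card's block over the issuer-specified fields, the issuer recomputing and comparing it, and the issuer's own block going back to the card. HMAC-SHA256 stands in for the TDES-based block, the field list and the per-card counter used for replay rejection are assumptions, and the key and transaction values are constructed.

```python
import hmac
import hashlib

# Constructed per-card key shared by card and issuer (the slide's "Encryption Key").
# HMAC-SHA256 stands in for the TDES-based block the slide names so this runs
# on the standard library alone.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FIELD_ORDER = ("pan", "amount", "currency", "date", "counter")  # issuer-specified
ISSUER_LAST_COUNTER = {}   # issuer-side state: last counter accepted per PAN

def format_fields(fields: dict) -> bytes:
    # Fixed order and separators so card and issuer serialise identically
    return "|".join(f"{k}={fields[k]}" for k in FIELD_ORDER).encode()

def cryptogram(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def card_request(key: bytes, fields: dict) -> bytes:
    """Card side: the block sent to the issuer with the transaction."""
    return cryptogram(key, format_fields(fields))

def issuer_verify_and_respond(key: bytes, fields: dict, received: bytes,
                              response_code: str = "00"):
    """Issuer side: recompute over the same fields, compare, then answer."""
    pan = fields["pan"]
    if fields["counter"] <= ISSUER_LAST_COUNTER.get(pan, -1):
        return None                       # replayed or reordered request
    if not hmac.compare_digest(card_request(key, fields), received):
        return None                       # wrong key or altered fields: decline
    ISSUER_LAST_COUNTER[pan] = fields["counter"]
    # The issuer's own block binds the card's cryptogram to its decision
    return cryptogram(key, received + response_code.encode()), response_code

def card_verify_response(key: bytes, sent: bytes, response) -> bool:
    """Card side: confirm the answer is from the key holder, for this request."""
    if response is None:
        return False
    block, code = response
    return hmac.compare_digest(cryptogram(key, sent + code.encode()), block)
```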



Script verification
• Done by using SHA-1:
– In certain cases the bank sends scripts to be executed on the card, e.g. a PIN change
– The issuer bank sends the script along with its hash string
– The card hashes the script once received and compares the two strings
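The script check on this slide, keyed with the "Integrity key for script verification" from the keys slide, as an added example that is not part of the original slides. The key, the script format and the PIN-change values are constructed.

```python
import hmac
import hashlib

# Constructed integrity key shared by issuer and card (the "Integrity key for
# script verification" on the keys slide). Not real key material.
INTEGRITY_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def hash_string(key: bytes, script: bytes) -> str:
    # SHA-1 keyed with the integrity key (HMAC-SHA1). A bare SHA-1 of the script
    # would let anyone who can talk to the card send a script with a matching hash.
    return hmac.new(key, script, hashlib.sha1).hexdigest()

def issuer_build_script(key: bytes, command: str, value: str):
    """Issuer: serialise the script and attach its hash string."""
    script = f"CMD={command};VAL={value}".encode()
    return script, hash_string(key, script)

def card_receive_script(key: bytes, script: bytes, hash_str: str) -> dict:
    """Card: hash the received script, compare, and only then apply it."""
    if not hmac.compare_digest(hash_string(key, script), hash_str):
        return {"applied": False, "reason": "hash mismatch"}
    fields = dict(part.split("=", 1) for part in script.decode().split(";"))
    return {"applied": True, "command": fields["CMD"], "value": fields["VAL"]}
```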



Payment Card Industry
Standards
For
Data Security
&
Payment Applications



PCI Standards
• Payment Card Industry Standards for Data
Security (PCI DSS)
• Payment Card Industry Standards for Payment
Applications (PCI PA)



PCI SSC
• The Payment Card Industry Security Standards Council, or PCI SSC –
often termed simply “the Council” – is an open global forum,
launched in 2006, that develops, maintains and manages the PCI
Security Standards, which include the Data Security Standard (DSS),
Payment Application Data Security Standard (PA-DSS), and PIN
Transaction Security (PTS) Requirements
– American Express: www.americanexpress.com/datasecurity
– Discover Financial Services:
http://www.discovernetwork.com/merchants/
– JCB International: http://www.jcb-global.com/english/pci/index.html
– MasterCard Worldwide: http://www.mastercard.com/sdp
– Visa Inc: http://www.visa.com/cisp
– Visa Europe: http://www.visaeurope.com/ais



PCI DSS
• The PCI Data Security Standard represents a
common set of industry tools and
measurements to help ensure the safe
handling of sensitive information.
• Initially created by aligning Visa's Account
Information Security (AIS)/Cardholder
Information Security (CISP) programs with
MasterCard's Site Data Protection (SDP)
program



PCI DSS
• PCI DSS applies wherever account data is stored,
processed or transmitted. Account Data consists of
Cardholder Data plus Sensitive Authentication Data



PCI DSS - Objectives



PCI PA
• The PA-DSS applies to software vendors and
others who develop payment applications that
store, process, or transmit cardholder data



PCI PA



PCI PA - Objectives
• Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2,
CVV2), or PIN block data
• Protect stored cardholder data (Mask PAN, Encrypt stored data)
• Provide secure authentication features
• Log payment application activity
• Develop secure payment applications
• Protect wireless transmissions
• Test payment applications to address vulnerabilities
• Facilitate secure network implementation
• Cardholder data must never be stored on a server connected to the Internet
• Facilitate secure remote access to payment application
• Encrypt sensitive traffic over public networks
• Encrypt all non-console administrative access
• Maintain instructional documentation and training programs for customers,
resellers, and integrators



Q&A



References
• Payment Card Industry (PCI) - Data Security Standard: “Requirements and Security Assessment Procedures Ver. 2.0”
• Payment Card Industry (PCI) - Payment Application Data Security Standard: “Requirements and Security Assessment Procedures Ver. 2.0”
• Payment Card Industry (PCI): “PIN Security Requirements Ver. 1.0”
