Card Authentication
• Done by using RSA:
– Issuer bank generates a certificate for its cards
– The “Network” digitally signs this certificate
– Acquirer bank loads the public keys of the different networks onto its POS machines
– When a card is inserted, the POS uses the appropriate network public key to verify the digitally signed certificate on the card
Moe Sabry - 2015 11
PIN Authentication – Online
• Done by using TDES:
– Acquirer bank generates a key for its POS terminals to encrypt PINs (Terminal PIN key)
– When a card is inserted, the POS prompts the cardholder to enter the PIN
– The POS uses the Terminal PIN key to encrypt the PIN and sends it to the acquirer bank
– The acquirer bank decrypts the PIN, re-encrypts it using the “Network” TDES key and sends it to the “Network”
– The “Network” repeats the operation with the issuer bank key and sends it to the issuer bank for verification

PIN Authentication – Offline
• Done by using RSA:
– Issuer bank generates a public key and loads it on its cards
– When a card is inserted, the POS retrieves the public key from the card
– The POS encrypts the PIN entered by the cardholder using this key and passes it to the card
– The card compares the value passed from the POS to the encrypted PIN value stored on it
Card – Issuer verification (Cryptogram)
• Done by using TDES:
– The card collects certain fields (specified by the issuer bank), groups them in a certain format and encrypts the result using the “Encryption Key”
– The encrypted block is sent to the issuer bank for verification
– The bank collects certain fields (specified by the issuer bank), groups them in a certain format and encrypts the result using the “Encryption Key”
– The encrypted block is sent to the card for verification
Script verification
• Done by using SHA-1:
– In certain cases the bank sends scripts to be executed on the card, e.g. a PIN change
– The issuer bank sends the script along with its hash string
– The card hashes the script once received and compares the two strings
Payment Card Industry Standards For Data Security & Payment Applications
PCI Standards
• Payment Card Industry Standards for Data Security (PCI DSS)
• Payment Card Industry Standards for Payment Applications (PCI PA)
PCI SSC
• The Payment Card Industry Security Standards Council, or PCI SSC – often termed simply “the Council” – is an open global forum, launched in 2006, that develops, maintains and manages the PCI Security Standards, which include the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) Requirements
– American Express: www.americanexpress.com/datasecurity
– Discover Financial Services: http://www.discovernetwork.com/merchants/
– JCB International: http://www.jcb-global.com/english/pci/index.html
– MasterCard Worldwide: http://www.mastercard.com/sdp
– Visa Inc: http://www.visa.com/cisp
– Visa Europe: http://www.visaeurope.com/ais
PCI DSS
• The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
• Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program
PCI DSS
• PCI DSS applies wherever account data is stored, processed or transmitted.
• Account Data consists of Cardholder Data plus Sensitive Authentication Data
PCI DSS - Objectives
PCI PA
• The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data
PCI PA
PCI PA - Objectives
• Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
• Protect stored cardholder data (mask PAN, encrypt stored data)
• Provide secure authentication features
• Log payment application activity
• Develop secure payment applications
• Protect wireless transmissions
• Test payment applications to address vulnerabilities
• Facilitate secure network implementation
• Cardholder data must never be stored on a server connected to the Internet
• Facilitate secure remote access to payment application
• Encrypt sensitive traffic over public networks
• Encrypt all non-console administrative access
• Maintain instructional documentation and training programs for customers, resellers, and integrators
Q&A