1. Securing Mobile Payments
v1.1
Witham Laboratories
1/842 High Street
East Kew 3102
Melbourne
Australia
Ph: +61 3 9846 2751
Fax: +61 3 9857 0350
Rambla de Catalunya
38, 8 planta
08007 Barcelona
Spain
Ph: +34 93 184 27 88
Email: lab@withamlabs.com
PCI PTS PCI PIN PCI DSS PA-DSS
Building Confidence in Payment Systems
2. Defining Mobile Payments
• What is “mobile”?
– Paying on a phone? Paying with a phone? Accepting payments with a phone?
– What about other mobile devices: tablets, laptops, e-readers, PMDs?
– What about internet banking on a phone?
• ‘Mobile’ is often defined by the vendor
– Be aware that there are different meanings
– Let’s look at some examples …
3. Defining Mobile Payments
[Image slide: mobile payment examples]
4. Defining Mobile Payments
• Contactless / NFC often used for mobile
– NFC = Near Field Communication
– Contactless NFC != RFID
• NFC provides processing on the card; RFID is just a contactless bar-code
– Cards require an ‘active’ EM field to operate
• They draw power from the field itself
• This limits the range at which a card can be accessed independently
– Collision resistance and time-delays are built in to prevent accidental purchases
5. Why is Mobile Different
• Aspires to be everything to everyone
– Card, bank, cash, Point of Sale register
• Mobile presents new sets of problems
– Different operating systems and vulns
• 400% increase in mobile malware since 2010*
– Zeus and SpyEye specifically target financial data
• Keyboard auto-complete caches and location logging are a potential for compromise
• Rapid OS development and lack of knowledge / visibility to approval bodies
* Android platform, “Malicious Mobile Threats Report 2010/2011”, Juniper
6. Why is Mobile Different
• Introduces new market players
– Google, Apple, Square, Intel
• New market dynamics
– Is security still a main customer concern?
• Mobile often seen as a cash replacement
• ‘As good as cash’ for security may be enough, if coupled with increased convenience
– Customer interface changes
• Does the customer interface to the issuer or the phone company? Who is the issuer?
7. Why is Mobile Different
• Card data stored in ‘Secure Element’
– But how is the data transmitted?
[Diagram: phone stack and external parties. Phone: User Interface, Application, Operating System, Secure Element, NFC Controller, Modem. External: Mobile Network, Payment Network, Perso / Update Server, POS / POI]
8. PCI SSC and Mobile
• PCI taking a three-pronged approach to mobile payments
– PCI PTS approved add-on devices
• Must be approved to SRED requirements
• Can accept MSR and/or ICC, with/without PIN
– PA DSS approved applications on certain types of mobile devices
– Working with mobile vendors for further solutions around mobile payments
• Expect more from PCI on mobile in the future
9. PCI PTS v3 - SRED
• PCI PIN Transaction Security program
– Secure Reading and Exchange of Data (SRED) module introduced in v3
– Non-PIN device class approvals in v3.1
• Secure Card Reader (SCR), non-PED
• Allows for secure mobile transactions
– Approval of physically & logically secure encrypting card acceptance devices
– PIN / Chip / Stripe acceptance supported with external hardware devices
10. PA DSS and Mobile
• PCI SSC is cautious about approval of mobile applications
– Three types of mobile apps defined
– PA DSS approval only for two types
– Work on-going regarding type 3
Category 1: PCI PTS Device (can be approved to PA DSS)
Category 2: Dedicated Payment Device (can be approved to PA DSS)
Category 3: All other mobile payment software (cannot currently be approved to PA DSS)
11. Mobile Payments Stats
[Image slide: mobile payments statistics]
12. Mobile Events 2011
• Visa invests in Square (April)
• Visa releases mobile best practice (April)
• PCI defines 3 types of mobile apps (June)
• Google Wallet released in conjunction with MasterCard (Sept)
• PCI releases PCI PTS v3.1 as a facilitator to secure mobile add-on devices (Sept)
• MasterCard / Intel co-operation (Nov)
• GSMA support for SIM based NFC (Nov)
13. Visa Mobile Best Practices
• Provide secure code loading & updates
– Using known chain of trust
• Use secure coding best practices
• Protect encryption keys
– PCI PTS and PA DSS referenced
• Allow for remote disablement
– Reduce risk & threat of stolen device(s)
• Log and track sensitive operations
– Store remotely where possible
14. Visa Mobile Best Practices
• Encrypt all public transmissions of data
• Protect account data from other apps
– Encrypting reader recommended (SRED)
• Provide truncation and/or tokenisation
– Minimize storage of account data
• Protect stored PAN and sensitive account data
– By using encryption
– Only store SAD prior to authorisation
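The truncation, tokenisation and SAD points above, as an added example (not code from the slides or from Visa's best-practice document). It models a merchant-side record: the full PAN goes only into a vault and is replaced by a random token, the application keeps a truncated PAN (first 6 / last 4 at most) for display, and the CVV2 is held only until the authorisation response. The in-memory vault, the "tok_" token format and the sample card number are assumptions for illustration; it runs offline with the standard library.

```python
"""Truncation, tokenisation and SAD lifecycle for a merchant-side card record.

Added example (not from the original slides or from Visa's document).
Assumptions for illustration: an in-memory vault, a "tok_" token format
and a constructed test PAN. Runs offline with the standard library only.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check so obviously malformed PANs are rejected before storage."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits (the PCI DSS truncation limit)."""
    if len(pan) < 11:
        raise ValueError("PAN too short to truncate safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Token <-> PAN mapping; the only component allowed to see a full PAN.

    Tokens are random rather than derived from the PAN, so a copied token
    table says nothing about the card numbers behind it. The same PAN maps
    to the same token so the merchant can still link repeat transactions.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_hex(16)
            self._by_token[token] = pan
            self._by_pan[pan] = token
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


@dataclass
class TransactionRecord:
    """What the merchant application keeps. There is deliberately no full-PAN field."""
    token: str
    masked_pan: str
    expiry: str
    # SAD: held only until the authorisation response, never written to durable storage
    cvv2: Optional[str] = field(default=None, repr=False)

    def on_authorisation_response(self) -> None:
        """Once the issuer has answered, SAD must not be retained."""
        self.cvv2 = None


def capture(vault: TokenVault, pan: str, expiry: str, cvv2: str) -> TransactionRecord:
    """Build the record: full PAN goes to the vault, the app keeps token + truncated PAN."""
    return TransactionRecord(vault.tokenize(pan), truncate_pan(pan), expiry, cvv2)


def demo() -> TransactionRecord:
    # Constructed sample: 4111111111111111 is a well-known Luhn-valid test number.
    vault = TokenVault()
    rec = capture(vault, "4111111111111111", "1225", "123")
    assert rec.cvv2 == "123"            # available while the authorisation is in flight
    rec.on_authorisation_response()     # ... and discarded as soon as it returns
    return rec
```

The point of the split is scope: an attacker who reads the application's records (or its logs, since the dataclass keeps the CVV2 out of `repr`) gets tokens and truncated PANs, neither of which is cardholder data that can be replayed; only the vault needs the protections the slide lists for stored PAN.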
15. Contactless Security
Lots of press on ‘Contactless pickpockets’
Is this a problem?
16. Contactless Security
• CVV3 / CVC3 distinguishes data read from the contactless interface from MSR / ICC data
– Provides a unique value per transaction
– Uses information from the terminal
• Prevents replay attacks
– Uses unique secret keys in the card
• Mitigates card cloning
• Contactless data can be intercepted, but PAN/expiry only provides little value
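The mechanism described on this slide, as an added example (not code from the slides or from any card scheme specification): each card holds a key diversified from an issuer master key, keeps a transaction counter (ATC), and computes a short value over the PAN, the ATC and the terminal's unpredictable number; the issuer host recomputes it, and an ATC that does not advance is treated as a replay. The real CVV3/CVC3 algorithms are 3DES-based MACs over track data; HMAC-SHA256 is used here as a stand-in, and the master key, PAN and numbers are constructed.

```python
"""Per-transaction dynamic card verification value (CVV3 / CVC3 style).

Added example, not from the original slides or from a card scheme
specification. HMAC-SHA256 stands in for the 3DES-based scheme MACs; the
issuer master key, PAN and unpredictable numbers are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Key diversification: every card carries its own key, so extracting one
    card's key does not let an attacker impersonate any other card."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def dynamic_cvc(card_key: bytes, pan: str, atc: int, unpredictable_number: int) -> str:
    """3-digit value over PAN, application transaction counter (ATC) and the
    terminal's unpredictable number (UN). Changing either input changes the value."""
    msg = f"{pan}|{atc:05d}|{unpredictable_number:08d}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class ContactlessCard:
    """Simulated card: holds its key and a monotonically increasing ATC."""

    def __init__(self, pan: str, card_key: bytes) -> None:
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def tap(self, unpredictable_number: int) -> Dict[str, object]:
        """Data a reader receives over the contactless interface. The key never leaves."""
        self.atc += 1
        return {
            "pan": self.pan,
            "atc": self.atc,
            "un": unpredictable_number,
            "cvc3": dynamic_cvc(self._key, self.pan, self.atc, unpredictable_number),
        }


class Terminal:
    def new_unpredictable_number(self) -> int:
        return secrets.randbelow(10 ** 8)


class IssuerHost:
    """Recomputes the CVC3 from the master key and rejects replays via the ATC."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._last_atc: Dict[str, int] = {}

    def authorise(self, msg: Dict[str, object]) -> Tuple[bool, str]:
        pan, atc, un = str(msg["pan"]), int(msg["atc"]), int(msg["un"])
        key = derive_card_key(self._master, pan)
        if not hmac.compare_digest(dynamic_cvc(key, pan, atc, un), str(msg["cvc3"])):
            return False, "bad CVC3"
        if atc <= self._last_atc.get(pan, 0):
            return False, "replayed ATC"
        self._last_atc[pan] = atc
        return True, "approved"


def demo() -> Tuple[str, str, str]:
    """Genuine tap, replay of the same message, and a 'clone' built from sniffed data."""
    master = b"constructed-issuer-master-key"
    pan = "5413330089020029"                      # constructed sample PAN
    card = ContactlessCard(pan, derive_card_key(master, pan))
    host = IssuerHost(master)
    term = Terminal()
    genuine = card.tap(term.new_unpredictable_number())
    first = host.authorise(genuine)[1]
    replay = host.authorise(dict(genuine))[1]      # identical message re-sent
    # Eavesdropper has PAN/ATC/UN/CVC3 but not the key: with a fresh UN from
    # the terminal the old CVC3 is wrong, except for a 1-in-1000 lucky guess.
    forged = dict(genuine)
    forged["atc"] = int(genuine["atc"]) + 1
    forged["un"] = term.new_unpredictable_number()
    cloned = host.authorise(forged)[1]
    return first, replay, cloned
```

The caveat the comment hints at matters in practice: a 3-digit value gives a guessing attacker one chance in a thousand per attempt, so the host-side ATC tracking and the usual velocity and floor-limit controls are part of the design, not optional extras.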
17. Security without CVM
• But there’s no PIN / signature!
– Contactless floor limits prevent large-scale fraud using a stolen card
– Scheme rules reduce cardholder liability
– Reduction in PIN use and CVV3/CVC3 reduces incentives for skimming
– Other scheme incentives reduce value of PAN / expiry only data
• Documented fraud on contactless cards in Australia very low
18. Mobile Payments Security
• ‘Secure element’ used in phones
– To protect the cryptographic keys and data
– Current approvals to requirements such as MasterCard CAST / EMV chip security
– Protects against side channel and physical attacks
• Secure element like a physical card chip on your phone
– Integration may expose new vulns
– Understand risks when assessing mobile
19. What’s the Future for Mobile?
• Mobile payments will not disappear
– An area of growth, not a fad
• Contactless / NFC will play a big part
– Co-existence of other wireless interfaces possible for the short term
• Mobile payments likely to push secure elements into phones
– Lead to other possible uses
– Certification requirements may expand beyond current CAST / EMV chip
20. What’s the Future for Mobile?
• Understand what ‘mobile’ means to your business
– Payment, banking, acceptance, other (?)
– Risk mitigations are different
• Look past the hype for the real story
– Both in benefits and risks
• Be aware of emerging standards
– OK today may not be OK tomorrow
• Ensure CHD remains protected …
21. Questions?
For further information please contact
Andrew Jamieson
Technical Manager
Witham Laboratories
Email: andrew.jamieson@withamlabs.com
Phone: +61 3 9846 2751