Securing Mobile Payments
v1.1

Witham Laboratories
1/842 High Street
East Kew 3102
Melbourne
Australia
Ph: +61 3 9846 2751
Fax: +61 3 9857 0350

Rambla de Catalunya
38, 8 planta
08007 Barcelona
Spain
Ph: +34 93 184 27 88

Email: lab@withamlabs.com

PCI PTS   PCI PIN   PCI DSS   PA-DSS
Witham Laboratories
Building Confidence in Payment Systems

Slide No. 1
Defining Mobile Payments

• What is “mobile”?
  – Paying on a phone? Paying with a phone? Accepting payments with a phone?
  – What about other mobile devices: tablets, laptops, e-readers, PMDs?
  – What about internet banking on a phone?
• ‘Mobile’ is often defined by the vendor
  – Be aware that there are different meanings
  – Let’s look at some examples …

Slide No. 2
Defining Mobile Payments

Mobile payment examples (image-only slide; the examples are not reproduced in the transcript)

Slide No. 3
Defining Mobile Payments

• Contactless / NFC often used for mobile
  – NFC = Near Field Communication
  – Contactless NFC != RFID
  – Provides processing on card (a contactless payment card is a smart card with its own processor and keys)
    • RFID is just a contactless bar-code: a static identifier that is read out as-is
  – Cards require an ‘active’ EM field to operate
    • Draw power from the field itself
    • Limits the range at which a reader can independently access the card(s)
  – Anti-collision and time-delays built in to prevent accidental purchases

Slide No. 4
Why is Mobile Different

• Aspires to be everything to everyone
  – Card, bank, cash, Point of Sale register
• Mobile presents new sets of problems
  – Different operating systems and vulns
    • 400% increase in mobile malware since 2010*
      – Zeus and SpyEye specifically target financial data
    • Keyboard auto-complete caches and location logging are a potential for compromise
    • Rapid OS development and lack of knowledge / visibility to approval bodies

* Android platform, “Malicious Mobile Threats Report 2010/2011”, Juniper

Slide No. 5
Why is Mobile Different

• Introduces new market players
  – Google, Apple, Square, Intel
• New market dynamics
  – Is security still a main customer concern?
    • Mobile often seen as a cash replacement
    • ‘As good as cash’ for security may be enough, if coupled with increased convenience
  – Customer interface changes
    • Does the customer interface to the issuer or the phone company? Who is the issuer?

Slide No. 6
Why is Mobile Different

• Card data stored in ‘Secure Element’
  – But how is the data transmitted?

[Diagram: the handset payment stack and its external interfaces]

  Mobile Network  <->  Network Modem
                       User Interface
                       Application
                       Operating System
  Perso / Update  <->  Secure Element
  Server
                       NFC Controller  <->  POS / POI  <->  Payment Network

Slide No. 7
PCI SSC and Mobile

• PCI taking a three-pronged approach to mobile payments
  – PCI PTS approved add-on devices
    • Must be approved to SRED requirements
    • Can accept MSR and/or ICC, with/without PIN
  – PA DSS approved applications on certain types of mobile devices
  – Working with mobile vendors for further solutions around mobile payments
• Expect more from PCI on mobile in the future

Slide No. 8
PCI PTS v3 - SRED

• PCI PIN Transaction Security program
  – Secure Reading and Exchange of Data (SRED) module introduced in v3
  – Non-PIN device class approvals in v3.1
    • Secure Card Reader (SCR), non-PED
• Allows for secure mobile transactions
  – Approval of physically & logically secure encrypting card acceptance devices
  – PIN / Chip / Stripe acceptance supported with external hardware devices

Slide No. 9
PA DSS and Mobile

• PCI SSC is cautious about approval of mobile applications
  – Three types of mobile apps defined
  – PA DSS approval only for two types
  – Work on-going regarding type 3

  Category 1                  Category 2                  Category 3
  PCI PTS device              Dedicated payment device    All other mobile payment software
  Can be approved to PA DSS   Can be approved to PA DSS   Cannot currently be approved to PA DSS

Slide No. 10
Mobile Payments Stats

(image-only slide; the statistics are not reproduced in the transcript)

Slide No. 11
Mobile Events 2011

• Visa invest in Square (April)
• Visa release mobile best practice (April)
• PCI define 3 types of mobile apps (June)
• Google Wallet released in conjunction with MasterCard (Sept)
• PCI release PCI PTS v3.1 as a facilitator to secure mobile add-on devices (Sept)
• MasterCard / Intel co-operation (Nov)
• GSMA support for SIM based NFC (Nov)

Slide No. 12
Visa Mobile Best Practices

• Provide secure code loading & updates
  – Using known chain of trust
• Use secure coding best practices
• Protect encryption keys
  – PCI PTS and PA DSS referenced
• Allow for remote disablement
  – Reduce risk & threat of stolen device(s)
• Log and track sensitive operations
  – Store remotely where possible

Slide No. 13
Visa Mobile Best Practices

• Encrypt all public transmissions of data
• Protect account data from other apps
  – Encrypting reader recommended (SRED)
• Provide truncation and/or tokenisation
  – Minimize storage of account data
• Protect stored PAN and sensitive account data
  – By using encryption
  – Store SAD (full track data, CVV2, PIN data) only until authorisation, never after it

Slide No. 14
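The truncation, tokenisation and "SAD only until authorisation" bullets on the two Visa best-practice slides above describe a data flow rather than an algorithm, so here is that flow as an added example written for this page; it is not code from the deck, from Visa or from any PCI document. Assumptions: the token vault is an in-memory dict standing in for a vault that would sit off the device with PANs encrypted at rest, `demo_acquirer` is a constructed stand-in for the acquirer host, and the PAN, amount and response codes are made-up test values.

```python
"""Account-data handling for a mobile acceptance app: mask the PAN for
display, replace it with a token for storage, and hold SAD (CVV2) only
until the authorisation response arrives. Added example; vault and
acquirer are constructed stand-ins, not real services."""
from __future__ import annotations

import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test, so typos are rejected before anything leaves the app."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncated PAN for receipts, logs and the UI: at most first six and last four digits."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Swaps a PAN for a random token with no mathematical relation to it.
    Only the vault can reverse the mapping; the app keeps just the token.
    Assumption: an in-memory dict stands in for an off-device, encrypted vault."""

    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenise(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]


class AuthRequest:
    """Data for one authorisation. The CVV2 is sensitive authentication data (SAD):
    it lives only in this object and only until the response is back."""

    def __init__(self, pan: str, expiry: str, cvv2: str, amount_cents: int) -> None:
        self.pan, self.expiry, self.cvv2, self.amount_cents = pan, expiry, cvv2, amount_cents

    def wipe(self) -> None:
        self.cvv2 = None
        self.pan = None


def demo_acquirer(req: AuthRequest) -> tuple[bool, str]:
    """Constructed stand-in for the acquirer host: approves when CVV2 is present and well-formed."""
    if req.cvv2 is None or not (req.cvv2.isdigit() and len(req.cvv2) == 3):
        return False, "05"                   # generic decline code used by this demo
    return True, "A" + secrets.token_hex(3).upper()


def process_sale(vault: TokenVault, acquirer, pan: str, expiry: str,
                 cvv2: str, amount_cents: int) -> dict:
    """Run the authorisation, then keep only what a later refund or report needs."""
    masked = mask_pan(pan)                   # raises on an invalid PAN before anything is sent
    req = AuthRequest(pan, expiry, cvv2, amount_cents)
    try:
        approved, code = acquirer(req)
    finally:
        req.wipe()                           # SAD is gone whether the call succeeded or raised
    return {"token": vault.tokenise(pan), "masked_pan": masked, "expiry": expiry,
            "amount_cents": amount_cents, "approved": approved, "auth_code": code}


def record_is_clean(record: dict, pan: str) -> bool:
    """Self-check on a stored record: no SAD field at all and the full PAN nowhere in it."""
    return ("cvv2" not in record and "track" not in record
            and all(pan not in str(v) for v in record.values()))


if __name__ == "__main__":
    vault = TokenVault()
    rec = process_sale(vault, demo_acquirer, "4111111111111111", "1212", "123", 1999)
    print(rec, "clean:", record_is_clean(rec, "4111111111111111"))
```

The `try/finally` is the part that matters for the last bullet: the CVV2 is wiped on every exit path, including a network exception, so a crash log or a retry queue never carries it. The random token means a dump of the app's storage yields nothing usable without the vault, which is why the vault belongs off the device.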
Contactless Security

Lots of press on ‘Contactless pickpockets’

(image-only slide; the press clippings are not reproduced in the transcript)

Is this a problem?

Slide No. 15
Contactless Security

• CVV3 / CVC3 is used to decouple the data read over the contactless interface from the MSR / ICC data
  – Provides a unique value per transaction
  – Uses information from the terminal (an unpredictable number) together with the card’s transaction counter
    • Prevents replay attacks
  – Uses unique secret keys in card
    • Mitigates card cloning
• Contactless data can be intercepted, but PAN/expiry only provides little value

Slide No. 16
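To make the replay and cloning claims on the slide above concrete, here is a model of the dynamic CVC3 exchange between card, terminal and issuer. It is an added example for this page, not code from the deck or from any card scheme. Assumptions: HMAC-SHA256 stands in for the card's keyed MAC (the live schemes derive CVC3 with their own 3DES-based algorithms over track data, which are not reproduced), the key length, the issuer's failure limit and the test PAN are made up for the demonstration, and `clone_guess_rate` goes beyond the slide by measuring the residual risk of a three-digit value.

```python
"""Model of a dynamic CVC3 / CVV3: a per-tap value bound to a terminal
unpredictable number (UN), the card's transaction counter (ATC) and a key
that never leaves the card. Added example with constructed values."""
from __future__ import annotations

import hashlib
import hmac
import secrets

KEY_LEN = 16       # hypothetical per-card key length for this model
TEST_PAN = "5555555555554444"   # constructed test PAN, not a live card


def compute_cvc3(card_key: bytes, pan: str, expiry: str, atc: int, un: int) -> str:
    """Keyed MAC over card data, ATC and UN, folded to three decimal digits so it
    fits the discretionary data field. HMAC-SHA256 stands in for the real MAC."""
    msg = f"{pan}|{expiry}|{atc:05d}|{un:08X}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class ContactlessCard:
    """Card side. Only PAN, expiry, ATC and this tap's CVC3 cross the RF link."""

    def __init__(self, pan: str, expiry: str, card_key: bytes) -> None:
        self.pan, self.expiry, self._key = pan, expiry, card_key
        self.atc = 0

    def tap(self, un: int) -> dict:
        self.atc += 1
        cvc3 = compute_cvc3(self._key, self.pan, self.expiry, self.atc, un)
        return {"pan": self.pan, "expiry": self.expiry, "atc": self.atc, "cvc3": cvc3}


class Issuer:
    """Issuer host: holds each card's key, the highest ATC seen and a mismatch
    counter, because a three-digit value is guessable without a retry limit."""

    MAX_FAILURES = 3   # hypothetical limit

    def __init__(self) -> None:
        self._keys, self._last_atc, self._failures = {}, {}, {}

    def issue(self, pan: str, expiry: str) -> ContactlessCard:
        key = secrets.token_bytes(KEY_LEN)
        self._keys[pan] = key
        return ContactlessCard(pan, expiry, key)

    def authorise(self, tap: dict, un: int) -> tuple[bool, str]:
        """Verify a tap forwarded by the terminal together with the UN the terminal issued."""
        pan = tap["pan"]
        key = self._keys.get(pan)
        if key is None:
            return False, "unknown card"
        if self._failures.get(pan, 0) >= self.MAX_FAILURES:
            return False, "card blocked"
        if tap["atc"] <= self._last_atc.get(pan, 0):        # replay: counter has not advanced
            return False, "ATC replayed or out of sequence"
        expected = compute_cvc3(key, pan, tap["expiry"], tap["atc"], un)
        if not hmac.compare_digest(expected, tap["cvc3"]):
            self._failures[pan] = self._failures.get(pan, 0) + 1
            return False, "CVC3 mismatch"
        self._last_atc[pan] = tap["atc"]
        return True, "approved"


def run_scenarios() -> dict:
    """Genuine tap, a straight replay of the sniffed tap at a later sale, then the real card again."""
    issuer = Issuer()
    card = issuer.issue(TEST_PAN, "1212")
    out = {}
    un1 = secrets.randbits(32)               # terminal-generated unpredictable number
    sniffed = card.tap(un1)                  # exactly what an eavesdropper on the RF link sees
    out["genuine"] = issuer.authorise(sniffed, un1)
    out["replay"] = issuer.authorise(sniffed, secrets.randbits(32))
    un3 = secrets.randbits(32)
    out["genuine_again"] = issuer.authorise(card.tap(un3), un3)
    return out


def clone_guess_rate(trials: int) -> float:
    """A 'clone' built from sniffed PAN, expiry and one CVC3 has no key, so the best it
    can do is present the old CVC3 with a bumped ATC. Returns how often that verifies:
    about 1 in 1000 for a three-digit value, which is why issuers count failures."""
    hits = 0
    for _ in range(trials):
        key = secrets.token_bytes(KEY_LEN)
        sniffed = compute_cvc3(key, TEST_PAN, "1212", 1, secrets.randbits(32))
        if sniffed == compute_cvc3(key, TEST_PAN, "1212", 2, secrets.randbits(32)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(run_scenarios())
    print("clone guess rate:", clone_guess_rate(2000))
```

Two checks do the work: the ATC comparison kills replay of a captured tap, and the UN in the MAC input means a value computed for one terminal's challenge is useless at another. What the attacker is left with is PAN, expiry and a one-off number, which is the "little value" the slide refers to; the remaining 1-in-1000 guess is handled by the issuer's failure counter, not by the card.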
Security without CVM

• But there’s no CVM (PIN / signature)!
  – Contactless floor limits prevent large-scale fraud using a stolen card
  – Scheme rules reduce cardholder liability
  – Reduction in PIN use and CVV3/CVC3 reduces incentives for skimming
  – Other scheme incentives reduce value of PAN / expiry only data
• Documented fraud on contactless cards in Australia very low

Slide No. 17
Mobile Payments Security

• ‘Secure element’ used in phones
  – To protect the cryptographic keys and data
  – Current approvals to requirements such as MasterCard CAST / EMV chip security
  – Protects against side channel and physical attacks
• Secure element like a physical card chip on your phone
  – Integration may expose new vulns
  – Understand risks when assessing mobile

Slide No. 18
What’s the Future for Mobile?

• Mobile payments will not disappear
  – An area of growth, not a fad
• Contactless / NFC will play a big part
  – Co-existence of other wireless interfaces possible for the short term
• Mobile payments likely to push secure elements into phones
  – Lead to other possible uses
  – Certification requirements may expand beyond current CAST / EMV chip

Slide No. 19
What’s the Future for Mobile?

• Understand what ‘mobile’ means to your business
  – Payment, banking, acceptance, other (?)
  – Risk mitigations are different
• Look past the hype for the real story
  – Both in benefits and risks
• Be aware of emerging standards
  – OK today may not be OK tomorrow
• Ensure CHD (cardholder data) remains protected …

Slide No. 20
Questions?

For further information please contact
Andrew Jamieson
Technical Manager
Witham Laboratories
Email: andrew.jamieson@withamlabs.com
Phone: +61 3 9846 2751

Slide No. 21

Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Recently uploaded (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Mobile payments v1.1 (slide transcript)

1. Securing Mobile Payments v1.1
   Witham Laboratories
   1/842 High Street, East Kew 3102, Melbourne, Australia. Ph: +61 3 9846 2751, Fax: +61 3 9857 0350
   Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain. Ph: +34 93 184 27 88
   Email: lab@withamlabs.com
   PCI PTS, PCI PIN, PCI DSS, PA-DSS. Building Confidence in Payment Systems.

2. Defining Mobile Payments
   • What is “mobile”?
     – Paying on a phone? Paying with a phone? Accepting payments with a phone?
     – What about other mobile devices: tablets, laptops, e-readers, PMDs?
     – What about internet banking on a phone?
   • ‘Mobile’ is often defined by the vendor
     – Be aware that there are different meanings
     – Let’s look at some examples …

3. Defining Mobile Payments
   Mobile payment examples (images only on this slide)

4. Defining Mobile Payments
   • Contactless / NFC often used for mobile
     – NFC = Near Field Communications
     – Contactless NFC != RFID
       • Provides processing on card
       • RFID is just a contactless bar-code
     – Cards require ‘active’ EM field to operate
       • Draw power from the field itself
       • Limits range of independent access to card(s)
     – Collision resistance and time-delays built in to prevent accidental purchases

5. Why is Mobile Different
   • Aspires to be everything to everyone
     – Card, bank, cash, Point of Sale register
   • Mobile presents new sets of problems
     – Different operating systems and vulns
       • 400% increase in mobile virii since 2010*
       • Zeus and Spyeye specifically target financial data
     – Keyboard auto-complete caches and location logging a potential for compromise
     – Rapid OS development and lack of knowledge / visibility to approval bodies
   * Android platform, “Malicious Mobile Threats Report 2010/2011”, Juniper

6. Why is Mobile Different
   • Introduces new market players
     – Google, Apple, Square, Intel
   • New market dynamics
     – Is security still a main customer concern?
       • Mobile often seen as a cash replacement
       • ‘As good as cash’ for security may be enough, if coupled with increased convenience
     – Customer interface changes
       • Does the customer interface to the issuer or the phone company? Who is the issuer?

7. Why is Mobile Different
   • Card data stored in ‘Secure Element’
     – But how is the data transmitted?
   [Diagram: components shown are Mobile Network, Modem, Payment Network, Network, User Interface, Application, Operating System, Perso / Update Server, Secure Element, POS / POI, NFC Controller]
8. PCI SSC and Mobile
   • PCI taking a three pronged approach to mobile payments
     – PCI PTS approved add-on devices
       • Must be approved to SRED requirements
       • Can accept MSR and/or ICC, with/without PIN
     – PA DSS approved applications on certain types of mobile devices
     – Working with mobile vendors for further solutions around mobile payments
   • Expect more from PCI on mobile in the future

9. PCI PTS v3 - SRED
   • PCI PIN Transaction Security program
     – Secure Reading and Exchange of Data (SRED) module introduced in v3
     – Non-PIN device class approvals in v3.1
       • Secure Card Reader (SCR), non-PED
   • Allows for secure mobile transactions
     – Approval of physically & logically secure encrypting card acceptance devices
     – PIN / Chip / Stripe acceptance supported with external hardware devices

10. PA DSS and Mobile
   • PCI SSC is cautious about approval of mobile applications
     – Three types of mobile apps defined
     – PA DSS approval only for two types
     – Work on-going regarding type 3
   Category 1: PCI PTS Device                   – Can be approved to PA DSS
   Category 2: Dedicated Payment Device         – Can be approved to PA DSS
   Category 3: All other mobile payment software – Cannot currently be approved to PA DSS

11. Mobile Payments Stats (chart only on this slide)

12. Mobile Events 2011
   • Visa invest in Square (April)
   • Visa release mobile best practice (April)
   • PCI define 3 types of mobile apps (June)
   • Google Wallet released in conjunction with MasterCard (Sept)
   • PCI release PCI PTS v3.1 as a facilitator to secure mobile add-on devices (Sept)
   • MasterCard / Intel co-operation (Nov)
   • GSMA support for SIM based NFC (Nov)

13. Visa Mobile Best Practices
   • Provide secure code loading & updates
     – Using known chain of trust
   • Use secure coding best practices
   • Protect encryption keys
     – PCI PTS and PA DSS referenced
   • Allow for remote disablement
     – Reduce risk & threat of stolen device(s)
   • Log and track sensitive operations
     – Store remotely where possible
14. Visa Mobile Best Practices
   • Encrypt all public transmissions of data
   • Protect account data from other apps
     – Encrypting reader recommended (SRED)
   • Provide truncation and/or tokenisation
     – Minimize storage of account data
   • Protect stored PAN and sensitive account data
     – By using encryption
     – Only store SAD prior to authorisation
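The truncation, tokenisation and "SAD only prior to authorisation" points on this slide, worked as an added example (not Visa's or Witham's code): a stand-in token vault, a PCI-style PAN mask, a check for what must never be in stored records, and the step that purges sensitive authentication data once the authorisation response arrives. The capture record, the auth code and the `tok_` token format are constructed for the demo.

```python
import re
import secrets
import string

# Constructed card-present capture as a reader would hand it to the app
# (test values, not a real card).
CAPTURE = {
    "pan": "5413330089604111",
    "expiry": "2512",
    "track2": "5413330089604111=25121010000000000000",
    "cvv2": "123",
    "pin_block": "0412AC89BB3F0EE2",
}

# Sensitive authentication data: may exist only until the authorisation response arrives.
SAD_FIELDS = ("track1", "track2", "cvv2", "pin_block")


def truncate_pan(pan: str) -> str:
    """Mask a PAN to at most the first six and last four digits in the clear."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Stand-in for a tokenisation service kept outside the app's own storage."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        if pan not in self._token_by_pan:
            # Letters only, so a token can never be mistaken for (or leak) a PAN.
            token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]


def contains_sad(record: dict) -> bool:
    """True if a SAD field, or a full PAN in the clear, is still present in the record."""
    if any(field in record for field in SAD_FIELDS):
        return True
    return any(isinstance(v, str) and re.search(r"\d{13,19}", v) for v in record.values())


def after_authorisation(capture: dict, vault: TokenVault, auth_code: str) -> dict:
    """Build the only record the app keeps once authorised, and purge SAD from the working copy."""
    stored = {
        "pan_masked": truncate_pan(capture["pan"]),
        "token": vault.tokenise(capture["pan"]),
        "expiry": capture["expiry"],
        "auth_code": auth_code,
    }
    for field in SAD_FIELDS:
        capture.pop(field, None)
    capture.pop("pan", None)  # the token replaces the PAN for any later reference
    return stored


if __name__ == "__main__":
    vault = TokenVault()
    working = dict(CAPTURE)
    print("before auth, SAD present:", contains_sad(working))
    kept = after_authorisation(working, vault, "A1B2C3")  # constructed auth code
    print("stored record:", kept)
    print("after auth, SAD present:", contains_sad(kept) or contains_sad(working))
```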
15. Contactless Security
   Lots of press on ‘Contactless pickpockets’
   Is this a problem?

16. Contactless Security
   • CVV3 / CVC3 is used to dislocate data on contactless card with MSR / ICC data
     – Provides a unique value per transaction
     – Uses information from the terminal
       • Prevents replay attacks
     – Uses unique secret keys in card
       • Mitigates card cloning
   • Contactless data can be intercepted, but PAN/expiry only provides little value
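The replay and cloning argument on this slide, as an added model (not the schemes' actual algorithm, which this example does not reproduce): the card MACs its static data, its transaction counter (ATC) and the terminal's unpredictable number (UN) under a card-unique key; the issuer recomputes the value. HMAC-SHA256 stands in for the card's MAC, and the master key, PAN, expiry and UNs are constructed for the demo.

```python
import hashlib
import hmac

# Constructed issuer master key and card data for the demo (not a real key or card).
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PAN = "5413330089604111"
EXPIRY = "2512"


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    # The issuer personalises each card with a key derived from its master key and the PAN,
    # so the secret exists only at the issuer and inside the card / secure element.
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def dynamic_cvc(card_key: bytes, pan: str, expiry: str, atc: int, un: int) -> str:
    # Simplified CVC3 model: MAC over the static card data, the ATC and the terminal UN,
    # truncated to 3 digits (a blind guess therefore succeeds 1 time in 1000 per attempt).
    msg = f"{pan}|{expiry}|{atc:05d}|{un:08x}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class ContactlessCard:
    """Card side: holds the secret key and the ATC, emits a fresh CVC3 on every tap."""

    def __init__(self, card_key: bytes, pan: str, expiry: str):
        self._key, self.pan, self.expiry, self.atc = card_key, pan, expiry, 0

    def tap(self, un: int) -> dict:
        self.atc += 1  # the counter increments per transaction and never repeats
        return {"pan": self.pan, "expiry": self.expiry, "atc": self.atc,
                "cvc3": dynamic_cvc(self._key, self.pan, self.expiry, self.atc, un)}


class Issuer:
    """Issuer host: recomputes the CVC3 for the UN it receives and tracks the last ATC."""

    def __init__(self, master_key: bytes):
        self._mk, self._last_atc = master_key, {}

    def authorise(self, rec: dict, un: int) -> str:
        key = derive_card_key(self._mk, rec["pan"])
        expected = dynamic_cvc(key, rec["pan"], rec["expiry"], rec["atc"], un)
        if not hmac.compare_digest(expected, rec["cvc3"]):
            return "DECLINE: CVC3 does not match this terminal's UN"
        if rec["atc"] <= self._last_atc.get(rec["pan"], 0):
            return "DECLINE: ATC already seen (replay)"
        self._last_atc[rec["pan"]] = rec["atc"]
        return "APPROVE"


def run_demo() -> dict:
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = ContactlessCard(derive_card_key(ISSUER_MASTER_KEY, PAN), PAN, EXPIRY)
    un1, un2 = 0x1A2B3C4D, 0x0BADF00D  # constructed terminal unpredictable numbers
    genuine = card.tap(un1)  # legitimate tap; assume its contents were intercepted
    outcomes = {"genuine": issuer.authorise(genuine, un1)}
    # Intercepted record presented at another terminal: the UN no longer matches.
    outcomes["replay_new_terminal"] = issuer.authorise(genuine, un2)
    # Intercepted record presented again with the same UN: CVC3 matches, ATC repeats.
    outcomes["replay_same_terminal"] = issuer.authorise(genuine, un1)
    # A clone holding only PAN/expiry lacks the card key, so its CVC3 is a guess.
    clone = ContactlessCard(b"\x00" * 32, PAN, EXPIRY)
    clone.atc = card.atc
    outcomes["clone_without_key"] = issuer.authorise(clone.tap(un2), un2)
    return outcomes


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:22s} {result}")
```

Intercepting the contactless exchange yields PAN, expiry and one used CVC3, which is why the slide rates that data as low value; the key that produces fresh values never leaves the chip.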
17. Security without CVM
   • But there’s no PIN / signature!
     – Contactless floor limits prevent large-scale fraud using stolen card
     – Scheme rules reduce cardholder liability
     – Reduction in PIN use and CVV3/CVC3 reduces incentives for skimming
     – Other scheme incentives reduce value of PAN / expiry only data
   • Documented fraud on contactless cards in Australia very low

18. Mobile Payments Security
   • ‘Secure element’ used in phones
     – To protect the cryptographic keys and data
     – Current approvals to requirements such as MasterCard CAST / EMV chip security
     – Protects against side channel and physical attacks
   • Secure element like a physical card chip on your phone
     – Integration may expose new vulns
     – Understand risks when assessing mobile

19. What’s the Future for Mobile?
   • Mobile payments will not disappear
     – An area of growth, not a fad
   • Contactless / NFC will play a big part
     – Co-existence of other wireless interfaces possible for the short term
   • Mobile payments likely to push secure elements into phones
     – Lead to other possible uses
     – Certification requirements may expand beyond current CAST / EMV chip

20. What’s the Future for Mobile?
   • Understand what ‘mobile’ means to your business
     – Payment, banking, acceptance, other (?)
     – Risk mitigations are different
   • Look past the hype for the real story
     – Both in benefits and risks
   • Be aware of emerging standards
     – OK today may not be OK tomorrow
   • Ensure CHD remains protected …

21. Questions?
   For further information please contact
   Andrew Jamieson, Technical Manager, Witham Laboratories
   Email: andrew.jamieson@withamlabs.com
   Phone: +61 3 9846 2751