Human Factors of XR: Using Human Factors to Design XR Systems
2016_07_22_can_you_protect_my_cc_data
1. 08/18/16, Nova Southern University, Fort Lauderdale, FL
Can you protect my Credit Card data? It is 2016 after all!
South Florida Information Systems Security Association (ISSA)
2. Can you protect my Credit Card data?
It is 2016 after all!
Emerging technologies, PCI-DSS Compliance & scope reduction
Mr. Kelvin Medina, QSA,CISSP, CISA, GCIH, SEC+, ITIL
3. Presenter
Mr. Kelvin Medina, QSA, CISSP, CISA, GCIH, SEC+, ITIL
Sr. Security Consultant, Trustwave
Contact Information
561-330-5757
kmedina@trustwave.com
https://www.linkedin.com/in/kelvinmedina
4. Presenter (Who is this guy anyway!?)
• Senior Security Consultant
– Emphasis around secure application development, source-code review, application testing and
cryptography in alignment with both the PCI Point-to-point Encryption (P2PE) & the Payment Application
Data Security Standard (PA-DSS).
• Information Security Engineer (ISE) at the University of Miami (UM)
– Internal consultant for IT enterprise compromised of more than 25k users, 700 plus applications, and
over $160 millions in credit card transactions per year across different facilities in South Florida
• Previously, Information Systems Security Officer (ISSO) at the US Navy
• Recent public engagements
– “Your biggest cyber threat? Naïve end-users”, United States Cybersecurity Magazine, January 2015
– Panelist, “Network Security and PCI-DSS”, South Florida Technology Alliance (SFTA), February 2015
• Education
– BS Computer Science, University of Puerto Rico
– MS Technical Management, Johns Hopkins University
– Global Pre-MBA Leadership Program, Yale University
6. PA-DSS, validation of payment applications
Initialization
Kick-off
Meeting
Information
Gathering
Application
Testing
Forensic
Review
Reporting
Submission
to PCI SSC
• Applicable to payment applications that
– Perform Authorizations
– Perform Settlements
• Changes to listed payment applications
– No-impact change
• Change of application description for
marketing purposes
– Low-impact change
• Changes that have minor impact to PA-DSS
reqs.
– High-impact change
• A new OS is added, changes to the
encryption mechanism, etc.
11. Emerging technologies and its challenges
• Naturally, technology moves fast
– In contrast to standards and
frameworks
• From startups to the typical
organization
– They are all creating new
ways to accept payments
• US FinTech Financing Activity
– Topped $12.21 billion in 2014
12. Moving toward a data centric approach
• Data centric approach
– Cell level security (e.g. Transparent Data Encryption (TDE) in Azure SQL)
– Encryption (e.g. P2PE)
– Security containers (e.g. MobileIron MDM)
• Social, Mobile, Analytics, and Cloud (SMAC)
14. Point to Point Encryption (P2PE) • Encryption of Cardholder Data
elements starting at POI
• End-to-End encryption (E2EE) is
not equal to P2PE
– Only a validated P2PE solution
has been accepted and listed
by PCI SSC
• Merchant-Managed Solution, ideal
for BIG merchant not looking to
give up their control
• P2PE SAQ includes only 26 PCI-
DSS Reqs.
15. Business Case: Achieving PCI-DSS compliance along with EHR?
• How to balance the
requirements of the
Electronic Health
Record (EHR) system
along with PCI-DSS?
• Over 300 points of
payment across
different cities
Physical Space Budget Constraints
Non-standardized Business
Processes
Lack of Executive Support
Challenges
Healthcare
Institution
16. Pilot project, hoping scope reduction!
• Use Desktop as a Service (DaaS) to reduce scope
EHR
17. What about… EHR and P2PE?
P2PE Credit Card Reader
Solution Provider
Data Decryption
Service
19. Magnetic Stripe Technology
• Virtually no changes since its introduction in the 1960s
• Prone to
– Skimming (capture the track data)
– Shoulder-surfing or HD Camera
• (watch the PIN as it is being entered)
20. Europay, Visa, Mastercard (EMV) Technology
• EVM or smart cards were patented by in the 1970’s by France, Germany, and Japan
• Started as a way to store bank account information securely on a card
22. EMV Deadline for the US
• Liability fraud
shift from Issuer
to Merchant
– Oct 2015
• Not an actual
PCI-DSS
requirement
23. VISA expand Technology Innovation Program (TIP) Expanded
• VISA TIP now includes merchants who
process at least 75% of their transactions
through a PCI-validated P2PE solution
– Effective on April 1st, 2015
• Annual PCI-DSS validation assessment might
be waived
24. What is tokenization?
As per PCI-DSS “a process by which the primary account number (PAN) is replaced with a
surrogate value called a ―token. De-tokenization is the reverse process of redeeming a token
for its associated PAN value.”
28. Mobile Payment Application (PA)
• 3 categories of Mobile Payment Applications
– Considered for PA-DSS
• Only Category 1 (PTS-approved) and 2 (purpose-built and bundled) devices
– Not considered for PA-DSS
• Category 3 devices (e.g. smartphones) not considered for PA-DSS PA
• This does not imply that not Category 3 applications cannot be used, but need to be custom built for
merchants or delivered as part of a service
• PCI SSC control does not extend to consumer applications
– PCI Mobile Payment Acceptance Security Guidelines
• Two guides: Merchants & Developers
– Secure devices and networks including segmentation
– Tokenization and data elimination
– Secure coding, etc.
Reference: https://www.pcisecuritystandards.org/documents/pa-dss_mobile_apps-faqs.pdf
29. Takeaways
• Whenever you consider a new product or service
– Weight pros and cons
• Use a security first approach
– Security is engaged as early as possible during the acquisition process
– See security as an integrated part of your business
• Clearly understand all the responsibilities
– Your responsibilities
– Your Vendor responsibilities
– Consult only with qualified organizations (e.g. QSA)
• Focus on security as an overall strategy for your business
• Read and understand the security requirements that apply to you!
• AND finally make informed, risk based decisions
Trustwave is one of the leaders in Managed Security Service Providers (MSSPs) according to Gartner Magic Quadrant.
During the past decade the focus of security has been around the infrastructure. What is the problem with this approach? Well, it is very labor intensive and more importantly, has proven to be very hard to scale at the enterprise landscape.
According to requirements from PCI-DSS, a workstation being used to process, transmit or storage Cardholder Data (CHD) needs to be dedicated for that sole purpose. In other words, you need to harden the systems by removing unnecessary ports, protocols, and services, isolate them in a VLAN, and explicitly control both inbound and outbound access. In simpler terms, you have to take a full fledge workstations and make it looks like a dumb terminal! How this affect business owners and their internal processes?
Enterprises of all types, are moving toward Social, Mobile, Analytics, and Cloud (SMAC) based architectures. This means that data is expected to reside across different technology stacks with their own unique security paradigms and control frameworks.
By now it should be obvious that securing the infrastructure, does not work for the most part and is very inefficient and ineffective.
Threats are constantly evolving, and traditional controls are insufficient or cannot appropriately scale.
Data centric approach:
Cell level security
Encryption in-transit
Security containers
This technology encrypts the PAN as soon as the credit card it is swiped/dipped, Point of Interaction (POI), so only encrypted data traverses the entire payment path.
The major difference here is that under the P2P2 standard, only the transaction processor or other third party is allowed to perform cryptographic operations to include key management. In other words, only the solution provider can decrypt the cardholder data (CHD).
PCI PIN Transaction Security (PTS) standard, added Secure Reading & Exchange of Data (SRED), this technology minimize the exposure of cardholder data elements protecting POS memory scraping malware.
After some brainstorming in the IT Department, the idea of using Desktop as a Service (DaaS) to assist us in achieving PCI-DSS compliance was born. The concept was simple, the local workstation would be locked down and dedicated for the sole purpose of processing cardholder and patient data while.
During the pilot we learned that one solution does not work for all. As the rollout started to take place, complains started to flourish on how these locked workstations were affecting their respective business processes. For example, the Pathology Department, needed their workstations to have their USB ports to be open; they take pictures to patients using a digital camera. After all this, the pilot was put to an end.
After the experience with the DaaS project… we turned the direction toward a P2PE solution that worked with the EHR. We learned right after that there only to service providers for our EHR.
Engagements with 3rd party companies started to find out about their product and how it could be implemented in our environment using the MagTek Dynamo Pro P2PE card readers for example.
SRED is an acronym for Secure Reading and Exchange of Data, and it refers to the Point of Interaction (POI) security standard as outlined in the PIN Transaction Security (PTS) requirements, version 3.1.
This mean, only PCI approved solutions will qualify you for scope reduction. Beware of this fact when shopping around!
A PCI P2PE validated solution, by a backend processor, no intermediaries, is the most secure solution. In a close second, is any PCI Validated P2PE solution.
You may be surprised to learn that patents were first filed for "smart cards" in France, Germany, and Japan in the 1970s. The concept started as a way to store bank account information securely on a card. Over time, people realized that this technology provided a way to store more data on the card than is possible to store on a magnetic stripe.
From the technical standpoint, the chip is like a microcomputer that contains a RAM, a CPU, and a ROM among other components. The chip technology enables dynamic authentication, meaning that the chip generate a unique code or a cryptogram with every transaction.
EMV Workflow:
If there is a match between Terminal and card’s Application ID, the Chip Card create an Authorization Request Cryptogram (ARQC).
ARQC’s algorithm create cryptogram by taking both the Card Master Key (unique value to the card) + Session Key (unique to the transaction) as parameters
ARQC is encrypted/hashed using the Card Master key
Result 16 characters HEC ARQC: 1A2B3C4D5E6F4321
Cryptogram is sent to Acquirer.
Acquirer sent cryptogram to Issuer.
Issuer validates the received ARQC by creating its own ARQC using a Hardware Security Module (HSM) to ensure transaction came from the chip card (and was not fraudulently introduced into the transaction request path) and makes authorization decision.
Issuer send response back to Acquirer.
Acquirer send response back to Terminal.
Terminal sends the Chip Card the ARPC plus any optional Issuer command (e.g. card block) which is known as the Application Protocol Data Unit (APDU).
The card then validates the ARPC by creating its own and approves any APDU sent to it.
Chip Card respond back to the Terminal indicating whether or not the command was executed successfully.
Chip & PIN VS Chip & Signature: You can think of these as verifying different aspects of the transaction.By verifying the PIN, the issuer is authenticating the cardholder who performed the transaction.
By verifying the request cryptogram in the chip transaction, the issuer is authenticating the card that performed the transaction.
PCI-DSS Definition: Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a ―token. De-tokenization is the reverse process of redeeming a token for its associated PAN value.
• Types of Tokens
– Reversible – Irreversible – Cryptographic – Non-Cryptographic
• Token Objectives
• Use Cases
• Key Management • Glossary
The token can be stored in lieu of a PAN, reducing the risk of unauthorized disclosure of a PAN.
Token Generation:
Note that where token generation is based on a reversible encryption method (where the token is mathematically derived from the original PAN through the use of an encryption algorithm and cryptographic key), the resultant token is an encrypted PAN, and may be subject to PCI DSS considerations in addition to those included in this document.
TSP: As an example, if a merchant outsources their card data vault containing encrypted PANs to a TSP, the TSP would be responsible for ensuring that PCI DSS controls are applied and maintained in the environment where the vault is located. Before you start any engagement, as a client, you are responsible for performing your due diligence/TSP risk assessment.
On Premise: In an on-premise tokenization solution, the merchant maintains control over all components of the tokenization system. In this scenario, the merchant is fully responsible for complying with all applicable PCI DSS requirements. Merchants with on-premise solutions will also need to verify any segmentation controls that are implemented between their tokenization solution and any out- of-scope networks or systems