This document discusses data security best practices for financial technology companies. It recommends using encryption techniques like RSA DUKPT and ECC to encrypt sensitive data during transmission and storage. Hardware-based true random number generation and tamper detection/proofing is advised. Logs should be kept of all actions, APIs should have authentication, and systems must be monitored for anomalies or attacks. Inside attacks are more difficult to detect than outside attacks, so special precautions are needed to guard against insiders compromising data.

1. Data Security
while disrupting fintech

2. 110,000,000
6 months of warning; 40 million cards stolen, $61 million spent; 46% drop in sales

3. MOTO: Card Number & Expiry Date
OTP or PIN, Track 2

4. Point of Capture
Transmission
Storage
© John David Guerra

5. RSA DUKPTUKPT
KeK(DeK(data))
ECC
3DES
AES 256

6. ☛ h/w
True Random Generation in an inaccessible,
tamper responsive location

7. ❎ Save Sensitive Data
❎ Mix Data
❎ Single Access

8. Log everything
Synchronize Time
Suppress Stacktrace!☛

9. Monitor > Alert > React
Pattern Analysis
☛

10. Outside in attacks are easy to
handle.
Inside out?☛

11. Tamper Proofing / Detection
API AAA
OWASP for Clients
Android specific things☛

12. ☛ h/w
Guard against non-execution of sensitive
functions

13. ☛ h/w
Compiled Code ⇶ Source Code
Optimization is not always good

14. ☛ h/w
Differential Power Analysis
attacks are possible!

15. ☯
Thank You