Post on 04-Jun-2018
transcript
8/13/2019 Webinar Pin Security
Visa Public
Agenda
- Financial Institutions Security Environment
- Impact of a Data Security Breach on Banks
- Is Your Bank a Target?
- How Do PCI Security Requirements Apply?
- PIN Security and Key Management Controls
  - Acquirer
  - Issuer
- Key Learnings
Security Environment
Hackers are attacking:
- Small financial institutions
- Credit unions, which are increasingly targeted
- Banks that drive ATMs directly
- Banks that support debit card processing:
  - PIN validations
  - PIN changes / updates
  - PIN offset tables
  - Use of stale single-DES PIN Verification Keys (PVKs)
Hackers are looking for:
- Applications that store sensitive cardholder data
- Personal information to perpetrate identity theft
- PINs, track data, payment account numbers
Security: A Customer POV
1. Cardholder awareness of security issues is at record high levels
2. Concerns permeate all facets of their financial life and could impact their usage at ATMs
3. Maintaining consumer confidence in electronic payments is mutually beneficial
Impact of a Data Security Breach on Banks
- Damaged reputation to your bank and brand
- Potential loss of client goodwill
- Financial liability for fraud
- Potential legal liability
- Fines and penalties
- Increased regulatory compliance
How Banks Can Protect PIN and Cardholder Data
1. Know exactly what you NEED to store and store ONLY that. Most banks don't need to store PIN and payment card data
2. Know what your Host and ATM applications are storing, if anything
3. Know what your vendors are storing
4. NEVER store clear text PIN data, not even encrypted
5. NEVER store clear text KEYs
Don't Store It If You Don't Need It!
PIN Flow: Bank with HSM
Bank with HSM:
- Bank drives its own ATMs and performs PIN validation on its own debit card portfolio; not-on-us traffic is translated to the Acquirer Working Key (AWK)
- Bank validates and updates PINs at the branch and via the VRU
- ESO loads keys into the ATMs; the ESO holds the ATM KEKs to perform key-loading services
Debit processor:
- Processor performs PIN translation: decrypts the PIN using the bank's AWK and encrypts the PIN with the network AWK
Network:
- Network performs PIN translation: decrypts the PIN using the processor's AWK and encrypts the PIN with the Issuer Working Key (IWK)
Issuer:
- Issuer decrypts the PIN using the IWK and then validates the PIN
Is Your Bank a Target?
ASK YOURSELF:
1. Are you driving your own ATMs directly using a:
   a) Hardware Security Module (HSM) performing PIN translations?
   b) Third-party processor?
2. Do you have multiple systems connected, with any having Internet access?
3. Does the bank have web-facing applications?
4. Do your ATMs have remote access?
5. How old is your single-DES PIN Verification Key (PVK)?
6. How do you change cardholder PINs?
7. How is your HSM configured?
Top 7 PCI DSS and PCI PIN Violations
Based on compromises of PIN and cardholder data, Visa has found the following common issues:
1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data; insecure remote access)
2. Inadequate perimeter security (e.g., improperly managed firewall)
3. Out-of-date system security patches
4. Vendor default settings and passwords (e.g., unsecured wireless)
5. Poorly coded web-facing applications (e.g., no input validation) resulting in SQL injection attacks
6. Poor cryptographic key management used for PIN encryption
7. Weak controls over the production HSM environment
How Banks Can Protect Their On-Us and Not-On-Us Transactions
1. Know what payment applications you use within Host and ATM environments, ensure they are not storing inappropriate data, and never allow software encryption of PINs
2. Determine if payment application vendors or other parties have remote access to your ATMs and host systems, and ensure that secure methods of access are used
3. Be aware of how the Payment Card Industry PIN Security Requirements, PCI Data Security Standard (PCI DSS) and PCI PA-DSS apply to you
PCI DSS and PA-DSS
PCI Data Security Standard (PCI DSS)
- 12 security requirements
- Demonstration of compliance is tiered for merchants and service providers based on volume
- Annual compliance verification cycle
PCI Payment Application Data Security Standard (PCI PA-DSS)
- The PA-DSS applies to all payment application providers
- Based on PCI DSS; for purposes of PA-DSS, a payment application is defined as one that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties
- PA-DSS applies to payment applications that are typically sold and installed off the shelf without material customization by software vendors
Visa PIN Security and Key Management Compliance Program: Acquirer Requirements
Payment Card Industry PIN Entry Device (PED) security (all five card brands):
- PCI Encrypting PIN Pad (EPP) Security Requirements
- PCI POS PIN Entry Device Security Requirements
Visa, MasterCard and JCB:
- EMV (offline PIN and key management)
Visa and MasterCard:
- PCI PIN Security Requirements, V2.0, January 2008
Visa:
- Visa PIN Security Program: Auditor's Guide
- Cryptographic Key Injection Facility: Auditor's Guide
- TDES Member Implementation Guide
- Visa Payment Technology Standards Manual
Visa PIN Security and Key Management Compliance Program
Types of Acquiring Participants:
- VisaNet Endpoints
- Acquirers / ISO Agents with ATMs
- Third Party Agents (Downstream Processors)
- Certificate Authorities
- Encryption and Support Organizations (ESOs)
Validation:
- Visa field review
- Self attestation
- Follow-up actions are monitored by Visa globally
Global TDES and PED Testing Timeline
Milestones shown on the timeline (the original slide placed each against one of the dates listed below):
- Newly deployed ATMs must support TDES
- Newly deployed ATMs must have a Visa-approved EPP
- All US ATMs must be using TDES end-to-end
- All PEDs must be using TDES; all attended POS PEDs must be pre-PCI / PCI approved
- Newly purchased POS PEDs must be Visa-approved (pre-PCI) and support TDES
- All US Visa endpoints must be using TDES
- Newly deployed unattended POS PEDs must have a PCI-approved EPP
- Newly deployed US AFDs must be PCI approved
Timeline dates: 1/1/2003, 1/1/2004, 10/1/2005, 10/1/2007, 12/31/2007, 1/1/2009, 7/1/2010
Review ATM Environment
Validate that:
- PIN blocks are not stored in ATM log files
- Sensitive cardholder data (e.g., PANs) is properly protected in ATMs
- Proper controls for remote access of ATMs are in place
- ATM anti-virus mechanisms are current and actively running
- ATM applications are PCI DSS or PCI PA-DSS compliant
- ATM vendor-supplied defaults have been changed
Verify that core ATM processing applications:
- Do not store sensitive authentication data: full magnetic-stripe data, PANs, and PIN blocks
- Are PCI DSS or PCI PA-DSS compliant
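As an added example (not part of the Visa deck), a small Python scanner for the first two checks above: it flags Luhn-valid PANs, track-2 fragments and fields labelled as PIN blocks in application log lines, and masks each value in its report so the report itself does not become a new store of cardholder data. The log lines and field names are constructed for illustration.

```python
import re

# Constructed sample of ATM/host application log lines (not real data):
# line 2 leaks a PAN and an encrypted PIN block, line 3 leaks track-2 data,
# line 4 carries a 13-digit serial that must not be reported as a PAN.
SAMPLE_LOG = """\
2008-09-03 10:14:02 txn=8812 status=APPROVED amount=200.00
2008-09-03 10:14:05 txn=8813 pan=4111111111111111 pinblock=0F9A3C21B7D4E6A0 status=APPROVED
2008-09-03 10:14:09 txn=8814 track2=;4012888888881881=1012101123400000? status=DECLINED
2008-09-03 10:14:11 txn=8815 serial=1234567890123 status=APPROVED
"""

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # candidate PAN: 13-19 digits
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\??")  # ;PAN=YYMM... track-2 shape
# a field named like a PIN block holding 16 hex digits (one 8-byte block)
PINBLOCK_RE = re.compile(r"(?i)pin[_-]?bl(?:oc)?k\w*\s*[=:]\s*([0-9A-F]{16})")

def luhn_ok(digits: str) -> bool:
    # Luhn check-digit test: weeds out timestamps, serials and counters
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    # keep first six and last four characters (PCI DSS display rule), redact the rest
    return value[:6] + "*" * (len(value) - 10) + value[-4:]

def scan_line(line_no: int, line: str) -> list:
    # returns (line_no, kind, masked_value) tuples; kind is "track2", "pan" or "pinblock"
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(line):  # track-2 first: it embeds the PAN
        seen.add(m.group(1))
        findings.append((line_no, "track2", mask(m.group(1))))
    for m in PAN_RE.finditer(line):
        pan = m.group(0)
        if pan not in seen and luhn_ok(pan):
            seen.add(pan)
            findings.append((line_no, "pan", mask(pan)))
    for m in PINBLOCK_RE.finditer(line):
        findings.append((line_no, "pinblock", mask(m.group(1))))
    return findings

def scan_log(text: str) -> list:
    return [f for n, line in enumerate(text.splitlines(), 1) for f in scan_line(n, line)]
```

Any hit is a finding to raise with the application vendor; the Luhn filter keeps serials and counters out of the report but will not catch a PAN that was itself mistyped into the log.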
Issuer PIN Security and Fraud Management Controls
- Use the PCI PIN Security Requirements as a best practice for issuer key management
- Validate the Card Verification Value (CVV) results for ATM transactions
- Apply risk factors to POS spending, cash-back and quasi-cash to ATM withdrawal limit assignments
- Review and update velocity monitoring parameters for PIN transactions (POS and ATM) and HSM activity from VRU / branches
- Implement enhanced fraud monitoring and queuing strategies
- Incorporate Visa Advanced Authorization risk scores and condition codes in risk decision management systems - advancedauth@visa.com
- Register and use Visa's Compromised Account Management System (CAMS) alerts - cams@visa.com
Issuer Critical Applications and Key Management Controls
- The issuer core processing application should not store sensitive authentication data or expose keys in software: full magnetic-stripe data, CVV, CVV2, PIN blocks
- Properly segment production HSM activities
- Recommend hardware encryption for calculating PIN, CVV, CVV2
- Recommend HSM use for storage of critical keys
- Recommend separate HSM for VRU
- Review how branch PIN pads are managed / secured
- Review how cardholder PIN changes are made
- Manage offset tables securely
- Migrate to new double-length PIN Verification Key (PVK)
  - What is the history of your current PVK? Normal re-issue cycle?
- Use only payment applications that adhere to PA-DSS
Key Learnings
Security breaches can be prevented if participants comply with:
- PCI PIN Security Requirements
- PCI Data Security Standard (PCI DSS)
- PCI Payment Application DSS (PCI PA-DSS)
- PCI Encrypting PIN Pad (EPP) PIN Security Requirements
And adhere to:
- Compliant issuer key management practices for CVV, CVV2 and PVK keys
- Properly configured production HSM with adequate access controls
- Don't store data if you don't need to!
For More Information
www.visa.com/pin
www.visa.com/pinsecurity
- PCI PIN Security Requirements v2, Jan. 2008
- PCI PIN Entry Device Testing and Approval Program Guide
- Visa PIN Security Program: Auditor's Guide
- Frequently Asked Questions
www.visa.com/cisp
Has PCI PIN, PCI DSS and PCI PA-DSS information:
- PIN security related bulletins
- Workshop registration information
- Compromised POS PED Bulletin
- Presentations from PIN Security related Visa webinars
For More Information
Visa Online: www.us.visaonline.com
- PIN Fraud Management Issuer Quick Reference Guide
- Visa Issuer Risk Management Guide - Tools and Best Practices for Controlling Debit and Credit Card Fraud Losses
PCI Security Standards Council: www.pcisecuritystandards.org
- PCI POS PIN-Entry Device Security Requirements
- PCI EPP PIN-Entry Device Security Requirements
- PCI Approved PIN Entry Devices List (on www.pcisecuritystandards.org/pin)
- PCI Data Security Standard (PCI DSS)
- PCI Payment Application DSS (PCI PA-DSS)
Upcoming Visa PIN Security Trainings
- One Day Visa Key Management Workshop: October 9, 2008, Foster City, CA
- Three Day Visa PIN Security Compliance Validation Training: October 28 - 30, 2008, Foster City, CA
To receive information on PIN Security trainings contact: pinusa@visa.com
Questions?