Security proposal on mobile payment
Yan Liu, [email protected], atsec China
CISSP, CC Evaluator, ISO/IEC 27001 LA, CNAS Auditor, PCI QSA, PA DSS QSA, ASV
atsec public
Sep 2012, 13ICCC, Paris
Content
What is mobile payment and why security is important
Introduction on the payment card industry
• Payment industry terminology and roles
• Information sharing about mobile payment security
atsec proposal on mobile payment
• Physical and network environment security
• Payment application security
• Organizational security
Conclusion
atsec public ©�atsec information�security,�2012 2
Experience on Mobile Payment
The convenience and speed of mobile payment
The Definition – From Wikipedia
Mobile payment, also referred to as mobile money, mobile banking, mobile money transfer, and mobile wallet, generally refers to payment services operated under financial regulation and performed from or via a mobile device.
Financial institutions and credit card companies, as well as Internet companies such as Google and a number of mobile communication companies, such as mobile network operators and major telecommunications infrastructure and handset multinationals such as Ericsson, have implemented mobile payment solutions.
Mobile payment is an alternative payment method. Instead of paying with cash, check, or credit cards, a consumer can use a mobile phone to pay for a wide range of services and digital or hard goods.
There are four primary models for mobile payments: Premium SMS based transactional payments, Direct Mobile Billing, Mobile web payments (WAP), Contactless NFC (Near Field Communication).
Why Mobile Payment? -- Common arguments from literature
Agility, Cost, Security, Location independence, Sustainability, Reliability, Scalability
Wait – Security???
Why Securing Mobile Payments
• Current mobile devices have limited security safeguards for payment acceptance. More and more vulnerabilities have been found on mobile device platforms like the Android system.
• Responsibilities for security in the mobile infrastructure span multiple participants.
• Protecting payment card data is required and protects all entities in the payment ecosystem.
• Secure mobile acceptance supports customer confidence.
Payment Card Industry and Its Related Roles
PCI (Payment Card Industry) roles:
– Cardholders
– Issuers
– Merchants
– Acquirers
– Payment or Card Brands
– Service Providers
Payment processing: Authorization, Clearing, Settlement
Key PCI Standards
Information source from PCI SSC
Mobile payment – from PCI SSC
Since June 2011, PCI SSC has announced related guidance on "Mobile Payment Acceptance Applications and PA-DSS".
Three defined categories of mobile payment applications (see also next page).
The Mobile Task Force is a forum for PCI SSC collaboration and consultation with industry groups, including the OWASP Mobile Project, GlobalPlatform, GSMA, BITS, NIST and ANSI/ISO.
March 2012, workshop "The Future of Money: How Mobile Payments Could Change Financial Services".
May 2012, "Accepting Mobile Payments with a Smartphone or Tablet" was announced. P2PE solutions may help to protect the communication.
Mobile Payment Applications
Category 1: PTS Approved PED Devices
Category 2: Purpose Built POS Devices
Category 3: General Purpose Smart Devices
Applications for category 1 and 2 devices are eligible for PA-DSS.
Applications for category 3 devices: pending development of further guidance and/or standards.
Brief Introduction on Our Proposal on Mobile Payment
New / key Technologies on Mobile Payment
Wireless, Encryption, Tokenization, EMV, Virtualization, Mobile
Some figures on this page are sourced from PCI SSC
IT Base Infrastructure
[Figure: layered infrastructure model] Layers, bottom to top: Physical Infrastructure; Network and Protocols (Firewalls, Terminal Server, Secure Administration); Unix Base Applications (Sun Solaris, SuSE Linux, Apache, Netscape, Oracle Database, MySQL Database); Windows Base Applications (Microsoft Windows NT, IIS, SQL Server); Web and Client Application Security. Cross-cutting columns: Security, System Management, Backup and Recovery, Secure Connectivity, Middleware.
Idea source from atsec Germany
Physical and Network Environment Security
PCI DSS as a best practice.
Sensitive data should be encrypted using industry-standard methods when stored on disk or transmitted over public networks.
Cryptographic protocols (such as SSL v3.0) for data transmission; the website and interface are accessible via certificates issued by authorized parties.
Strong cryptographic algorithms and well-designed and implemented key management (FIPS 140-2 could be considered during the implementation).
Install security updates and patches on all system components.
Security hardening: settings of applications and devices are tuned to ensure appropriate levels of protection.
Networks are strictly segregated and strong access controls are in place, e.g. restrictive firewalls protect all connections between networks.
Audit management and security monitoring.
Authentication: password complexity, two-factor authentication for remote access, etc.
Physical security.
Prioritized Approach
MS1: Remove sensitive authentication data and limit data retention
MS2: Protect the perimeter, internal, and wireless networks
MS3: Secure payment card applications
MS4: Monitor and control access to your systems
MS5: Protect stored cardholder data
MS6: Finalize remaining compliance efforts, and ensure all controls are in place
[Charts: "Estimated date of completion by milestone - Sample" and "Percent Complete by Milestone – Sample", MS 1 to MS 6]
Some text is sourced from PCI SSC
Payment Application Security
PCI Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) could be considered as best practice.
Prohibit the storage of card numbers, magnetic stripe data and security codes on payment applications and mobile devices.
Application development is subject to strict quality testing and security review (CC assurance requirement ALC could be considered).
Industry-standard secure coding guidelines, especially for web applications (OWASP could be considered).
Implementation guide on how to install and configure the application in a secure manner.
It is suggested to develop a Protection Profile with respect to the mobile payment application, which is accepted by the industry.
Organizational Security - Example
LEVEL 1 (Policy)
– Management system policy
– Network infrastructure security management policy
– Physical environment management policy
– Encryption policy
– Software design and development policy
– Security testing policy
– Change control policy
– Log security policy
– Data protection policy
– Access control policy
– Network security management policy
– Anti-virus policy
– Account and password policy
– Vulnerability management policy
– Log management policy
– Roles and responsibility
– Third-parties management policy
– Asset management policy
– Information exchange and media management policy
Level 2 (Procedures)
– Payment business description
– Human resource procedure
– Document and record control
– Security coding guideline
– Information security training
– Risks assessment
– Incident response
– System configuration management procedure
– Media management procedure
– Asset management procedure
– Account security management
– Log security management
– Third-parties management procedure
– Vulnerability management
– Physical environment management
– Management review
– Software development
– Firewall configuration
– Anti-virus procedure
– Vulnerability ranking
– Software security requirement
atsec methodology: Integrated and unified Management System
Mobile payment sits at the centre, surrounded by:
– ISO/IEC 27001 (ISMS): establish a common management system (Configuration Management), perform assets/business oriented risk assessment
– FIPS 140-2 (Cryptographic security): the use of cryptographic algorithms, key management
– Common Criteria (Secure development): introducing the CC standard secure development idea, risk assessment process and also the idea of PP
– ISO 9001 (Quality management): improve quality management
– PCI & PA DSS (Payment application data security): PCI DSS and PA DSS to protect cardholder and sensitive data
– Supply chain security
Sensitive Data Discovery
Penetration testing methodology and forensic tools
• Commercial or open source tools
Sensitive data could be stored in different locations. Typical locations include:
• Database, flat files, log files, debug files
• Paper receipts
Typical systems that store track data: POS systems, POS servers, Authorization servers.
If an environment does not have card swipe readers or receive data from face-to-face merchants with a card swipe reader, it is unlikely (but not impossible) that they will have the track data.
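As an added example (not part of the original slides or atsec's tooling), the core check a discovery tool runs over log and debug files: find magnetic-stripe track 1/2 data and Luhn-valid card numbers, and report them masked so the finding itself does not become stored cardholder data. The regexes, the sample log lines and the test card numbers are constructed assumptions; the scan also handles space- or dash-grouped PANs, which the slide does not mention.

```python
import re
# Track 1: %B<PAN>^<name>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}\d*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\?")
# Candidate bare PAN: 13-19 digits, optionally grouped by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (industry test card numbers, not real data).
# Lines 1 and 4 are decoys: long digit runs that fail the Luhn check.
SAMPLE_LOG = [
    "2012-09-13 10:02:11 INFO order=1234567890123 status=approved",
    "2012-09-13 10:02:12 DEBUG raw=;4111111111111111=15121011234567890?",
    "2012-09-13 10:02:13 DEBUG pan=5555 5555 5555 4444 amount=12.50",
    "2012-09-13 10:02:14 INFO ref=4111111111111112 msg=not-a-card",
    "2012-09-13 10:02:15 DEBUG swipe=%B4111111111111111^DOE/JOHN^1512101?",
]

def luhn_valid(digits: str) -> bool:
    """Mod-10 check that separates real PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only first six and last four digits; findings never carry full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_lines(lines):
    """Return (line_no, kind, masked_pan) for each track-data or PAN hit."""
    findings = []
    for no, line in enumerate(lines, 1):
        rest = line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_valid(m.group(1)):
                    findings.append((no, kind, mask_pan(m.group(1))))
            rest = rx.sub(" ", rest)  # do not report the track PAN twice
        for m in PAN_RE.finditer(rest):
            pan = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(pan) <= 19 and luhn_valid(pan):
                findings.append((no, "pan", mask_pan(pan)))
    return findings

if __name__ == "__main__":
    for line_no, kind, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {masked}")
```

A hit on track data in an environment with no swipe readers, as the slide notes, is the unexpected case worth investigating first.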
Affected areas
[Figure: IT Infrastructure overview] Central Server, Local Server, Intranet / Remote Connection, Internet, Network, Applications, Firewalls, WebApp, Mail, Security, SMS
Affected areas: IT Infrastructure, IT Process, Organization, Documentation
Source from atsec Germany
atsec's Place in Mobile Payment
Our knowledge
Technical expertise: Virtualization; Encryption / key management; Security monitoring
Other expertise: Security architecture; Large scale risk analysis; Penetration testing; In-depth security analysis
Independent third party audit; External security scanning; Security assessment
Conclusion
The affected business areas for the security solutions on mobile payment cover IT infrastructure, IT process, organization and also documentation.
A standards-combined approach is used for the overall security proposal, including standards like CC (introduced security development and risk management methodology), FIPS 140 (cryptographic module and key management), PCI DSS (payment industry best practice), ISO/IEC 27001 (information security management system), etc.
Various technical expertise and services are required, including virtualization, encryption/key management, security monitoring, security architecture, large scale risk assessment, penetration testing, and in-depth security analysis.
Conclusion – cont.
Independent security audit, testing and evaluation are important; nevertheless, different validation requirements could be considered for different security levels.
A protection profile on mobile payment application could be drafted based on this paper, and proposed further by the CC and payment industry.