
PIN Security and Key Management Best Practices for Debit Issuers with ATMs

Payment System Risk, September 2008

Visa Public

Agenda

- Financial Institutions Security Environment
- Impact of a Data Security Breach on Banks
- Is Your Bank a Target?
- How PCI Security Requirements Apply
- PIN Security and Key Management Controls
  - Acquirer
  - Issuer
- Key Learnings

Security Environment

Hackers are attacking:
- Small financial institutions
  - Credit unions are increasingly targeted
- Banks that drive ATMs directly
- Banks that support debit card processing
  - PIN validations
  - PIN changes / updates
  - PIN offset tables
  - Use of stale single-DES PIN Verification Keys (PVKs)

Hackers are looking for:
- Applications that store sensitive cardholder data
- Personal information to perpetrate identity theft
- PINs, track data, payment account numbers

Security: A Customer POV

1. Cardholder awareness of security issues is at record high levels
2. Concerns permeate all facets of their financial life and could impact their usage at ATMs
3. Maintaining consumer confidence in electronic payments is mutually beneficial

Impact of a Data Security Breach on Banks

- Damaged reputation of your bank and brand
- Potential loss of client goodwill
- Financial liability for fraud
- Potential legal liability
- Fines and penalties
- Increased regulatory compliance requirements

How Banks Can Protect PIN and Cardholder Data

Don't Store It If You Don't Need It!

1. Know exactly what you NEED to store and store ONLY that. Most banks don't need to store PIN and payment card data.
2. Know what your host and ATM applications are storing, if anything.
3. Know what your vendors are storing.
4. NEVER store PIN data, not even in encrypted form.
5. NEVER store clear-text keys.

PIN Flow: Bank with HSM

Participants in the figure: ATMs, Bank with HSM, Debit Processor, Network, Issuer, and the Encryption and Support Organization (ESO).

- The bank drives its own ATMs and performs PIN validation on its own debit card portfolio; not-on-us traffic is translated to the AWK (acquirer working key). The bank also validates and updates PINs at the branch and via the VRU.
- The processor performs PIN translation: it decrypts the PIN using the bank AWK and encrypts it with the network AWK.
- The network performs PIN translation: it decrypts the PIN using the processor AWK and encrypts it with the Issuer Working Key (IWK).
- The issuer decrypts the PIN using the IWK and then validates the PIN.
- The ESO loads keys into the ATMs: it holds the ATM KEKs (key encryption keys) to perform key loading services.

Is Your Bank a Target?

ASK YOURSELF:

1. Are you driving your own ATMs directly using:
   a) a Hardware Security Module (HSM) performing PIN translations?
   b) a third-party processor?
2. Do you have multiple systems connected, with any of them having Internet access?
3. Does the bank have web-facing applications?
4. Do your ATMs have remote access?
5. How old is your single-DES PIN Verification Key (PVK)?
6. How do you change cardholder PINs?
7. How is your HSM configured?

Top 7 PCI DSS and PCI PIN Violations

Based on compromises of PIN and cardholder data, Visa has found the following common issues:

1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data; insecure remote access)
2. Inadequate perimeter security (e.g., improperly managed firewall)
3. Out-of-date system security patches
4. Vendor default settings and passwords (e.g., unsecured wireless)
5. Poorly coded web-facing applications (e.g., no input validation) resulting in SQL injection attacks
6. Poor cryptographic key management for PIN encryption
7. Weak controls over the production HSM environment

How Banks Can Protect Their On-Us and Not-On-Us Transactions

1. Know what payment applications you use within the host and ATM environments, ensure they are not storing inappropriate data, and never allow software encryption of PINs
2. Determine whether payment application vendors or other parties have remote access to your ATMs and host systems, and ensure that secure methods of access are used
3. Be aware of how the Payment Card Industry PIN Security Requirements, the PCI Data Security Standard (PCI DSS) and PCI PA-DSS apply to you

PCI DSS and PA-DSS

PCI Data Security Standard (PCI DSS)
- 12 security requirements
- Demonstration of compliance is tiered for merchants and service providers based on volume
- Annual compliance verification cycle

PCI Payment Application Data Security Standard (PCI PA-DSS)
- The PA-DSS applies to all payment application providers
- Based on PCI DSS; for purposes of PA-DSS, a payment application is defined as one that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties
- PA-DSS does apply to payment applications that are typically sold and installed off the shelf without material customization by software vendors

Visa PIN Security and Key Management Compliance Program: Acquirer Requirements

Payment Card Industry PIN Entry Device (PED) security (all five card brands)
- PCI Encrypting PIN Pad (EPP) Security Requirements
- PCI POS PIN Entry Device Security Requirements

Visa, MasterCard and JCB
- EMV (offline PIN and key management)

Visa and MasterCard
- PCI PIN Security Requirements, V2.0, January 2008

Visa
- Visa PIN Security Program: Auditor's Guide
- Cryptographic Key Injection Facility: Auditor's Guide
- TDES Member Implementation Guide
- Visa Payment Technology Standards Manual

Visa PIN Security and Key Management Compliance Program

Types of Acquiring Participants:
- VisaNet Endpoints
- Acquirers / ISO Agents with ATMs
- Third Party Agents (Downstream Processors)
- Certificate Authorities
- Encryption and Support Organizations (ESOs)

Validation
- Visa field review
- Self attestation

Follow-up actions are monitored by Visa globally

Global TDES and PED Testing Timeline

Milestone dates on the timeline: 1/1/2003, 1/1/2004, 10/1/2005, 10/1/2007, 12/31/2007, 1/1/2009 and 7/1/2010.

Milestones (the timeline figure pairs each with one of the dates above; the pairing is not recoverable from the extracted text):
- Newly deployed ATMs must support TDES
- Newly deployed ATMs must have a Visa-approved EPP
- Newly deployed unattended POS PEDs must have a PCI-approved EPP
- Newly purchased POS PEDs must be Visa-approved (pre-PCI) and support TDES
- Newly deployed US AFDs must be PCI approved
- All US ATMs must be using TDES end-to-end
- All US Visa endpoints must be using TDES
- All PEDs must be using TDES
- All attended POS PEDs must be pre-PCI / PCI approved

Acquirer PIN Security and Key Management Controls

- ATMs, point-of-sale PEDs, EPPs and Hardware Security Modules (HSMs) must be securely loaded with encryption keys when first initialized
- All keys used for the protection of PINs must be securely managed during all key life cycle stages (creation through destruction)
- Do not use unregistered Encryption and Support Organizations (ESOs) for the generation, storage, distribution and loading of keys
  - ESOs are required to be registered by the acquirer as agents with Visa before use of their services: agentregistration@visa.com
- Encryption keys must be used only for the purpose for which they were intended
  - A key encryption key must not be used as a PIN encryption key
  - Must have separate key hierarchies for test and production systems
  - This limits the magnitude of exposure should any key be compromised
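The PIN flow slide above describes PIN translation hop by hop (ATM, bank HSM, processor, network, issuer), and the acquirer controls just listed require that a key is used only for its intended purpose and that PIN keys are TDES. The Go program below is an added example written for this page; it is not Visa's code, nor any processor's or HSM vendor's firmware. It assumes ISO 9564-1 format 0 PIN blocks, double-length TDES keys used as K1 K2 K1, and constructed non-production key values; the ATM terminal PIN key (TPK), the `Zones` type, the `KEK` flag and the function names are the example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key is a double-length TDES key tagged with its role, so a key encrypting key
// (KEK) is never accepted where a PIN encryption key (TPK, AWK, IWK) is needed.
type Key struct {
	KEK   bool   // true: wraps other keys only, never PIN blocks
	Bytes []byte // 16 bytes (K1 K2); single-length DES keys are rejected
}

// tdes runs one 8-byte block through TDES keyed K1 K2 K1, refusing a KEK or a
// stale single-length DES key instead of silently using it.
func tdes(k Key, in []byte, decrypt bool) ([]byte, error) {
	if k.KEK || len(k.Bytes) != 16 {
		return nil, fmt.Errorf("key rejected: KEK=%v, length %d (double-length PEK required)", k.KEK, len(k.Bytes))
	}
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, k.Bytes...), k.Bytes[:8]...)) // 24-byte key: cannot fail
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// panField is the ISO 9564-1 format 0 PAN field: 0000 plus the 12 PAN digits
// immediately left of the Luhn check digit (caller ensures len(pan) >= 13).
func panField(pan string) []byte {
	pa, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	return pa
}

// pinBlock0 builds a format 0 PIN block: nibble 0, PIN length, PIN digits, F
// padding to 16 nibbles, XORed with the PAN field so one PIN on two cards differs.
func pinBlock0(pin, pan string) []byte {
	pf, _ := hex.DecodeString((fmt.Sprintf("0%X%s", len(pin), pin) + "FFFFFFFFFFFF")[:16])
	for i, b := range panField(pan) {
		pf[i] ^= b
	}
	return pf
}

// pinFromBlock0 reverses pinBlock0 and checks the format and length nibbles.
func pinFromBlock0(block []byte, pan string) (string, error) {
	pf := make([]byte, 8)
	for i, b := range panField(pan) {
		pf[i] = block[i] ^ b
	}
	n := int(pf[0] & 0x0F)
	if pf[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return hex.EncodeToString(pf)[2 : 2+n], nil
}

// HSMTranslate is the per-hop HSM step for not-on-us traffic: decrypt under the
// inbound zone key, re-encrypt under the outbound one. The clear block exists
// only inside this function, i.e. inside the HSM boundary.
func HSMTranslate(enc []byte, from, to Key) ([]byte, error) {
	clear, err := tdes(from, enc, true)
	if err != nil {
		return nil, err
	}
	return tdes(to, clear, false)
}

// Zones holds the keys of the deck's figure: ATM terminal PIN key (TPK), the
// bank's AWK, the processor's AWK and the issuer working key (IWK).
type Zones struct{ TPK, BankAWK, ProcessorAWK, IWK Key }

// Run carries a 4-12 digit PIN from the EPP to the issuer and returns the PIN
// the issuer recovers after its final decrypt under the IWK.
func (z Zones) Run(pin, pan string) (string, error) {
	enc, err := tdes(z.TPK, pinBlock0(pin, pan), false) // encrypted inside the EPP
	if err != nil {
		return "", err
	}
	// bank HSM (TPK -> AWK), processor HSM (AWK -> network AWK), network HSM (-> IWK)
	for _, h := range [][2]Key{{z.TPK, z.BankAWK}, {z.BankAWK, z.ProcessorAWK}, {z.ProcessorAWK, z.IWK}} {
		if enc, err = HSMTranslate(enc, h[0], h[1]); err != nil {
			return "", err
		}
	}
	clear, err := tdes(z.IWK, enc, true) // issuer HSM: final decrypt before PIN validation
	if err != nil {
		return "", err
	}
	return pinFromBlock0(clear, pan)
}

// DemoZones returns constructed, non-production keys for the example.
func DemoZones() Zones {
	k := func(h string) Key { b, _ := hex.DecodeString(h); return Key{Bytes: b} }
	return Zones{
		TPK:          k("0123456789ABCDEFFEDCBA9876543210"),
		BankAWK:      k("1A2B3C4D5E6F70818293A4B5C6D7E8F9"),
		ProcessorAWK: k("2F4E6D8CA1B3C5D7E9FB0D2F41638597"),
		IWK:          k("31415926535897932384626433832795"),
	}
}
```

`DemoZones().Run("1234", "4000001234567899")` returns `"1234"`: the block leaves the EPP encrypted and is only ever decrypted inside `HSMTranslate`, under a different zone key at each hop. Marking a key with `KEK: true`, or shortening one to 8 bytes, makes that hop fail rather than continue with a key used outside its purpose or with single DES, which is the behaviour the acquirer controls ask for.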

Review ATM Environment

Validate that:
- PIN blocks are not stored in ATM log files
- Sensitive cardholder data (e.g., PANs) is properly protected in ATMs
- Proper controls for remote access to ATMs are in place
- ATM anti-virus mechanisms are current and actively running
- ATM applications are PCI DSS or PCI PA-DSS compliant
- ATM vendor-supplied defaults have been changed

Verify that core ATM processing applications do not store sensitive authentication data:
- Full magnetic-stripe data, PANs, and PIN blocks
- Applications are PCI DSS or PCI PA-DSS compliant
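The first two validation items above (no PIN blocks in ATM log files, PANs protected) can be checked mechanically during a log review. The Go scanner below is an added example, not Visa's or any ATM vendor's tool. The log excerpt is constructed, and the heuristics are the example's own assumptions: a Luhn-valid run of 13 to 19 digits is reported as a PAN, and a 16-hex-digit token containing at least one letter is reported as a PIN block or key material candidate; real log formats will need the patterns tuned.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one suspicious field found in an ATM or host log line.
type Finding struct {
	Line  int
	Kind  string // "PAN" or "PIN block"
	Value string // the offending token, masked for reporting
}

var (
	digitRun = regexp.MustCompile(`\b\d{13,19}\b`)        // PAN-length digit runs
	hexRun   = regexp.MustCompile(`\b[0-9A-Fa-f]{16}\b`) // 8-byte hex fields
)

// luhnValid reports whether a digit string passes the Luhn check, which
// separates PANs from timestamps, sequence numbers and similar digit runs.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps the first six and last four characters (the usual PAN masking rule)
// so the report itself does not become another place the value is stored.
func mask(s string) string {
	if len(s) <= 10 {
		return strings.Repeat("*", len(s))
	}
	return s[:6] + strings.Repeat("*", len(s)-10) + s[len(s)-4:]
}

// ScanLog flags Luhn-valid 13-19 digit runs (PANs) and 16-hex-digit tokens that
// contain a hex letter (PIN block / key material candidates), line by line.
func ScanLog(log string) []Finding {
	var out []Finding
	for i, line := range strings.Split(log, "\n") {
		for _, m := range digitRun.FindAllString(line, -1) {
			if luhnValid(m) {
				out = append(out, Finding{Line: i + 1, Kind: "PAN", Value: mask(m)})
			}
		}
		for _, m := range hexRun.FindAllString(line, -1) {
			if strings.ContainsAny(m, "abcdefABCDEF") {
				out = append(out, Finding{Line: i + 1, Kind: "PIN block", Value: mask(m)})
			}
		}
	}
	return out
}

// SampleLog is a constructed ATM log excerpt (not from any real system): a
// transaction header, a track 2 line leaking the PAN, and a PIN block line.
const SampleLog = `2008-09-12 10:01:03 TXN seq=000000123456 term=ATM0042 amt=00020000
2008-09-12 10:01:03 TRACK2 4000001234567899=09121011000012345678
2008-09-12 10:01:04 PINBLK 041234FEDCBA9876 -> forwarded
2008-09-12 10:01:05 RESP code=00 stan=123456 rrn=0912345678901`
```

`ScanLog(SampleLog)` returns two findings, line 2 (PAN, masked as `400000******7899`) and line 3 (PIN block, masked as `041234******9876`); the sequence number, amount, STAN and RRN on the other lines are not reported because they either fall outside the PAN length range or fail the Luhn check.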

Issuer PIN Security and Fraud Management Controls

- Use the PCI PIN Security Requirements as a best practice for issuer key management
- Validate the Card Verification Value (CVV) results for ATM transactions
- Apply risk factors for POS spending, cash-back and quasi-cash to ATM withdrawal limit assignments
- Review and update velocity monitoring parameters for PIN transactions (POS and ATM) and HSM activity from VRU / branches
- Implement enhanced fraud monitoring and queuing strategies
- Incorporate Visa Advanced Authorization risk scores and condition codes in risk decision management systems: advancedauth@visa.com
- Register for and use Visa's Compromised Account Management System (CAMS) alerts: cams@visa.com

Issuer Critical Applications and Key Management Controls

The issuer core processing application should not store sensitive authentication data or expose keys in software:
- Full magnetic-stripe data, CVV, CVV2, PIN blocks

Properly segment production HSM activities
- Recommend hardware encryption for calculating PIN, CVV, CVV2
- Recommend HSM use for storage of critical keys
- Recommend a separate HSM for the VRU
- Review how branch PIN pads are managed / secured
- Review how cardholder PIN changes are made
- Manage offset tables securely

Migrate to a new double-length PIN Verification Key (PVK)
- What is the history of your current PVK? Normal re-issue cycle?

Use only payment applications that adhere to PA-DSS
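The issuer controls above call for calculating PIN verification values in hardware, migrating to a double-length PVK and knowing the history of the PVK in use. The Go program below is an added example, not Visa's or any HSM vendor's implementation. It follows the Visa PVV method (TSP = the 11 PAN digits left of the check digit, the PVKI, the 4-digit PIN; TDES under the PVK; decimalization to four digits) and uses constructed key material; the `KeyTable`, the `Retired` flag and the function names are the example's own, and the key table is shown mid-migration to illustrate how the PVKI lets old and new keys coexist during a reissue cycle.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
)

// PVK is one PIN Verification Key in the issuer's key table, addressed by the
// one-digit PVKI that is encoded on the card next to the PVV.
type PVK struct {
	Index   byte   // PVKI, '0'..'9'
	Bytes   []byte // 16 bytes: double-length TDES; a single-length key is refused
	Retired bool   // set once every card issued under this key has been reissued
}

// KeyTable maps PVKI to key. Migrating off a stale single-DES PVK means adding
// the new double-length key under a fresh PVKI, issuing cards against it, and
// retiring the old index when the reissue cycle completes.
type KeyTable map[byte]PVK

// tdesEncrypt encrypts one 8-byte block under a double-length key (K1 K2 K1).
func tdesEncrypt(key16, in []byte) ([]byte, error) {
	if len(key16) != 16 {
		return nil, fmt.Errorf("PVK length %d: single-length DES key refused, double-length required", len(key16))
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out, nil
}

// decimalize applies the PVV rule: collect decimal digits from the ciphertext
// left to right; if fewer than n are found, rescan mapping A..F to 0..5.
func decimalize(hexUpper string, n int) string {
	var out []byte
	for _, c := range hexUpper {
		if c >= '0' && c <= '9' && len(out) < n {
			out = append(out, byte(c))
		}
	}
	for _, c := range hexUpper {
		if c >= 'A' && c <= 'F' && len(out) < n {
			out = append(out, byte('0'+c-'A'))
		}
	}
	return string(out)
}

// ComputePVV forms the transformed security parameter (TSP): the 11 PAN digits
// left of the check digit, the PVKI and the 4-digit PIN (16 hex digits),
// encrypts it under the PVK and decimalizes the result to a 4-digit PVV.
func ComputePVV(key PVK, pan, pin string) (string, error) {
	if len(pin) != 4 || len(pan) < 12 {
		return "", errors.New("PVV needs a 4-digit PIN and a PAN of at least 12 digits")
	}
	tsp, err := hex.DecodeString(pan[len(pan)-12:len(pan)-1] + string(key.Index) + pin)
	if err != nil {
		return "", err
	}
	ct, err := tdesEncrypt(key.Bytes, tsp)
	if err != nil {
		return "", err
	}
	return decimalize(fmt.Sprintf("%X", ct), 4), nil
}

// VerifyPIN is the issuer-side check done inside the HSM: select the PVK by the
// PVKI carried on the card, recompute the PVV and compare it with the card's PVV.
// The reference PIN itself is never stored, only the PVV.
func VerifyPIN(tbl KeyTable, pan string, pvki byte, pin, cardPVV string) (bool, error) {
	key, ok := tbl[pvki]
	if !ok || key.Retired {
		return false, fmt.Errorf("PVKI %c unknown or retired: card must be reissued", pvki)
	}
	pvv, err := ComputePVV(key, pan, pin)
	if err != nil {
		return false, err
	}
	return pvv == cardPVV, nil
}

// DemoTable is a constructed issuer key table mid-migration: PVKI 1 is the old
// generation, already retired; PVKI 2 is the current double-length key.
func DemoTable() KeyTable {
	h := func(s string) []byte { b, _ := hex.DecodeString(s); return b }
	return KeyTable{
		'1': {Index: '1', Bytes: h("00112233445566778899AABBCCDDEEFF"), Retired: true},
		'2': {Index: '2', Bytes: h("13579BDF02468ACE2468ACE013579BDF")},
	}
}
```

Card personalization calls `ComputePVV` once and stores the result on the card; authorization calls `VerifyPIN` with the PVKI and PVV read from the card. A card still carrying a retired PVKI is rejected with a reissue message instead of being verified against a key that should no longer exist, and an 8-byte PVK is refused outright, which is the practical meaning of the "how old is your single-DES PVK" question on the earlier slide.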

Key Learnings

Security breaches can be prevented if participants comply with:
- PCI PIN Security Requirements
- PCI Data Security Standard (PCI DSS)
- PCI Payment Application DSS (PCI PA-DSS)
- PCI Encrypting PIN Pad (EPP) PIN Security Requirements

And adhere to:
- Compliant issuer key management practices for CVV, CVV2 and PVK keys
- Properly configured production HSM with adequate access controls
- Don't store data if you don't need to!

For More Information

www.visa.com/pin
www.visa.com/pinsecurity
- PCI PIN Security Requirements v2, Jan. 2008
- PCI PIN Entry Device Testing and Approval Program Guide
- Visa PIN Security Program: Auditor's Guide
- Frequently Asked Questions

www.visa.com/cisp
Has PCI PIN, PCI DSS and PCI PA-DSS information:
- PIN security related bulletins
- Workshop registration information
- Compromised POS PED Bulletin
- Presentations from PIN Security related Visa webinars

For More Information

Visa Online: www.us.visaonline.com
- PIN Fraud Management Issuer Quick Reference Guide
- Visa Issuer Risk Management Guide - Tools and Best Practices for Controlling Debit and Credit Card Fraud Losses

PCI Security Standards Council: www.pcisecuritystandards.org
- PCI POS PIN-Entry Device Security Requirements
- PCI EPP PIN-Entry Device Security Requirements
- PCI Approved PIN Entry Devices List (on www.pcisecuritystandards.org/pin)
- PCI Data Security Standard (PCI DSS)
- PCI Payment Application DSS (PCI PA-DSS)

Upcoming Visa PIN Security Trainings

One Day Visa Key Management Workshop
- October 9, 2008, Foster City, CA

Three Day Visa PIN Security Compliance Validation Training
- October 28 - 30, 2008, Foster City, CA

To receive information on PIN Security trainings contact: pinusa@visa.com

Questions?
