Visa Public
Agenda
- Financial Institutions Security Environment
- Impact of a Data Security Breach on Banks
- Is Your Bank a Target?
- How PCI Security Requirements Apply (Acquirer / Issuer)
- PIN Security and Key Management Controls
- Key Learnings
- Banks that drive ATMs directly
- Banks that support debit card processing
- PIN validations
- PIN changes / updates
- PIN offset tables
- Use of stale single-DES PIN Verification Keys (PVKs)
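The PIN offset tables and single-DES PVKs listed above belong to the IBM 3624 offset method, the scheme most ATM issuer hosts use for PIN validation (the slides name the table, not the algorithm). The following Go program is an added example, not code from the slides or from Visa: it derives the natural PIN from the PAN under a single-DES PVK, computes the offset the host stores, and verifies an entered PIN the way the host does. The PVK value, PAN, PIN, decimalization table and validation-data convention are constructed or assumed for the example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// IBM 3624 PIN offset method, the scheme behind a host's PIN offset table:
//   natural PIN = decimalize(DES_PVK(validation data))[:pinLen]
//   offset      = (customer PIN - natural PIN) mod 10, digit by digit
// Only the offset is stored; a PIN change rewrites the offset, never the PVK.

// DecimalizationTable maps the 16 hex digits of the DES output to decimal digits.
// "0123456789012345" is a common default, assumed here; the slides name none.
const DecimalizationTable = "0123456789012345"

// SamplePVK is a constructed single-DES key (8 bytes, 56 effective bits) standing
// in for the legacy PVK the slides ask about. It is not a real key.
var SamplePVK = []byte{0x1A, 0x2B, 0x3C, 0x4D, 0x5E, 0x6F, 0x70, 0x81}

// ValidationData is the 11 rightmost PAN digits excluding the check digit,
// left-justified and F-padded to 16 hex digits (assumed convention; issuers configure this).
func ValidationData(pan string) (string, error) {
	if len(pan) < 12 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be at least 12 digits")
	}
	v := pan[len(pan)-12 : len(pan)-1]
	return v + strings.Repeat("F", 16-len(v)), nil
}

// NaturalPIN encrypts the validation data under the single-DES PVK and
// decimalizes the result; the first pinLen digits are the natural PIN.
func NaturalPIN(pvk []byte, pan string, pinLen int) (string, error) {
	if len(pvk) != 8 || pinLen < 4 || pinLen > 12 {
		return "", errors.New("PVK must be 8 bytes and PIN length 4-12")
	}
	vd, err := ValidationData(pan)
	if err != nil {
		return "", err
	}
	in, _ := hex.DecodeString(vd) // vd is always 16 valid hex digits
	c, err := des.NewCipher(pvk)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, in) // one ECB block: 16 hex digits of output
	h := strings.ToUpper(hex.EncodeToString(out))
	nat := make([]byte, pinLen)
	for i := range nat {
		nat[i] = DecimalizationTable[strings.IndexByte("0123456789ABCDEF", h[i])]
	}
	return string(nat), nil
}

// Offset returns the value stored in the PIN offset table for this card.
func Offset(pvk []byte, pan, customerPIN string) (string, error) {
	if strings.Trim(customerPIN, "0123456789") != "" {
		return "", errors.New("PIN must be digits")
	}
	nat, err := NaturalPIN(pvk, pan, len(customerPIN))
	if err != nil {
		return "", err
	}
	off := make([]byte, len(customerPIN))
	for i := range off {
		off[i] = byte('0' + (int(customerPIN[i])-int(nat[i])+10)%10)
	}
	return string(off), nil
}

// VerifyPIN is the host-side check: rebuild the expected PIN from the natural PIN
// and the stored offset, then compare it with what the cardholder entered.
func VerifyPIN(pvk []byte, pan, offset, enteredPIN string) (bool, error) {
	if len(enteredPIN) != len(offset) {
		return false, nil
	}
	nat, err := NaturalPIN(pvk, pan, len(offset))
	if err != nil {
		return false, err
	}
	match := true
	for i := range offset {
		if byte('0'+(int(nat[i])+int(offset[i])-2*'0')%10) != enteredPIN[i] {
			match = false
		}
	}
	return match, nil
}

func main() {
	pan, pin := "4111111111111111", "1234" // constructed sample card and PIN
	off, _ := Offset(SamplePVK, pan, pin)
	ok, _ := VerifyPIN(SamplePVK, pan, off, pin)
	bad, _ := VerifyPIN(SamplePVK, pan, off, "1235")
	fmt.Printf("offset=%s verify(correct)=%v verify(wrong)=%v\n", off, ok, bad)
}
```

A PIN change only rewrites the offset; the PVK stays in service, which is why the slides ask how old it is. VerifyPIN shows the consequence: the single 56-bit key plus the offset table is all that stands between the table and every cardholder PIN it covers, for as long as that key remains in use.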
1. Cardholder awareness of security issues is at record high levels
2. Concerns permeate all facets of their financial life and could impact their usage at ATMs
3. Maintaining consumer confidence in electronic payments is mutually beneficial
PIN translation along the transaction path (Bank -> Debit Processor -> Network -> Issuer):
- Debit Processor: performs PIN translation; decrypts the PIN block under the Bank AWK (Acquirer Working Key) and re-encrypts it under the Network AWK
- Network: performs PIN translation; decrypts the PIN block under the processor AWK and re-encrypts it under the Issuer Working Key
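The two translation hops described above, as an added Go example that is not code from the slides or from Visa: an ISO 9564 format 0 PIN block is encrypted under the bank's AWK, translated at the debit processor to the network AWK, translated again at the network to the issuer working key, and decrypted at the issuer. The key values, PAN and PIN are constructed for the example, the keys are assumed to be double-length (2-key) TDES, and the function boundary stands in for the HSM: TranslatePIN never returns the clear block to its caller, and it refuses to re-encrypt a block that does not decode as a valid PIN block for the PAN.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed example zone keys (double-length TDES, 32 hex digits); none is real.
var (
	BankAWK, _    = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	NetworkAWK, _ = hex.DecodeString("1111222233334444AAAABBBBCCCCDDDD")
	IssuerWK, _   = hex.DecodeString("0F1E2D3C4B5A69788796A5B4C3D2E1F0")
)

// TDES runs one ECB block under a 2-key TDES key, expanded as K1 K2 K1.
func TDES(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil || len(in) != 8 {
		return nil, errors.New("need a 16-byte double-length key and an 8-byte block")
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// panField is the ISO 9564 format 0 PAN field: 0000 + 12 rightmost PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// EncodePINBlock builds a clear format 0 block: control nibble 0, PIN length, PIN digits, F padding, XOR PAN field.
func EncodePINBlock(pin, pan string) ([]byte, error) {
	pb, err := panField(pan)
	if err != nil || len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("bad PAN or PIN (PIN must be 4-12 digits)")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	out, _ := hex.DecodeString(field + strings.Repeat("F", 16-len(field)))
	for i := range out {
		out[i] ^= pb[i]
	}
	return out, nil
}

// DecodePINBlock reverses EncodePINBlock and rejects anything that is not a well-formed
// format 0 block for this PAN: the check an HSM makes before it re-encrypts a translated block.
func DecodePINBlock(plain []byte, pan string) (string, error) {
	pb, err := panField(pan)
	if err != nil || len(plain) != 8 {
		return "", errors.New("bad PAN or block length")
	}
	field := make([]byte, 8)
	for i := range field {
		field[i] = plain[i] ^ pb[i]
	}
	h := strings.ToUpper(hex.EncodeToString(field))
	n := strings.IndexByte("0123456789ABCDEF", h[1]) // PIN length nibble
	if h[0] != '0' || n < 4 || n > 12 || strings.Trim(h[2:2+n], "0123456789") != "" || strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("not a well-formed format 0 block for this PAN")
	}
	return h[2 : 2+n], nil
}

// TranslatePIN is the HSM translate command from the slide: decrypt under the inbound
// zone key, validate against the PAN, re-encrypt under the outbound zone key.
// The clear block exists only inside this function.
func TranslatePIN(enc []byte, pan string, from, to []byte) ([]byte, error) {
	plain, err := TDES(from, enc, true)
	if err != nil {
		return nil, err
	}
	if _, err := DecodePINBlock(plain, pan); err != nil {
		return nil, fmt.Errorf("translation refused: %w", err)
	}
	return TDES(to, plain, false)
}

func main() {
	pan, pin := "4111111111111111", "1234" // constructed sample card and PIN
	clearBlock, _ := EncodePINBlock(pin, pan)
	atBank, _ := TDES(BankAWK, clearBlock, false)                     // bank / ATM host HSM
	atNetwork, _ := TranslatePIN(atBank, pan, BankAWK, NetworkAWK)    // debit processor HSM
	atIssuer, _ := TranslatePIN(atNetwork, pan, NetworkAWK, IssuerWK) // network HSM
	issuerClear, _ := TDES(IssuerWK, atIssuer, true)                  // issuer HSM
	got, _ := DecodePINBlock(issuerClear, pan)
	fmt.Println("issuer recovers the cardholder PIN:", got == pin)
	_, err := TranslatePIN(atBank, "5555555555554444", BankAWK, NetworkAWK)
	fmt.Println("translation with the wrong PAN:", err)
}
```

Because format 0 XORs the PAN into the block, a block presented with the wrong PAN fails the padding check inside the HSM and is never re-encrypted; that is the same check that catches a block decrypted under the wrong zone key.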
1. Are you driving your own ATMs directly using:
   a) a Hardware Security Module (HSM) performing PIN translations?
   b) a third-party processor?
2. Do you have multiple systems connected, with any having Internet access?
3. Does the bank have web-facing applications?
4. Do your ATMs have remote access?
5. How old is your single-DES PIN Verification Key (PVK)?
6. How do you change cardholder PINs?
7. How is your HSM configured?
Based on compromises of PIN and cardholder data, Visa has found the following common issues:
1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data; insecure remote access)
2. Inadequate perimeter security (e.g., improperly managed firewall)
3. Out-of-date system security patches
4. Vendor default settings and passwords (e.g., unsecured wireless)
5. Poorly coded web-facing applications (e.g., no input validation), resulting in SQL injection attacks
6. Poor cryptographic key management for PIN encryption
7. Weak controls over the production HSM environment
How Banks Can Protect Their On-Us And Not On-Us Transactions
1. Know what payment applications you use within host and ATM environments, ensure they are not storing inappropriate data, and never allow software encryption of PINs
2. Determine whether payment application vendors or other parties have remote access to your ATMs and host systems, and ensure that secure methods of access are used
3. Be aware of how the Payment Card Industry PIN Security Requirements, PCI Data Security Standard (PCI DSS) and PCI PA-DSS apply to you
Visa PIN Security and Key Management Compliance Program: Acquirer Requirements
Payment Card Industry PIN Entry Device (PED) security (all five card brands):
- PCI Encrypting PIN Pad (EPP) Security Requirements
- PCI POS PIN Entry Device Security Requirements
Visa:
- Visa PIN Security Program: Auditors Guide
- Cryptographic Key Injection Facility: Auditors Guide
- TDES Member Implementation Guide
- Visa Payment Technology Standards Manual
Validation
- Visa field review
- Self attestation
TDES migration timeline (slide graphic; milestone dates shown: 1/1/2003, 1/1/2004, 10/1/2005, 12/31/2007, 1/1/2009):
- Newly purchased POS PEDs must be Visa-approved (pre-PCI) and support TDES
- All US Visa endpoints must be using TDES
- Newly deployed US AFDs (automated fuel dispensers) must be PCI approved
Encryption keys must be used only for the purpose for which they were intended:
- A key-encryption key must not be used as a PIN-encryption key
- Separate key hierarchies must be maintained for test and production systems
- This limits the magnitude of exposure should any key be compromised
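The key-usage rule and the test/production split above, as an added Go example that is not code from the slides or from Visa: every stored key carries a usage attribute and a hierarchy (domain) attribute, and the HSM-side commands check both before the key bytes ever become a cipher. The attribute names, key values and the simplified wrapping format are assumed or constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Usage is the attribute an HSM binds to every stored key (assumed labels; the slide states the rule, not a format).
type Usage string
const (
	UsageKEK Usage = "key-encryption" // may only wrap and unwrap other keys
	UsagePIN Usage = "PIN-encryption" // may only encrypt and decrypt PIN blocks
)

// Key is a double-length TDES key plus the attributes every use is checked against; Domain keeps test and production apart.
type Key struct {
	Name, Domain string
	Usage        Usage
	raw          []byte // 16 bytes; never leaves this package in clear
}
func mustKey(name string, u Usage, domain, hexKey string) *Key {
	raw, _ := hex.DecodeString(hexKey) // every literal below is 32 hex digits
	return &Key{Name: name, Domain: domain, Usage: u, raw: raw}
}
// Constructed example keys; none is real.
var (
	TransportKEK = mustKey("transport-KEK", UsageKEK, "prod", "A1B2C3D4E5F60718293A4B5C6D7E8F90")
	IssuerWK     = mustKey("issuer-WK", UsagePIN, "prod", "0F1E2D3C4B5A69788796A5B4C3D2E1F0")
	TestPEK      = mustKey("test-PEK", UsagePIN, "test", "00112233445566778899AABBCCDDEEFF")
)

// cipherFor is the only place key bytes become a cipher (2-key TDES, K1 K2 K1); it refuses a use that does not match the key's usage. u == "" skips the check.
func (k *Key) cipherFor(u Usage) (cipher.Block, error) {
	if u != "" && k.Usage != u {
		return nil, fmt.Errorf("%s is a %s key; refused for %s", k.Name, k.Usage, u)
	}
	return des.NewTripleDESCipher(append(append([]byte{}, k.raw...), k.raw[:8]...))
}

// ecb applies c to each whole 8-byte block of in.
func ecb(c cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	for i := 0; i+8 <= len(in); i += 8 {
		if decrypt {
			c.Decrypt(out[i:], in[i:])
		} else {
			c.Encrypt(out[i:], in[i:])
		}
	}
	return out
}

// KCV is the key check value: first three bytes of the zero block encrypted under the key, used to confirm two parties share a key without revealing it.
func (k *Key) KCV() string {
	c, _ := k.cipherFor("")
	return fmt.Sprintf("%X", ecb(c, make([]byte, 8), false)[:3])
}

// WrapKey exports wk encrypted under a KEK of the same hierarchy. Attributes travel beside the ciphertext here; a real key block (e.g. TR-31) binds them in cryptographically.
func WrapKey(kek, wk *Key) ([]byte, error) {
	if kek.Domain != wk.Domain {
		return nil, fmt.Errorf("%s (%s) may not wrap %s (%s): separate hierarchies", kek.Name, kek.Domain, wk.Name, wk.Domain)
	}
	c, err := kek.cipherFor(UsageKEK)
	if err != nil {
		return nil, err
	}
	return ecb(c, wk.raw, false), nil
}

// UnwrapKey imports a wrapped key under the KEK and re-attaches its attributes.
func UnwrapKey(kek *Key, wrapped []byte, name string, u Usage) (*Key, error) {
	c, err := kek.cipherFor(UsageKEK)
	if err != nil || len(wrapped) != 16 {
		return nil, fmt.Errorf("unwrap refused (wrapped length %d): %v", len(wrapped), err)
	}
	return &Key{Name: name, Domain: kek.Domain, Usage: u, raw: ecb(c, wrapped, true)}, nil
}

// PINBlockOp encrypts or decrypts one 8-byte PIN block. A KEK presented here is refused, so it can never become a decryption oracle for the keys it wraps.
func PINBlockOp(k *Key, block []byte, decrypt bool) ([]byte, error) {
	c, err := k.cipherFor(UsagePIN)
	if err != nil || len(block) != 8 {
		return nil, fmt.Errorf("PIN block op refused (length %d): %v", len(block), err)
	}
	return ecb(c, block, decrypt), nil
}

func main() {
	wrapped, _ := WrapKey(TransportKEK, IssuerWK)
	restored, _ := UnwrapKey(TransportKEK, wrapped, "issuer-WK-import", UsagePIN)
	fmt.Printf("issuer WK KCV %s, after wrap/unwrap %s\n", IssuerWK.KCV(), restored.KCV())
	_, err := PINBlockOp(TransportKEK, wrapped[:8], true) // would expose half of IssuerWK if allowed
	fmt.Println("KEK offered to the PIN command:", err)
	_, err = WrapKey(TransportKEK, TestPEK)
	fmt.Println("production KEK offered a test key:", err)
}
```

The KEK case is what the first bullet guards against: a working key wrapped under a KEK is, byte for byte, two 8-byte blocks, so a command willing to decrypt a "PIN block" under that same KEK would hand the working key back in clear. Binding usage to the key inside the HSM, rather than trusting the caller to pick the right key, closes that path; the domain check does the same for a test key wandering into the production hierarchy.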
Verify that core ATM processing applications:
- do not store sensitive authentication data (full magnetic-stripe data, PIN blocks) and do not store PANs unprotected
- are PCI DSS or PCI PA-DSS compliant
Key Learnings
Security breaches can be prevented if participants comply with:
- PCI PIN Security Requirements
- PCI Data Security Standard (PCI DSS)
- PCI Payment Application DSS (PCI PA-DSS)
- PCI Encrypting PIN Pad (EPP) Security Requirements
www.visa.com/cisp
The site has PCI PIN, PCI DSS and PCI PA-DSS information:
- PIN security related bulletins
- Workshop registration information
- Compromised POS PED Bulletin
- Presentations from PIN security related Visa webinars
- PCI Data Security Standard (PCI DSS)
- PCI Payment Application DSS (PCI PA-DSS)
Questions?