Layering Secure Technologies to Strengthen Payment Card Environments
Webinar, 21 January 2015
Visa Public

Disclaimer

The information or recommendations contained herein are provided "AS IS" and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. When implementing any new strategy or practice, you should consult with your legal counsel to determine what laws and regulations may apply to your specific circumstances. The actual costs, savings and benefits of any recommendations or programs may vary based upon your specific business needs and program requirements. By their nature, recommendations are not guarantees of future performance or results and are subject to risks, uncertainties and assumptions that are difficult to predict or quantify. Assumptions were made by us in light of our experience and our perceptions of historical trends, current conditions and expected future developments and other factors that we believe are appropriate under the circumstance. Recommendations are subject to risks and uncertainties, which may cause actual and future results and trends to differ materially from the assumptions or recommendations. Visa is not responsible for your use of the information contained herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any assumptions or conclusions you might draw from its use. Visa makes no warranty, express or implied, and explicitly disclaims the warranties of merchantability and fitness for a particular purpose, any warranty of non-infringement of any third party's intellectual property rights, any warranty that the information will meet the requirements of a client, or any warranty that the information is updated and will be error free.
To the extent permitted by applicable law, Visa shall not be liable to a client or any third party for any damages under any theory of law, including, without limitation, any special, consequential, incidental or punitive damages, nor any damages for loss of business profits, business interruption, loss of business information, or other monetary loss, even if advised of the possibility of such damages.

Agenda
• Data Breach Landscape
• Demystifying Tokenization
• U.S. EMV Migration
• Point-to-Point Encryption
• Questions and Answers

Data Breach Landscape

Visa Inc. CAMS Compromise Events – Entity Type by Month
[Chart: compromise events per month, January 2012 through September 2014, by entity type: Brick & Mortar, Ecommerce, Processor / Agent]
Source: Compromised Account Management System (CAMS) – Original "IC" and "PA" Alerts for Visa Inc. *Reporting as of September 2014

Visa Inc. CAMS Compromise Events – Top Market Segment* (MCC)
• Restaurants and retailers are leading market segments in 2014
• Insecure remote access and poor credential management continue to be attack vectors
[Chart: compromise events by market segment, 2011 through 2014: Restaurants, Other Retail, QSRs, B2B, Supermarkets, Lodging]
* Market Segment based on Acceptance Solutions MCC "Market Segment" category
Source: Compromised Account Management System (CAMS) – Original "IC" and "PA" Alerts

Demystifying Tokenization

Payment Token Definition
Tokenization involves the replacement of the card account number with a "non-financial identifier" which may be used in its stead to initiate payment activity.

Uses for Tokens
• Conduct payment transactions over online and mobile payment channels
• Provide a method for third-party payment enablement
  – Wallet
  – Near Field Communication (NFC)
  – Quick Response (QR) Codes
  – Other Emerging Technologies

Demystifying Tokenization – Payment Token Processing
1. Token Request Process
   [Diagram: Token Requestor, Visa Token Service, Issuer. The token requestor sends the card number in a token request to the Visa Token Service; issuer assurance, identity and verification (ID&V) is performed with the issuer; the Visa Token Service returns a token to the requestor.]
2. Token Authorization Process
   [Diagram: Merchant, Acquirer, Visa Token Service, Issuer, steps 1 to 6. The authorization request carries the token from the merchant through the acquirer to the Visa Token Service (steps 1 to 3), which maps the token back to the card number before the request reaches the issuer; the authorization response returns along the same path (steps 4 to 6).]

Demystifying Tokenization – Benefits for Ecosystem Participants
Common tokenization standard minimizes impact by ensuring compatibility with current payment technologies and enabling support for emerging payment innovations.
Cardholder
• Card re-issuance not required if merchant database is compromised
Merchant / Wallet Provider / Acquirer
• Reduced threat of sensitive cardholder data being compromised
• Increased data protection as sensitive card number (PAN) is not passed through the ecosystem
• A common approach to tokenization simplifies the process for merchants for contactless, online or emerging payments
Issuer
• Reduces overall cost of fraud by minimizing card re-issuance
• Reduced risk of subsequent fraud in the event of merchant data breach
• Issuers benefit from new and more secure ways to pay

Demystifying Tokenization – Key Activities
Industry Standard
• Donated to EMVCo by Visa
• A new EMVCo task force established to govern the standard going forward
VisaNet Processing
• November 2013 Technical Letter
• April 2014 Business Enhancements Release
Visa Payment Token Service
• Mid-2014 limited deployment in United States

Demystifying Tokenization – Key Takeaways
1. Tokenization has two main components: standard and service
2. Token replaces account number with a non-financial identifier
3. Issuers, acquirers/merchants, wallet providers and OEMs can be potential token requestors
4. A single PAN can have multiple tokens based on number of token requestors and channel
5. Limited deployment of Visa Token Service started in the latter half of 2014
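The token request and token authorization flows above can be made concrete with a small model of a token vault. The following is an added example written for this page; it is not Visa Token Service code and does not reflect how VisaNet processes tokens. It assumes a constructed token BIN (490000), models issuer ID&V as a simple PAN format check, and models the restriction of a token to its requestor and channel with two fields on the vault record. The PAN 4000123456789010 is the illustrative number used on the slides. It shows why a merchant database holding only tokens is a poorer target: one PAN yields a different token per requestor and channel (takeaway 4), the real PAN is only ever resolved inside the token service during authorization, and a token presented outside the domain it was issued for is declined rather than mapped back to the PAN.

```python
"""Toy model of a payment token service (added example, not Visa's code)."""
import secrets
from dataclasses import dataclass

# Constructed token BIN for this example; real token BINs are assigned by the network.
TOKEN_BIN = "490000"
TOKEN_LENGTH = 16


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit that makes `partial + digit` a valid card-style number."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class TokenRecord:
    pan: str            # the real account number, held only inside the vault
    requestor_id: str   # who asked for the token (wallet, merchant, issuer, OEM)
    channel: str        # where it may be used: "nfc", "ecommerce", "qr", ...


class TokenService:
    """Issues tokens (token request) and resolves them (token authorization)."""

    def __init__(self) -> None:
        self._vault: dict[str, TokenRecord] = {}

    @staticmethod
    def is_token(number: str) -> bool:
        return len(number) == TOKEN_LENGTH and number.startswith(TOKEN_BIN)

    def request_token(self, pan: str, requestor_id: str, channel: str) -> str:
        """Token request step: PAN in, token out. Issuer ID&V is modelled only as a
        PAN format check here (assumption for the example)."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        while True:
            digits = TOKEN_LENGTH - len(TOKEN_BIN) - 1  # leave room for the check digit
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(digits))
            token = body + luhn_check_digit(body)
            if token not in self._vault:  # tokens are unique per vault entry
                break
        self._vault[token] = TokenRecord(pan, requestor_id, channel)
        return token

    def authorize(self, number: str, requestor_id: str, channel: str):
        """Token authorization step: map the presented number back to the PAN for
        the issuer, or decline. Returns (decision, pan_or_None)."""
        record = self._vault.get(number)
        if record is None:
            if self.is_token(number):
                return "decline: unknown token", None
            return "pass-through: PAN", number  # untokenized PAN forwarded unchanged
        if (record.requestor_id, record.channel) != (requestor_id, channel):
            # Token presented outside the domain it was issued for: treat as stolen.
            return "decline: token used outside its domain", None
        return "approve", record.pan


if __name__ == "__main__":
    svc = TokenService()
    pan = "4000123456789010"  # illustrative PAN from the slides
    t_wallet = svc.request_token(pan, "wallet-A", "nfc")
    t_shop = svc.request_token(pan, "merchant-B", "ecommerce")
    print("wallet token:", t_wallet, "merchant token:", t_shop)
    print(svc.authorize(t_wallet, "wallet-A", "nfc"))
    print(svc.authorize(t_wallet, "merchant-B", "ecommerce"))  # declined
```

The domain check is the part worth attention when reviewing a real deployment: a vault that resolves any token to its PAN regardless of where it was presented gives back most of the breach-resistance the slides attribute to tokenization.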
U.S. EMV Migration

Currently 83% of payment card fraud in the U.S. is counterfeit or card-not-present fraud. EMV chip, tokenization, and encryption are technologies designed to reduce risk from payment data being stolen and devalue the data if stolen.
Source: Visa Fraud Reporting System (FRS) and Enterprise Data Warehouse (EDW); CY 2013; U.S. domestic Visa debit and credit

Fighting fraud with layers of security
[Chart: 83% of fraud in the U.S. is card not present or counterfeit; the remainder is lost and stolen. Layers shown: EMV chip, tokenization, PIN, encryption, real-time predictive analytics.]
EMV chip
• Creates a unique cryptogram for each transaction
• Not a silver bullet
Tokenization
• Token replaces account number with unique digital token
• If payment token is used as the account number, it will be identified as stolen and rejected
PIN
• Fraudster must know PIN for card to work at the point of sale
• Static data set
Source: Visa Fraud Reporting System (FRS) and Enterprise Data Warehouse (EDW); CY 2013; U.S. domestic Visa debit and credit

How does EMV chip technology work?
Because the cryptogram changes with every transaction, even if the card data is stolen, the information can't be used to create counterfeit cards because the cryptogram would have already "expired".
[Illustration of track data, reconstructed from the slide; values are illustrative]
Magnetic stripe (STATIC): 40001234567^JOHN DOE^012012^101^217^…
  Fields: Card number, Name, Expiry, Service code, CVV
Chip, transaction 1 (DYNAMIC): 40001234567^JOHN DOE^012012^201^386^598812432315364066817988340291711345320865297408131^…  cryptogram 423908
  Fields: Card number, Name, Expiry, Service code, iCVV, Cryptogram
Chip, transaction 2 (DYNAMIC): 40001234567^JOHN DOE^012012^201^386^7938124322156405681798663402917081345301865223948131^…  cryptogram 427908
  Fields: Card number, Name, Expiry, Service code, iCVV, Cryptogram

The benefits of EMV chip – Security, innovation and acceptance
1. Enhanced security – fraud reduction
2. Enhanced international acceptance
3. Paves the way for secure mobile payments – tokenization
4. Moves U.S. closer to dynamic data authentication – devaluing data
5. Cardholders still protected with zero liability

Visa U.S. EMV chip roadmap
• In August 2011, Visa led the industry by setting a plan to move the U.S. to EMV chip technology
• Successful globally, liability shifts have been the primary incentive used to encourage both issuers and merchants to adopt EMV chip technology
Timeline
• April 2013: Acquirer EMV Chip POS Processing Mandate
• April 2015: Acquirer EMV Chip ATM Processing Mandate
• October 2015: POS Liability Shift (U.S. domestic and cross-border)
• October 2017: AFD Liability Shift and ATM Liability Shift (U.S. domestic and cross-border)
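The contrast the "How does EMV chip technology work?" slide draws between static stripe data and a per-transaction cryptogram can be shown from the issuer host's side. The following is an added example written for this page, not Visa or EMVCo code. It simplifies EMV heavily and these are assumptions: HMAC-SHA256 stands in for the 3DES/AES key derivation and cryptogram MAC that EMV actually specifies, the cryptogram covers only PAN, transaction counter (ATC), amount and the terminal's unpredictable number, the issuer master key and CVV are constructed values, and the PAN is the slide's illustrative 4000123456789010. What it demonstrates is the security property the slide states: a captured stripe track verifies every time it is presented, whereas a captured chip authorization is declined on replay because its ATC has already been consumed, and any change to the transaction data invalidates the cryptogram.

```python
"""Static stripe data vs. a per-transaction chip cryptogram (added example)."""
import hashlib
import hmac


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key from the issuer master key. EMV derives card keys with
    3DES/AES; HMAC-SHA256 stands in here (assumption for the example)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, pan: str, atc: int, amount: int, un: int) -> str:
    """Application cryptogram over the transaction data. ATC is the card's
    transaction counter, UN the terminal's unpredictable number."""
    msg = f"{pan}|{atc:05d}|{amount:012d}|{un:08x}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]


class MagStripeCard:
    """Static data: the same track contents are sent on every swipe."""

    def __init__(self, pan: str, cvv: str) -> None:
        self.track = f"{pan}^JOHN DOE^012012^101^{cvv}"  # layout as on the slide

    def swipe(self) -> str:
        return self.track


class ChipCard:
    """Dynamic data: the ATC advances on every transaction."""

    def __init__(self, pan: str, card_key: bytes) -> None:
        self.pan, self.card_key, self.atc = pan, card_key, 0

    def generate_arqc(self, amount: int, un: int) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "un": un,
                "arqc": cryptogram(self.card_key, self.pan, self.atc, amount, un)}


class IssuerHost:
    def __init__(self, issuer_master_key: bytes, stripe_cvv: dict) -> None:
        self.imk = issuer_master_key
        self.stripe_cvv = stripe_cvv        # PAN -> expected static CVV
        self.last_atc: dict[str, int] = {}  # PAN -> highest ATC accepted so far

    def verify_stripe(self, track: str) -> str:
        """Static check only: nothing distinguishes a replayed track from a fresh swipe."""
        fields = track.split("^")
        pan, cvv = fields[0], fields[-1]
        return "approve" if self.stripe_cvv.get(pan) == cvv else "decline: bad CVV"

    def verify_chip(self, auth: dict) -> str:
        """Recompute the cryptogram, then reject any ATC at or below the last one seen."""
        key = derive_card_key(self.imk, auth["pan"])
        expected = cryptogram(key, auth["pan"], auth["atc"], auth["amount"], auth["un"])
        if not hmac.compare_digest(expected, auth["arqc"]):
            return "decline: cryptogram invalid"
        if auth["atc"] <= self.last_atc.get(auth["pan"], 0):
            return "decline: ATC already used (replay)"
        self.last_atc[auth["pan"]] = auth["atc"]
        return "approve"


if __name__ == "__main__":
    imk = b"constructed-issuer-master-key"
    pan = "4000123456789010"  # illustrative PAN from the slide
    issuer = IssuerHost(imk, {pan: "217"})
    captured = MagStripeCard(pan, "217").swipe()
    print("stripe replay:", issuer.verify_stripe(captured), issuer.verify_stripe(captured))
    chip = ChipCard(pan, derive_card_key(imk, pan))
    auth = chip.generate_arqc(1999, 0x1234ABCD)
    print("chip first use:", issuer.verify_chip(auth))
    print("chip replay:   ", issuer.verify_chip(auth))
```

The ATC window is where a real issuer host needs more care than this model: cards can go out of sequence when offline-approved transactions clear late, so production systems accept a bounded range of counters rather than a strict "greater than last seen" rule.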
Note: AFD = automated fuel dispenser

The counterfeit fraud liability shift
• Today: Issuer has card-present POS and ATM liability
• After liability shift: Liability shifts to the acquirer if counterfeit fraud occurs on a contact EMV chip-capable card and the merchant is not contact EMV chip capable
• Does not cover contactless, card-not-present transactions or lost/stolen fraud (1)
Counterfeit fraud liability shifts
• Rewards EMV chip investment
• POS: Oct 1, 2015
• AFD and ATM: Oct 1, 2017
• Covers domestic and cross-border transactions
Transaction examples (counterfeit liability)
• Chip-on-chip transactions: Issuer holds the limited exposure that still exists
• Mag-stripe cards at EMV terminals: Issuer holds liability (same as today)
• Contact EMV chip card at mag-stripe terminals: Acquirer holds liability
• Contactless EMV chip card at mag-stripe terminals: Issuer holds liability (same as today)
(1) Lost/stolen liability shift does apply for chip-on-chip transactions at unattended terminals (i.e., AFD)

Point-to-Point Encryption (P2PE)

Point-to-Point Encryption (P2PE) Overview
• Point-to-Point Encryption is the process of encrypting payment data in a secure terminal and transmitting it through a network to a secure decryption point
• Protects cardholder data from the point of data entry to the payment card processor
• Shields against malware that "sniffs" sensitive payment data
Sample Architecture
[Diagram: PAN 4000123456789010 is encrypted at the merchant POS (shown as %$#^43@!&s*), travels encrypted across the payment network, and is decrypted in a secure environment before the issuer sees the PAN]

Point-to-Point Encryption and EMV
EMV Only
• Dynamic authentication, but account number and sensitive data remain exposed
• Mitigates fraud at the point-of-sale but does not affect cross-channel fraud
• [Diagram: data in the clear on the payment network; Visa: 4000123456789010, MC: 5000123456789010, Amex: 340012345678901]
EMV and Encrypted Transactions
• Chip is used for real-time card authentication
• Account number and sensitive data are encrypted in transit
• Mitigates the risk of point-of-sale and cross-channel fraud
• [Diagram: encrypted data on the payment network; the merchant side shows masked numbers 400012XXXXXX9010, 500012XXXXXX9010, 340012XXXXX8901, and full account numbers appear only at the decryption point]

Leveraging Technology – Payment Security Taskforce Recommendations
• PST is comprised of leading U.S. issuers, acquirers, merchants, payment networks and other electronic payment participants
• PST recommends a multi-layered approach to security that includes compliance with PCI standards and use of robust technologies like
  – EMV Chip
  – Point-to-Point Encryption (P2PE)
  – Tokenization
• PST has released their recommendations in a white paper which can be found here: http://usa.visa.com/newsroom/media-kits/assets/US-Payments-Security-Evolutionand-Strategic-Road-Map-for-Release.pdf
While many current "best practices" center on securing the system periphery with the intent of preventing breaches, the PST urges a focus on devaluing or eliminating sensitive data as it moves within and between systems.

P2PE, Tokenization and EMV
• Card Present: EMV + P2PE
• Card Not Present: Tokenization
• Mobile: EMV + Tokenization

Security Solutions End State
[Diagram: a chip card's PAN 4000123456789010 is encrypted at the merchant (shown as %$#^43@!&s*) before crossing the payment network; the merchant's offline token storage holds only tokens (4123456789101112, 4123459876543212, 4987654321012345), so a hacker reaching the merchant or the mag-stripe path obtains ciphertext and tokens rather than PANs]

Upcoming Events and Resources
Upcoming Webinars – Training tab on www.visa.com/cisp
• Data Breach Findings for Large Merchants ‒ 28 January 2015, 10 am PST
• Cyberlocker Merchant Overview & Enhanced Due Diligence ‒ 24 February 2015, 7 pm PST (Asia Pacific / Central Europe, Middle East, Africa audience)
• Cyberlocker Merchant Overview & Enhanced Due Diligence ‒ 25 February 2015, 10 am PST (North America, Latin America audience)
Visa Data Security Website – www.visa.com/cisp
• Alerts, Bulletins
• Best Practices, White Papers
• Webinars
PCI Security Standards Council Website – www.pcissc.org
• Data Security Standards – PCI DSS, PA-DSS, PTS
• Programs – ASV, ISA, PA-QSA, PFI, PTS, QSA, QIR, PCIP, and P2PE
• Fact Sheets – ATM Security, Mobile Payments Acceptance, Tokenization, Cloud Computing, and many more…

Questions?