Layering Secure Technologies to Strengthen Payment Card Environments
Webinar
21 January 2015
Visa Public
Disclaimer
The information or recommendations contained herein are provided "AS IS" and intended
for informational purposes only and should not be relied upon for operational, marketing,
legal, technical, tax, financial or other advice. When implementing any new strategy or
practice, you should consult with your legal counsel to determine what laws and
regulations may apply to your specific circumstances. The actual costs, savings and
benefits of any recommendations or programs may vary based upon your specific
business needs and program requirements. By their nature, recommendations are not
guarantees of future performance or results and are subject to risks, uncertainties and
assumptions that are difficult to predict or quantify. Assumptions were made by us in
light of our experience and our perceptions of historical trends, current conditions and
expected future developments and other factors that we believe are appropriate under
the circumstance. Recommendations are subject to risks and uncertainties, which may
cause actual and future results and trends to differ materially from the assumptions or
recommendations. Visa is not responsible for your use of the information contained
herein (including errors, omissions, inaccuracy or non-timeliness of any kind) or any
assumptions or conclusions you might draw from its use. Visa makes no warranty, express
or implied, and explicitly disclaims the warranties of merchantability and fitness for a
particular purpose, any warranty of non-infringement of any third party's intellectual
property rights, any warranty that the information will meet the requirements of a client,
or any warranty that the information is updated and will be error free. To the extent
permitted by applicable law, Visa shall not be liable to a client or any third party for any
damages under any theory of law, including, without limitation, any special,
consequential, incidental or punitive damages, nor any damages for loss of business
profits, business interruption, loss of business information, or other monetary loss, even if
advised of the possibility of such damages.
| Layering Secure Technologies to Strengthen Payment Card Environments | 21 January 2015
Agenda
• Data Breach Landscape
• Demystifying Tokenization
• U.S. EMV Migration
• Point-to-Point Encryption
• Questions and Answers
Data Breach Landscape
[Chart: Visa Inc. CAMS Compromise Events – Entity Type by Month; x-axis Jan-12 to Sep-14; series: Brick & Mortar, Ecommerce, Processor / Agent]
Source: Compromised Account Management System (CAMS) – Original 'IC' and 'PA' Alerts for Visa Inc. *Reporting as of September 2014
Visa Inc. CAMS Compromise Events
Top Market Segment* (MCC)
• Restaurants and retailers are leading market segments in 2014
• Insecure remote access and poor credential management continue to be attack vectors
[Chart: top market segments by year, 2011–2014; segments shown: Restaurants, Other Retail, QSRs, B2B, Supermarkets, Lodging]
* Market Segment based on Acceptance Solutions MCC "Market Segment" category
Source: Compromised Account Management System (CAMS) – Original "IC" and "PA" Alerts
Demystifying Tokenization
Payment Token Definition
Tokenization involves the replacement of the card account number with a "non-financial identifier" which may be used in its stead to initiate payment activity
Uses for Tokens
• Conduct payment transactions over online and mobile payment channels
• Provide a method for third-party payment enablement
  – Wallet
  – Near Field Communication (NFC)
  – Quick Response (QR) Codes
  – Other Emerging Technologies
Demystifying Tokenization - Payment Token Processing
1. Token Request Process
[Diagram: Token Requestor → Visa Token Service → Issuer. The Token Requestor sends the Card # in a Token Request to the Visa Token Service; the Visa Token Service performs Issuer Assurance, Identity and Verification (ID&V) with the Issuer and returns a Token to the requestor.]
2. Token Authorization Process
[Diagram, steps 1–6: Merchant → Acquirer → Visa Token Service → Issuer. The Authorization Request carries the Token from the Merchant through the Acquirer to the Visa Token Service, which maps the Token back to the Card # before forwarding the request to the Issuer; the Authorization Response returns along the same path.]
Demystifying Tokenization – Benefits for Ecosystem Participants
Common tokenization standard minimizes impact by ensuring compatibility with current payment technologies and enabling support for emerging payment innovations
Cardholder
• Card re-issuance not required if merchant database is compromised
Merchant/Wallet Provider, Acquirer
• Reduced threat of sensitive cardholder data being compromised
• Increased data protection as sensitive card number (PAN) is not passed through the ecosystem
• A common approach to tokenization simplifies the process for merchants for contactless, online or emerging payments
Issuer
• Reduces overall cost of fraud by minimizing card re-issuance
• Reduced risk of subsequent fraud in the event of merchant data breach
• Issuers benefit from new and more secure ways to pay
Demystifying Tokenization – Key Activities
Industry Standard
• Donated to EMVCo by Visa
• A new EMVCo task force established to govern the standard going forward
VisaNet Processing
• November 2013 Technical Letter
• April 2014 Business Enhancements Release
Visa Payment Token Service
• Mid-2014 limited deployment in United States
Demystifying Tokenization – Key Takeaways
1. Tokenization has two main components: standard and service
2. Token replaces account number with a non-financial identifier
3. Issuers, acquirers/merchants, wallet providers and OEMs can be potential token requestors
4. A single PAN can have multiple tokens based on number of token requestors and channel
5. Limited deployment of Visa Token Service started in the latter half of 2014
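The token request and authorization flow above, and takeaway 4 (one PAN, many tokens bound to requestor and channel), as an added illustration; this is not Visa Token Service code. The token BIN, the vault structure and the requestor/channel binding are constructed assumptions used to show why a token lifted from one channel is useless in another.

```python
import secrets

# Constructed token range: tokens are issued from a dedicated BIN so that a
# token presented as if it were a real PAN is recognisable as a token.
TOKEN_BIN = "412345"

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit Luhn-valid (keeps tokens format-preserving)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, starting next to the check digit
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def is_token(number: str) -> bool:
    return number.startswith(TOKEN_BIN)

class TokenService:
    """Stand-in for a token service: the vault maps token -> (PAN, requestor, channel)."""

    def __init__(self) -> None:
        self._vault = {}

    def request_token(self, pan: str, requestor_id: str, channel: str) -> str:
        # Issuer ID&V is assumed to have succeeded before a token is issued.
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._vault and token != pan:
                break
        # One PAN may hold many tokens; each is bound to the requestor and channel it was issued for.
        self._vault[token] = (pan, requestor_id, channel)
        return token

    def detokenize(self, token: str, requestor_id: str, channel: str):
        """Map a token back to its PAN during authorization. Returns None for an unknown
        token or one used outside the requestor/channel domain it was issued for."""
        record = self._vault.get(token)
        if record is None:
            return None
        pan, bound_requestor, bound_channel = record
        if (bound_requestor, bound_channel) != (requestor_id, channel):
            return None  # domain restriction: the token does not travel across channels
        return pan
```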
U.S. EMV Migration
Currently 83% of payment card fraud in the U.S. is counterfeit or card not present fraud
[Graphic: 83% of fraud in U.S.]
EMV chip, tokenization, and encryption are technologies designed to reduce risk from payment data being stolen and devalue the data if stolen
Source: Visa Fraud Reporting System (FRS) and Enterprise Data Warehouse (EDW); CY 2013; U.S. domestic Visa debit and credit
Fighting fraud with layers of security
[Diagram: fraud types Counterfeit and Card not present make up 83% of fraud in the U.S.; Lost and stolen is shown separately. Layers shown: EMV chip, Tokenization, PIN, Encryption, Real-time predictive analytics]
EMV chip
• Creates a unique cryptogram for each transaction
• Not a silver bullet
Tokenization
• Token replaces account number with unique digital token
• If payment token is used as the account number, it will be identified as stolen and rejected
PIN
• Fraudster must know PIN for card to work at the point of sale
• Static data set
Source: Visa Fraud Reporting System (FRS) and Enterprise Data Warehouse (EDW); CY 2013; U.S. domestic Visa debit and credit
How does EMV chip technology work?
Because the cryptogram changes with every transaction, even if the card data is stolen, the information can't be used to create counterfeit cards because the cryptogram would have already "expired"
[Diagram: magnetic-stripe track data (STATIC)]
40001234567 ^ JOHN DOE ^ 012012 ^ 101 ^ 217 ^ …
Fields: Card number ^ Name ^ Expiry ^ Service code ^ CVV
[Diagram: chip transaction data (DYNAMIC), two consecutive transactions from the same card]
40001234567 ^ JOHN DOE ^ 012012 ^ 201 ^ 386 ^ [cryptogram] ^ …
Fields: Card number ^ Name ^ Expiry ^ Service code ^ iCVV ^ Cryptogram; the first five fields are identical in both transactions, only the cryptogram differs
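The static-versus-dynamic contrast above, as an added example that is not from the webinar: a stripe track is the same bytes every time, while a chip cryptogram is bound to per-transaction data and an issuer can reject a captured one. The card key, the HMAC-based cryptogram and the issuer-side checks are simplified constructions, not the EMV application cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed demo key. On a real card a per-card key is derived from an issuer master key;
# here one shared key stands in for that so the issuer side can recompute the cryptogram.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def magstripe_track(pan: str, name: str, expiry: str, service_code: str, cvv: str) -> str:
    """Magnetic-stripe style track data: every field is static, so a copy works on every replay."""
    return f"{pan}^{name}^{expiry}^{service_code}^{cvv}"

def chip_cryptogram(key: bytes, atc: int, amount_cents: int, unpredictable: int) -> str:
    """Simplified per-transaction cryptogram: a MAC over data that changes every time.
    Illustration only; real EMV uses a different algorithm and more fields, but the
    property is the same: the value is bound to the counter (ATC), amount and terminal challenge."""
    msg = f"{atc:04X}|{amount_cents}|{unpredictable:08X}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class IssuerHost:
    """Issuer-side check: recompute the cryptogram and enforce a strictly increasing ATC."""

    def __init__(self, card_key: bytes) -> None:
        self.card_key = card_key
        self.last_atc = -1

    def authorize(self, atc: int, amount_cents: int, unpredictable: int, cryptogram: str) -> str:
        expected = chip_cryptogram(self.card_key, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"  # altered amount, wrong key, or fabricated data
        if atc <= self.last_atc:
            return "DECLINE: counter replayed"     # an "expired" cryptogram captured earlier
        self.last_atc = atc
        return "APPROVE"

def demo() -> dict:
    """Two purchases from the same card, then two misuse attempts on the captured data."""
    issuer = IssuerHost(CARD_KEY)
    track1 = magstripe_track("4000123456789010", "JOHN DOE", "012012", "101", "217")
    track2 = magstripe_track("4000123456789010", "JOHN DOE", "012012", "101", "217")
    c1 = chip_cryptogram(CARD_KEY, atc=1, amount_cents=1250, unpredictable=0x1A2B3C4D)
    c2 = chip_cryptogram(CARD_KEY, atc=2, amount_cents=1250, unpredictable=0x5E6F7081)
    return {
        "static_track_identical": track1 == track2,
        "cryptograms_differ": c1 != c2,
        "first_purchase": issuer.authorize(1, 1250, 0x1A2B3C4D, c1),
        "second_purchase": issuer.authorize(2, 1250, 0x5E6F7081, c2),
        "replay_of_first": issuer.authorize(1, 1250, 0x1A2B3C4D, c1),
        "altered_amount": issuer.authorize(3, 99900, 0x1A2B3C4D, c1),
    }
```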
The benefits of EMV chip
Security, innovation and acceptance
1. Enhanced security – fraud reduction
2. Enhanced international acceptance
3. Paves the way for secure mobile payments – tokenization
4. Moves U.S. closer to dynamic data authentication – devaluing data
5. Cardholders still protected with zero liability
Visa U.S. EMV chip roadmap
• In August 2011, Visa led the industry by setting a plan to move the U.S. to EMV chip technology
• Successful globally, liability shifts have been the primary incentive used to encourage both issuers and merchants to adopt EMV chip technology
[Timeline]
April 2013 – Acquirer EMV Chip POS Processing Mandate
April 2015 – Acquirer EMV Chip ATM Processing Mandate
October 2015 – POS Liability Shift
October 2017 – AFD Liability Shift (U.S. domestic and cross-border); ATM Liability Shift (U.S. domestic and cross-border)
Note: AFD = automated fuel dispenser
The counterfeit fraud liability shift
• Today: Issuer has card-present POS and ATM liability
• After liability shift: Liability shifts to the acquirer if counterfeit fraud occurs on a contact EMV chip-capable card and the merchant is not contact EMV chip capable
• Does not cover contactless, card-not-present transactions or lost/stolen fraud (1)
Counterfeit fraud liability shifts
• Rewards EMV chip investment
• POS: Oct 1, 2015
• AFD and ATM: Oct 1, 2017
• Covers domestic and cross-border transactions
Transaction examples – Counterfeit liability
• Chip-on-chip transactions: Issuer holds the limited exposure that still exists
• Mag-stripe cards at EMV terminals: Issuer holds liability (same as today)
• Contact EMV chip card at mag-stripe terminals: Acquirer holds liability
• Contactless EMV chip card at mag-stripe terminals: Issuer holds liability (same as today)
(1) Lost/stolen liability shift does apply for chip-on-chip transactions at unattended terminals (i.e., AFD)
Point-to-Point Encryption (P2PE)
Point-to-Point Encryption (P2PE) Overview
• Point-to-Point Encryption is the process of encrypting payment data in a secure terminal and transmitting it through a network to a secure decryption point
• Protects cardholder data from the point of data entry to the payment card processor
• Shields against malware that "sniffs" sensitive payment data
Sample Architecture
[Diagram: Merchant → Payment Network → Issuer. At the Merchant POS the PAN 4000123456789010 is captured and immediately encrypted (shown as %$#^43@!&s*): sensitive payment data encrypted at POS. The data is decrypted in a secure environment before the PAN 4000123456789010 reaches the Issuer.]
Point-to-Point Encryption and EMV
EMV Only
• Dynamic authentication, but account number and sensitive data remain exposed
• Mitigates fraud at the point-of-sale but does not affect cross-channel fraud
[Diagram: Data in the Clear flows from the terminal to the Payment Network – Visa: 4000123456789010, MC: 5000123456789010, Amex: 340012345678901]
EMV and Encrypted Transactions
• Chip is used for real-time card authentication
• Account number and sensitive data are encrypted in transit
• Mitigates the risk of point-of-sale and cross-channel fraud
[Diagram: Encrypted Data flows to the Payment Network; in transit only masked values are visible – 400012XXXXXX9010, 500012XXXXXX9010, 340012XXXXX8901 – while the Payment Network recovers Visa: 4000123456789010, MC: 5000123456789010, Amex: 340012345678901]
Leveraging Technology
Payment Security Taskforce Recommendations
• PST is comprised of leading U.S. issuers, acquirers, merchants, payment networks and other electronic payment participants
• PST recommends a multi-layered approach to security that includes compliance with PCI standards and use of robust technologies like
  – EMV Chip
  – Point-to-Point Encryption (P2PE)
  – Tokenization
• PST has released their recommendations in a white paper which can be found here:
  http://usa.visa.com/newsroom/media-kits/assets/US-Payments-Security-Evolution-and-Strategic-Road-Map-for-Release.pdf
While many current "best practices" center on securing system periphery with the intent of preventing breaches, the PST urges a focus on devaluing or eliminating sensitive data as it moves within and between systems
P2PE, Tokenization and EMV
[Matrix: channel to recommended layers]
Card Present: EMV + P2PE
Card Not Present: Tokenization
Mobile: EMV + Tokenization
Security Solutions End State
[Diagram: a Chip Card (PAN) or Mag-stripe card is read at the Merchant; the PAN 4000123456789010 leaves the POS only as encrypted data (%$#^43@!&s*) and is recovered at the Payment Network. The Merchant keeps only tokens (4123456789101112, 4123459876543212, 4987654321012345) in offline token storage, so a Hacker reaching the merchant environment finds encrypted data and tokens instead of the PAN.]
Upcoming Events and Resources
Upcoming Webinars – Training tab on www.visa.com/cisp
• Data Breach Findings for Large Merchants
  ‒ 28 January 2015, 10 am PST
• Cyberlocker Merchant Overview & Enhanced Due Diligence
  ‒ 24 February 2015, 7 pm PST (Asia Pacific / Central Europe, Middle East, Africa audience)
• Cyberlocker Merchant Overview & Enhanced Due Diligence
  ‒ 25 February 2015, 10 am PST (North America, Latin America audience)
Visa Data Security Website – www.visa.com/cisp
• Alerts, Bulletins
• Best Practices, White Papers
• Webinars
PCI Security Standards Council Website – www.pcissc.org
• Data Security Standards – PCI DSS, PA-DSS, PTS
• Programs – ASV, ISA, PA-QSA, PFI, PTS, QSA, QIR, PCIP, and P2PE
• Fact Sheets – ATM Security, Mobile Payments Acceptance, Tokenization, Cloud Computing, and many more…
Questions?