EMV Migration Forum. How EMV Significantly Lessens the Impacts of Data Breaches. David Worthington, Principal Consultant// 12th March 2014


Slide 1: EMV Migration Forum. How EMV Significantly Lessens the Impacts of Data Breaches. David Worthington, Principal Consultant // 12th March 2014

Slide 2: Agenda
- In the Beginning... and then came...
- The Business Basics
  - What Merchants Want?
  - What Issuers Want?
  - What the Brands Want?
- The Technical Basics
  - Channel Segregation
  - Unique Transactions
- CNP Options and Opportunities

Slide 3: A Brief History of... (or how we got in this mess)

Slide 4: A Brief History of...
- Cheques
- Early 1900s: closed-loop paper cards
- 1940s: Biggins Bank Charg-It card (Brooklyn)
- 1950s: closed loop; Diners, Amex, BankAmericard
- 1960s: ICA (MasterCard) v BankAmericard (Visa)
- 1970s: name changes and international growth
- 1980s: Discover (no annual fee, cashback)
- 1990s: chip (Mondex, VisaCash, EMV)
- 2000s: acquisitions, spin-offs & IPOs; PCI!
- 2010s: EMV Migration Forum, US EMV

Slide 5: History - Technology
- Vouchers
- Zip-zaps (embossing)
- MOTO
- POS
- ATMs
- E-commerce
- M-commerce
- Chip
- Contactless
- NFC

Slide 6: Historical Problems and Solutions?
- Cheques
  - Expensive to process
  - Handling of pieces of paper
  - Signatures to be checked
  - Timeliness: clearing of funds = authorisation
- Vouchers
  - Different (PAN) clearing process to reduce costs
  - Handling of pieces of paper
  - Don't check the signature?
- POS
  - Electronic authorisation (bank risk)
  - Leave paper at the merchant
  - Don't check the signature

Slide 7: Historical Problems and Solutions?
- ATMs
  - This is cash, this is serious!
  - Electronic authorisation (bank risk)
  - PIN
- E-commerce (Card Not Present)
  - Entered human-readable card data (PAN, etc.)
  - Too insecure to give merchants the PIN
  - Scan customer signatures?
  - Address checks, etc. (merchant risk)

Slide 8: Historical Problems and Solutions?
- Magnetic stripe
  - Counterfeit
  - Neural networks?
  - Chip
- Lost, stolen, bad-cardholder fraud
  - NOT signature!
  - PIN

Slide 9: Business Basics

Slide 10: What Merchants Want
- Easy transactions for their customers
  - Don't lose a sale
  - Don't upset the customer; repeat business & referral
- Guaranteed payment
  - Immediate authorisation
  - Issuer liability
  - Minimal chargeback/claims processing
- Minimum costs
  - Not paper
  - Not signature capture & storage
  - Not PCI, and no data breaches!

Slide 11: What Issuers Want
- Easy transactions for their customers
  - Don't lose customer loyalty and the interchange fees
  - Stay/become top of wallet
- Security of payment / minimise damage from fraud
  - Reputational damage
  - Financial loss
  - Card replacement (time and cost)
  - Claims & chargeback (operations and cost)
  - Loss of cardholders (and the wider relationship)

Slide 12: What the Brands Want?
- Provide value for all of their stakeholders
- Provide ongoing innovation in payments
- Ensure interoperable and secure payments can be made worldwide, to stay in business and show value in their brand and services

Slide 13: Technical Basics (How it should work)

Slide 14: Channel Segregation
- Card payments can be made over multiple channels, with a differing risk profile associated with each
- A breach in one channel should not allow fraud to be possible in another channel
- Even with static data, channels can be securely segregated
- Outside the actual transaction details, what do I need?

Slide 15: Channel Segregation

  Routing | Data Integrity (Static) | Channel Check
  PAN     | Luhn, Expiry, etc.      | CVC/CVV (a different one for each channel); Address (CNP); Static Password v PIN

Slide 16: Channel Segregation

  Channel         | Routing  | Data Integrity             | Channel Check
  Magnetic Stripe | PAN      | Stripe Data                | CVC/CVV, etc.
  Chip (inc. NFC) | AID, PAN | Chip Data                  | CVC3/iCVV, etc.
  CNP             | PAN      | PAN, Expiry, Name, Address | CVC2, CVV2, etc.

- This is the entry-point check before Risk Management starts, so long as it is supported?
- If there is no channel check for CNP by the Merchant, it becomes the lowest common denominator for attack from a data breach in any channel!
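A small model of the entry-point check the two tables describe, added here as an illustration and not part of the presentation: each channel's verification value is derived under a different key (an HMAC stand-in for the issuer's CVK-based derivation, which is an assumption of this example), so track data from a POS breach fails the CNP check unless the CNP merchant never sends CVV2 at all. The keys and the test PAN are constructed placeholders.

```python
import hashlib
import hmac

# Constructed per-channel issuer keys: placeholders, not real CVKs.
CHANNEL_KEYS = {
    "stripe": b"constructed-key-stripe",  # CVC/CVV carried in track data
    "chip":   b"constructed-key-chip",    # iCVV / CVC3 carried in chip data
    "cnp":    b"constructed-key-cnp",     # CVC2/CVV2 printed on the card
}


def channel_check_value(channel: str, pan: str, expiry: str, service_code: str = "201") -> str:
    """Channel-bound verification value for a card (3 digits).

    The real CVV/iCVV/CVV2 derivation is DES-based under issuer CVKs with a
    decimalisation step; this HMAC model is an assumption made for the example.
    It keeps the property the slides rely on: each channel's value is computed
    under its own key, so the value held in one channel's data does not verify
    in another channel.
    """
    msg = f"{pan}|{expiry}|{service_code}".encode()
    mac = hmac.new(CHANNEL_KEYS[channel], msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def authorise(channel: str, pan: str, expiry: str, presented: str, channel_check: bool = True) -> str:
    """Issuer entry-point check, run before risk management.

    channel_check=False models a CNP merchant that never asks for CVV2, so the
    issuer has nothing channel-specific to verify.
    """
    if channel_check and presented != channel_check_value(channel, pan, expiry):
        return "DECLINE"
    return "APPROVE"


def breach_crosses_channels(pan: str, expiry: str, cnp_channel_check: bool = True) -> str:
    """What the issuer sees when stripe data from a POS breach is presented in CNP."""
    leaked_cvv1 = channel_check_value("stripe", pan, expiry)  # the value held in track data
    return authorise("cnp", pan, expiry, leaked_cvv1, channel_check=cnp_channel_check)


if __name__ == "__main__":
    pan, expiry = "4111111111111111", "1216"  # constructed test PAN, not a real card
    print("stripe CVV1:", channel_check_value("stripe", pan, expiry))
    print("CNP CVV2:   ", channel_check_value("cnp", pan, expiry))
    print("CNP, CVV2 checked:    ", breach_crosses_channels(pan, expiry, True))
    print("CNP, CVV2 not checked:", breach_crosses_channels(pan, expiry, False))
```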

Slide 17: Unique Transactions
- By making each transaction include unique secure authorisation data, exposure of one transaction in a channel doesn't allow counterfeit of new transactions
  - Just a basic replay attack, which is easy to identify and prevent
- Not possible for Magnetic Stripe, but is for everything else!
- Should be combined with Channel Segregation

Slide 18: Both Together

  Channel         | Routing  | Data Integrity             | Channel Check         | Unique Transaction
  Magnetic Stripe | PAN      | Stripe Data                | CVC/CVV, etc.         | ?
  Chip            | AID, PAN | Chip Data                  | CVC3/iCVV, etc.       | EMV cryptograms
  CNP             | PAN      | PAN, Expiry, Name, Address | CVC2, CVV2, etc.      | Dynamic Challenge, OTP, Token (3D Secure!)
  Mobile HCE      | PAN*     | Chip Data                  | Mobile CVC/CVV, etc.  | Dynamic PAN, EMV Cryptogram
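The "Unique Transaction" column for chip, as an added example that is not from the deck: an issuer-side check of a cryptogram diversified by the Application Transaction Counter (ATC), so a cryptogram captured from one transaction neither replays nor verifies for a new purchase. The key derivation and MAC are HMAC stand-ins for the EMV 3DES/AES scheme (an assumption of this example), and the card key and PAN are constructed placeholders.

```python
import hashlib
import hmac

# Constructed card master key: placeholder for the per-card key an issuer derives.
CARD_KEY = b"constructed-card-master-key"


def session_key(atc: int) -> bytes:
    """Per-transaction key diversified by the Application Transaction Counter."""
    return hmac.new(CARD_KEY, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(atc: int, amount: str, unpredictable_number: str) -> str:
    """Simplified application cryptogram over the transaction data.

    EMV computes a 3DES/AES MAC over CDOL data under the ATC session key; the
    HMAC here is an assumption for the example. What matters is that the value
    is bound to this ATC, this amount and this terminal challenge.
    """
    data = f"{atc}|{amount}|{unpredictable_number}".encode()
    return hmac.new(session_key(atc), data, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer host: verifies the cryptogram and tracks the last ATC seen per card."""

    def __init__(self) -> None:
        self.last_atc = {}  # pan -> highest ATC accepted so far

    def authorise(self, pan: str, atc: int, amount: str, unpredictable_number: str, presented: str) -> str:
        expected = cryptogram(atc, amount, unpredictable_number)
        if not hmac.compare_digest(expected, presented):
            return "DECLINE: cryptogram does not match transaction data"
        if atc <= self.last_atc.get(pan, -1):
            return "DECLINE: ATC not increasing (replay)"
        self.last_atc[pan] = atc
        return "APPROVE"


if __name__ == "__main__":
    issuer = Issuer()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    arqc = cryptogram(7, "25.00", "DEADBEEF")  # genuine transaction from the card
    print(issuer.authorise(pan, 7, "25.00", "DEADBEEF", arqc))  # APPROVE
    print(issuer.authorise(pan, 7, "25.00", "DEADBEEF", arqc))  # same message replayed: DECLINE
    print(issuer.authorise(pan, 8, "99.00", "CAFEBABE", arqc))  # reused for a new purchase: DECLINE
```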

Slide 19: Tokenisation (Hot off the Press)

Slide 20: Tokenisation
- EMVCo: EMV Payment Tokenisation Specification - Technical Framework v1.0, March 2014
  - "The purpose of this document is to provide a detailed technical specification for industry-aligned and interoperable Payment Tokenisation solutions that will benefit Acquirers, Merchants, Card Issuers, and Cardholders."
- Payment Tokens replace the PAN
- Non-Payment Tokens: loyalty, etc.

Slide 21: Tokenisation
- Still uses the same basic security mechanisms, e.g. Token Domain = Channel Segregation / Closed Loop
- Introduces standardised new functionality/players
  - Token Service Provider
  - Token Vault (PCI!)
- Allows for multiple flows/models for where Tokens may be introduced and de-tokenised back to PANs
- Potential for multiple new Tokenisation products and Token Service Providers
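An added example, not from the deck or the EMVCo specification, of the Token Domain point above: a token vault that issues format-preserving, Luhn-valid payment tokens (the Luhn check is the PAN integrity check named on slide 15) and refuses to de-tokenise for any domain other than the one the token was issued to. The token BIN, the domain names and the PAN are assumed placeholders.

```python
import secrets
from typing import Dict, Optional, Tuple


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit next to the check digit is the first one doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Token Service Provider vault that binds each payment token to a token domain.

    Simplified model, not the EMVCo flows: the domain (for example one
    merchant's CNP channel or a mobile HCE wallet) is stored with the token,
    and de-tokenisation is refused for any other domain. That is the
    closed-loop / channel-segregation property the slide describes.
    """

    def __init__(self, token_bin: str = "990000") -> None:  # assumed token BIN
        self.token_bin = token_bin
        self._vault: Dict[str, Tuple[str, str]] = {}  # token -> (pan, domain)

    def tokenise(self, pan: str, domain: str) -> str:
        body = self.token_bin + "".join(str(secrets.randbelow(10)) for _ in range(9))
        token = body + luhn_check_digit(body)  # same format as a PAN, passes the Luhn check
        self._vault[token] = (pan, domain)
        return token

    def detokenise(self, token: str, requesting_domain: str) -> Optional[str]:
        entry = self._vault.get(token)
        if entry is None or entry[1] != requesting_domain:
            return None  # unknown token, or token presented outside its domain
        return entry[0]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token = vault.tokenise(pan, "mobile-hce")
    print("token:", token, "Luhn valid:", luhn_valid(token))
    print("HCE wallet request:  ", vault.detokenise(token, "mobile-hce"))
    print("CNP merchant request:", vault.detokenise(token, "cnp"))  # None
```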

Slide 22: Thank you
Bell ID // Stationsplein 45 A6.002 // 3013 AK Rotterdam // P.O. Box // 3001 GC Rotterdam // The Netherlands