The Evolution of Payments on Campus

Transcription

1 The Evolution of Payments on Campus Mark Lucas, VP, Managed Services Senior Strategist, Higher Education CISSP, CISA, ASV, CGEIT, QSA, MCSD January 2014

2 Agenda I. About Coalfire II. III. IV. Campus Card and Payments Evolution What happened to the wallet? Crash Course: Mobile Payment Hardware I. Mobile device compliance, risks and security action plan II. Q and A

3 COALFIRE SERVICES Coalfire offers demonstrated leadership in all key areas of IT GRC auditing, assessment and validation.

4 CERTIFICATIONS & AFFILIATIONS

5 HIGHER EDUCATION

6 LOCATIONS

7 Campus Cards and Payments Evolution

8 In the beginning there were campus cards

9 The evolution of campus cards Today Amsec developed and installed the first known card-based campus electronic card access system using magnetic stripe technology at California State Polytechnic University. The first campus-wide system debuted at Duke University. The card was engineered as a four-year card with a durable magnetic stripe designed to prevent accidental data erasure. Florida State University became the first public university to link their campus card with a bank. In 1993, Northwestern University became the first private university to link its campus card with a bank. Campus cards are fairly ubiquitous and support a wide array of features and functions. While One card adoption may have not found a way onto all campuses, most 4 year universities either have or would like a solution.

10 The evolution of campus payments Card Imprints 1970s Small transaction volume, large dollar transactions Dial-Out Terminals Late 1980s-90s Replacement for Imprints; Faster transactions for administrative services. Point-of-Sale 1990s-Present Specialized applications for retail and dining, parking, ticketing, and more. Quick transactions, higher transaction volume, lower dollar amount. Campus OneCard Late 1990s-Present Could be integrated with SIS, physical access control systems, and campus electronic payments systems; but only certain systems! ecommerce 2000s-Present Consumer directed and initiated; convenient. No campus presence required. Used mainly for campus giving, OneCard valuing, and specialized retail

11 Campus payments on the move Payment solutions are bringing more convenience for both merchants and customers New mobile payment solutions are creating new opportunities for merchants and customers Allows your campus to reach more customers in new situations Backend merchant solutions can provide customer database, marketing, and communications

12 What happened to the wallet?

13 No other technology adoption trend compares 4 BILLION mobile phones in use among 7 billion people. By 2014, mobile use will overtake desktop and laptop use. By 2015, there are expected to be 500 million mobile banking users worldwide. 40% of consumers say losing their mobile phone is worse than losing their wallet.

14 Sensitive data goes mobile Payment data Healthcare ephi Home automation Car automation Corporate Corporate apps VPN credentials Banking data Social media Dropboxes/cloud storage

15 Payment Processes go Mobile Mobile Payments can generally be divided into two camps: Consumer Wallets- Consumer applications that store payment details (sometimes in the cloud) to enhance convenience of payment process. Includes Retail Loyalty Payments, like Starbucks Merchant Mobile Point-of-Sale (mpos)- Merchant solutions to facilitate rapid transactions in transient or mobile locations

16 Who are the players? Consumer Wallets Google Wallet PayPal MasterCard PayPass Venmo Isis LevelUp Mobile Point-of-Sale Square PayPal Here VeriFone Mobile Pay Bank of America MobilePay Pogo

17 Drivers for Mobile Payments If you are considering mobile payments, you are not alone this is a burning issue for campus finance and IT security professionals today. Merchant entities want to improve convenience and simplicity of payment process for students and patrons. University merchant environments can be physically fluid and dynamic e.g., remote fund raising events, mobile concessions, and temporary sales and registration events. Customers just expect you to facilitate a mobile payment, especially in certain venues!

18 Drawbacks for Mobile Payments There is risk. Mobile payments are similar to proven, fixed POS technology- except that they use a different OS geared towards consumers, not enterprises. Consumer-based mobile platforms typically lack strong security features of their PC/laptop cousins You can use mobile payment technologies to process payments, but you own the risk of the transaction. Is your community asking for better payment processes with clear-cut advantages over their current approach? What is the risk? How do I be PCI compliant?

19 Crash Course: Mobile Payment Hardware

20 The Three Categories From a data security perspective, PCI Security Standards Council divides mobile point-of-interaction payment devices into three categories: 1. PTS Devices 2. Purpose Built Mobile Devices 3. Consumer Devices

21 Category 1: Pin Transaction Security (PTS) Devices Mobile hardware swipe devices that accept entry of a PIN for debit/credit transactions These devices utilize special security modules for secure read and ex- change of data (SRED) Contain strong controls for hardware Tamper detection and resistance Can work via Ethernet, dial-out, cellular or Wi-Fi networks

22 Category 2: Purpose-Built Mobile Devices They only act as payment application, integrated into hardware Can t use them for games, surfing the web, etc. Locked down; device functions are limited to payments and related POS application functions only Examples include handheld POS devices for dining, parking Because they are purpose-built, they can lack extensibility, limiting ability to integrate with other retail/ business processes

23 Category 3: Multi-Use Mobile Devices Functions as a payment application and is used for other purposes. Relates to an application that is running on top of a consumer handheld device If it runs on ios or Android, it s a likely a Category-3 device. Category-3 devices can t be validated as payment applications under the PA-DSS This means that merchants are responsible for the security and compliance of these implementations

24 Mobile Device Compliance, Risks and a Security Action Plan

25 Compliance Strategies Part 1 PCI Special Interest Groups Mobile Task Force Working Group Guidance Published Mobile Payment Acceptance Security Guidelines for Developers (Sept 2012) Mobile Payment Acceptance Security Guidelines for Merchants (Feb 2013)

26 Compliance Strategies Part 2 Mobile Guidance Link: Category 1 PTS approved device Category 2 Single-Use device Category 3 Multi-Use device

27 Compliance Strategies Part 3 Visa Ready Link: The program provides innovators a path for the certification of devices, software and solutions used to initiate or accept Visa payments as well as guidance and best practices to access the power of the Visa network. Acquirers Ultimately, it s up to the acquirer to determine what is acceptable. Third-party evaluation may be acceptable in the interim.

28 PCI compliance concerns for merchants Are you using (or thinking of using) an unvalidated mpos solution? Understand your responsibilities for PCI DSS compliance Do you have a merchant identification number or formal merchant agreement in place covering the transactions? Do you have to submit an SAQ that covers the mobile transaction environment? Does your payment vendor contract identify specific PCI DSS responsibilities? Understand the payment hardware used and the risks to that hardware introduced from your environment. Consult with a knowledgeable QSA to pinpoint risks to compliance and data security.

29 What Mobile can Payment you do? Trends, Risks & Security Action Items Select your vendors wisely. Just because a technology is convenient for customers doesn t mean it s convenient for your operations. Limit deployment scenarios. Understand where and why the devices will be deployed. Low transaction environments, in limited crowdspaces, may be ideal candidates for early deployments. Manage configuration. Ensure that mobile platform security is a factor in your vendor decision. Does the platform experience frequent zero-day or critical security issues? Can applications access other application s data? Can the device be easily tracked and remotely wiped? How can you limit or enforce an known running configuration and application whitelist? Manage inventory. Who is approved to use the device and under what circumstances? Can inventory be tracked? Can disposition and location be tracked? Use Secure Card Readers (SCRs)/SRED and P2PE certified solutions, if possible. Know as much about your vendor solution as you possibly can, especially in regards to how card data is encrypted in flight and at rest. Perform a mobile risk assessment at least annually. Know the threats, vulnerabilities, and risks to your mobile assets and assess regularly. Mobile technologies are rapidly developing and changing!

30 Mobile Payments Trends, Secure Risks & or Security not? Action Items Security is in the eye of the beholder, so it depends! You can achieve a relatively secure mobile payment technology on your campus, but good controls must be present. Refer to guidance from the PCI SSC, but know that this is only part of the story and formal standards and enforcement have not been developed! Consult with a QSA firm knowledgeable in mobile payment solution designs and controls. Thoroughly vet solutions for alignment with business objectives, operations, and security.

31 Questions

32 Contact Info Mark Lucas, Coalfire ext. 7508