Unattended Payment Terminal


UPT Vendors, Terminal vendors, Merchants

Unattended Payment Terminal
Best Practice: Unattended Payment Terminal - Ver D Final
Type: Security
31 October 2011

In brief

In (Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI), Modular Security Requirements, Version ) the following two definitions are found:

POS POI Terminal - A general description of any terminal used to perform a card-based payment transaction when a PIN is required to confirm cardholder authentication.

UPT - A POS POI device where the transaction is initiated by the cardholder, and there is no immediate merchant support available. These include terminals such as:
- Automated fuel dispensers;
- Kiosks; and
- Self-service devices for ticketing/vending or car parking terminals.

In this document the following additional definitions are used:

Non-PIN UPT - A POS device where the transaction is initiated by the cardholder, there is no immediate merchant support available and no CVM is performed. These are primarily intended for low value payments and include terminals such as self-service devices for ticketing/vending, road tolls and car parking.

Card Interface - The interface the ECR or UPT vendor integrates its Payment Application against. This is often delivered by the terminal vendor and can either be part of the terminal or be separate software, for example a DLL.

This document presents the PAN-Nordic Security Advisory Committee (PNC SAC) Best Practices for fulfilling the PCI, EMV and brand requirements for Unattended Payment Terminal (UPT) solutions. It also presents recommendations for anti-skimming equipment for UPTs as [Best practice: D13-D19].

Action required

The UPT vendor is to make sure that the UPT solution fulfils the best practice requirements, is both self assessed and third party assessed, and that the signed reports of the assessments are provided to PNC together with supporting documentation.
The UPT vendor is also requested to consider the recommendations for anti-skimming and to complete the Anti-skimming Questionnaire.

Version history

22/06/2010, Version A Final, issued by PNC SAC: A new document.
14/09/2010, Version B Final, revised by PNC SAC: Anti-skimming recommendations added. Example text added in the form fields [Appendix A and Appendix B]. Instructions added to Template: UPT Solution Description [Appendix A]. A link to PNC recognised labs added [Page 13].
01/11/2010, Version C Final, revised by PNC SAC: New notation for identifying best practice requirements implemented; please see chapter 2 for details. Best practice C:1: new tamper responsive option added. Best practice C:3: a reference added. Best practice C:11: one new option added.
31/10/2011, Version D Final, revised by PNC SAC: Self Assessment - No cardholder data handling has replaced PA-DSS Self Assessment in requirements D:11 and D:12. Requirements C:5, C:6 and C:7 are now requirement D:5. The document rewritten.

PNC SAC Classification: General Page: 1 (9)

1 Table of contents

1 Table of contents
2 Scope
3 Related documents
4 PNC Best Practice UPT
5 External requirements
6 Typical solutions
7 Risks and countermeasures
8 Short description of the evaluation process
9 The third party security assessor
10 The third party security assessment
11 PNC SAC
12 Validity

2 Scope

This document describes the PNC Best Practices for Unattended Payment Terminals, UPTs. It defines the requirements for a security level that acquirers in the Pan-Nordic market find acceptable, and that vendors assess their UPT solutions against.

2.1 Target audience

The target audience for this document is UPT vendors who are willing to base the design of their UPT solution on UPT components that are validated by PNC to fulfil (VISA BEST PRACTICES - Data Field Encryption, Version ). All other solutions are out of the scope of this document and are to be validated by a PCI SSC-recognised lab.

2.2 Definitions

PNC SAC uses in this document the PCI PTS definitions from the documents:
- (Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI), Modular Security Requirements, Version );
- (VISA BEST PRACTICES - Data Field Encryption, Version ); and
- (Unattended Payment Terminals (UPT) v ).

It is recommended that the Definitions and Scope section on page 4 to page 7 in the document (Unattended Payment Terminals (UPT) v ) is studied in detail, since it presents the different concepts and the definitions that are used in this document.

2.3 For more information

If you have any questions regarding this best practice document please contact PNC on mail (at) pan-nordic.org

3 Related Documents

- Information Supplement: Skimming Prevention Best Practices for Merchants. PCI SSC. August (accessed October 25, 2011).
- Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI), Modular Security Requirements, Version 3.1. October (accessed October 31, 2011).
- Unattended Payment Terminals (UPT) v1.0. April (accessed October 25, 2011).
- VISA BEST PRACTICES - Data Field Encryption, Version October (accessed October 25, 2011).

4 PNC Best Practice UPT

PNC SAC has defined a model for approving new UPT solutions for Unattended Self-Service Devices, USSDs, based on EPPs and tamper evident card readers that are validated by PNC to fulfil (VISA BEST PRACTICES - Data Field Encryption, Version ). The model is based on the following:
- Pre-validated UPT components handle the cardholder data, and no cardholder data in clear is handled in the rest of the solution.
- The UPT vendor makes sure that the UPT solution fulfils the best practice requirements in this document.
- The UPT vendor selects and involves a third party security assessor who fulfils the requirements in Chapter 7.
- The UPT vendor makes sure that the UPT solution fulfils the requirements and is third party security-assessed, and that the signed reports of the assessments are provided to PNC together with supporting documentation.
- The UPT vendor considers the recommendations for anti-skimming and completes the Anti-skimming Questionnaire.

The requirements are defined in the self assessment questionnaire in the Forms section of this document.

The notation for identifying a best practice requirement in this document is as follows: [Document version letter: Index]. An example: [D: 5] describes best practice requirement number 5 in the document with version D.

5 External requirements

UPT solutions are to meet PCI, EMV, acquirer and payment brand requirements.

The relevant PCI requirements are the:
- PTS requirements.
- PA-DSS requirements.
These are presented on:

The EMV requirements are presented on:

The requirements of the international payment brands say that UPT solutions must support PIN. The only exception is if the UPT solution is used exclusively in a non-PIN environment. The definitions of non-PIN environments are:

- MCC 7523 Parking Lots, Parking Meters and Garages
  o If non contactless technology: Transaction value less than 50; Authorised online
  o If contactless technology: May be authorised offline
- MCC Tolls and Bridge Fees
  o If non contactless technology: Authorised online
  o If contactless technology: May be authorised offline
- Vending
  o The goods or service must not have an age limit for sale according to local laws, such as gambling and cigarettes.
  o If non contactless technology: Authorised online.
  o If contactless technology: May be authorised offline

For further details please see the actual scheme regulations.

The experience of PNC SAC is that these external requirements for UPT solutions can be reduced to a smaller number of best practice requirements if the UPT is constructed with components that are PCI PTS approved and the connections between the units are encrypted. The units must have been validated by PNC to fulfil (VISA BEST PRACTICES - Data Field Encryption, Version ).

PNC SAC has decided to allow UPT vendors to validate UPT product compliance with the best practice requirements that are presented in this document. A UPT solution that fulfils the requirements in this document meets all the above-mentioned organisations' requirements. Other types of UPT solutions, for example self-contained UPT solutions, can also meet the above-mentioned organisations' requirements, but these UPT solutions are to be validated by a PCI SSC recognised lab.

Please note: Before a UPT solution that has been approved by a PCI SSC lab is installed, a routine for daily external inspections has to be presented to the acquirer.

The PNC SAC Best Practices present a security level that is acceptable for most PNC acquirers. It shall be noted that an acquirer might have additional security requirements.
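The non-PIN environment rules above, written out as a decision helper; this is an added example for this page, not code from the PNC SAC document or from any scheme. Environments are keyed by name because the page gives an MCC only for parking (7523); the value limit of 50 is applied as stated, in whatever currency unit the scheme uses, and the age-limit rule for vending is a flag the caller sets from local law.

```python
from dataclasses import dataclass
from typing import Tuple

# Values taken from the page: the parking MCC and the non-contactless value limit.
# The currency unit of the limit is not stated on the page; it is applied as-is.
PARKING_MCC = 7523
PARKING_NON_CONTACTLESS_LIMIT = 50

# Environments the page lists as non-PIN. Only parking has an MCC on the page;
# the toll and vending MCCs are not given, so environments are keyed by name.
NON_PIN_ENVIRONMENTS = ("parking", "tolls", "vending")


@dataclass(frozen=True)
class Transaction:
    environment: str      # "parking", "tolls", "vending" or anything else
    contactless: bool     # card presented with contactless technology
    amount: float         # transaction value in the scheme's currency unit
    online: bool          # True if authorised online, False if offline
    age_restricted: bool = False  # goods with a legal age limit (vending)


def environment_for_mcc(mcc: int) -> str:
    """Map an MCC to a page environment; only 7523 is known from the page."""
    return "parking" if mcc == PARKING_MCC else "other"


def non_pin_allowed(tx: Transaction) -> Tuple[bool, str]:
    """Decide whether a transaction may run at a non-PIN UPT.

    Returns (allowed, reason). Anything outside the three listed
    environments requires a PIN-capable UPT under the page's rule.
    """
    if tx.environment not in NON_PIN_ENVIRONMENTS:
        return False, "not a non-PIN environment; the UPT must support PIN"
    if tx.environment == "vending" and tx.age_restricted:
        return False, "age-limited goods may not be sold at a non-PIN UPT"
    if tx.contactless:
        # Contactless: offline authorisation is permitted in all three
        # environments; the page states no value limit for contactless.
        return True, "contactless; may be authorised offline"
    # Non-contactless technology: online authorisation is mandatory.
    if not tx.online:
        return False, "non-contactless transactions must be authorised online"
    if tx.environment == "parking" and tx.amount >= PARKING_NON_CONTACTLESS_LIMIT:
        return False, "non-contactless parking value must be less than 50"
    return True, "non-contactless; authorised online"
```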

6 Typical solutions

There are three types of typical single-component UPT solutions that meet the PNC SAC Best Practices. These are shown in Figure 1, Figure 2 and Figure 3. The three types can be divided into PIN and non-PIN solutions.

For PIN solutions all cardholder data and the PIN are encrypted in the EPP or the card reader and are decrypted at the PSP Host. No cardholder data is handled in clear text outside the card reader and EPP environment. The card reader and the EPP are both PCI PTS certified and PA-DSS certified.

For non-PIN solutions the EPP is excluded from the solution and from the requirements. This is shown in Figure 2 and Figure 3, where the EPP can be excluded for non-PIN solutions.

Figure 1 - The UPT Controller is a part of the EPP

Figure 2 - The UPT Controller is a part of the card reader

Figure 3 - The UPT Controller is a separate unit

The rest of the solution is PA-DSS Self Assessed. Please note that the touch display and the receipt printer etc. can be replaced with other similar components.

7 Risks and Countermeasures

The main risks connected to UPT solutions are that the PIN is observed together with the card data, or that the card is stolen. The five main attack scenarios are described below together with proposed countermeasures.

1. Sniffer device inside the UPT
A sniffer device is used to intercept and log the traffic from the UPT.

2. Shoulder-surfing
A pickpocket observes the PIN and then steals the card.

3. Overlay attack - Additional card reader together with camera
An additional card reader is installed on top of the original card reader. The additional reader reads the card while it is inserted into the original reader. A camera is also installed in the PIN shield or in the roof.

4. Overlay attack - Additional card reader together with additional PIN keyboard
Like above, an additional card reader is installed on top of the card reader. An extra PIN keyboard is installed on top of the original PIN keyboard.

5. Malware in the PC
Malware is installed within the PC's UPT software.

General countermeasures

Much fraud can be avoided if the cardholder and the merchant staff are vigilant and have been informed on how to distinguish modified UPTs from the original UPT, and if the cardholder is informed to protect the PIN. To make it easier for the cardholder to find modifications, it is recommended that the original solution is presented to the cardholder, for example by presenting a picture of the original solution on the display of the UPT while the card is being inserted into the card reader. If the surface around the card reader is smooth, it is suggested that this is shown in the displayed picture. It is also recommended that the cardholder is informed to protect the PIN, for example by covering the PIN entry with the other hand or with the body. This is to make sure that a pickpocket cannot see the PIN.

Countermeasures for Scenario 1
- Make sure that end-to-end encryption is used.

Countermeasures for Scenario 2
- Equip the EPP with a PIN shield fulfilling the PCI PTS requirements and the applicable domestic scheme requirements.
- Make sure that the surface of the visual shield is non-reflecting.
- Install the PIN keyboard in a way that the cardholder protects the PIN entry with the body.
- Request the cardholder to protect the PIN entry.

Countermeasures for Scenario 3
- Level the card reader with the surrounding surface. This is to make it more difficult to install an additional card reader.
- Use anti-skimming equipment that sends out jamming signals while the card is inserted into the card reader. This is to make sure that an additional reader installed on top of the original reader does not work.
- Equip the UPT with metal pegs on the surface to make sure that it is difficult to install an additional card reader.
- Make sure that the design of the visual shield makes it easy to discover that a small camera has been installed in the visual shield. The easiest way to do this is to use a thin visual shield.
- Use a smooth solid surface on the visual shield. This is to make it easy to discover holes of circa 2 mm in diameter that can be used for cameras.

Countermeasures for Scenario 4
- Level the keyboard with the surrounding surface. This is to make it more difficult to install an additional keyboard.
- Use a PIN keyboard with an eccentric appearance, so that an additional standard keyboard cannot easily be fitted on top of the original keyboard.
- Use a PIN keyboard that is uneven, since it is more difficult to install an additional keyboard on an uneven surface than on a flat surface.

Countermeasures for Scenario 5
- Make sure that no cardholder data is handled within the PC environment, and protect access to the PC.

8 Short description of the evaluation process

The process is described below:

1. The UPT vendor:
- checks with the UPT component vendor(s) that all the UPT components that will be used for the solution fulfil Best practice D:6-D:10;
- completes, together with the UPT component vendor(s), Part 1, Part 2, Part 3, Part 4, Part 5 and Part 6 of Unattended Payment Terminal Form - Ver D Final and provides it to PNC SAC before the third party assessment is started;
- designs the solution and writes the solution description (please find a template in the templates section of this document);
- presents the blueprints and the solution description to the third party security assessor to make sure that the final solution is expected to meet all the best practice requirements. The design of the visual shield should be checked at this stage to ensure that the final solution fulfils the visual shield requirements, so as to prevent modifications later on;
- considers the recommendations for anti-skimming;
- develops the solution and makes sure that all best practice requirements are in place;
- makes sure that the UPT solution is both self assessed and third party assessed and that the signed reports (1) of the assessments are provided to PNC SAC together with supporting documentation;
- completes the Anti-skimming Questionnaire as part of the self assessment.

2. PNC SAC checks the assessments and the supporting documentation and lists the product on the PNC website if the self assessment, the third party assessment and the supporting documentation provide evidence that the solution fulfils all the best practice requirements.

It is recommended that the UPT vendor has a close dialogue with the third party security assessor and PNC SAC during the process to ensure that all requirements in this document have been interpreted correctly.

9 The third party security assessor

The third party security assessor's role is to:
- Assure that the UPT solution is reviewed according to the best practice requirements.
- Work as a second opinion.
- Reduce the risk of insider crime.
- Give guidance to the UPT vendor.

The third party security assessor's role is not to complete the form for the UPT vendor.

The UPT vendor can select its third party security assessor. However, the assessor needs to be approved by PNC SAC before it is used. The selected third party security assessor shall present evidence to PNC SAC why he or she fulfils the following criteria:
- Shall be a company that is independent of and not commercially influenced by the UPT vendor.
- Shall have documented experience as a security assessor/reviewer of UPT solutions.
- Shall have deep knowledge of the card industry and the terminal architecture.
- Shall be familiar with ISO 27001.
- Shall have deep understanding of the PCI DSS, PA-DSS, PCI PTS and PCI PTS POI standards.

10 The third party security assessment

The Third Party Security Assessor is responsible for auditing the compliance with requirements D:1-D:12 in Unattended Payment Terminal Form - Ver D Final.

Unattended Payment Terminal Form - Ver D shall:
- Be signed by the third party security assessor and the terminal vendor.
- Confirm that requirements D:1-D:12 are in place.

No other report or form than the above-mentioned form is accepted.

(1) The forms section of this document is to be completed and signed by both the UPT vendor and the third party security assessor. A scanned version of the forms pages with the signatures is to be provided to PNC SAC. The recommended process is that the UPT vendor completes his part of the forms section and sends it to the third party security assessor for review. The third party makes the review, completes his part of the forms section, prints the forms section, signs it and sends it per post to the UPT vendor, who signs it and sends it per post to the third party auditor. The third party auditor gathers the documentation and sends it electronically to PNC.

11 The Pan-Nordic Card Association Security Advisory Committee

The Pan-Nordic Card Association Security Advisory Committee (PNC SAC):
- Performs quality assurance reviews of UPT reports to confirm report consistency and quality.
- Lists validated UPT solutions on the PNC website.
- Qualifies and trains the third party security assessors to perform UPT reviews.
- Maintains and updates the UPT evaluation process.

Note that PNC SAC does not approve reports from a validation perspective. The role of the third party security assessors is to document the terminal vendor's UPT compliance as of the date of the assessment. Additionally, PNC SAC performs quality assurance to assure that the third party security assessors accurately and thoroughly document the results of E2EE assessments.

12 Validity

The UPT approvals are valid as long as all the following approvals are valid:
1. The PA-DSS approvals for the product are valid.
2. The E2EE validation for the product is valid.
3. The PCI PED or PCI PTS approvals for the product are valid.
4. Both the Card Interface and Payment Application are Self Assessed for Self Assessment - No cardholder data handling and are listed on the PNC website, or both the Card Interface and Payment Application have been PA-DSS certified by a PA-QSA and are listed on the PCI SSC website.