Security proposal on mobile payment. Yan Liu, [email protected], atsec China. CISSP, CC Evaluator, ISO/IEC 27001 LA, CNAS Auditor, PCI QSA, PA DSS QSA, ASV. Sep 2012, 13ICCC, Paris.

TRANSCRIPT

Page 1

Security proposal on mobile payment

Yan Liu, [email protected], atsec China

CISSP, CC Evaluator, ISO/IEC 27001 LA, CNAS Auditor, PCI QSA, PA DSS QSA, ASV

Sep 2012, 13ICCC, Paris

atsec public

Page 2

Content

What is mobile payment and why security is important

Introduction on the payment card industry
• Payment industry terminology and roles
• Information sharing about mobile payment security

atsec proposal on mobile payment
• Physical and network environment security
• Payment application security
• Organizational security

Conclusion

atsec public © atsec information security, 2012

Page 3

Experience on Mobile Payment

The convenience and speed of mobile payment

Page 4

The Definition – From Wikipedia

Mobile payment, also referred to as mobile money, mobile banking, mobile money transfer, and mobile wallet, generally refers to payment services operated under financial regulation and performed from or via a mobile device.

Financial institutions and credit card companies, as well as Internet companies such as Google and a number of mobile communication companies, such as mobile network operators and major telecommunications infrastructure and handset multinationals such as Ericsson, have implemented mobile payment solutions.

Mobile payment is an alternative payment method. Instead of paying with cash, check, or credit cards, a consumer can use a mobile phone to pay for a wide range of services and digital or hard goods.

There are four primary models for mobile payments: Premium SMS based transactional payments, Direct Mobile Billing, Mobile web payments (WAP), Contactless NFC (Near Field Communication).

Page 5

Why Mobile Payment? -- Common arguments from literature

• Agility
• Cost
• Security
• Location independence
• Sustainability
• Reliability
• Scalability

Wait – Security???

Page 6

Why Securing Mobile Payments

• Current mobile devices have limited security safeguards for payment acceptance. More and more vulnerabilities have been found on mobile devices such as the Android system.

• Responsibilities for security in the mobile infrastructure span multiple participants.

• Protecting payment card data is required and protects all entities in the payment ecosystem.

• Secure mobile acceptance supports customer confidence.

Page 7

Payment Card Industry and Its Related Roles

PCI (Payment Card Industry) roles:
– Cardholders
– Issuers
– Merchants
– Acquirers
– Payment or Card Brands
– Service Providers

Payment processing: Authorization, Clearing, Settlement

Page 8

Key PCI Standards

[Figure: overview of the key PCI standards; information source from PCI SSC]

Page 9

Mobile payment – from PCI SSC

Since June 2011, PCI SSC has announced related guidelines on "Mobile Payment Acceptance Application and PA DSS".

Three defined categories of mobile payment applications (see also next page).

The Mobile Task Force is a forum for PCI SSC collaboration and consultation with industry groups, including the OWASP Mobile Project, GlobalPlatform, GSMA, BITS, NIST and ANSI/ISO.

March 2012: workshop "The Future of Money: How Mobile Payments Could Change Financial Services".

May 2012: "Accepting mobile payments with a Smartphone or tablet" was announced. P2PE solutions may help to protect the communication.

Page 10

Mobile Payment Applications

• Category 1: PTS Approved PED Devices
• Category 2: Purpose Built POS Devices
• Category 3: General Purpose Smart Devices

Applications for category 1 and 2 devices are eligible for PA-DSS.

Applications for category 3 devices: pending development of further guidance and/or standards.

Page 11

Brief Introduction on Our Proposal on Mobile Payment

Page 12

New / key Technologies on Mobile Payment

• Wireless
• Encryption
• Tokenization
• EMV
• Virtualization
• Mobile

Some figures on this page are sourced from PCI SSC

Page 13

IT Base Infrastructure

[Figure: layered view of the IT base infrastructure; recoverable labels:]
• Physical Infrastructure
• Network and Protocols: Firewalls, Terminal Server, Secure Administration, Secure Connectivity
• Operating systems: Microsoft Windows NT, SuSE Linux, Sun Solaris
• Unix Base Applications: Apache, Netscape, Oracle Database, MySQL Database
• Windows Base Applications: IIS, SQL Server
• Middleware, Applications, Database
• Web and Client Application Security
• Cross-cutting: Security System Management, Backup and Recovery

Idea source from atsec Germany

Page 14

Physical and Network Environment Security

• PCI DSS as a best practice.
• Sensitive data should be encrypted using industry-standard methods when stored on disk or transmitted over public networks.
• Cryptographic protocols (such as SSL v3.0) for data transmission; the website and interface are accessible via certificates issued by authorized parties.
• Strong cryptographic algorithms and well-designed and implemented key management (FIPS 140-2 could be considered during the implementation).
• Install security updates and patches on all system components.
• Security hardening: settings of applications and devices are tuned to ensure appropriate levels of protection.
• Networks are strictly segregated and strong access controls are in place, e.g. restrictive firewalls protect all connections between networks.
• Audit management and security monitoring.
• Authentication: password complexity, two-factor authentication for remote access, etc.
• Physical security.

Page 15

Prioritized Approach

• MS1: Remove sensitive authentication data and limit data retention
• MS2: Protect the perimeter, internal, and wireless networks
• MS3: Secure payment card applications
• MS4: Monitor and control access to your systems
• MS5: Protect stored cardholder data
• MS6: Finalize remaining compliance efforts, and ensure all controls are in place

[Chart: Estimated date of completion by milestone - Sample (MS 1 to MS 6, dates from 31-May-2011 to 12-Oct-2012)]
[Chart: Percent Complete by Milestone – Sample (MS 1 to MS 6, 0.00% to 100.00%)]

Some text is sourced from PCI SSC

Page 16

Payment Application Security

• PCI Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) could be considered as best practice.
• Prohibit the storage of card numbers, magnetic stripe data and security codes on payment applications and mobile devices.
• Application development is subject to strict quality testing and security review (CC assurance requirement ALC could be considered).
• Industry-standard secure coding guidelines, especially for web applications (OWASP could be considered).
• Implementation guide on how to install and configure the application in a secure manner.

It is suggested to develop a Protection Profile with respect to the mobile payment application, which is accepted by the industry.

Page 17

Organizational Security - Example

[Figure: two-level document hierarchy; recoverable labels:]

LEVEL 1 (Policy)
• Management system policy
• Network infrastructure security management policy
• Physical environment management policy
• Encryption policy
• Software design and development policy
• Security testing policy
• Change control policy
• Log security policy
• Data protection policy
• Access control policy
• Network security management policy
• Anti-virus policy
• Account and password policy
• Vulnerability management policy
• Log management policy
• Roles and responsibility
• Third-parties management policy
• Asset management policy
• Information exchange and media management policy

Level 2 (Procedures)
• Payment business description
• Human resource procedure
• Document and record control
• Security coding guideline
• Information security training
• Risks assessment
• Incident response
• System configuration management procedure
• Media management procedure
• Asset management procedure
• Account security management
• Log security management procedure
• Third-parties management
• Vulnerability management
• Physical environment management
• Management review
• Software development
• Firewall configuration
• Anti-virus procedure
• Vulnerability ranking
• Software security requirements

Page 18

atsec methodology: Integrated and unified Management System

[Figure: mobile payment data security at the centre, surrounded by the standards below and their contribution]
• ISO/IEC 27001 ISMS: Establish common management system (Configuration Management), perform assets/business oriented risk assessment
• FIPS 140-2 Cryptographic security: The use of cryptographic algorithms, Key Management
• Common Criteria Secure development: Introducing CC standard secure development idea, risk assessment process and also the idea of PP
• ISO 9001 Quality management: Improve quality management
• PCI & PA DSS Payment application security: PCI DSS and PA DSS to protect cardholder and sensitive data
• Supply chain security

Page 19

Sensitive Data Discovery

Penetration testing methodology and forensic tools:
• Commercial or open source tools

Sensitive data could be stored in different locations. Typical locations include:
• Database, flat files, log files, debug files
• Paper receipts

Typical systems that store track data:
• POS systems, POS servers, Authorization servers

If an environment does not have card swipe readers or receive data from face-to-face merchants with a card swipe reader, it is unlikely (but not impossible) that they will have the track data.
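As an added example (not part of the original slides), a small Python scanner of the kind a sensitive data discovery pass over log, debug and flat files would use: it looks for magnetic stripe track 1 / track 2 data and Luhn-valid PANs, reports them masked, and ignores look-alike digit runs such as order ids. The sample lines are constructed and the PANs are well-known public test numbers; the regular expressions and the Finding type are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines standing in for what a discovery scan of log, debug
# and flat files could turn up; the PANs are well-known public test numbers.
SAMPLE_LINES = [
    "2012-09-13 10:01:22 DEBUG swipe raw=%B4111111111111111^DOE/JOHN^2512101123456789?",
    "2012-09-13 10:01:23 DEBUG track2=;5555555555554444=25121011234567890?",
    "2012-09-13 10:02:05 INFO  auth ok pan=4111 1111 1111 1111 amount=12.50",
    "2012-09-13 10:02:06 INFO  order_id=1234567890123456 status=settled",
    "2012-09-13 10:02:07 INFO  masked pan=411111******1111 amount=12.50",
]

# Magnetic stripe track 1 (%B<PAN>^<name>^<YYMM>...) and track 2 (;<PAN>=<YYMM>...)
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}")
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")
# Bare PAN of 13-19 digits, optionally separated by spaces or dashes
PAN = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str  # first six and last four digits only

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; rejects look-alike digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line_no: int, line: str) -> list[Finding]:
    findings, covered = [], []
    # Track data first: it is sensitive authentication data that must never be stored
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append(Finding(line_no, kind, mask(m.group(1))))
                covered.append(m.span())
    # Then bare PANs, skipping digit runs already reported as part of track data
    for m in PAN.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue
        pan = re.sub(r"[ -]", "", m.group(1))
        if luhn_valid(pan):
            findings.append(Finding(line_no, "pan", mask(pan)))
    return findings

def scan(lines: list[str]) -> list[Finding]:
    return [f for n, line in enumerate(lines, 1) for f in scan_line(n, line)]
```

Running `scan(SAMPLE_LINES)` flags lines 1 to 3 only: the two track-data debug lines (milestone MS1 material) and the spaced PAN, while the Luhn-invalid order id and the already masked PAN are left alone.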

Page 20

Affected areas

[Figure: IT Infrastructure (Central Server, Local Server, Intranet / Remote Connection, Internet, Network, Firewalls, Security) and Applications (Web, App, Mail, SMS)]

Affected areas: IT Infrastructure, IT Process, Organization, Documentation

Source from atsec Germany

Page 21

atsec's Place in Mobile Payment

Our knowledge

Technical expertise:
• Virtualization
• Encryption / key management
• Security monitoring
• Security architecture
• Large scale risk analysis
• Penetration testing
• In-depth security analysis

Other expertise:
• Independent third party audit
• External security scanning
• Security assessment

Page 22

Conclusion

The affected business areas for the security solutions on mobile payment cover IT infrastructure, IT process, organization and also documentation. A standards-combined approach is used for the overall security proposal, including standards like CC (introduces a secure development and risk management methodology), FIPS 140 (cryptographic module and key management), PCI DSS (payment industry best practice), ISO/IEC 27001 (information security management system), etc. Various technical expertise and services are required, including virtualization, encryption/key management, security monitoring, security architecture, large scale risk assessment, penetration testing, and in-depth security analysis.

Page 23

Conclusion – cont.

Independent security audit, testing and evaluation are important; nevertheless, different validation requirements could be considered for different security levels.

A protection profile on mobile payment application could be drafted based on this paper, and proposed further by the CC and payment industry.

Page 24

Thanks

http://www.atsec.cn/