secure mobile payments getting the balance right


Page 1: Secure mobile payments getting the balance right

For Visa Europe Confidential. This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities. 1

Secure mobile payments getting the balance right

Richard Martin, Payment System Security, Visa Europe

7 September 2013

Royal Holloway University of London

Page 2: Secure mobile payments getting the balance right

Visa Europe 2 Mobile POS & Acceptance

Visa Europe

• Owned and operated by over 3,745 European member banks

• In October 2007 Visa Europe became independent of the new global Visa Inc. with an exclusive, irrevocable and perpetual licence in Europe

• Almost 466 million Visa cards have been issued in Europe

• In the 12 months ending September 2012 point of sale spending totalled over €1.3 trillion

• Fraud continues to decline and has fallen to €40 in every €10,000 as at September 2012 (0.04%)

Page 3: Secure mobile payments getting the balance right


European commerce is changing

• Consumer spend on Visa cards: €1 in every €6.75

• Visa cards in Europe contactless: 1 in every 6

• Ecommerce: 25% of Visa spend, +200% vs face-to-face

• Mobile by 2020: 50% of Visa transactions

Page 4: Secure mobile payments getting the balance right


Striking the balance

• Acquirers

• Issuers

• Cardholder

• Merchants

Page 5: Secure mobile payments getting the balance right


The Visa Europe Payment System Risk Strategy

• Focus our protection efforts on residual risks

• Design solutions that are secure from the outset

• Reinvigorate the data security debate

• Understand the level of complexity

• Provide cost effective solutions for all stakeholders

For data security to be meaningful, it must be applied sensibly.

A security and compliance policy that relies on a single solution, a single approach, and a single correct answer, is not likely to succeed in its objectives.

Page 6: Secure mobile payments getting the balance right


Manage Evolving Risks

Enhanced Authentication

• Continue deployment and use of robust authentication platforms - key to the stability of the payment systems of the future

• Visa Europe instrumental in defining global practices for complementary security technologies

Data Devaluation

• Protect cardholder data by limiting its availability

Data Protection

• Protect cardholder data

• Additional protection required for data which can be reused and cannot be devalued

• The Payment Card Industry Data Security Standard (PCI DSS) has been fundamental in raising awareness and fighting fraud
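Data devaluation in practice means that the systems outside the protected environment never hold anything a thief could reuse. The following Python sketch is an added example, not code from the Visa Europe deck: a token vault that keeps the PAN in one place and hands merchant systems a random surrogate plus a masked display form. The keyed fingerprint for lookups, the 16-digit token format and the rule that a token must fail the Luhn check are design assumptions made for this illustration; the PAN used is the well-known constructed test number 4111111111111111.

```python
# Added example (not from the Visa Europe deck): tokenisation as data devaluation.
# The vault keeps the PAN; everything outside it stores only a random token and
# a masked PAN. Assumptions for this illustration: HMAC-based lookup fingerprint,
# 16-digit tokens that keep the last four digits and deliberately fail Luhn.
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test: real PANs pass it, our tokens are minted to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six (BIN) and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Lives inside the protected environment; nothing outside it sees the PAN."""

    def __init__(self, lookup_key: bytes) -> None:
        self._lookup_key = lookup_key            # keyed fingerprint, not a plain hash
        self._token_by_fingerprint: Dict[str, str] = {}
        self._pan_by_token: Dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed, so a leaked fingerprint table cannot be reversed by hashing
        # the whole 16-digit PAN space offline.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        """Return the existing token for this PAN, or mint a fresh random one."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            # Random digits carry no information about the PAN; keeping the last
            # four lets receipts and support staff still recognise the card.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if luhn_valid(token) or token in self._pan_by_token:
                continue                         # must never look like a real PAN
            self._token_by_fingerprint[fp] = token
            self._pan_by_token[token] = pan
            return token

    def detokenise(self, token: str) -> str:
        """Only the payment host, inside the vault's trust boundary, calls this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What a merchant system is allowed to keep: the token and a masked PAN."""
    return {"token": vault.tokenise(pan), "display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    sample_pan = "4111111111111111"   # constructed, well-known test PAN
    rec = merchant_record(vault, sample_pan)
    print(rec)                         # no full PAN anywhere in this record
    print(vault.detokenise(rec["token"]) == sample_pan)
```

The point the slide makes is visible in `merchant_record`: a compromise of the merchant side yields a token that cannot be replayed as a card number and a masked PAN that is useless for fraud, which is what "limiting its availability" buys.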

Page 7: Secure mobile payments getting the balance right


Page 8: Secure mobile payments getting the balance right


Visa’s mobile payment services

• Contactless: Visa payWave for Mobile. Use a mobile device to shop conveniently, quickly and securely in a face-to-face environment

• Person to Person: Visa Personal Payments. Send money from a Visa card to any Visa card, anywhere in the world, using mobile phone number or PAN

• Mobile POS

Page 9: Secure mobile payments getting the balance right


Making payments vs. Accepting payments

Making payments

A Cardholder uses her phone to:

• Enter her card details into a web form

• Store her card details (or a token) in a wallet

• Store her card details on a secure element (e.g. contactless)

Accepting payments

A Merchant uses his phone to:

• Accept and process payments from customers

• He will handle many card payments from many customers

Page 10: Secure mobile payments getting the balance right


Threat Axes and Vulnerabilities

Threat axes:

• Over the channel: SMS / USSD, Voice, Data (GPRS / WiFi / Bluetooth…)

• Embedded

• The Owner

• Mobile Network Provider

Vulnerabilities:

• Operating System

• Hidden processes and applications

• User behaviour

• User interface

• Complexity

• User awareness

• Mobile registration and ownership

Page 11: Secure mobile payments getting the balance right


Recent news

• 76% of Android malware profit motivated (Q1 2013)

• HTML5 Framework hacks

• Android Security Squad and Bluebox Security – “Master Key” attacks

• SIM hack, Security Research Labs

Page 12: Secure mobile payments getting the balance right


What exactly are we trying to protect?

Basically any data whose theft or modification could cause financial or reputational harm to Visa, its Members and users

Key assets at risk:

• Cardholder data (CHD): PAN, Expiry date, CVV, CVV2

• Sensitive Authentication Data: PIN, cryptograms

Page 13: Secure mobile payments getting the balance right


Q. What can we do to secure the mobile phone?

A. Not a lot

• Issuers and acquirers need to cater for hundreds of millions of cardholders and millions of merchants

• Mobile Device Management?

• User policies - Enforced AV, restrictive Ts & Cs?

• Enforce certification of handsets against security standards?

The reality is that card issuers and acquirers will need to take mobile devices as they come

Our security strategy must take this into account

Page 14: Secure mobile payments getting the balance right


Innovation with tradition: Criteria for mobile POS & acceptance

• Benefits for all

• Visa Trusted Brand: Familiar & trustworthy

• User experience

• Honour all cards: Chip & magstripe

• Security: Lowering standards would threaten the system

Page 15: Secure mobile payments getting the balance right


Visa Europe’s position on mobile acceptance devices

Mobile environment: Secure Hardware Accessory

Processor / Point of Decryption

Protected in line with Visa’s Encryption & Tokenisation Guidelines

Page 16: Secure mobile payments getting the balance right


Mobile solutions not permitted by Visa Europe (1/4)

Software only solutions with no hardware accessory

• App downloaded on merchant phone

• Card data keyed on merchant phone; transactions processed as e-comm or MOTO

• “App” with manual key entry of card data on merchant owned mobile device

Entry of data on a merchant mobile device cannot be PCI certified at this time. This also includes PIN entry.

Page 17: Secure mobile payments getting the balance right


Mobile solutions not permitted by Visa Europe (2/4)

Hardware accessory with a magstripe only reader (used with a merchant owned mobile device)

Solutions with a magstripe only reader:

– no chip reader

– no PIN pad

– transactions sent as a magstripe transaction or as MOTO or e-comm transactions

Europe is a region where chip is required so this type of solution is not suitable

Page 18: Secure mobile payments getting the balance right


Mobile solutions not permitted by Visa Europe (3/4)

Hardware accessory with a chip reader but no PIN pad (used with a merchant owned mobile device)

Solutions with a chip reader:

– no PIN pad

– with or without magstripe

– transactions sent as chip transactions

PIN pad required in Europe so this solution is not suitable

“Honour All Cards” is a must: key entry of card data on a merchant phone is not permitted, so magstripe support is required

Page 19: Secure mobile payments getting the balance right


Mobile solutions not permitted by Visa Europe (4/4)

Contactless only acceptance

An acceptance device must “Honour All Cards”

As not all cards support contactless, it is not possible at this time to allow contactless only devices

Page 20: Secure mobile payments getting the balance right


Two mobile acceptance solutions permitted (1/2)


Hardware accessory with chip, magstripe & PIN pad (merchant owned mobile device)

• Chip & PIN must be supported

• Magstripe must be supported

• Contactless optional but recommended

• Key entry of data on secure PED allowed when no other option

• Physical (audio jack, mini USB etc.) or Bluetooth connection to mobile device

• Security is ensured by PCI SRED (Secure Read Exchange Data) and point-to-point encryption

or

Page 21: Secure mobile payments getting the balance right


Anatomy of mobile card reader security

• Security standards

– PCI PIN Transaction Security (PCI PTS)

– Secure PIN entry

– Device hardened against physical & logical hacking

– Encryption – SRED* module

* SRED = Secure Read and Encryption of Data. SRED is a hardware module for secure key storage & encryption functions

Page 22: Secure mobile payments getting the balance right


Encryption on the reader removes the mobile device from the key areas of risk

Diagram components: SRED reader; Telco / ISP; Processor/acquirer system (PCI DSS compliant environment): HSM, Secure host
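The reason reader-side encryption takes the phone out of the key areas of risk is that the phone never holds a key: it relays an opaque message between a reader that encrypts at the point of read and a host that decrypts inside the PCI DSS environment. The following Python model is an added example, not code from the Visa Europe deck or from any PCI specification. It stands in for the SRED module's approved cipher with an HMAC-SHA256 keystream in encrypt-then-MAC form, and for a real key-serial-number scheme with a reader serial plus transaction counter; the `CardReader`, `AcquirerHost` and helper names are assumptions, and the card data is the constructed test PAN 4111111111111111.

```python
# Added example (not from the Visa Europe deck): the reader/SRED trust boundary.
# The reader encrypts track data with a key injected into the reader; the
# merchant phone only forwards an opaque message; the acquirer host decrypts
# inside the PCI DSS environment. Stand-ins assumed here: an HMAC-SHA256
# keystream with encrypt-then-MAC instead of the module's approved cipher, and a
# serial-plus-counter nonce instead of a real key-serial-number scheme.
import hashlib
import hmac
import json
from typing import Dict, Tuple


def _subkeys(device_key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the device key."""
    enc = hmac.new(device_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(device_key: bytes, nonce: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC: returns (ciphertext, tag)."""
    enc, mac = _subkeys(device_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def unseal(device_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag before decrypting; a modified message is rejected outright."""
    enc, mac = _subkeys(device_key)
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch: message altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class CardReader:
    """Hardware accessory: key injected at personalisation, never exported."""

    def __init__(self, serial: str, device_key: bytes) -> None:
        self.serial = serial
        self._device_key = device_key
        self._counter = 0

    def read_card(self, track_data: str) -> Dict[str, object]:
        self._counter += 1                       # fresh nonce for every transaction
        nonce = self.serial.encode() + self._counter.to_bytes(4, "big")
        ct, tag = seal(self._device_key, nonce, track_data.encode())
        return {"serial": self.serial, "counter": self._counter,
                "ct": ct.hex(), "tag": tag.hex()}


def merchant_app_forward(message: Dict[str, object]) -> str:
    """The merchant phone holds no key; it can only serialise and relay."""
    return json.dumps(message)


class AcquirerHost:
    """Point of decryption inside the PCI DSS environment (keys live in the HSM)."""

    def __init__(self, device_keys: Dict[str, bytes]) -> None:
        self._device_keys = device_keys

    def decrypt(self, wire: str) -> str:
        msg = json.loads(wire)
        key = self._device_keys[msg["serial"]]
        nonce = msg["serial"].encode() + int(msg["counter"]).to_bytes(4, "big")
        return unseal(key, nonce, bytes.fromhex(msg["ct"]), bytes.fromhex(msg["tag"])).decode()


def exposed_in_clear(wire: str, pan: str) -> bool:
    """True if the PAN is visible to the phone or anything on the network path."""
    return pan in wire


def corrupt_one_byte(wire: str) -> str:
    """Flip one ciphertext byte to show that the host detects any modification."""
    msg = json.loads(wire)
    ct = bytearray.fromhex(msg["ct"])
    ct[0] ^= 0xFF
    msg["ct"] = ct.hex()
    return json.dumps(msg)


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed device key
    reader = CardReader("RDR-0001", key)
    host = AcquirerHost({"RDR-0001": key})
    wire = merchant_app_forward(reader.read_card("4111111111111111=2512101"))
    print("PAN visible to phone:", exposed_in_clear(wire, "4111111111111111"))
    print("Host recovers:", host.decrypt(wire))
```

Two properties carry the slide's argument: `exposed_in_clear` is false for everything the phone and the telco path handle, so a compromised handset or hidden process sees only ciphertext, and the per-transaction counter makes two reads of the same card produce different messages, so a captured message is not replayable as a new transaction. The `corrupt_one_byte` helper exists only to exercise the tag check in `unseal`.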

Page 23: Secure mobile payments getting the balance right


Mobile solutions permitted by Visa Europe (2/2)


Software based solution / M-commerce app (cardholder mobile device)

Card details never entered on merchant mobile device

– Secure if back end, registration process and permission to use are protected

– Refer to Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, published in Sept. 2012: http://www.visaeurope.com/ais

Page 24: Secure mobile payments getting the balance right


Benefits

• Consistent and familiar experience for cardholders and merchants

• Increased likelihood that cardholders and merchants will use mPOS

• Maintains and reinforces the trust in the brand

• Maintains Visa’s security profile

• Ensures that an exciting new method of payment starts secure

• Bringing new players to market

• Innovative new ideas and concepts

• Reduced costs

Page 25: Secure mobile payments getting the balance right


Working with industry providers

• mPOS solutions in 10 European markets

• 7 live implementations

• 200k+ merchants by 2014

• Mobile devices allowing low cost and easy access payments

• Balancing security and integrity with ease of deployment

Page 26: Secure mobile payments getting the balance right


Thank you