Webinar: PIN Security

Upload: sayed2020

Post on 04-Jun-2018


TRANSCRIPT

  • 8/13/2019 Webinar Pin Security

    1/23

Agenda

• Financial Institutions Security Environment
• Impact of a Data Security Breach on Banks
• Is Your Bank a Target?
• How Do PCI Security Requirements Apply?
• PIN Security and Key Management Controls
  • Acquirer
  • Issuer
• Key Learnings

Security Environment

Hackers are attacking:

• Small financial institutions
• Credit unions, which are increasingly targeted
• Banks that drive ATMs directly
• Banks that support debit card processing:
  • PIN validations
  • PIN changes / updates
  • PIN offset tables
  • Use of stale single-DES PIN Verification Keys (PVKs)

Hackers are looking for:

• Applications that store sensitive cardholder data
• Personal information to perpetrate identity theft
• PINs, track data, payment account numbers

Security: A Customer POV

1. Cardholder awareness of security issues is at record high levels
2. Concerns permeate all facets of their financial life and could impact their usage at ATMs
3. Maintaining consumer confidence in electronic payments is mutually beneficial

Impact of a Data Security Breach on Banks

• Damaged reputation of your bank and brand
• Potential loss of client goodwill
• Financial liability for fraud
• Potential legal liability
• Fines and penalties
• Increased regulatory compliance burden

How Banks Can Protect PIN and Cardholder Data

Don't store it if you don't need it!

1. Know exactly what you NEED to store and store ONLY that. Most banks don't need to store PIN and payment card data
2. Know what your host and ATM applications are storing, if anything
3. Know what your vendors are storing
4. NEVER store clear-text PIN data, and do not store it in encrypted form either
5. NEVER store clear-text keys

PIN Flow: Bank with HSM

Participants shown on the slide: ATMs, Bank with HSM, Debit Processor, Network, Issuer, and the ESO.

• The bank drives its own ATMs and performs its own PIN validation
• Debit card portfolio not-on-us traffic is translated to the AWK (Acquirer Working Key)
• The bank validates and updates PINs at the branch and via the VRU
• The processor performs PIN translation: it decrypts the PIN using the Bank AWK and encrypts it with the Network AWK
• The network performs PIN translation: it decrypts the PIN using the processor AWK and encrypts it with the Issuer Working Key (IWK)
• The issuer decrypts the PIN using the IWK and then validates it
• The ESO loads keys into ATMs; the ESO holds the ATM KEKs needed to perform key-loading services
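The translation chain on this slide, modelled as an added Go example (not Visa's code nor any HSM vendor's): an ISO 9564 format 0 PIN block leaves the bank encrypted under the Bank AWK, the processor's HSM re-encrypts it under the Network AWK, the network's HSM re-encrypts it under the IWK, and the issuer decrypts and validates. Zone keys, PAN and PIN are constructed sample values; two-key TDES is used because the slides require TDES end to end, and the clear block never leaves the translate function, which is the property a real HSM enforces.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// tdes passes one 8-byte block through two-key TDES (K1,K2,K1); a PIN block is a single ECB block.
func tdes(key, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		panic(err) // only reached with a zone key that is not 16 bytes
	}
	out, op := make([]byte, 8), c.Encrypt
	if decrypt {
		op = c.Decrypt
	}
	op(out, in)
	return out
}

// ISOFormat0 builds an ISO 9564 format 0 PIN block: (0, PIN length, PIN, F padding) XOR (0000, 12 PAN digits).
func ISOFormat0(pin, pan string) []byte {
	pinField := fmt.Sprintf("0%X%sFFFFFFFFFFFFFF", len(pin), pin)[:16]
	panField := "0000" + pan[len(pan)-13:len(pan)-1] // rightmost 12 digits, check digit excluded
	block, err := hex.DecodeString(pinField)
	mask, err2 := hex.DecodeString(panField)
	if err != nil || err2 != nil {
		panic("PIN and PAN must be decimal digit strings")
	}
	for i := range block {
		block[i] ^= mask[i]
	}
	return block
}

// HSMTranslate models an HSM zone translation (decrypt under the inbound key, re-encrypt under the outbound key); the clear block never leaves this call.
func HSMTranslate(inKey, outKey, enc []byte) []byte { return tdes(outKey, tdes(inKey, enc, true), false) }

// IssuerValidate decrypts under the IWK and compares with the block the PIN on file would produce.
func IssuerValidate(iwk, enc []byte, pan, pinOnFile string) bool { return string(tdes(iwk, enc, true)) == string(ISOFormat0(pinOnFile, pan)) }

func main() {
	bankAWK, networkAWK, issuerIWK := []byte("BANK-PROC-ZONE01"), []byte("PROC-NETWORK-Z02"), []byte("NETWORK-ISSUER03")
	pan, pin := "4000123456789010", "1234" // keys above, PAN and PIN are constructed sample values, not real ones
	atNetwork := HSMTranslate(bankAWK, networkAWK, tdes(bankAWK, ISOFormat0(pin, pan), false)) // processor HSM
	atIssuer := HSMTranslate(networkAWK, issuerIWK, atNetwork)                                  // network HSM
	fmt.Printf("block at issuer %X, PIN valid: %v\n", atIssuer, IssuerValidate(issuerIWK, atIssuer, pan, pin))
}
```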

Is Your Bank a Target?

ASK YOURSELF:

1. Are you driving your own ATMs directly using a:
   a) Hardware Security Module (HSM) performing PIN translations?
   b) Third-party processor?
2. Do you have multiple systems connected, with any having Internet access?
3. Does the bank have web-facing applications?
4. Do your ATMs have remote access?
5. How old is your single-DES PIN Verification Key (PVK)?
6. How do you change cardholder PINs?
7. How is your HSM configured?

Top 7 PCI DSS and PCI PIN Violations

Based on compromises of PIN and cardholder data, Visa has found the following common issues:

1. Vulnerable payment applications (e.g., inappropriate storage of full track, CVV2 and PIN data; insecure remote access)
2. Inadequate perimeter security (e.g., improperly managed firewall)
3. Out-of-date system security patches
4. Vendor default settings and passwords (e.g., unsecured wireless)
5. Poorly coded web-facing applications (e.g., no input validation) resulting in SQL injection attacks
6. Poor cryptographic key management used for PIN encryption
7. Weak controls over the production HSM environment

How Banks Can Protect Their On-Us and Not-On-Us Transactions

1. Know what payment applications you use within host and ATM environments, ensure they are not storing inappropriate data, and never allow software encryption of PINs
2. Determine if payment application vendors or other parties have remote access to your ATMs and host systems, and ensure that secure methods of access are used
3. Be aware of how the Payment Card Industry PIN Security Requirements, PCI Data Security Standard (PCI DSS) and PCI PA-DSS apply to you

PCI DSS and PA-DSS

PCI Data Security Standard (PCI DSS)

• 12 security requirements
• Demonstration of compliance is tiered for merchants and service providers based on volume
• Annual compliance verification cycle

PCI Payment Application Data Security Standard (PCI PA-DSS)

• The PA-DSS applies to all payment application providers
• Based on PCI DSS; for purposes of PA-DSS, a payment application is defined as one that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties
• PA-DSS applies to payment applications that are typically sold and installed off the shelf without material customization by software vendors

Visa PIN Security and Key Management Compliance Program: Acquirer Requirements

Payment Card Industry PIN Entry Device (PED) security (all five card brands):
• PCI Encrypting PIN Pad (EPP) Security Requirements
• PCI POS PIN Entry Device Security Requirements

Visa, MasterCard and JCB:
• EMV (offline PIN and key management)

Visa and MasterCard:
• PCI PIN Security Requirements, V2.0, January 2008

Visa:
• Visa PIN Security Program: Auditor's Guide
• Cryptographic Key Injection Facility: Auditor's Guide
• TDES Member Implementation Guide
• Visa Payment Technology Standards Manual

Visa PIN Security and Key Management Compliance Program

Types of acquiring participants:
• VisaNet endpoints
• Acquirers / ISO agents with ATMs
• Third-party agents (downstream processors)
• Certificate authorities
• Encryption and Support Organizations (ESOs)

Validation:
• Visa field review
• Self-attestation
• Follow-up actions are monitored by Visa globally

Global TDES and PED Testing Timeline

Milestones on the timeline (the slide places them at 1/1/2003, 1/1/2004, 10/1/2005, 10/1/2007, 12/31/2007, 1/1/2009 and 7/1/2010):

• Newly deployed ATMs must support TDES
• Newly deployed ATMs must have a Visa-approved EPP
• All US ATMs must be using TDES end-to-end
• All PEDs must be using TDES; all attended POS PEDs must be pre-PCI / PCI approved
• Newly purchased POS PEDs must be Visa-approved (pre-PCI) and support TDES
• All US Visa endpoints must be using TDES
• Newly deployed unattended POS PEDs must have a PCI-approved EPP
• Newly deployed US AFDs must be PCI approved


Review ATM Environment

Validate that:
• PIN blocks are not stored in ATM log files
• Sensitive cardholder data (e.g., PANs) is properly protected in ATMs
• Proper controls for remote access to ATMs are in place
• ATM anti-virus mechanisms are current and actively running
• ATM applications are PCI DSS or PCI PA-DSS compliant
• ATM vendor-supplied defaults have been changed

Verify that core ATM processing applications:
• Do not store sensitive authentication data: full magnetic-stripe data, PANs, and PIN blocks
• Are PCI DSS or PCI PA-DSS compliant

Issuer PIN Security and Fraud Management Controls

• Use the PCI PIN Security Requirements as a best practice for issuer key management
• Validate the Card Verification Value (CVV) results for ATM transactions
• Apply risk factors to POS spending, cash-back and quasi-cash to ATM withdrawal limit assignments
• Review and update velocity monitoring parameters for PIN transactions (POS and ATM) and HSM activity from VRU / branches
• Implement enhanced fraud monitoring and queuing strategies
• Incorporate Visa Advanced Authorization risk scores and condition codes in risk decision management systems ([email protected])
• Register for and use Visa's Compromised Account Management System (CAMS) alerts ([email protected])

Issuer Critical Applications and Key Management Controls

• The issuer core processing application should not store sensitive authentication data or expose keys in software: full magnetic-stripe data, CVV, CVV2, PIN blocks
• Properly segment production HSM activities
• Recommend hardware encryption for calculating PIN, CVV, CVV2
• Recommend HSM use for storage of critical keys
• Recommend a separate HSM for the VRU
• Review how branch PIN pads are managed / secured
• Review how cardholder PIN changes are made
• Manage offset tables securely
• Migrate to a new double-length PIN Verification Key (PVK). What is the history of your current PVK? Normal re-issue cycle?
• Use only payment applications that adhere to PA-DSS

Key Learnings

Security breaches can be prevented if participants comply with:
• PCI PIN Security Requirements
• PCI Data Security Standard (PCI DSS)
• PCI Payment Application DSS (PCI PA-DSS)
• PCI Encrypting PIN Pad (EPP) PIN Security Requirements

And adhere to:
• Compliant issuer key management practices for CVV, CVV2 and PVK keys
• Properly configured production HSM with adequate access controls

Don't store data if you don't need to!

For More Information

www.visa.com/pin

www.visa.com/pinsecurity
• PCI PIN Security Requirements v2, Jan. 2008
• PCI PIN Entry Device Testing and Approval Program Guide
• Visa PIN Security Program: Auditor's Guide
• Frequently Asked Questions

www.visa.com/cisp has PCI PIN, PCI DSS and PCI PA-DSS information:
• PIN security related bulletins
• Workshop registration information
• Compromised POS PED Bulletin
• Presentations from PIN Security related Visa webinars

For More Information

Visa Online (www.us.visaonline.com):
• PIN Fraud Management Issuer Quick Reference Guide
• Visa Issuer Risk Management Guide: Tools and Best Practices for Controlling Debit and Credit Card Fraud Losses

PCI Security Standards Council (www.pcisecuritystandards.org):
• PCI POS PIN-Entry Device Security Requirements
• PCI EPP PIN-Entry Device Security Requirements
• PCI Approved PIN Entry Devices List (www.pcisecuritystandards.org/pin)
• PCI Data Security Standard (PCI DSS)
• PCI Payment Application DSS (PCI PA-DSS)

Upcoming Visa PIN Security Trainings

• One-Day Visa Key Management Workshop: October 9, 2008, Foster City, CA
• Three-Day Visa PIN Security Compliance Validation Training: October 28-30, 2008, Foster City, CA

To receive information on PIN Security trainings, contact: [email protected]

Questions?