Adopting Industry Standards

EMV
• EMV is the international standard for any chip payment card.
• It is accepted and is being installed all over the world.
• Fraud protection:
  – Algorithmic checks on the card, terminal and Issuer
  – Velocity checks
  – ATC checking
  – Protection of data
  – Etc.
• It is also mandated by all major schemes
August 17
Caribbean Electronic Payments LLC
2
PCI DSS
• It is recommended that all ATM operators abide by Payment Card Industry (PCI) security standards, especially PCI DSS.
• In this process, it is important to follow implementation guides drawn up by ATM Manufacturers and ATM Software Developers, where available.
ATMs and PCI
• PCI SSC (PCI Security Standards Council)
  – PCI SSC formed and endorsed by five card brands: AmEx, Discover, JCB, MasterCard, Visa
  – Independent, tiered organisation
ATMs and PCI
• PCI SSC manages the security requirements for the payment card industry
  – Publishes the standards
  – Approves QSAs and PED Labs
  – Hosts lists of compliant products
  – Manages the working groups
  – See www.pcisecuritystandards.org
• PCI DSS = Payment Card Industry Data Security Standard
  – All merchants, processors, and Acquirers must comply
  – Designed to protect Card Holder Data (CHD)
    – Account number
    – Track data
    – PIN
ATMs and PCI
• ATMs process, transmit (and may store) cardholder data
• Therefore ATMs are in scope of PCI DSS
• ATMs have been (logically) attacked and compromised ‘in the wild’
• PCI DSS helps prevent such attacks
• Visa bulletin published June 2009 stresses the need for security around ATMs
ATMs and PCI
• PCI DSS Six Security Tenets:
  – Build and Maintain a Secure Network
  – Protect Cardholder Data
  – Maintain a Vulnerability Management Program
  – Implement Strong Access Controls
  – Regularly Monitor and Test Networks
  – Maintain an Information Security Policy
• PCI DSS Golden Rules:
  – Do not store Sensitive Authentication Data post authorisation
    – PIN / PIN block
    – Track data
    – CVV(2) / CVC(2)
  – Rules pre-Authorisation are per scheme Op Regs
  – Do not email unencrypted credit card numbers
ATMs and PCI
• PCI DSS Audits will require the following
  – Test samples of (various types of) ATM(s)
  – Perform test transactions and determine communications options
  – Analyse the hard disk storage
    – An image of the hard disk can be used
  – Confirm management/maintenance interface
    – Access levels (physical and remote)
    – Logging
    – Card data storage and access
  – ATM(s) configuration, management, and maintenance information
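An added example (not from the deck or any assessor's toolkit) of the check behind "Analyse the hard disk storage" and "Card data storage and access": a scan of an exported log or disk-image text for stored track data and Luhn-valid PANs, reporting findings in masked form. The sample lines are constructed and the card numbers are well-known test PANs.

```python
import re

# Constructed sample of the kind of data an audit of ATM disk storage could
# turn up. The card numbers are well-known test PANs, not real cards.
SAMPLE_STORAGE = """\
2009-06-01 12:00:01 TXN OK pan=411111******1111 amt=100.00
2009-06-01 12:00:02 DEBUG raw=;4111111111111111=25121011234567890?
2009-06-01 12:00:03 TXN OK ref=1234567890123 amt=20.00
2009-06-01 12:00:04 RECEIPT pan=5555555555554444 approved
"""

# Track 2 layout: start sentinel ';', PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Candidate PAN: a run of 13-19 digits with no digit on either side.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four only, so findings can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_for_cardholder_data(text: str):
    """Return (line_no, kind, masked_pan) for each line holding track data or a Luhn-valid PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            # Full track data is Sensitive Authentication Data: never storable post-authorisation.
            findings.append((line_no, "TRACK2", mask(m.group(1))))
        rest = TRACK2_RE.sub("", line)  # don't double-count the PAN inside the track
        for m in PAN_RE.finditer(rest):
            if luhn_ok(m.group(1)):
                findings.append((line_no, "PAN", mask(m.group(1))))
    return findings
```

A TRACK2 finding is a golden-rule breach outright; a bare PAN finding is a storage location that must be justified, encrypted and access-controlled under PCI DSS.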

ATMs and PCI
• ‘Flat’ network – everything is in scope
• ‘Segmented’ network – only systems that store/process/transmit card data are in scope
ATMs and PCI
• PCI DSS is not the only PCI standard!
• PCI PIN standard covers PIN security
  – Audit standard covers 32 different requirements
  – Checks that cryptographic keys are stored and managed correctly
• PCI PTS standard covers security of ATM Encrypting PIN Pad
  – Checks the physical and logical security of PIN entry devices
• PCI PA DSS standard covers software security
  – Confirms security of third party software and development lifecycles
[Diagram: ATM components in scope of PCI PTS. Ref: Witham Laboratories 2009]
PA-DSS
• Comprehensive requirements for payment application software vendors to enable their customers’ compliance
• Aligned with PCI DSS
• Applies to 3rd party payment applications
  – Authorization
  – Settlement
Confidential - LiquidNexxus Limited

PA-DSS
• Applicable to 3rd party payment applications used by merchant/service provider for authorization and settlement
• In-house applications are assessed against PCI DSS
• Not Database/Web Server Software
• Not Dumb terminals
PA-DSS
[Table: Payment Application vs. Applicable? (the Applicable? column is not reproduced in the transcript)]
• “Off-the-shelf” standard payment applications without much customization
• Module based software (at least one module before authorization and settlement functions)
• Hardware terminals
• Bespoke Custom Software for one customer
• Custom In-house Software (merchant/service provider)
PA-DSS: Hardware Terminals
• HARDWARE TERMINALS: PA-DSS may not apply if:
  – Terminal has no connections to merchant’s systems or networks
  – Terminal ONLY connects to acquirer or processor
  – Provides secure remote Access, Updates, Troubleshooting, Maintenance
  – Sensitive authentication data is NOT STORED after authorisation.
PIN Transaction Security
• Purpose: providing security guidelines for payment devices that handle PIN data and Keys
• Related mainly to:
  – Online/offline POS Devices
  – Encrypting PIN Pads (POS, ATMs, Kiosks...)
PIN Transaction Security Requirements
• Security Requirements
  – Point of Interaction Modular Security Requirements (POI)
    – Encrypting PIN Pad Devices (EPP) - ATM
    – Point of Sale Devices (POS) - Shop
    – Hardware Security Module (HSM) - Hardware that stores encryption keys
    – Unattended Payment Terminals (UPT) – e.g. Parking Payments, Cinema Tickets, Transport Ticket Machines
Links
• PCI PTS Compliant devices:
  https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php
• PCI PA DSS compliant applications:
  https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php
• PCI Council – ATM Security Guidelines:
  https://www.pcisecuritystandards.org/pdfs/PCI_ATM_Security_Guidelines_Info_Supplement.pdf
Know Your Customer
Know Your Business
• KYC and KYB
  – Basic checks against documents
    – Passport
    – Address
    – Utility Bill
    – Etc.
  – Proves to an extent you are who you claim to be.
Acquirer Compliance Programs
• Acquirer Fraud Compliance
• Merchant Fraud Compliance
• Cross border compliance programs
• Merchant Chargeback compliance
• Data Security Compliance
• Reporting compliance
• High Risk Merchants
• Gambling compliance
• Transaction monitoring
• AML
Acquirer Monitoring Program
• Card schemes monitor an Acquirer to determine disproportionate fraud-to-sales ratios.
• An Acquirer exceeding 3 times the worldwide or regional fraud-to-sales ratio for more than one quarter will be considered non-compliant and may be subject, but not limited, to the following fines and penalties:
  – Monetary fines specified in the applicable Visa Regional Operating Regulations
  – Temporary suspension of contracting with new Merchants
  – Termination of membership
Visa Merchant Fraud Performance Program
• The Merchant Fraud Performance Program measures Merchant Outlet activity and identifies Merchant Outlets requiring performance improvement when fraud thresholds are met or exceeded
• If a Merchant Outlet continues to meet or exceed the fraud performance thresholds:
  – The Acquirer will be liable under Chargeback Reason Code 93, "Merchant Fraud Performance Program," for fraudulent Transactions at Merchant Outlets in the program
  – Visa will apply escalating financial penalties to the Acquirer
  – Visa may ultimately disqualify the Merchant Outlet from the Visa payment system
Visa Merchant Chargeback Programs
• Card Schemes monitor international transactions to identify Merchant Outlets that generate excessive Chargebacks in relation to International Transactions. A Merchant is placed in the Global Merchant Chargeback Monitoring Program if any of its Merchant Outlets meets or exceeds all of the following monthly performance activity levels for International Transactions:
  – 200 Chargebacks
  – 200 Transactions
  – 2.0% ratio of Chargebacks to Transactions
Visa Acquirer Chargeback Programs
• An Acquirer is identified in the Global Merchant Chargeback Monitoring Program if it meets or exceeds all of the following monthly performance activity levels:
  – 500 international Chargebacks
  – 500 International Transactions
  – 1.5% ratio of international Chargebacks to International Transactions
  – One or more Merchants in the program during the reporting month
Source: Visa International Operating Regulations
MasterCard Merchant Audit Program (GMAP)
• The Global Merchant Audit Program (GMAP) is a fraud monitoring and management program that identifies merchants that exceed an acceptable level of fraud in any one month based on an established set of program criteria.
• Merchants have a specific period of time to address performance issues, after which, chargeback liability and fines may be applied.
MasterCard Excessive Chargeback Program (ECP)
• ECP is designed to closely monitor, on an ongoing basis, chargeback performance at the merchant level and to promptly determine when a merchant has exceeded or is likely to exceed monthly chargeback thresholds.
• The “chargeback-to-transaction ratio” or “CTR” is the number of MasterCard chargebacks received by a merchant in any given calendar month divided by the number of MasterCard sales transactions in the preceding month.
• You are considered to be an “Excessive Chargeback Merchant” (ECM) if in each of two consecutive calendar months you have a minimum CTR of 1% and at least 50 chargebacks in each month.
• This designation is maintained until the ECM's CTR is below 1% for two consecutive months.
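An added example (not from the deck or from either scheme) that applies the Visa Global Merchant Chargeback Monitoring Program levels and the MasterCard ECP entry and exit rules above to a constructed six-month history for one outlet. The thresholds are the slides' figures; the monthly counts are made up, and the preceding-month denominator for CTR is the detail most often got wrong in home-grown monitoring.

```python
from dataclasses import dataclass

@dataclass
class Month:  # one calendar month of an outlet's activity (constructed sample data)
    intl_chargebacks: int   # chargebacks on International Transactions
    intl_transactions: int  # International Transactions processed
    mc_chargebacks: int     # MasterCard chargebacks received this month
    mc_sales: int           # MasterCard sales transactions this month

def visa_merchant_flag(m: Month) -> bool:
    """Global Merchant Chargeback Monitoring Program: all three monthly levels must be met."""
    if m.intl_transactions == 0:
        return False
    ratio = m.intl_chargebacks / m.intl_transactions
    return m.intl_chargebacks >= 200 and m.intl_transactions >= 200 and ratio >= 0.02

def mastercard_ctr(months, i):
    """CTR for month i: chargebacks received in month i over sales in the preceding month."""
    if i == 0 or months[i - 1].mc_sales == 0:
        return None  # no preceding month on record, so no CTR yet
    return months[i].mc_chargebacks / months[i - 1].mc_sales

def ecm_timeline(months):
    """Excessive Chargeback Merchant status after each month under the ECP entry/exit rules."""
    status, ecm = [], False
    hit_streak = 0    # consecutive months with CTR >= 1% and >= 50 chargebacks
    clear_streak = 0  # consecutive months with CTR < 1%
    for i, m in enumerate(months):
        ctr = mastercard_ctr(months, i)
        if ctr is not None and ctr >= 0.01 and m.mc_chargebacks >= 50:
            hit_streak, clear_streak = hit_streak + 1, 0
        elif ctr is not None and ctr < 0.01:
            hit_streak, clear_streak = 0, clear_streak + 1
        elif ctr is not None:  # CTR >= 1% but fewer than 50 chargebacks: neither condition
            hit_streak, clear_streak = 0, 0
        if not ecm and hit_streak >= 2:
            ecm = True
        elif ecm and clear_streak >= 2:
            ecm = False
        status.append(ecm)
    return status

# Constructed six-month history (Jan..Jun) for one Merchant Outlet.
SAMPLE_MONTHS = [
    Month(150, 5000, 40, 5000), Month(250, 15000, 60, 5000),
    Month(250, 10000, 55, 5000), Month(100, 10000, 30, 5000),
    Month(100, 10000, 20, 5000), Month(100, 10000, 70, 5000),
]
```

On the sample, March is the first month that trips the Visa levels, the outlet becomes an ECM in March after two qualifying months, and it only sheds the designation in May after April and May both fall below 1%.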
Illegal or Brand-damaging Transactions
• You must not accept card payment for any transaction that is illegal, or in the sole discretion of the card brands, may damage the goodwill of the card brands or reflect negatively on the marks.
• The card brands consider any of the following activities to be in violation of this rule:
  – The sale or offer of sale of a product or service other than in full compliance with the law then applicable to the acquirer, issuer, merchant, cardholder, or the card brands.
  – The sale of a product or service, including but not limited to an image, which is patently offensive and lacks serious artistic value (such as, by way of example and not limitation, images of non-consensual sexual behaviour, sexual exploitation of a minor, non-consensual mutilation of a person or body part, and bestiality), or any other material that a card brand deems unacceptable to sell in connection with its mark.
AML
Completing the Anti-Money Laundering/Anti-Terrorist Financing Compliance Questionnaire
• Guarding against Card issuance and Merchant acquiring in circumstances that could facilitate money laundering or the financing of terrorist activities
• Identifying circumstances of heightened risk and instituting policies, procedures, controls, or other actions specified by Visa to address the heightened risk
• Providing a copy of anti-money laundering plan if requested
• Ensuring the adequacy of the applicable controls implemented by designated agents
Cardholder-Merchant Collusion (CMC) Program
• The Cardholder-Merchant Collusion (CMC) Program permits an Issuer to file a claim against the Acquirer associated with an identified fully collusive Merchant, and to seek partial recovery for fraud losses attributable to Transactions on Cardholder bust-out accounts conducted at a fully collusive Merchant.
  − The lesser of
    • one-half of the credit limit in effect at the time that the Issuer closed the Cardholder bust-out account, or
    • one-half of the actual amount of fraud losses
• The recovery eligibility and applicable conditions, procedures, and limits are described in this section.
Issuer Compliance Programs
• Fraud Reporting
• Bust-out merchant
• Fraud Compliance
• Data Security Compliance
• Transaction monitoring
• AML
Issuer Fraud Reporting
• An Issuer must report Fraud Activity to Visa through
VisaNet when either a:
− Fraudulent User has obtained a Card or Account Number
− Card was obtained through misrepresentation of
identification or financial status
• Fraud Activity Reporting Time Limit - CEMEA Region
A CEMEA Member must report Fraud Activity upon
detection, but no later than:
− 60 days from the Transaction Date
− 30 calendar days following the receipt of the Cardholder's
dispute notification, if the notification is not received
within the 60-calendar-day period
Issuer Notification to MasterCard
• If an Issuer believes that a Merchant is a fully collusive Merchant engaging in Transactions on a Cardholder bust-out account, the Issuer must notify MasterCard via e-mail at [email protected] within three calendar days of having such reason to believe. Transactions that occurred up to 180 calendar days before the date of the Issuer’s initial notification may qualify as eligible for recovery under the CMC Program.
Chargeback Management
• A Chargeback occurs when a credit or a payment for which an authorization may have been provided is reversed.
• It may result from a cardholder dispute, or when proper acceptance or authorization procedures were not followed.
• An excessive number of chargebacks may indicate that there is an issue with the merchant.
Chargeback Management

MASTERCARD CHARGEBACK REASON CODES
01 Requested transaction information not received
02 Requested/required information illegible or missing
08 Requested/required authorization not obtained
12 Account number not on file
31 Transaction amount differs
34 Duplicate processing
35 Card not valid or expired
37 No cardholder authorization
40 Fraudulent processing of transactions
41 Cancelled recurring transaction
42 Late presentment
46 Correct transaction currency code not provided
49 Questionable merchant activity
50 Credit posted as a purchase
53 Not as described/defective merchandise
55 Non-receipt of merchandise
57 Credit card activated telephone transaction
59 Services not rendered
60 Credit not processed
62 Counterfeit transaction — magnetic stripe POS fraud
63 Cardholder does not recognize — potential fraud

VISA CHARGEBACK REASON CODES
33 Duplicate processing
35 Missing signature
38 Merchandise/services not received by the cardholder or authorized person
39 Missing imprint
44 Transaction exceeds floor limit and not authorized/declined authorization
45 Copy not received within the required timeframe
49 Other