The Payment Device – An
Exploration Into New
Technologies and
Methodologies
Chris Lomax
Head of Marketing - EMEA
Agenda
- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices
2
Focus on Security
Sources of Point of Card Fraud
 Card Fraud
 Transaction logs and database hacks
 Device and line tapping
 Data Communications
3
Card Fraud
 Protecting Customers
• In 2005, UK Card Fraud excluding Card Not Present reduced by 28%
(£98M) – Chip and PIN / EMV
• In 2005 UK Card Fraud, Card Not Present increased by 21%
(£33M)
• US - “Credit card fraud (28%) was the most common form of
reported identity theft….” - 2004 Federal Trade Commission
4
Transaction Logs or Database Hack
ePOS software logs can contain mag-stripe data.
"01/01/05 18:26:04",">> ATV1Q0<CR>"
"01/01/05 18:26:04","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:05",">> ATE0V1<CR>"
"01/01/05 18:26:05","<< <CR><LF>OK<CR><LF>"
"01/01/05 18:26:52",">>
<STX>D4.99999599999999991100119911QR8408403141932620
07055999Y103954@D5473500000000014=051210199998888777
76<FS><FS><FS>100<FS><FS><FS>Phantom Auto Parts
Huntsville AL<FS><FS><FS>000<ETX>N <CR><LF>ContentType: x-VISA-II/x-auth<CR><LF>"
"01/01/05 18:26:53",">> Connected ssl.pgs.wcom.net 443"
"01/01/05 18:26:54","<<
<STX>E4.A001199115103900VITAL8051705182654APPROVAL
862445 0513722502322 0000123456789 <FS>
<FS>000<ETX>;"
5
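The log above is the artefact a merchant audit looks for: a full track-2 field (PAN, expiry, service code, discretionary data) written to disk by ePOS software. As an added example, not part of the original deck and not Verifone code, the Go program below scans constructed log lines for track-2 fields and bare PANs, filters candidates with the Luhn check so order numbers and timestamps are not reported, lists findings with the PAN masked to first six and last four digits, and redacts the line so the log itself can be retained. The sample lines and the PANs in them (4111111111111111, 5555555555554444) are constructed; the scanner works on maximal digit runs, so a PAN glued to other digits with no separator is not detected.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// A maximal digit run, optionally followed by "=" and more digits: the track-2
// layout (PAN=expiry+service code+discretionary data) seen in ePOS logs.
// Scanning maximal runs avoids matching 16 digits inside a longer number.
var digitRun = regexp.MustCompile(`[0-9]+(?:=[0-9]+)?`)

// LuhnValid reports whether a digit string passes the Luhn check that every PAN
// passes; it removes most false positives from timestamps and reference numbers.
func LuhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// splitRun separates a match into the PAN and the optional track-2 tail.
func splitRun(run string) (pan, tail string) {
	if i := strings.IndexByte(run, '='); i >= 0 {
		return run[:i], run[i+1:]
	}
	return run, ""
}

// isPAN applies the two cheap filters: plausible PAN length (13-19) and Luhn.
func isPAN(s string) bool { return len(s) >= 13 && len(s) <= 19 && LuhnValid(s) }

// maskPAN keeps the first six and last four digits, the usual truncation rule.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Finding is one reportable hit: which line, bare PAN or full track-2, masked PAN.
type Finding struct {
	Line      int
	Kind      string // "track2" or "pan"
	MaskedPAN string
}

// ScanLog reports every Luhn-valid PAN or track-2 field in the lines.
func ScanLog(lines []string) []Finding {
	var out []Finding
	for n, line := range lines {
		for _, run := range digitRun.FindAllString(line, -1) {
			pan, tail := splitRun(run)
			if !isPAN(pan) {
				continue
			}
			kind := "pan"
			if tail != "" {
				kind = "track2"
			}
			out = append(out, Finding{Line: n + 1, Kind: kind, MaskedPAN: maskPAN(pan)})
		}
	}
	return out
}

// RedactLine masks PANs and blanks the whole track-2 tail; other digits are left alone.
func RedactLine(line string) string {
	return digitRun.ReplaceAllStringFunc(line, func(run string) string {
		pan, tail := splitRun(run)
		if !isPAN(pan) {
			return run
		}
		if tail == "" {
			return maskPAN(pan)
		}
		return maskPAN(pan) + "=" + strings.Repeat("*", len(tail))
	})
}

// SampleLog: constructed lines in the style of the slide's ePOS log, using test PANs.
var SampleLog = []string{
	`"01/01/05 18:26:05","<< <CR><LF>OK<CR><LF>"`,
	`"01/01/05 18:26:52",">> <STX>D4.999@D4111111111111111=0512101999988887<FS><FS>100<FS>Sample Store<ETX>"`,
	`"01/01/05 18:27:10","order 1234567890123456 posted to batch 07"`,
	`"01/01/05 18:27:11","auth ref 5555555555554444 approval 862445"`,
}

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("line %d: %s %s\n", f.Line, f.Kind, f.MaskedPAN)
	}
	for _, line := range SampleLog {
		fmt.Println(RedactLine(line))
	}
}
```

Run against a real log directory, the findings list is the evidence for the audit and the redacted output is what gets kept; the order-number line shows why the Luhn filter matters, since it contains sixteen digits that are not a card number.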
Tapping
A device is inserted into a payment device or attached to the line, and card information is collected and either later retrieved or immediately transmitted.
Surface mount
assembly, with
removable
storage media
Wireless device
transmitting data
over a range of 200m
6
Street Prices
7
Contributed by AmbironTrustWave 2005
Proactive Industry Stance
 PCI – Payment Card Industry Standards
• Physical Security of Pin Accepting devices – PCI PED
• Data Center Security – PCI DSS
• Internet and Wireless Communication Standards
8
PED Certification Timeline
 1 January 2004: VISA-PED approval of all newly deployed POS PED devices
 1 October 2004: PCI PED process required for ALL new devices
 December 2004: Completion date for old VISA PED process certifications
 2006: Next Scheduled Review Process
 July 2010: All installed PEDs must be Visa PED or PCI Approved
Approved devices list found at www.visa.com/PIN
9
PCI Data Security Standard
All merchants Must Comply
10
MasterCard IP-Enabled POS Security
 Security standards for IP-Enabled POS devices
• Encryption of transaction data between POS device and acquirer
 Vendors and acquirers required to provide compliant
solutions
 MasterCard introducing Internet Protocol POS Terminal
Compliance Testing Program
 Acquirer responsible for obtaining MasterCard approved
solution
 MasterCard Reference documents:
• Internet/IP-Enabled POS Terminals, Security Guidelines – Oct 05
• Internet/IP-Enabled POS Terminals, SSL/TLS Implementation
Guidelines – Oct 05
11
Timelines
1st April 06
 Acquirers ensure new wireless and IP-enabled terminals
are submitted for evaluation and approval
1st Sept 06
 All newly deployed wireless and IP-enabled terminals
support encryption and comply with mandate
3rd Jan 07
 Acquirers must upgrade all non-compliant wireless and IP-enabled terminals
12
Security Leadership
VeriFone has lead representation on industry
security forums defining and driving many
security features and innovation
Powerful products engineered specifically to meet
the most demanding security requirements:
 Terminal hardware
 Software architecture
 Communications security
13
VeriFone Security Model
POS Terminal Hardware
 Application separation assured by secure memory
management unit
 EMV Level 1 Certified hardware
 High security for PIN entry with DES, 3DES, RSA and AES
• PED certifications: Infogard, TNO and T-Systems
 Tamper evident mechanisms
 Tamper proof mechanisms
 Security PED fence / mesh
14
VeriFone Security Model
POS Terminal Software
 Application separation by multi-application OS – Verix V
 EMV Level 2 certified
 VeriShield digital certification for files and applications
 TLS 1.0 and SSL 3.0 (RSA, MD5, SHA-1, 3DES, RC4)
• Full client and server side mutual authentication - addresses WiFi
and GPRS security weaknesses
 Client digital certificate authentication (SSL VPN)
15
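The "full client and server side mutual authentication" bullet is the control that matters on WiFi and GPRS: the terminal accepts only a host certificate issued by its acquirer, and the host accepts only a terminal holding a certificate it issued. As an added example, not Verifone code and not the Verix platform, the Go program below builds a throw-away PKI in memory (a constructed acquirer CA, one host certificate and one terminal certificate; all names are placeholders), then runs one session over loopback with Go's standard crypto/tls: the host requires a terminal certificate chaining to the CA, the terminal verifies the host against that CA alone, and the same function called without a terminal certificate shows the rejection. The floor is set to TLS 1.2 rather than the TLS 1.0 / SSL 3.0 listed on the slide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and certificate for name. With isCA the
// certificate is self-signed (the constructed acquirer CA); otherwise it is
// signed by parent/parentKey.
func issue(name string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Exchange runs one session over loopback between a constructed acquirer host
// and a constructed terminal. withTerminalCert=false exercises the rejection path.
func Exchange(withTerminalCert bool) (string, error) {
	ca, caKey, err := issue("acquirer-ca.example", true, x509.ExtKeyUsageAny, nil, nil)
	if err != nil {
		return "", err
	}
	host, hostKey, err := issue("host.example", false, x509.ExtKeyUsageServerAuth, ca, caKey)
	if err != nil {
		return "", err
	}
	term, termKey, err := issue("terminal-0001.example", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool() // the only trust anchor on either side
	pool.AddCert(ca)

	hostCfg := &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{host.Raw}, PrivateKey: hostKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // server-side half of mutual authentication
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", hostCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// The handshake fails here when the terminal presents no certificate from the CA.
		if conn.(*tls.Conn).Handshake() == nil {
			conn.Write([]byte("APPROVED"))
		}
	}()

	termCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    pool,           // client-side half: host must chain to the acquirer CA
		ServerName: "host.example", // and its certificate must name the expected host
	}
	if withTerminalCert {
		termCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{term.Raw}, PrivateKey: termKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), termCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 16)
	n, err := conn.Read(buf) // with TLS 1.3 the host's rejection surfaces on the first read
	if err != nil {
		return "", fmt.Errorf("host rejected session: %w", err)
	}
	return string(buf[:n]), nil
}

func main() {
	reply, err := Exchange(true)
	fmt.Println("with terminal certificate:", reply, err)
	_, err = Exchange(false)
	fmt.Println("without terminal certificate:", err)
}
```

The two calls in main are the check to keep in a deployment test: a session with the issued terminal certificate completes, and one without it is refused by the host rather than silently downgraded to server-only authentication.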
Future Threat – AntiVirus
 The threat from software viruses is no
longer confined to the PC market
 The IP-enabled terminal market is
growing at a rapid pace
 Although no immediate risks are evident,
utilising cost-effective, secure and efficient
Internet communications may have future risks
 Hackers are always working to be
malicious or to steal
 Before viruses existed for personal
computers no one had virus protection
16
Preventative Measures
 Industry’s first anti-virus security for POS terminals
 Aims at minimising business impact from potential
future unknown risks
 Leverages the McAfee malware detection
engine for embedded systems
17
Agenda
- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices
18
Contactless Technology in Payments
 Transponders (sub $1.00 COGS)
• Low Bandwidth, no read/write
• Automated Toll collection systems
• Mobile Speed Pass
 Contactless Chip Cards ($2-$3)
• 13.56 MHz ISO 14443 A & B
– more security and complex applications
– MIFARE, MasterCard, Amex
• FeliCa (14443 C non-ISO)
– Proprietary Sony protocol popular in ASPAC
– Not fully accepted as international standard (with controls)
19
Near Field Communication (NFC)
 Next stage technology migration for contactless
 Developed and endorsed by all key constituents (Philips, Sony, Nokia,
MasterCard…)
 Key to enabling personal devices to become payment devices
 Merchants still need ISO 14443 readers (today’s can be SW upgraded)
20
Merchant Value Proposition
21
VeriFone’s Market Commitment
Roadmap to leverage emerging opportunities
 Multi-Lane, Consumer facing
 Unattended Environments
 Integrated with Handover Devices
 Peripheral to Countertop Devices
22
Agenda
- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices
23
Internet and the IP Revolution
 IP has changed how business is conducted
• E-Commerce
• Entertainment/Movies/Music
• Telecom industry
• Payment industry
 Via IP & IP technologies, it is now possible to have
ACCESS to services that were not previously accessible
 We are no longer bound to “traditional” transaction
networks
 We can leverage the “Internet” to provide services to
customers around the globe
24
The IP Value Proposition
 Faster, Better, Cheaper
 Long term infrastructure cost reduction through multiple
advanced communications options
 More secure transactions
 Improved merchant retention via
best use of new technologies
 Potential for multiple new business
models
 Rapid time to market
 Verifone is well positioned in this space
25
IP Based Payment In Action
And the list goes on and on….
26
Wireless Industry Technologies
[Chart: Bandwidth (Mb/s, 0.01 to 100) against Mobility (Km, 0.01 to 100), spanning Personal Area Network (PAN), Local Area Network (LAN), Metropolitan Area Network (MAN) and Wide Area Network (WAN) technologies: Bluetooth, WI-FI, WIMAX, 4G, 3G - EDGE/WCDMA/CDMA2000 1x EV, 2.5G - GPRS/CDMA2000 1X, 2G - GSM/CDMA/TDMA]
27
Enablers And Facilitators
 Internet revolution - mass adoption of Broadband
• Low cost IP connectivity
• Always-on high speed transactions
• Eliminate need for dedicated dial-up lines and low speed private networks
 Wireless connectivity - IP everywhere
• Mobile payments – WiFi and GPRS
• No fixed cabling – dynamic stores layout
 Standardised platforms
• Multi-application support
– Credit
– Debit
– Pre-Authorised / Pre-Paid Debit
– Loyalty
– Gift Card
– Mobile top-up
– etc
28
IP Enabled - Value Added Services
Internet meets POS browser based services
 Complementary to terminal based payment applications
 Web hosted applications
 Reduce time to market for new applications
 No limit to number of applications at point of sale
 Software development costs are reduced
 No terminal migration issues
29
IP Enabled - Value Added Services
[Diagram: Terminal running thin-client browser, connected over the IP network to the Application Hosting Service (Web Server, Business Logic, Database)]
30
Enhanced Communication Leadership
 The first modular design with multiple communications options
 The first Ethernet solution
 The first CDMA solution
 The first Wi-Fi solution
 The first Micro-Browser solution
 The first SSL based security solution
 And we keep raising the bar…
31
Agenda
- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices
32
SEPA and Payment Terminals
 Single European Payments Area (SEPA)
 The objective of SEPA is for a single market payments area
• Open, competitive market
• Coherent legislation and regulation
• Preventing fraud
• Standardisation
 It covers retail payment instruments:
• Cash (the €uro notes and coins are already in circulation)
• Direct debits and bank giros
• ATM cash transactions
• Credit and debit cards
 SEPA standards are to be implemented
• Starting in 2008 through to 2010
33
SEPA Card Framework (SCF)
 The Framework is aimed at building an environment in
which there are no technical, legal or commercial barriers to
stand in the way of cardholders, banks and merchants
choosing and using SCF compliant payment and ATM
access card products
 Approved Framework published 8 March 2006 as version 2
34
Implications for Terminal Solutions
 Single security standard
• Endorse the use of PCI PED
• Or one standard approval across all SEPA region
• Elimination of multiple national standards – GIE CB, UK CC, ZKA, C-TAP,
SAKO-I…..
 Standardised cardholder interface process
• The keying / transaction sequence to be standardised
• Display language based on card issuer ISO code
 European Payments Council (EPC) to provide SEPA Governance
 EPC membership to be open to vendors (associate members)
• Standards Working Groups
 Out of Scope
• Standard host interface message
– All data elements already in most national / proprietary formats
– Forcing this will delay implementation
– Encourage gradual migration to a standard interface
• No TMS, or File Transfer standards needed
35
Agenda
- Focus on Security
- Contactless Solutions
- Internet Communications
- SEPA
- Next Generation Consumer Devices
36
Evolution of the PIN Pad
 Today’s PIN pad has evolved to tomorrow’s
“client-facing terminal”
 Enhanced communications allow
individualized messaging
to each client
 Content Driven
• Grab attention with animations or video
with Screen Savers, Videos, Banners,
Pop-ups and multi-media content and
commercial images to uplift your brand
37
Content Evolution
What content?
38
Present your message brilliantly
 Move away from the limitations of static images and leverage
the same attention-getting dynamic messaging you used on
television, plasma displays, digital signage, the Web and in
print right where the consumer is
• Reinforce Brand image using
– Special Promotions
– Screen Saver
– Customised product
 Revenue Generation Potential
 Communicate with the
consumer without slowing
transactions using video
and animations
39
VeriFone - Track Record of Innovation
VeriFone Wins Frost & Sullivan 2005
Product Line Strategy Leadership Award
 Innovative payment transaction solutions
 Value added services at the point of sale
 Superior insight into customer needs
Frost & Sullivan, founded in 1961, is recognized as a global marketing research
and solution leader, with offices located worldwide.
40
Questions
41