PCI TF: Payment Card Industry Trust Framework. A Case Study of a Monetized Identity System. Sid Sidner (TooTallSid), Ping Identity, [email protected], @TooTallSid
Page 1: Pcitf   iiw10

PCI TF

Payment Card Industry Trust Framework

A Case Study of a Monetized Identity System

Sid Sidner (TooTallSid)

Ping Identity

[email protected]

@TooTallSid

Page 2: Pcitf   iiw10

Consumer Merchant

Cash

Page 3: Pcitf   iiw10

Consumer Merchant

Acquirer Issuer

Payment Networks

Payment Card: Payment Flow (Settlement)

Page 4: Pcitf   iiw10

PCI – Payment Card Industry

• Brands (aka Associations)
  – Visa
  – MasterCard
  – American Express
  – Discover
  – JCB
• Issuer oriented
• Operating rules
• Risk management: On-us vs. Not on-us

Page 5: Pcitf   iiw10

Visa EU Ecosystem - 2006

Page 6: Pcitf   iiw10

Consumer Merchant

Acquirer Issuer

Payment Networks

Payment Card: Identity Flow (Authorization)

5558 0101 0000 0001

Page 7: Pcitf   iiw10

The Identity Transaction

• Identifier
  – PAN – Personal Account Number
    • Scheme and BIN (Bank Id Number) embedded in PAN to allow routing
• Claim
  – Authorize transaction for payment?
    • Authorized or Declined
• A Bob Blakley Identity Oracle – no identity data leakage
• Consumer has privacy
• Issuer can monetize being an IdP
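
The authorization exchange on this slide, sketched as an added example (not part of the presentation): the network routes on the BIN embedded in the PAN, and the issuer answers only Authorized or Declined. The BIN table, ledger and all function names are constructed for illustration, and the scheme check covers only the Visa and MasterCard 51-55 prefixes.

```python
from dataclasses import dataclass

# Constructed sample data, not real issuers or accounts.
BIN_TABLE = {"555801": "issuer-a", "400000": "issuer-b"}
LEDGER = {
    "issuer-a": {"5558010100000001": {"name": "A. Cardholder", "available_cents": 25_000}},
    "issuer-b": {},
}

@dataclass(frozen=True)
class AuthRequest:
    pan: str            # the identifier: the only consumer data the merchant sends
    amount_cents: int   # the claim being asked about: "authorize this payment?"

def scheme_of(pan: str) -> str:
    """Scheme from the leading digits (two of the brands on the earlier slide)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    return "unknown"

def route(pan: str) -> str:
    """Network side: pick the issuer from the BIN (first six digits of the PAN)."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or len(digits) < 6:
        raise ValueError("malformed PAN")
    issuer = BIN_TABLE.get(digits[:6])
    if issuer is None:
        raise LookupError("no issuer for BIN")
    return issuer

def issuer_decide(issuer: str, req: AuthRequest) -> str:
    """Issuer side: consult private account data, release only the verdict."""
    account = LEDGER[issuer].get(req.pan)
    if account is None or req.amount_cents > account["available_cents"]:
        return "Declined"
    return "Authorized"

def authorize(pan: str, amount_cents: int) -> str:
    """Merchant -> acquirer -> network -> issuer, collapsed into one call."""
    digits = pan.replace(" ", "")
    try:
        issuer = route(digits)
    except (ValueError, LookupError):
        return "Declined"   # unroutable requests fail closed
    return issuer_decide(issuer, AuthRequest(digits, amount_cents))
```

The merchant-facing return value is a bare string: the cardholder name and available balance in the ledger never leave `issuer_decide`, which is the "no identity data leakage" property the slide attributes to the identity oracle.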

Page 8: Pcitf   iiw10

EMV Payment Cards

• EMV – Europay, MasterCard, Visa
• Chip
  – Tamper Resistant Security Module
  – Contains secrets and crypto to use them
• Secures all aspects of a purchase
  – Authenticates Card
  – Authenticates User
  – Ensures Integrity of Transaction
• Chip & PIN
  – PIN (Personal Id Number) verified on card
• Online Chip
  – PIN verified at issuer
• Contact & Contactless

Page 9: Pcitf   iiw10

OITF

Page 10: Pcitf   iiw10

PCITF

PCI Brand (e.g. Visa)

Operating Rules

Issuers

Merchants

Consumers

PCI DSS Assessors

Brand certifiers

Acquirers

Page 11: Pcitf   iiw10

Consumer/Taxpayer Merchant

Acquirer Issuer

Payment Networks

EMV Value Propositions

• Issuer fraud reduction

• Peace of mind

• Malware protection

• Identity theft protection

• User centered identity

• PCI compliance cost reduction

• Avoidance of end-to-end encryption cost

• Fraud reduction

• Reduced interchange fees

• Higher spend

• National security protection

• Identity provider fees

• Online enrollment
