PSC – Confidential – All Rights Reserved Tony Bates Mobile Payment Security The Good, the Bad and the Ugly.

Mar 29, 2015

Transcript
Page 1: PSC – Confidential – All Rights Reserved Tony Bates Mobile Payment Security The Good, the Bad and the Ugly.

PSC – Confidential – All Rights Reserved

Tony Bates

Mobile Payment Security The Good, the Bad and the Ugly

Page 2

This Presentation

This presentation is a discussion of the business issues
- Poses questions rather than providing answers

This presentation is NOT a technical presentation
- No techy twaddle

Page 3

Payment : Security : Compliance

With offices in the USA, Canada, UK and Australia, PSC is a leading global PCI and PA-DSS Assessor and Approved Scanning Vendor.

One of a select few companies qualified worldwide to provide expert services and solutions to organizations that require specialist compliance or consulting support in the areas of Payments, Security or Compliance.

Our focus is exclusively on Clients that accept or process payments or technology companies in the payment industry.

To ensure Independence, PSC does not represent, resell or receive commissions from any third party hardware, software or solutions vendors.

Page 4

What is Mobile Payments?

Payment Presentment
- ✔ Digital Wallets
- ✔ Mobile Web payments
- ✔ Online Wallets
- ✔ NFC Contactless
- ✔ Cash
- ✔ Checks
- ✔ Credit/Debit Card
- ✔ FastTrack
- ✔ Vehicle License Plate

Payment Acceptance
- ✔ Mobile Point of Sale
- ✔ Smart Phone
- ✔ PDA
- ✔ iPad/Tablet
- ? Bus or Train
- ? Laptop
- ✗ Desktop

Page 5

Mobile Payment Software - Presentment

Security is the card holder's responsibility
- Card company's Cardholder Agreement

No industry standards for digital wallets solutions

Wallet application security?

Wallet interoperability?

Multiple payment instruments in a single wallet?
- Which one is "on top"?

What about release of personal data?

Page 6

Mobile Payment Software - Interoperability

Too many protocols
- IP over 3G/4G
- Bluetooth
- NFC

Too few “true” standards

Solutions tend to be monolithic
- Chicken-and-egg problems with adoption
- Lack of compatibility with other solutions
- Security models vary greatly in maturity

Page 7

Mobile Payment Software - Acceptance

Payment Card Industry Security Standards Council
- PCI Data Security Standard (PCI DSS)
  - Applies to Service Providers and Merchants
- Payment Application Data Security Standard (PA-DSS)
  - Applies to payment applications used by Service Providers and Merchants

Card Company Regulations

State Regulations regarding Personal Information

Page 8

OK for PA-DSS

Category 1
- Payment application operates only on a PTS-approved mobile device.

Category 2
- Payment application meets ALL of the following criteria:
  - Payment application is only provided as a complete solution "bundled" with a specific mobile device by the vendor
  - Underlying mobile device is purpose-built (by design or by constraint) with a single function of performing payment acceptance
  - Payment application, when installed on the "bundled" mobile device (as assessed by the Payment Application Qualified Security Assessor (PA-QSA) and explicitly documented in the payment application's Report on Validation (ROV)), provides an environment which allows the merchant to meet and maintain PCI DSS compliance.

Page 9

NOT OK for PA-DSS

Category 3
- Payment application operates on any consumer electronic handheld device (e.g., smart phone, tablet, or PDA) that is not solely dedicated to payment acceptance for transaction processing

Page 10

Visa Mobile Acceptance Best Practices

Consumer Mobile Device:
- Any electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance and that has the ability to wirelessly communicate account data (via GSM, GPRS, CDMA, etc.) for transaction processing.

Mobile Payment Acceptance Solution:
- Consists of a mobile payment application, a consumer mobile device and, where account data is electronically read from a payment card, a hardware accessory capable of reading account data.
- Solutions that do not electronically read account data may not be acceptable in all territories or may face some restrictions. Clients must review local Visa Operating Regulations prior to providing mobile payment acceptance solutions to merchants.

Page 11

MasterCard PA-DSS Mandate

Effective 1 July 2012, MasterCard will revise the MasterCard SDP Program Standards to require all merchants and Service Providers that use third party-provided payment applications to only use those applications that are compliant with the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS), as applicable.

The applicability of the PCI PA-DSS to third party-provided payment applications is defined in the PCI PA-DSS Program Guide.

In addition, MasterCard will establish a new PA-DSS compliance validation requirement for Level 1, Level 2, and Level 3 merchants as well as Level 1 and Level 2 Service Providers.

Page 12

Mobile Payment Security Testing

Current solutions choose time-to-market over security
- E.g. Square – currently no encryption in readers

The usual “web” tools don’t do it

Much more technical and specialized than the web

A must:
- Complexity breeds security problems
- Multiple protocols, devices, networks
- Good penetration testing by experts

Page 13

Apple “iWallet” patent – Parental Controls

Granted on Tuesday March 6
- A method, comprising: defining one or more rules using a handheld electronic device, wherein the one or more rules establish restrictions on transactions made using a financial account associated with an account holder other than the user of the handheld electronic device; and applying the one or more rules to the financial account.

Page 14

Summary

Poor definition of the marketplace
- Hard to define security solutions and standards

Standards don't fully apply – or protect

Card brand mandates cover the way they would like to see the industry
- Not the way the industry is

Risk-based assessments and penetration testing are poor in this area
- Not enough experts

Page 15

Questions

Tony Bates [email protected] +1 408-228-0961