Security proposal on mobile payment
Yan Liu, [email protected], atsec China
CISSP, CC Evaluator, ISO/IEC 27001 LA, CNAS Auditor, PCI QSA, PA DSS QSA, ASV
atsec public
Sep 2012, 13ICCC, Paris
The Definition – From Wikipedia

Mobile payment, also referred to as mobile money, mobile banking, mobile money transfer, and mobile wallet, generally refers to payment services operated under financial regulation and performed from or via a mobile device.

Financial institutions and credit card companies, as well as Internet companies such as Google and a number of mobile communication companies, such as mobile network operators and major telecommunications infrastructure and handset multinationals such as Ericsson, have implemented mobile payment solutions.

Mobile payment is an alternative payment method. Instead of paying with cash, check, or credit cards, a consumer can use a mobile phone to pay for a wide range of services and digital or hard goods.

There are four primary models for mobile payments: Premium SMS based transactional payments, Direct Mobile Billing, Mobile web payments (WAP), and Contactless NFC (Near Field Communication).
PCI DSS as a best practice

- Sensitive data should be encrypted using industry-standard methods when stored on disk or transmitted over public networks.
- Cryptographic protocols (such as SSL v3.0) for data transmission; the website and interface are accessible via certificates issued by authorized parties.
- Strong cryptographic algorithms and well-designed and well-implemented key management (FIPS 140-2 could be considered during the implementation).
- Install security updates and patches on all system components.
- Security hardening: settings of applications and devices are tuned to ensure appropriate levels of protection.
- Networks are strictly segregated and strong access controls are in place, e.g. restrictive firewalls protect all connections between networks.
- Audit management and security monitoring.
- Authentication: password complexity, two-factor authentication for remote access, etc.
- Physical security.
The affected business areas for the security solutions on mobile payment cover IT infrastructure, IT process, organization and also documentation. A standards-combined approach is used for the overall security proposal, including standards like CC (introduces a security development and risk management methodology), FIPS 140 (cryptographic module and key management), PCI DSS (payment industry best practice), ISO/IEC 27001 (information security management system), etc. Various technical expertise and services are required, including virtualization, encryption/key management, security monitoring, security architecture, large scale risk assessment, penetration testing, and in-depth security analysis.
A protection profile on mobile payment application could be drafted based on this paper, and proposed further by the CC and payment industry.