Secure mobile payments getting the balance right

Presentation on theme: "Secure mobile payments getting the balance right"— Presentation transcript:

1 Secure mobile payments getting the balance right
Richard Martin, Payment System Security, Visa Europe
Royal Holloway University of London, 7 September 2013

2 Visa Europe
- Owned and operated by over 3,745 European member banks
- In October 2007 Visa Europe became independent of the new global Visa Inc., with an exclusive, irrevocable and perpetual licence in Europe
- Almost 466 million Visa cards have been issued in Europe
- In the 12 months ending September 2012, point of sale spending totalled over €1.3 trillion
- Fraud continues to decline and has fallen to €4 in every €10,000 as at September 2012 (0.04%)
Visa Europe Mobile POS & Acceptance

3 European commerce is changing
- €1 in every €6.75 of consumer spend is on Visa cards
- E-commerce: 25% of Visa spend, growing +200% vs face-to-face
- Mobile: 50% of Visa transactions by 2020
- Contactless: 1 in every 6 Visa cards in Europe
The way that people research, reach and follow through on their buying decisions has shifted. Their needs and behaviours are changing, and you can see that very clearly in the Visa Europe figures. Across Europe, €1 in €6.75 of consumer spending takes place on a Visa card. E-commerce is 25 per cent of the total, growing twice as fast as face-to-face (11 per cent compared to six per cent). By 2020 we are predicting that 50% of all Visa transactions will be made via mobile devices. 1 in every 6 Visa cards in Europe is contactless. But that's not all…

4 Striking the balance
Acquirers, Issuers, Merchants, Cardholder

5 The Visa Europe Payment System Risk Strategy
- Focus our protection efforts on residual risks
- Design solutions that are secure from the outset
- Reinvigorate the data security debate
- Understand the level of complexity
- Provide cost effective solutions for all stakeholders
For data security to be meaningful, it must be applied sensibly. A security and compliance policy that relies on a single solution, a single approach and a single correct answer is not likely to succeed in its objectives.

6 Manage Evolving Risks
1 Enhanced Authentication: protect cardholder data. Continue deployment and use of robust authentication platforms, key to the stability of the payment systems of the future.
2 Data Devaluation: protect cardholder data by limiting its availability. Visa Europe has been instrumental in defining global practices for complementary security technologies.
3 Data Protection: additional protection is required for data which can be reused and cannot be devalued. The Payment Card Industry Data Security Standard (PCI DSS) has been fundamental in raising awareness and fighting fraud.

7 Let's focus the rest of this session on mobile, and consider how mobile technology is helping payments to evolve. First, let's look at the basic models for how mobile devices can be used in a payments situation…

8 Visa’s mobile payment services
- Mobile POS
- Person to Person (Visa Personal Payments): send money from a Visa card to any Visa card, anywhere in the world, using a mobile phone number or PAN
- Contactless (Visa payWave for Mobile): use a mobile device to shop conveniently, quickly and securely in a face-to-face environment

9 Making payments vs. Accepting payments
A Merchant uses his phone to:
- Accept and process payments from customers
- He will handle many card payments from many customers
A Cardholder uses her phone to:
- Enter her card details into a web form
- Store her card details (or a token) in a wallet
- Store her card details on a secure element (e.g. contactless)
The key take-away from this slide is that cardholders and merchants face very different risks from each other, and present different risks to the payment system.

10 Threat Axes and Vulnerabilities
- Over the channel: SMS / USSD; voice; data (GPRS / Wifi / Bluetooth…)
- Operating system: hidden processes and applications
- User behaviour: user interface, complexity, user awareness
- Mobile registration and ownership
Diagram labels: Embedded, Mobile Network Provider, The Owner

11 Recent news
- 76% of Android malware profit motivated (Q1 2013)
- HTML5 framework hacks
- Android Security Squad and Bluebox Security: "Master Key" attacks
- SIM hack, Security Research Labs

12 What exactly are we trying to protect?
Basically any data whose theft or modification could cause financial or reputational harm to Visa, its Members and users.
Key assets at risk:
- Cardholder data (CHD): PAN, expiry date
- Sensitive authentication data (SAD): CVV (full track data), CVV2, PIN, cryptograms
Note that PCI DSS classes the card verification values with sensitive authentication data rather than with cardholder data, and SAD may not be stored after authorisation, even in encrypted form.

13 Q. What can we do to secure the mobile phone?
Not a lot. Issuers and acquirers need to cater for hundreds of millions of cardholders and millions of merchants.
- Mobile Device Management?
- User policies: enforced AV, restrictive Ts & Cs?
- Enforce certification of handsets against security standards?
The reality is that card issuers and acquirers will need to take mobile devices as they come. Our security strategy must take this into account.

14 Innovation with tradition Criteria for mobile POS & acceptance
- Honour all cards: chip & magstripe
- Security: lowering standards would threaten the system
- Familiar & trustworthy: user experience
- Benefits for all
- Visa: trusted brand
If any payment service is to be widely adopted, it must bring benefits to all participants. Having always operated at the centre of the payments ecosystem, Visa Europe recognises this fact better than most, so we have thought through the propositions from every perspective. We have also thought about the value that's created by each individual component. Irrespective of whether our services are used on their own or as part of a wider, integrated offer, the business case still stacks up.
Consumers get convenient, fast and secure ways to pay, provided by the brands they already trust (Visa and their bank) and integrated into the personal finance and payment products they already use.
Retailers are able to deliver a quicker, more convenient experience to their customers. We can also help them to trade across multiple channels, we bring increased business efficiencies, we enable them to build on existing investments (e.g. in EMV and payWave), and we can help them to identify and target customers with personalised offers.
Banks can offer an integrated online and mobile banking and payments experience which builds on your existing Visa investments and is operated via your existing technical connections and interfaces. Crucially, as a European association, we are committed to working on behalf of our members, making sure that you have the necessary fire power to win in the new world of payments. We are focused not just on future payment flows, but also on the interests of our European members.

15 Visa Europe’s position on mobile acceptance devices
Diagram: Secure Hardware Accessory → Mobile environment → Processor / Point of Decryption. Card data is protected in line with Visa's Encryption & Tokenisation Guidelines.
What about those new mobile payment services that are emerging all over the world which are aimed at micromerchants, the ones where a merchant is given a card reader that plugs into the smartphone, turning it into a payment terminal? Our approach to security here is to recognise that the mobile device (phone/tablet) is itself an insecure device, and to develop requirements that effectively remove the mobile device from the security domain. This is done by ensuring that card data is only seen and processed by the secure card reader, which encrypts it to ensure that it is never available on the phone itself. This approach is in line with Visa's encryption and tokenisation guidelines and ensures that this exciting and fast-growing development of card payments remains as secure as possible while still meeting the lower costs that are attractive to the micro-merchant market.

16 Mobile solutions not permitted by Visa Europe (1/4)
"App" with manual key entry of card data on a merchant owned mobile device
- Software only solutions with no hardware accessory
- App downloaded on the merchant's phone
- Card data keyed on the merchant's phone; transactions processed as e-comm or MOTO
- Compliance: acquirers will have 30 days from publication of the Member Letter to provide a plan for removal of these "apps" from the market
- Entry of card data on a merchant mobile device cannot be PCI certified at this time; this also includes PIN entry

17 Mobile solutions not permitted by Visa Europe (2/4)
Hardware accessory with a magstripe only reader (used with a merchant owned mobile device)
- Solutions with a magstripe only reader: no chip reader, no PIN pad; transactions sent as a magstripe transaction or as MOTO or e-comm transactions
- Solutions where card data is captured electronically (via a magstripe or chip reader) to populate the data fields of an "app" residing on a merchant mobile device more quickly: equivalent to solutions where card data is manually entered on the merchant mobile device, therefore not permitted
- Europe is a region where chip is required, so this type of solution is not suitable

18 Mobile solutions not permitted by Visa Europe (3/4)
Hardware accessory with a chip reader but no PIN pad (used with a merchant owned mobile device)
- Solutions with a chip reader, no PIN pad, with or without magstripe; transactions sent as chip transactions
- A PIN pad is required in Europe, so this solution is not suitable
- "Honour All Cards" is a must: key entry of card data on a merchant phone is not permitted, so magstripe support is required
Waiver conditions will apply:
- Magstripe support cannot be waived
- Contactless support encouraged
- PCI SRED certification required
- Pilot monitoring conditions apply
- Only for "mobile" merchants
- Recommendation: develop low cost PIN-supporting solutions

19 Mobile solutions not permitted by Visa Europe (4/4)
Contactless only acceptance
- An acceptance device must "Honour All Cards"
- As not all cards support contactless, it is not possible at this time to allow contactless only devices
Waiver conditions will apply:
- Magstripe support cannot be waived
- Contactless support required
- PCI SRED certification required
- Pilot monitoring conditions apply
- Only for "mobile" merchants
- Recommendation: develop low cost PIN-supporting solutions

20 Two mobile acceptance solutions permitted (1/2)
Hardware accessory with chip, magstripe & PIN pad (merchant owned mobile device)
- Chip & PIN must be supported
- Magstripe must be supported
- Contactless optional but recommended
- Key entry of data on the secure PED is allowed when there is no other option
- Physical (audio jack, mini USB etc.) or Bluetooth connection to the mobile device
- Security is ensured by PCI SRED (Secure Reading and Exchange of Data) and point-to-point encryption
For Visa Europe internal use only

21 Anatomy of mobile card reader security
Security standard: PCI PIN Transaction Security (PCI PTS)
- Secure PIN entry
- Device hardened against physical & logical hacking
- Encryption: SRED* module
* SRED = Secure Reading and Exchange of Data, the PCI PTS module requirement covering secure key storage and encryption of account data at the point of capture.

22 Encryption on the reader removes the mobile device from the key areas of risk
Flow: secure card reader (SRED) → mobile device → Telco / ISP → processor/acquirer system (PCI DSS compliant environment: secure host, HSM)
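The following is an added example, not code from the presentation, from Visa or from PCI. It models in Python the architecture of slides 15, 21 and 22: the card reader encrypts cardholder data before it reaches the phone, the merchant's phone relays an opaque blob plus a masked PAN for the receipt, and the acquirer's host (standing in for the HSM at the point of decryption) re-derives the per-transaction key, checks integrity and decrypts. Everything named here is hypothetical: SredReader, AcquirerHost, derive_txn_key, the device id RDR001 and the 4111111111111111 test number are constructed for the example. The HMAC-SHA256 key derivation and HMAC-based stream cipher stand in for the TDES/AES and DUKPT key management that real PCI PTS devices use, so the block runs on the standard library alone; the base key is assumed to have been injected into both reader and host out of band.

```python
"""Toy model of reader-side (SRED-style) encryption with the phone as an
untrusted relay. Illustration only: the cipher and key derivation are
stand-ins for the TDES/AES and DUKPT used by real PCI PTS devices."""
import hashlib
import hmac
import json
import secrets

def derive_txn_key(base_key: bytes, device_id: str, counter: int) -> bytes:
    """Per-transaction key from the device's base key and its counter.
    The host re-derives it from the KSN (device id + counter) carried in
    the message; the phone never holds any key material."""
    ksn = f"{device_id}:{counter:08d}".encode()
    return hmac.new(base_key, b"txn-key|" + ksn, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher (assumption: not AES)
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, b"enc|" + nonce + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(key: bytes, ksn: str, nonce: bytes, ct: bytes) -> bytes:
    # encrypt-then-MAC over everything the host will trust
    return hmac.new(key, b"mac|" + ksn.encode() + nonce + ct, hashlib.sha256).digest()

class SredReader:
    """The secure card reader: the only component that sees clear CHD."""
    def __init__(self, device_id: str, base_key: bytes):
        self.device_id = device_id
        self._base_key = base_key  # tamper-responsive hardware in reality
        self.counter = 0

    def read_card(self, pan: str, expiry: str, discretionary: str) -> dict:
        self.counter += 1
        ksn = f"{self.device_id}:{self.counter:08d}"
        key = derive_txn_key(self._base_key, self.device_id, self.counter)
        nonce = secrets.token_bytes(12)
        clear = json.dumps({"pan": pan, "expiry": expiry, "disc": discretionary}).encode()
        ct = _xor(clear, _keystream(key, nonce, len(clear)))
        return {
            "ksn": ksn, "nonce": nonce.hex(), "ct": ct.hex(),
            "tag": _tag(key, ksn, nonce, ct).hex(),
            # the only card data released to the phone: first six / last four
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        }

def phone_relay(msg: dict) -> bytes:
    """Untrusted merchant phone: serialises and forwards, nothing more."""
    return json.dumps(msg).encode()

class AcquirerHost:
    """Point of decryption inside the PCI DSS environment (HSM role)."""
    def __init__(self, device_keys: dict):
        self._device_keys = device_keys  # device_id -> base key, injected out of band
        self._seen_ksn = set()

    def decrypt(self, wire: bytes) -> dict:
        msg = json.loads(wire)
        device_id, counter = msg["ksn"].split(":")
        key = derive_txn_key(self._device_keys[device_id], device_id, int(counter))
        nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"])
        if not hmac.compare_digest(_tag(key, msg["ksn"], nonce, ct), bytes.fromhex(msg["tag"])):
            raise ValueError("integrity check failed: blob altered on the phone or in transit")
        if msg["ksn"] in self._seen_ksn:
            raise ValueError("replayed transaction: KSN already processed")
        self._seen_ksn.add(msg["ksn"])
        return json.loads(_xor(ct, _keystream(key, nonce, len(ct))))

def demo() -> dict:
    base_key = secrets.token_bytes(32)  # injected into reader and host out of band
    reader = SredReader("RDR001", base_key)
    host = AcquirerHost({"RDR001": base_key})
    pan = "4111111111111111"  # constructed test number, not a real card
    wire = phone_relay(reader.read_card(pan, "1215", "101"))
    result = {
        "phone_sees_full_pan": pan.encode() in wire,
        "phone_sees_masked_pan": json.loads(wire)["masked_pan"],
        "host_recovers_pan": host.decrypt(wire)["pan"],
    }
    # A compromised phone flipping one ciphertext bit is caught by the MAC
    tampered = json.loads(wire)
    ct = bytearray(bytes.fromhex(tampered["ct"]))
    ct[0] ^= 0x01
    tampered["ct"] = ct.hex()
    try:
        host.decrypt(json.dumps(tampered).encode())
        result["tamper_detected"] = False
    except ValueError as e:
        result["tamper_detected"] = str(e).startswith("integrity")
    # Replaying the genuine blob (same KSN) is also rejected
    try:
        host.decrypt(wire)
        result["replay_detected"] = False
    except ValueError as e:
        result["replay_detected"] = str(e).startswith("replayed")
    return result

if __name__ == "__main__":
    print(demo())
```

The point to take from running it is which party holds what: the phone app can display the masked PAN and forward the blob, but has no key with which to recover the PAN, and any modification it makes fails the host's integrity check. The KSN carried alongside the ciphertext is what lets the host re-derive a key it never transmitted, which is the same idea DUKPT implements for real readers.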

23 Mobile solutions permitted by Visa Europe (2/2)
Software based solution / m-commerce app (cardholder mobile device)
- Card details are never entered on the merchant's mobile device
- Secure if the back end, the registration process and the permission to use are protected
- Refer to Visa Security Best Practices for Mobile Payment Acceptance Solutions, Version 2.0, published in September 2012

24 Benefits
- Consistent and familiar experience for cardholders and merchants
- Increased likelihood that cardholders and merchants will use mPOS
- Maintains and reinforces the trust in the brand
- Maintains Visa's security profile
- Ensures that an exciting new method of payment starts secure
- Bringing new players to market
- Innovative new ideas and concepts
- Reduced costs

25 Working with industry providers
mPOS solutions: mobile devices allowing low cost and easy access payments, balancing security and integrity with ease of deployment
- 7 live implementations
- 200k+ merchants by 2014
- 10 European markets
Another way of displacing cash is with mPOS solutions, where consumer-grade mobile devices are used to allow low cost and easy acceptance of Visa. This provides an ideal solution for small businesses and pro-sumers, but the concept is also of interest to big retail.
We have developed principles and requirements, balancing the needs between security and integrity with ease of deployment. We've worked closely with the industry, with providers like Intuit, Payleven, WorldPay, Elavon and iZettle. There are seven unique live implementations covering more than ten European markets, expanding to over 15 markets by the end of 2013.

26 Thank you

