Electronic Payments Security & Payment Card Industry (PCI) Security Standards

The document discusses electronic payment security and the Payment Card Industry (PCI) security standards. It provides an overview of topics related to payment card environments, transaction flows, chip card structures, encryption methods, PCI Data Security Standard (DSS), PCI Payment Application standard (PA), and their objectives of protecting payment data and applications. The document aims to outline the technical and security standards for electronic payment processing and compliance with PCI standards.
Copyright © All Rights Reserved

Electronic Payments Security & Payment Card Industry (PCI) Security Standards

Moe Sabry - 2015 1


Topics
• Payment Cards Environments
• Transactional domain
• Chip Card logical and Physical structures
• Card & Terminal Keys
• Transaction flow
• Card Authentication
• PIN Authentication – Online
• PIN Authentication – Offline
• Card - Issuer verification (Cryptogram)
• SHA-1 Script verification
• Billing ADF introduction
• PCI
• DSS vs. PA
• Objectives
• Production (speed vs. encryption)

Payment Cards Environments

Transactional Domain

Chip Card – Physical Structure

Chip Card – Logical Structure

Chip Card – Functional Structure

Card & Terminal Keys
• Integrity key for script verification
• Confidentiality key for PIN verification
• Encryption key for handling Cryptograms
• Terminal PIN key for PIN encryption
• Authenticity / Issuer certificate

Encryption methods
• RSA is the standard encryption for offline operations
• TDES is the standard encryption for online operations

Transactional flow
• Card Authentication
• PIN Authentication – Online / Offline
• Card - Issuer verification (Cryptogram)
• Transaction Authorisation
• SHA-1 Script verification (Optional)

Card Authentication
• Done by using RSA:
– The issuer bank generates a certificate for its cards
– The “Network” digitally signs this certificate
– The acquirer bank loads the public keys of the different networks onto its POS machines
– When a card is inserted, the POS uses the appropriate network public key to verify the digitally signed certificate on the card

PIN Authentication – Online
• Done by using TDES:
– The acquirer bank generates a key for its POS machines to encrypt PINs (the Terminal PIN key)
– When a card is inserted, the POS prompts the cardholder to enter the PIN
– The POS uses the Terminal PIN key to encrypt the PIN and sends it to the acquirer bank
– The acquirer bank decrypts the PIN, re-encrypts it under the “Network” TDES key and sends it to the “Network”
– The “Network” repeats the operation with the issuer bank's key and sends the result to the issuer bank for verification
PIN Authentication – Offline
• Done by using RSA:
– The issuer bank generates a public key and loads it onto its cards
– When a card is inserted, the POS retrieves the public key from the card
– The POS encrypts the PIN entered by the cardholder using this key and passes it to the card
– The card compares the value passed from the POS with the encrypted PIN value stored on it

Card - Issuer verification (Cryptogram)
• Done by using TDES:
– The card collects certain fields (specified by the issuer bank), groups them in a defined format and encrypts the block using the “Encryption Key”
– The encrypted block is sent to the issuer bank for verification
– The bank collects certain fields (specified by the issuer bank), groups them in a defined format and encrypts the block using the “Encryption Key”
– The encrypted block is sent to the card for verification
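The two-way card and issuer check described above, as an added example that is not the slides' code or any EMV specification's: the slide names TDES for this step, and as a stand-in that runs with only the Python standard library the block uses HMAC-SHA256 truncated to 8 bytes; the key value, the field list and the byte layout are all constructed for the illustration.

```python
# Added illustration of the card <-> issuer cryptogram exchange; not code from
# the slides or from EMV.  HMAC-SHA256 stands in for the TDES-based value the
# slide describes.  Key, field list and byte layout are constructed.
import hashlib
import hmac

ENCRYPTION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def format_fields(fields: dict) -> bytes:
    """Group the issuer-specified fields in a fixed order and width."""
    return (
        fields["amount"].to_bytes(6, "big")                  # amount, minor units
        + fields["currency"].to_bytes(2, "big")              # numeric currency code
        + fields["atc"].to_bytes(2, "big")                   # transaction counter
        + fields["unpredictable_number"].to_bytes(4, "big")  # terminal nonce
        + fields["terminal_country"].to_bytes(2, "big")
    )


def card_cryptogram(fields: dict, key: bytes = ENCRYPTION_KEY) -> bytes:
    """Card side: protect the formatted block with the shared key for the issuer."""
    return hmac.new(key, format_fields(fields), hashlib.sha256).digest()[:8]


def issuer_verify_and_respond(fields: dict, received: bytes, key: bytes = ENCRYPTION_KEY):
    """Issuer side: rebuild the block from its own view of the transaction and
    compare.  On success, answer with a value over the card's cryptogram plus a
    response code, so the card can verify the issuer in turn."""
    if not hmac.compare_digest(card_cryptogram(fields, key), received):
        return None                                  # mismatch: decline, no response
    arc = b"00"                                      # constructed 'approved' code
    return arc, hmac.new(key, received + arc, hashlib.sha256).digest()[:8]


def card_verify_issuer(sent: bytes, arc: bytes, response: bytes,
                       key: bytes = ENCRYPTION_KEY) -> bool:
    """Card side: only a holder of the shared key could have produced this response."""
    expected = hmac.new(key, sent + arc, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, response)
```

Changing any field the issuer sees (amount, counter) makes the first check fail, and a response built without the key fails the card's check.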

Script verification
• Done by using SHA-1:
– In certain cases the bank sends scripts to be executed on the card, e.g. a PIN change
– The issuer bank sends the script along with its hash string
– The card hashes the script once received and compares the two strings
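The script check described above, as an added example (not code from the slides or from EMV): card_verify_sha1 does what the slide says, hash and compare; card_verify_keyed adds the check a defender wants, the same comparison over a tag computed with the Integrity Key from the key slide (HMAC-SHA1 here, as a stand-in for the card's own keyed construction), so that a script altered and re-hashed in transit is still rejected. The key and script bytes are constructed.

```python
# Added illustration of issuer script verification; not the slides' or EMV's code.
# The Integrity Key value and the script bytes are constructed for the example.
import hashlib
import hmac

INTEGRITY_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed


def issuer_send_sha1(script: bytes):
    """Issuer side, as on the slide: the script plus its SHA-1 hash string."""
    return script, hashlib.sha1(script).hexdigest()


def card_verify_sha1(script: bytes, digest_hex: str) -> bool:
    """Card side, as on the slide: hash what arrived and compare (constant time).
    Detects corruption, but anyone who alters the script can recompute this hash."""
    return hmac.compare_digest(hashlib.sha1(script).hexdigest(), digest_hex)


def issuer_send_keyed(script: bytes, key: bytes = INTEGRITY_KEY):
    """Keyed variant: the tag is computed with the shared Integrity Key."""
    return script, hmac.new(key, script, hashlib.sha1).hexdigest()


def card_verify_keyed(script: bytes, tag_hex: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Card side: a valid tag now proves both integrity and issuer origin."""
    expected = hmac.new(key, script, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, tag_hex)
```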

Payment Card Industry Standards for Data Security & Payment Applications

PCI Standards
• Payment Card Industry Standards for Data Security (PCI DSS)
• Payment Card Industry Standards for Payment Applications (PCI PA)

PCI SSC
• The Payment Card Industry Security Standards Council, or PCI SSC – often termed simply “the Council” – is an open global forum, launched in 2006, that develops, maintains and manages the PCI Security Standards, which include the Data Security Standard (DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) Requirements
– American Express: www.americanexpress.com/datasecurity
– Discover Financial Services: http://www.discovernetwork.com/merchants/
– JCB International: http://www.jcb-global.com/english/pci/index.html
– MasterCard Worldwide: http://www.mastercard.com/sdp
– Visa Inc: http://www.visa.com/cisp
– Visa Europe: http://www.visaeurope.com/ais

PCI DSS
• The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
• Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program

PCI DSS
• PCI DSS applies wherever account data is stored, processed or transmitted. Account Data consists of Cardholder Data plus Sensitive Authentication Data

PCI DSS - Objectives

PCI PA
• The PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data

PCI PA

PCI PA - Objectives
• Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
• Protect stored cardholder data (Mask PAN, Encrypt stored data)
• Provide secure authentication features
• Log payment application activity
• Develop secure payment applications
• Protect wireless transmissions
• Test payment applications to address vulnerabilities
• Facilitate secure network implementation
• Cardholder data must never be stored on a server connected to the Internet
• Facilitate secure remote access to payment application
• Encrypt sensitive traffic over public networks
• Encrypt all non-console administrative access
• Maintain instructional documentation and training programs for customers, resellers, and integrators
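The first two objectives above (do not retain Sensitive Authentication Data; mask the PAN), together with the Account Data definition from the PCI DSS slide, as an added example that is not code from the slides or from any PCI document: a sanitiser run on a payment record before it is stored or logged. Field names, the PAN pattern and the sample values are constructed for the illustration.

```python
# Added illustration, not from the slides or any PCI document: drop SAD fields
# and mask PANs (first six / last four) before a record is persisted.  Field
# names, the PAN pattern and all sample values are constructed.
import re

# Sensitive Authentication Data: must never be retained after authorisation.
SAD_FIELDS = {"track1", "track2", "cav2", "cid", "cvc2", "cvv2", "pin_block"}

# Candidate PANs in free text: 13-19 digits, optionally space- or dash-separated.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, so that order numbers and timestamps are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; everything between becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid PAN found in a log message or free-text field."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def sanitise(record: dict) -> dict:
    """Copy of the record that is safe to persist: SAD dropped, PANs masked."""
    out = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue                        # SAD is never written anywhere
        if key.lower() == "pan":
            out[key] = mask_pan(value)
        elif isinstance(value, str):
            out[key] = mask_pans_in_text(value)
        else:
            out[key] = value
    return out
```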

Q&A

References
• Payment Card Industry (PCI) - Data Security Standard: “Requirements and Security Assessment Procedures Ver. 2.0”
• Payment Card Industry (PCI) - Payment Application Data Security Standard: “Requirements and Security Assessment Procedures Ver. 2.0”
• Payment Card Industry (PCI): “PIN Security Requirements Ver. 1.0”
