Академический Документы
Профессиональный Документы
Культура Документы
Jeremy King
PCI SSC PTS Working Group
May 2010
AGENDA
Modular Approach
2
PTS Security Requirements 3.0
PCI Standards
4
PTS Program Overview
5
PCI PTS Development Lifecycle
6
PCI PTS Security Requirements 3.0
MasterCard
Program consolidation PTS
7
Modular Approach
What is the Modular Approach?
9
Categories of PCI PTS Products
OEM Components:
POI PIN Entry EPP,PED,SCR Integrated POI PIN entry
Terminal Terminals
10
Applying the products to the flow chart
11
Devices not included in the PCI PTS space
12
Improved Web Listing
Product
listed as
Vendor a PED
details for Vendor details
for Open
PED Protocols
Note 1: Example of how SRED and OP modules will be represented on the web site listing
13
New Modules and Updates
What are they?
Open Protocols
Ensures PIN entry devices using open security protocols and open
communication protocols to access public networks and services do
not have public domain vulnerabilities
Covers IP connectivity (internet), GPRS, Wifi
Integration
Ensures integration of previously approved components does not
impair the overall security as stated in security requirements
Supports the cost-effective maintenance of components
Secure Read and Exchange of Data (SRED)
Enables cardholder data to be secured or protected (i.e. truncation)
after being read by the PTS terminal. It then enables the secured
cardholder data to be transmitted from the terminal.
Secure first step for Point to Point or end to end encryption
15
Open Protocols Module
Open Protocols
A set of requirements that ensures PIN
entry devices using open security
protocols and open communication
protocols to access public networks and
services do not have public domain
vulnerabilities
Covers IP connectivity (internet), GPRS,
Wifi
16
Why are Internet and Wireless POS terminals
so popular?
Convenient
Fast
Seamless integration into merchant networks
Embedded security and device management
Cash replacement niches (mobility, vending machines)
Low cost
Payment devices
Communication
Deployment
Short application development
High growth area
Available for all terminal types
Increasingly popular i.e. pay at table
Permits use in non fixed locations
17
Stand alone POS terminals
Integrated
POS terminal/PINpad
18
Allows criminals to use same attack
techniques used against PCs on the internet
20
Integration Module
21
Definition of Integration
22
Secure Read and Exchange of Data (SRED)
23
SRED Explained
24
The Process - the simple view
25
The Process how does it work?
Service
Provider
Issuer Acquirer
Service
Provider
26
SRED - Terminal Manufacturers
29
This is only the Start the first step
30
Additional Updates
31
PCI SSC Resources
Need More Information?
33
Council Resources
34
PCI PTS, DSS and PA-DSS assessments are
complementary
PCI PTS
Merchant
Standard PA-DSS anti
PCI PTS skimming
Guidelines DSS
ASV ROC
Compliance PCI PTS PA QSA
QSA ROC
evidence lab ROC ROC
Merchant self assessment
35
Summary