Card Present PIN Overview of Laws, Regulations and References on Payment Security (Including Challenges and Improvement Opportunities)

Debit cards (consumer) – Electronic Fund Transfer Act (EFTA), 15 U.S. Code (U.S.C.) § 1693 et seq.; Regulation E. 12 Code of Federal Regulations (CFR) § 1005.2 et seq. (EFTA applies only to accounts “established primarily for personal, family, or household purposes” 15 U.S.C. § 1693a(2))

Credit cards (consumer) – Truth in Lending Act (TILA), 15 U.S.C. § 1601 et seq.; Regulation Z. 12 CFR § 1026.1 et seq. (TILA exempts “extensions of credit primarily for business, commercial, or agricultural purposes, or to governmental agencies or instrumentalities, or to organizations”)

Prepaid cards (consumer) – Under Consumer Financial Protection Bureau (CFPB) Prepaid Accounts Rule (81 Fed. Reg. 83934 (November 22, 2016)) (to be codified at 12 CFR pts. 1005 and 1026), as amended on January 25, 2018, and effective April 1, 2019, Regulation E would apply to prepaid cards, with Regulation Z expanded to apply to prepaid cards with certain credit features.

Financial Crimes Enforcement Network (FinCEN) Bank Secrecy Act, 31 U.S.C. § 5311, et seq.; 31 CFR § 1010.100, et seq. (implementing regulations); Federal Financial Institutions Examination Council (FFIEC), Bank Secrecy Act/Anti-Money Laundering Examination Manual (2014).

Customer Identification Program (CIP), 31 CFR § 1020.220, et seq.

Identity Theft Red Flags Rules, 12 CFR § 41.90 (OCC); 12 CFR § 222.90 (FRB); 12 CFR § 334.90 (FDIC); 12 CFR § 717.90 (NUCA); 16 CFR § 681.1 (FTC); 17 CFR § 162.30 (CFTC); 17 CFR § 248.201 (SEC)

Board of Governors of the Federal Reserve System, Guidance on Managing Outsourcing Risk (Dec. 5, 2013) –- FRB SR 13-19: Third party oversight guidance, set of cyber-risk oversight activities which includes reporting and expectations for Boards of Directors and Senior Management.

FFIEC IT Exam Handbooks: Some of the handbooks are more frequently a factor in exams, but they all contain provisions that impact payments compliance in the areas of confidentiality, availability, data integrity, privacy and third party oversight.

• FFIEC, IT Examination Handbook, Information Security (Sept. 2016)
• FFIEC, IT Examination Handbook, Retail Payment Systems (Apr. 2016)
• FFIEC, IT Examination Handbook, Supervision of Technology Service Providers (Oct. 2012)

FFIEC, Authentication in an Internet Banking Environment (Oct. 12, 2005); FFIEC, Supplemental to Authentication in an Internet Banking Environment (June 28, 2011)

FFIEC, Cybersecurity Assessment Tool (CAT) (June 2015): The CAT is a support tool issued by the FFIEC to assist financial organizations with managing cyber-risk. CAT is strongly encouraged by some US states, but in general it is based on existing guidance and thus does not constitute new regulation.

Gramm-Leach-Bliley Act (1999), 15 U.S.C. § 6801 et seq.

Regulation P, Privacy of Consumer Financial Information, 12 CFR 1016.1 et seq. – enacted to control how financial institutions manage the private information of individuals. In addition, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information include provisions associated with the role of risk management, boards and third party oversight.

Durbin Amendment, 15 U.S.C. § 1693o-2; 12 CFR § 235.1 et seq. (interchange transaction fees)

Federal Trade Commission Act (1914), 15 U.S.C. § 45(a) (prohibiting “unfair or deceptive acts or practices in or affecting commerce”); 16 CFR § 314.3 (requiring companies to develop written information security programs to protect customer information)

Consumer Financial Protection Act of 2010, 15 U.S.C. § 5531 et seq. (prohibiting “unfair, deceptive, or abusive act[s] or practice[s]. . .” in consumer finance)

State-based cybersecurity and breach laws: A challenge due to the variation among those sets of regulation which include:

• All 50 States address unauthorized access, malware and viruses
• 20 States address spyware
• 23 States address phishing

Source: National Conference of State Legislatures

International cybersecurity regulations and related data-protection laws: Vary widely and continue to evolve; e.g. European Union General Data Protection Regulations (May 2018); Japan: The Act on the Protection of Information (May 2017)

Office of Foreign Assets Control (OFAC)/Sanction Screening

American National Standards Institute (ANSI) X9.8-1 Personal Identification Management (PIN) Management and Security Part 1: PIN protection principles and techniques for online PIN verification in ATM & POS systems (equivalent of ISO 9564)

• Applicable to institutions responsible for implementing, managing, and protecting PINs
• Provides the minimum security measures required for effective international PIN management (ATM and POS)
• Includes PIN protection techniques applicable to card payments initiated in an online environment
• Provides a standard means of interchanging PIN data

International Organization for Standardization (ISO) 9564 Banking PIN Package

• Provides businesses, government agencies, and other organizations with tools needed to protect against the theft and misuse of personal and financial information
• The requirements in this document are intended to apply in addition to applicable Payment Card Industry Data Security Standard (PCI DSS) requirements to the token data environment (TDE). The TDE is a dedicated, secure area within the token service provider (TSP), where one or more of the following services are performed:
• Token generation, issuing, and mapping processes
• Assignment of token usage parameters
• Token lifecycle management
• Processes to map or re-map tokens, or perform de-tokenization
• Cryptographic processes to support tokenization functions
• Maintenance of underlying token security and related processing controls, such as domain restrictions during transaction processing
• Covers management and security requirements for online / offline PIN handling in ATM and POS systems
• Includes algorithms for PIN encipherment and open network PIN handling

ANSI X9.24-1 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques

• Specifies minimum requirements for the management of keying material
• Covers manual and automated management of keying material used for financial services such as point of sale (POS) transactions and automatic teller machine (ATM) transactions; messages among terminals and financial institutions; interchange messages among acquirers, switches, and card issuers
• Deals exclusively with management of symmetric keys using symmetric techniques
• This part of this standard does not cover message format, communications protocol, transmission speed, or device interface

ANSI X9.24-2 Retail Financial Services Symmetric Key Management Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys

• Covers manual and automated management of keying material used for financial services such as point of sale (POS) transactions and automatic teller machine (ATM) transactions; messages among terminals and financial institutions; interchange messages among acquirers, switches and card issuers
• May apply to internet-based transactions, but only when such applications include the use of a tamper resistant security module (TRSM) as defined in section 7.2 of ANS X9.24 Part 1 to protect the private and symmetric keys
• Deals with management of symmetric keys using asymmetric techniques and storage of asymmetric private keys using symmetric keys

ISO/International Electrotechnical Commission (IEC) 7816-4 Identification cards — Integrated circuit cards Part 4: Organization, security and commands for interchange

• Independent from the physical interface technology
• Applies to cards accessed by one or more of the following methods: contacts, close coupling, radio frequency

ANSI X9.122 Secure Customer Authentication for Internet Payments – draft in approval stage (Note: It says that to use PIN you must use the standards already referenced in PIN)

• Requirements for secure customer authentication for electronic payment transactions over multiple channels initiated through the interchange system (debit/credit network) via internet, mobile or voice channels
• Includes requirements for passcodes, passwords, biometrics, magnetic stripe authentication values, cryptography, small device authentication, and vendor considerations

Protection of Sensitive Payment Card Data through Encryption
ANSI ASC X9.119 Retail Financial Services – Requirements for Protection of Sensitive Payment Card Data

• Part 1: Using Encryption Methods – defines minimum security requirements when employing encryption methods to protect sensitive payment card data. “Protection” refers to maintaining the secrecy of the data from unauthorized disclosure. It applies to protection of the data from the point of encryption to the point of decryption, wherever those points may be in a given system. Addresses the protection of sensitive payment card data from the requesting entity to the token request interface.
• Part 2: Implementing Post-Authorization Tokenization Systems standard focuses on the tokenization service and the token request interface. It defines the minimum security requirements when employing a post-authorization tokenization system to protect sensitive payment card data. “Protection” refers to maintaining the secrecy and integrity of the data protected by tokenization from unauthorized disclosure and modification. Data encryption, integrity protection, and the support for key management services are required to protect sensitive payment card data during the tokenization and de-tokenization process.

ISO Information Technology – Encryption Algorithms

• ISO/IEC 10116 – Security techniques – Modes of operation for an n-bit block cipher – These modes provide methods for encrypting and decrypting data where the bit length of the data may exceed the size of the block cipher and provide protection of data confidentiality.
• ISO/IEC 18033-2 – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers – Encryption (or encipherment) techniques protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to plaintext or cleartext data to yield encrypted data (or ciphertext). The encryption algorithm should be designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Every encryption algorithm has a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext. An asymmetric, i.e. public-key, encryption scheme allows a sender to use a recipient’s public key to transmit an encryption of a message to the receiver, who uses a secret key to decrypt the given ciphertext to obtain the original message.
• ISO/IEC 18033-3 – Security techniques – Encryption algorithms – Part 3: Block ciphers – A block cipher is a symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext. The following algorithms are specified in this standard:
  • 64-bit block ciphers: TDEA, MISTY1, CAST-128, HIGHT
  • 128-bit block ciphers: AES, Camellia, SEED

ANSI ASC X9.97 Secure Cryptographic Devices (Retail)

• Part 1: Concepts, Requirements and Evaluation Methods – incorporates the cryptographic processes defined in ISO 9564, ISO 16609 and ISO 11568. Part 1 has two primary purposes:
  • To state the requirements concerning both the operational characteristics of secure cryptographic devices (SCDs) and the management of such devices throughout all stages of their lifecycle
  • To standardize the methodology for verifying compliance with those requirements
• Part 2: Security Compliance Checklists for Devices Used in Financial Transactions – Identical to ISO 13491, which specifies use of checklists to evaluate SCDs incorporating cryptographic processes, as specified in parts 1 and 2 of ISO 9564, ISO 16609 and parts 1 to 6 of ISO 11568, in the financial services environment. IC payment cards are subject to the requirements identified in this part of ISO 13491 up until the time of issue, after which they are regarded as a “personal” device and outside of the scope of this document.

ISO 13491 Banking – Secure cryptographic devices, all parts               

Key Management Schemes

ANSI Accredited Standards Committee

• 44 – Key Establishment Using Integer Factorization Cryptography – RSA – Integer Factorization Cryptography
• 133 – Identity Based Encryption for Financial Services Industry (in drafting stage) – Encryption algorithms used to attain standard levels of cryptographic strength when using the identity of a user (or application) as the public key, as banks often do.
• 42 – Public Key Cryptography for Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography – Diffie-Hellman – Discrete Logarithm Cryptography. Adapted from ISO 11770-3.
• 98 – Lattice-Based Polynomial Public Key Encryption Algorithm Part 1: Key Establishment
• 63 – Key Agreement and Key Management Using Elliptic Curve-Based Cryptography – Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques
• TR 34 Part 1 – Using Factor Based Public Key Cryptography Unilateral Key Transport
• TR 31 – Interoperable Secure Key Exchange Key Block Specifications for Symmetric Algorithms

ISO 11770-3 Information technology – Security techniques – Key management – Part 3: Mechanisms using asymmetric techniques

Key Management Methods

ANSI Accredited Standards Committee

• 102-2008 Key Wrap Standard – for symmetric key block ciphers whose block size is either 64 bits or 128 bits
• 69-2012 Framework for Key Management Extensions- Symmetric cryptographic algorithms – Key extensions
• 79-4-2013 Public Key Infrastructure – Part 4: Asymmetric Key and Public Key Infrastructure
• 24 Retail Financial Services Symmetric Key Management
  • Part 1- Symmetric Key Management
  • Part 2- Using Asymmetric Techniques for the Distribution of Symmetric Keys
  • Part 3- Derived Unique Key per Transaction (AES-DUKPT) Symmetric Key Management using AES DUKPT. This is the new standard replacing Triple DES – TDEA.
• TR-34-1-2012 Interoperable Method for Distribution of Symmetric Keys using Asymmetric techniques – Part 1 Using Factor Based Public Key Cryptography Unilateral Key Transport – Technical Report provides guidelines for secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys.

ISO 15782 (similar to ISO X9.79-4) Certificate management for financial services – Part 1: Public key certificates – defines a certificate management system for financial industry use for legal and natural persons that includes credentials and certificate contents, certification authority systems, including certificates for digital signatures and for encryption key management certificate generation, distribution, validation and renewal, authentication structure and certification paths, and revocation and recovery procedures.  Also recommends some useful operational procedures.

Format Preserving Encryption

• ANSI ASC X9.124 Format Preserving Encryption of Financial Information – Format preserving encryption is useful in situations where fixed-format data, such as primary account numbers or Social Security numbers, must be encrypted, but there is a requirement to limit changes to existing communication protocols, database schemata or application code. Format Preserving Encryption Counter Mode is a particularly simple and efficient mechanism to achieve format preserving encryption, which shares many of the strengths and challenges of Counter Mode (CTR) as defined in NIST SP38B.
  • Part 1 Cryptographic algorithms – Block Ciphers – covers format preserving block ciphers
  • Part 2 Cryptographic algorithms – Stream Ciphers – covers format preserving stream ciphers
• NIST SP 38B – Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication – This recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data.

ANSI TR-39/TG-3 Frequently Asked Questions

• When this guideline is completed by a device manufacturer, the control objectives are intended to evaluate the PIN key management environment and device’s ability to be implemented in a manner compliant with X9.8 and X9.24 (all parts)
• Applies to all organizations using Triple Data Encryption Algorithm (TDEA) for encryption of PINs used for retail financial services: point of sale (POS) transactions and automatic teller machine (ATM) transactions; messages among terminals and financial institutions; interchange messages among acquirers, switches and card issuers
• This guideline/checklist should be completed by all organizations acquiring or processing transactions containing PINs, from the terminal driving system to authorizing entity
• Control objectives address security controls of from PIN entry device to interface delivering transaction to authorizing entity
• Control objectives address security controls of PIN key management full life cycle from creation, distribution, loading and deletion

ANSI X9.122 Secure Customer Authentication for Internet Payments – draft in approval stage (Note: It says that to use PIN you must use the standards already referenced in PIN)

• Covers passcodes, passwords, biometrics, magnetic stripe authentication values, cryptography, small device authentication, and vendor considerations
• Requirements for secure customer authentication for electronic payment transactions over multiple channels initiated through the interchange system (debit/credit network) via internet, mobile or voice channels

“Best Practice” Implementation for ATM Operators

EMV Integrated Circuit Card Specifications for Payment Systems Version 4.3

Source: https://www.emvco.com/emv-technologies/contact

EMV Payment Tokenization Specification – Technical Framework

• Payment tokens are surrogate values that replace the Primary Account Number (PAN) in the payments ecosystem. They may be used to originate payment transactions, while non-payment tokens may be used for ancillary processes, such as loyalty tracking. This specification does not address non-payment tokens, but does not preclude their use.

Source: https://www.emvco.com/

Payment Card Industry (PCI) Data Security Standard (DSS) – Requirements and Security Assessment Procedures

• Developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect account data and applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1484000182971

PCI Point-to-Point-Encryption (P2PE) – Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hardware)

• Provides a method for providers of P2PE solutions to validate their solutions, and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for account data acceptance and processing. Specifically, this version contains validation requirements and testing procedures for hardware-based encryption and decryption solutions, also called “hardware/hardware.” Hardware/hardware solutions utilize secure cryptographic devices for both encryption and decryption including at the point of merchant acceptance for encryption, and within hardware security modules (HSMs) for decryption.

PCI P2PE – Encryption and Key Management within Secure Cryptographic Devices, and Decryption of Account Data in Software (Hardware/Hybrid)

• Provides a method for providers of P2PE solutions to validate their solutions, and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for account data acceptance and processing. Specifically, this version contains validation requirements and testing procedures for hardware/hybrid solutions which utilize secure cryptographic devices at the point of merchant acceptance for encryption and for managing cryptographic keys in the decryption environment while utilizing non-SCDs for the decryption of account data.

PCI Token Service Providers (TSP) – Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens)

PCI Payment Application Data Security Standard  (PA-DSS) – Requirements and Security Assessment Procedures

• Defines security requirements and assessment procedures for software vendors of payment applications. This document is to be used by Payment Application Qualified Security Assessors (PA-QSAs) conducting payment application assessments to validate that a payment application complies with the PA-DSS.
• Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of primary account number (PAN), full track data, Card Verification Values¹, PINs and PIN blocks, and the damaging fraud resulting from these breaches.

PCI P2PE – Solution Requirements and Testing Procedures

• Defines both requirements and testing procedures for Point-to-Point Encryption (P2PE) solutions. The objective of this standard is to facilitate the development, approval, and deployment of PCI approved P2PE solutions that will increase the protection of account data by encrypting that data from the point of interaction within the encryption environment where account data is captured to the point of decrypting that data inside the decryption environment, effectively removing clear-text account data between these two points.
• The requirements contained within this standard are intended for P2PE solution providers and other entities that provide P2PE components or P2PE applications for use in P2PE solutions, as well as P2PE assessors evaluating these entities. Additionally, merchants benefit from using P2PE solutions due to increased protection of account data and subsequent reduction in the presence of clear-text account data within their environments.

PCI Card Production and Provisioning – Logical Security Requirements

All systems and business processes associated with the logical security activities associated with card production and provisioning such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution must comply with the requirements in this document.

This document describes the logical security requirements required of entities that:

• Perform cloud-based or secure element (SE) provisioning services;
• Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or
• Manage associated cryptographic keys.

Wherever the requirements specify personalization, the requirements also apply to cloud-based provisioning networks (e.g., those for host card emulation). Cloud-based systems differ from those based on requiring the use of a secure element on a mobile device.

PCI Card Production and Provisioning – Physical Security Requirements

• A comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment.
• The contents of this manual specify the physical security requirements and procedures that entities must follow before, during, and after the following processes:
• Perform cloud-based or secure element (SE) provisioning services; card manufacturing, chip embedding, personalization, storage, packaging, mailing, shipping or delivery, fulfillment

PCI PIN Transaction Security (PTS) Point of Interaction (POI) – Modular Security Requirements

• Provides vendors with a list of all the security requirements against which their product will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) device approval.

National Institute of Standards and technology (NIST) Cyber security Framework

Payment network rules (e.g. Visa, MasterCard, American Express, Discover Network, JCB and debit card networks)

Payments stakeholders employ various methods and processes to comply with relevant state and federal regulations regarding customer onboarding as well as relevant private sector protocols. Greater focus on the development and adoption of standards related to online registration or mobile enrollment could enhance security.

No current standard for migration from Triple DES encryption to AES Derived Unique Key per transaction. With faster computing capacity, Triple DES is no longer sufficiently secure, an issue which  X9.24-3 will address, but it is in early drafting stage. Implementing these changes will require significant changes, from terminal to every place in the network, as well as modified fields in the transaction flow, such as new PIN block.

Greater deployment of tokenization, user authentication and encryption based on open standards could enhance payment security.

Improvements to the quality and accuracy of data collected and used to facilitate mail order, telephone order, recurring payments, one-time card on file and card present key entry payments may help further mitigate payments risk. Participants who collect, process, or authorize transactional data play an important role in ensuring the accuracy of data submitted. This includes ensuring that hardware and software are properly configured. Participants may use this information as part of their authentication decision process, making accuracy an important priority.

Greater focus on development and adoption of risk-based cybersecurity rules, frameworks and open standards could enhance security.

PIN standards only address “card present” transactions. Randomized PIN pad functionality provides software-based online PIN entry, but it violates PIN security standards, which require cryptographic hardware for encryption, including X9.24, X9.8, and ISO standards as well as TRS (Telecommunication Relay Services) standards.

Open standards related to PIN capture need to be expanded to include new and evolving forms of PIN entry.

Payment stakeholders are deploying authentication and multiple layers of risk mitigation. Some of these tools include dynamic data, tokens, multi-factor authentication, geolocation, and analytic engines.  Greater deployment of such tools may help reduce risk.