Contactless Overview of Laws, Regulations and References on Payment Security (Including Challenges and Improvement Opportunities)

Debit cards (consumer) – Electronic Fund Transfer Act (EFTA), 15 U.S. Code (U.S.C.) § 1693 et seq.; Regulation E. 12 Code of Federal Regulation (CFR) § 1005.2 et seq. (EFTA applies only to accounts “established primarily for personal, family, or household purposes” 15 U.S.C. § 1693a(2))

Credit cards (consumer) – Truth in Lending Act (TILA), 15 U.S.C. § 1601 et seq.; Regulation Z. 12 CFR § 1026.1 et seq. (TILA exempts “extensions of credit primarily for business, commercial, or agricultural purposes, or to governmental agencies or instrumentalities, or to organizations”)

Prepaid cards (consumer) – Under CFPB Prepaid Accounts Rule (81 Fed. Reg. 83934 (November 22, 2016)) (to be codified at 12 CFR pts. 1005 and 1026), as amended on January 25, 2018, and effective April 1, 2019, Regulation E would apply to prepaid cards, with Regulation Z expanded to apply to prepaid cards with certain credit features.

Financial Crimes Enforcement Network (FinCEN) Bank Secrecy Act, 31 U.S.C. § 5311, et seq.; 31 CFR § 1010.100, et seq. (implementing regulations); Federal Financial Institutions Examination Council (FFIEC), Bank Secrecy Act/Anti-Money Laundering Examination Manual (2014)

Customer Identification Program (CIP), 31 CFR § 1020.220, et seq.

Identity Theft Red Flags Rules, 12 CFR § 41.90 (OCC); 12 CFR § 222.90 (FRB); 12 CFR § 334.90 (FDIC); 12 CFR § 717.90 (NUCA); 16 CFR § 681.1 (FTC); 17 CFR § 162.30 (CFTC); 17 CFR § 248.201 (SEC)

Board of Governors of the Federal Reserve System, Guidance on Managing Outsourcing Risk (Dec. 5, 2013) – FRB SR 13-19: Third party oversight guidance, set of cyber-risk oversight activities which includes reporting and expectations for Boards of Directors and Senior Management.

FFIEC IT Exam Handbooks: Some of the handbooks are more frequently a factor in exams, but they all contain provisions that impact payments compliance in the areas of confidentiality, availability, data integrity, privacy and third party oversight.

• FFIEC, IT Examination Handbook, Information Security (Sept. 2016)
• FFIEC, IT Examination Handbook, Retail Payment Systems (Apr. 2016)
• FFIEC, IT Examination Handbook, Supervision of Technology Service Providers (Oct. 2012)

FFIEC, Authentication in an Internet Banking Environment (Oct. 12, 2005); FFIEC, Supplemental to Authentication in an Internet Banking Environment (June 28, 2011)

FFIEC, Cybersecurity Assessment Tool (CAT) (June 2015): The CAT is a support tool issued by the FFIEC to assist financial organizations with managing cyber-risk. CAT is strongly encouraged by some US states, but in general it is based on existing guidance and thus does not constitute new regulation.

Gramm-Leach-Bliley Act (1999), 15 U.S.C. § 6801 et seq.

Regulation P, Privacy of Consumer Financial Information 12 CFR 1016.1 et seq. – enacted to control how financial institutions manage the private information of individuals. In addition, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information include provisions associated with the role of risk management, boards and third party oversight.

Durbin Amendment, 15 U.S.C. § 1693o-2; 12 CFR § 235.1 et seq. (interchange transaction fees)

Federal Trade Commission Act (1914), 15 U.S.C. § 45(a) (prohibiting “unfair or deceptive acts or practices in or affecting commerce”); 16 CFR § 314.3 (requiring companies to develop written information security programs to protect customer information)

Consumer Financial Protection Act of 2010, 15 U.S.C. § 5531 et seq. (prohibiting “unfair, deceptive, or abusive act[s] or practice[s]. . .” in consumer finance)

State-based cybersecurity and breach laws: A challenge due to the variation among those sets of regulation which include:

• All 50 States address unauthorized access, malware and viruses
• 20 States address spyware
• 23 States address phishing

Source: National Conference of State Legislatures

International cybersecurity regulations and related data-protection laws: Vary widely and continue to evolve, e.g., European Union General Data Protection Regulations (May 2018); Japan: The Act on the Protection of Information (May 2017)

Office of Foreign Assets Control (OFAC)/Sanction Screening

International Organization for Standardization (ISO)/International Electrotechnical Organization (IEC) 13157 Information technology –Telecomm and information exchange between systems –NFC Security Parts 1-5:

• Part 1: NFC-SEC NFCIP-1 security services and protocol (ISO/IEC 13157-1:2014)
  • Specifies the NFC-SEC secure channel and shared secret services for NFCIP-1 and the Protocol Data Units and protocol for those services
• Part 2: NFC-SEC cryptography standard using ECDH and AES (ISO/IEC 13157-2:2016)
• Specifies the message contents and the cryptographic methods for PID 01
• Specifies cryptographic mechanisms that use the Elliptic Curves Diffie-Hellman (ECDH) protocol for key agreement and the AES algorithm for data encryption and integrity
• Part 3: NFC-SEC cryptography standard using ECDH-256 and AES-GCM (ISO/IEC 13157-3:2016)
• Specifies the message contents and the cryptographic methods for PID 02
• Specifies cryptographic mechanisms that use the Elliptic Curves Diffie-Hellman (ECDH) protocol with a key length of 256 bits for key agreement and the AES algorithm in GCM mode to provide data authenticated encryption
• Part 4: NFC-SEC entity authentication and key agreement using asymmetric cryptography
• Specifies the message contents and the cryptographic mechanisms for PID 03
• Specifies key agreement and confirmation mechanisms providing mutual authentication, using asymmetric cryptography, and the transport protocol requirements for the exchange between Sender and TTP
• Adds entity authentication to the services provided by ISO/IEC 13157-3 (ECMA-409) NFC-SEC-02
• Part 5: NFC-SEC entity authentication and key agreement using symmetric cryptography
• Specifies the message contents and the cryptographic mechanisms for PID 04.
• Specifies key agreement and confirmation mechanisms providing mutual authentication, using symmetric cryptography.
• Adds entity authentication to the services provided by ISO/IEC 13157-3 (ECMA‑409) NFC-SEC-02

American National Standards Institute (ANSI) X9.112 Wireless Management and Security

Part 1: General Requirements addresses:

• Risks related to wireless systems and legacy networks opened by the wireless environment are described in §5 Wireless Risks
• Requirements for managing wireless systems in a secure fashion are defined in §6 Requirements
• Requirements for policy management are defined in §7 Wireless Security Policy
• Control objectives for evaluating wireless systems are provided in Annex A: Wireless Validation Control Objectives
• Information regarding cryptography relating to wireless technology is provided in Annex B: Wireless Cryptography Controls
• Background information on other wireless standards is provided in Annex C: Wireless Technology Standards
• Other wireless-related standards recognized by X9 are listed in Annex D: X9 Registry

Part 2: Point of Sale (POS) and ATM addresses the following:

• End-to-end encryption to protect transactional and operational information from unauthorized entities
• Patches and modification management to protect systems from vulnerabilities
• Configuration management to protect wireless systems from weaknesses
• Physical and logical security controls to protect wireless access
• Network segmentation to protect against attacks originating from wired and wireless environments
• Monitoring controls to detect threats from higher risk environments

SimAlliance (NFC with Host Card Emulation (HCE) or secure element) Access mode/network credit/debit

• Protection of payment credentials

Global System for Mobile Communications Association (GSMA) NFC Core Wallet Requirements and Mobile Wallet WP (NFC with HCE or secure element) credit/debit

• Protection of payment credentials

ISO/IEC 13239: 2002 Information technology – Telecomm and information exchange between systems – High-level data link control (HDLC) procedures

ISO/IEC 18092: 2013 Information technology – Telecomm and information exchange between systems – NFC – Interface and Protocol (NFCIP-1)

• Defines communication modes for NFC interface and protocol (NFCIP-1) using inductive coupled devices operating at the center frequency of 13,56 MHz for interconnection of computer peripherals
• Defines active and passive communication modes of NFC interface and protocol (NFCIP-1) to realize a communication network using NFC devices for networked products and consumer equipment
• Specifies modulation schemes, coding, transfer speeds, and frame format of the RF interface, as well as initialization schemes and conditions required for data collision control during initialization
• Defines a transport protocol including protocol activation and data exchange methods

ISO/IEC 16353: 2011 Information technology – Telecomm and information exchange between systems – Front-end configuration command for NFC-WI (NFC-FEC)

Specifies commands for the NFC Wired Interface (NFC-WI) specified in ISO/IEC 28361. The commands allow exchange of control and state information between the transceiver and the front-end.

ISO/IEC 28361: 2007 Information technology – Telecomm and information exchange between systems – NFC Wired Interface (NFC-WI)

• Specifies the digital wire interface between a transceiver and a front-end
• Includes the signal wires, binary signals, the state diagrams and the bit encodings for three data rates
• ISO/IEC 7816 Identification cards – Integrated circuit cards Parts 1-15:
• Part 1: Cards with contacts – Physical characteristics
• Part 2: Cards with contacts – Dimensions and location of the contacts
• Part 3: Cards with contacts – Electrical interface and transmission protocols
• Part 4: Organization, security and commands for interchange
• Part 5: Registration of application providers
• Part 6: Inter-industry data elements for interchange
• Part 7: Inter-industry commands for Structured Card Query Language (SCQL)
• Part 8: Commands and mechanisms for security operations
• Part 9: Commands for card management
• Part 10: Electronic signals and answer to reset for synchronous cards
• Part 11: Personal verification through biometric methods
• Part 12: Cards with contacts — USB electrical interface and operating procedures
• Part 13: Commands for application management in a multi-application environment
• Part 15: Cryptographic information application

NIST Cybersecurity Framework (CSF)

EMV Contactless Specifications for Payment Systems

• Book A: Architecture and General Requirements – defines a generalized POS System environment that includes:
  • Reader functionality
  • Terminal functionality
  • Entry point software that performs the initial analysis of a contactless transaction and invokes appropriate kernel software, and
  • Several kernels, each of which provides processing appropriate to certain contactless transactions.
• Book B: Entry Point – defines the reader requirements necessary to support a multi-kernel architecture that enables:
  • Discovery and selection of a contactless application that is supported by both the
  • Reader and the card
  • Activation of the appropriate kernel for processing the contactless transaction in an international interchange environment
  • NOTE: This specification is based on the ISO/IEC 7816 and ISO/IEC 14443 series of standards and should be read in conjunction with those standards.
• Books C [C-1, C-2, C-3, C-4, C-5, C-6, C-7]: Kernel Specifications
• Book D: Contactless Communication Protocol
  • Describes the minimum functionality required of proximity integrated circuit cards (piccs) and proximity coupling devices (pcds) to ensure correct operation and interoperability independent of the application to be used. Additional proprietary functionality and features may be provided, but these are beyond the scope of this specification and interoperability cannot be guaranteed. This specification is intended for use by manufacturers of piccs and pcds, system designers in payment systems, and financial institution staff responsible for implementing financial applications in piccs and pcds.

EMV Payment Tokenization Specification – Technical Framework

• Payment Tokens are surrogate values that replace the Primary Account Number (PAN) in the payments ecosystem. They may be used to originate payment transactions, while non-payment tokens may be used for ancillary processes, such as loyalty tracking. This specification does not address non-payment tokens, but does not preclude their use.

Source: https://www.emvco.com/

EMV Contactless Mobile Payment – Application Activation User Interface; EMV Mobile Payment: Software-based Mobile Payment Security Requirements; EMV Proximity Payment System Environment (PPSE) and Application Management for Secure Elements

Source: https://www.emvco.com/emv-technologies/mobile/

Payment Card Industry (PCI) Data Security Standard (DSS) – Requirements and Security Assessment Procedures

• Developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect account data and applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1484000182971

PCI Payment Application Data Security Standard (PA-DSS) – Requirements and Security Assessment Procedures

• Defines security requirements and assessment procedures for software vendors of payment applications. This document is to be used by Payment Application Qualified Security Assessors (PA-QSAs) conducting payment application assessments to validate that a payment application complies with the PA-DSS.
• Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of primary account number (PAN), full track data, Card Verification Values¹, PINs and PIN blocks, and the damaging fraud resulting from these breaches.

PCI Point-to-Point-Encryption (P2PE) – Solution Requirements and Testing Procedures

• Defines both requirements and testing procedures for P2PE solutions. The objective of this standard is to facilitate the development, approval, and deployment of PCI approved P2PE solutions that will increase the protection of account data by encrypting that data from the point of interaction within the encryption environment where account data is captured through to the point of decrypting that data inside the decryption environment, effectively removing clear-text account data between these two points.
• The requirements contained within this standard are intended for P2PE solution providers and other entities that provide P2PE components or P2PE applications for use in P2PE solutions, as well as P2PE assessors evaluating these entities. Additionally, merchants benefit from using P2PE solutions due to increased protection of account data and subsequent reduction in the presence of clear-text account data within their environments.

PCI P2PE – Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hardware)

• Provides a method for providers of P2PE solutions to validate their solutions, and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for account data acceptance and processing. Specifically, this version contains validation requirements and testing procedures for hardware-based encryption and decryption solutions, also called “hardware/hardware.” Hardware/hardware solutions utilize secure cryptographic devices for both encryption and decryption including at the point of merchant acceptance for encryption, and within hardware security modules (HSMs) for decryption.

PCI P2PE – Encryption and Key Management within Secure Cryptographic Devices, and Decryption of Account Data in Software (Hardware/Hybrid)

• Provides a method for providers of P2PE solutions to validate their solutions, and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for account data acceptance and processing. Specifically, this version contains validation requirements and testing procedures for hardware/hybrid solutions which utilize secure cryptographic devices at the point of merchant acceptance for encryption and for managing cryptographic keys in the decryption environment while utilizing non-SCDs for the decryption of account data.

PCI Token Service Providers (TSP) – Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens)

• The requirements in this document are intended to apply in addition to applicable PCI DSS requirements to the token data environment (TDE). The TDE is a dedicated, secure area within the TSP, where one or more of the following services are performed:
• Token generation, issuing, and mapping processes
• Assignment of token usage parameters
• Token lifecycle management
• Processes to map or re-map tokens, or perform de-tokenization
• Cryptographic processes to support tokenization functions
• Maintenance of underlying token security and related processing controls, such as domain restrictions during transaction processing.

PCI Card Production and Provisioning – Logical Security Requirements

• All systems and business processes associated with the logical security activities associated with card production and provisioning such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution must comply with the requirements in this document.
• This document describes the logical security requirements required of entities that:
  • Perform cloud-based or secure element (SE) provisioning services;
  • Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or
  • Manage associated cryptographic keys.

PCI Card Production and Provisioning – Physical Security Requirements

• Manual is a comprehensive source of information for entities involved in card production and provisioning, which may include manufacturers, personalizers, pre-personalizers, chip embedders, data-preparation, and fulfillment.
• The contents of this manual specify the physical security requirements and procedures that entities must follow before, during, and after the following processes: Perform cloud-based or secure element (SE) provisioning services;
• Card manufacturing, chip embedding , personalization , storage, packaging, mailing, shipping or delivery, fulfillment

NFC Forum

Source: http://members.nfc-forum.org/specs/spec_list/

Near Field Communication.org

Source: http://nearfieldcommunication.org/payment-systems.html

Payment network rules (e.g. Visa, MasterCard, American Express, Discover Network, JCB and debit card networks)

Payment stakeholders are deploying authentication and multiple layers of risk mitigation. Some of these tools include dynamic data, tokens, multi-factor authentication, geolocation, and analytic engines. Greater deployment of such tools may help reduce risk.

Security standards for contactless are evolving in the marketplace in light of the deployment of new technologies (e.g., QR codes, beacons, wearable internet of things).

Payments stakeholders employ various methods and processes to comply with relevant state and federal regulations regarding customer onboarding as well as relevant private sector protocols. Greater focus on the development and adoption of standards related to online registration or mobile enrollment could enhance security.

Greater deployment of tokenization, user authentication and encryption based on open standards could enhance payment security.

Greater focus on development and adoption of risk-based cybersecurity rules, frameworks, and open standards could enhance security.