Wallet Overview of Laws, Regulations and References on Payment Security (Including Challenges and Improvement Opportunities)

Note: See the Regulations section for the applicable funding method (e.g., ACH, credit or debit card).

Financial Crimes Enforcement Network (FinCEN) Bank Secrecy Act, 31 U.S. Code (U.S.C.) § 5311, et seq.; 31 Code of Federal Regulation (CFR) § 1010.100, et seq. (implementing regulations); Federal Financial Institutions Examination Council (FFIEC), Bank Secrecy Act/Anti-Money Laundering Examination Manual (2014).

Customer Identification Program (CIP) 31 CFR § 1020.220, et seq.

FFIEC Multi-Factor Authentication (MFC) Guidance (for safe mobile applications)

• MFA and re-authentication
• Maintenance – annual mobile application testing
• Use of geo-location for fraud control, transaction monitoring
• Open Web Application Security Project (OWASP) standards

Identity Theft Red Flags Rules 12 CFR § 41.90 (OCC); 12 CFR § 222.90 (FRB); 12 CFR § 334.90 (FDIC); 12 CFR § 717.90 (NUCA); 16 CFR § 681.1 (FTC); 17 CFR § 162.30 (CFTC); 17 CFR § 248.201 (SEC)

Board of Governors of the Federal Reserve System, Guidance on Managing Outsourcing Risk (Dec. 5, 2013) – FRB SR 13-19: Third party oversight guidance, set of cyber-risk oversight activities which includes reporting and expectations for Boards of Directors and Senior Management.

FFIEC IT Exam Handbooks: Some of the handbooks are more frequently a factor in exams, but they all contain provisions that impact payments compliance in the areas of confidentiality, availability, data integrity, privacy and third party oversight.

• FFIEC, IT Examination Handbook, Information Security (Sept. 2016)
• FFIEC, IT Examination Handbook, Retail Payment Systems (Apr. 2016)
• FFIEC, IT Examination Handbook, Supervision of Technology Service Providers (Oct. 2012)

FFIEC, Authentication in an Internet Banking Environment (Oct. 12, 2005); FFIEC, Supplemental to Authentication in an Internet Banking Environment (June 28, 2011)

FFIEC, Cybersecurity Assessment Tool (CAT) (June 2015): The CAT is a support tool issued by the FFIEC to assist financial organizations with managing cyber-risk. CAT is strongly encouraged by some US states, but in general it is based on existing guidance and thus does not constitute new regulation.

Gramm-Leach-Bliley Act (1999), 15 U.S.C § 6801 et seq.

Regulation P, Privacy of Consumer Financial Information 12 CFR 1016.1 et seq. – enacted to control how financial institutions manage the private information of individuals. In addition, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information include provisions associated with the role of risk management, boards and third party oversight.

Durbin Amendment 15 U.S.C. § 1693o-2; 12 CFR § 235.1 et seq. (interchange transaction fees)

Federal Trade Commission Act (1914), 15 U.S.C. § 45(a) (prohibiting “unfair or deceptive acts or practices in or affecting commerce”); 16 CFR § 314.3 (requiring companies to develop written information security programs to protect customer information)

Consumer Financial Protection Act of 2010, 15 U.S.C. § 5531 et seq. (prohibiting “unfair, deceptive, or abusive act[s] or practice[s]. . .” in consumer finance)

State-based cybersecurity and breach laws: A challenge due to the variation among those sets of regulation which include:

• All 50 States address unauthorized access, malware and viruses
• 20 States address spyware
• 23 States address phishing

Source: National Conference of State Legislatures

International cybersecurity regulations and related data-protection laws: Vary widely and continue to evolve, e.g., European Union General Data Protection Regulations (May 2018); Japan: The Act on the Protection of Information (May 2017)

Office of Foreign Assets Control (OFAC)/Sanction Screening

American National Standards Institute (ANSI) X9.8-1 Personal Identification Management (PIN) Management and Security Part 1: PIN protection principles and techniques for online PIN verification in ATM & POS systems (equivalent of ISO 9564)

• Applicable to institutions responsible for implementing, managing, and protecting PINs
• Provides the minimum security measures required for effective international PIN management (ATM and POS)
• Includes PIN protection techniques applicable to card payments initiated in an online environment
• Provides a standard means of interchanging PIN data

International Organization for Standardization (ISO) 9564 Banking PIN Package

• Provides businesses, government agencies, and other organizations with tools needed to protect against the theft and misuse of personal and financial information
• Covers management and security requirements for online / offline PIN handling in ATM and POS systems

ANSI X9.24-1 Retail Financial Services Symmetric Key Management Part 1: Using Symmetric Techniques

• Specifies minimum requirements for the management of keying material
• Covers manual and automated management of keying material used for financial services such as POS transactions and ATM transactions; messages among terminals and financial institutions; interchange messages among acquirers, switches and card issuers
• Deals exclusively with management of symmetric keys using symmetric techniques
• This part of this standard does not cover message format, communications protocol, transmission speed, or device interface

ANSI X9.24-2 Retail Financial Services Symmetric Key Management Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys

• Covers manual and automated management of keying material used for financial services such as POS transactions and ATM transactions; messages among terminals and financial institutions; interchange messages among acquirers, switches and card issuers
• May apply to internet-based transactions, but only when such applications include the use of a tamper resistant security module (TRSM) as defined in section 7.2 of ANS X9.24 Part 1 to protect the private and symmetric keys.
• Deals with management of symmetric keys using asymmetric techniques and storage of asymmetric private keys using symmetric keys

ISO/International Electrotechnical Commission (IEC) 7816-4 Identification cards –Integrated circuit cards Part 4: Organization, security and commands for interchange

• Independent from the physical interface technology
• Applies to cards accessed by one or more of the following methods: contacts, close coupling, radio frequency

ANSI X9.122 Secure Customer Authentication for Internet Payments – Draft in approval stage (Note: It says that to use PIN you must use the Standards already referenced in PIN)

• Requirements for secure customer authentication for electronic payment transactions over multiple channels initiated through the interchange system (debit/credit network) via internet, mobile or voice channels
• Covers passcodes, passwords, biometrics, magnetic strip authentication values, cryptography, small device authentication, and vendor considerations

Protection of Sensitive Payment Card Data through Encryption

ANSI Accredited Standards Committee (ASC) X9.119 Retail Financial Services – Requirements for Protection of Sensitive Payment Card Data

• Part 1: Using Encryption Methods – defines minimum security requirements when employing encryption methods to protect sensitive payment card data. “Protection” refers to maintaining the secrecy of the data from unauthorized disclosure. It applies to protection of the data from the point of encryption to the point of decryption, wherever those points may be in a given system. Addresses the protection of sensitive payment card data from the Requesting Entity to the Token Request Interface.
• Part 2: Implementing Post-Authorization Tokenization Systems standard focuses on the Tokenization Service and the Token Request Interface. It defines the minimum security requirements when employing a post-authorization tokenization system to protect sensitive payment card data. “Protection” refers to maintaining the secrecy and integrity of the data protected by tokenization from unauthorized disclosure and modification. Data encryption, integrity protection, and the support for key management services are required to protect sensitive payment card data during the tokenization and de-tokenization process

ISO Information Technology – Encryption Algorithms

• ISO/IEC 10116 – Security techniques – Modes of operation for an n-bit block cipher – These modes provide methods for encrypting and decrypting data where the bit length of the data may exceed the size of the block cipher and provide protection of data confidentiality.
• ISO/IEC 18033-2 – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers – Encryption (or encipherment) techniques protect the confidentiality of stored or transmitted data. An encryption algorithm is applied to plaintext or cleartext data to yield encrypted data (or ciphertext). The encryption algorithm should be designed so that the ciphertext yields no information about the plaintext except, perhaps, its length. Every encryption algorithm has a corresponding decryption algorithm, which transforms ciphertext back into its original plaintext. An asymmetric, i.e. public-key, encryption scheme allows a sender to use a recipient’s public key to transmit an encryption of a message to the receiver, who uses his secret key to decrypt the given ciphertext to obtain the original message.
• ISO/IEC 18033-3 – Security techniques – Encryption algorithms – Part 3: Block ciphers A block cipher is a symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e. a string of bits of a defined length, to yield a block of ciphertext. The following algorithms are specified in this standard:
  • 64-bit block ciphers: TDEA, MISTY1, CAST-128, HIGHT
  • 128-bit block ciphers: AES, Camellia, SEED

ANSI ASC X9.97 Secure Cryptographic Devices (Retail)

• Part 1: Concepts, Requirements and Evaluation Methods – incorporates the cryptographic processes defined in ISO 9564, ISO 16609 and ISO 11568. Part 1 has two primary purposes:
  • To state the requirements concerning both the operational characteristics of secure cryptographic devices (SCDs) and the management of such devices throughout all stages of their life cycle,
  • To standardize the methodology for verifying compliance with those requirements.
• Part 2: Security Compliance Checklists for Devices Used in Financial Transactions – Identical to ISO 13491, which specifies use of checklists to evaluate Secure Cryptographic Devices (SCDs) incorporating cryptographic processes, as specified in parts 1 and 2 of ISO 9564, ISO 16609 and parts 1 to 6 of ISO 11568, in the financial services environment. IC payment cards are subject to the requirements identified in this part of ISO 13491 up until the time of issue, after which they are regarded as a “personal” device and outside of the scope of this document.

ISO 13491 Banking – Secure cryptographic devices, all parts

Key Management Schemes

ANSI Accredited Standards Committee

• 44 – Key Establishment Using Integer Factorization Cryptography – RSA – Integer Factorization Cryptography
• 133 – Identity Based Encryption for Financial Services Industry (in drafting stage) – Encryption algorithms used to attain standard levels of cryptographic strength when using the identity of a user (or application) as the public key, as banks often do.
• 42 – Public Key Cryptography for Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography – Diffie-Hellman – Discrete Logarithm Cryptography. Adapted from ISO 11770-3.
• 98 – Lattice-Based Polynomial Public Key Encryption Algorithm Part 1: Key Establishment
• 63 – Key Agreement and Key Management Using Elliptic Curve-Based Cryptography – Interoperable Method for Distribution of Symmetric Keys using Asymmetric Techniques
• TR 34 Part 1 – Using Factor Based Public Key Cryptography Unilateral Key Transport
• TR 31 – Interoperable Secure Key Exchange Key Block Specifications for Symmetric Algorithms

ISO 11770-3 Information technology – Security techniques – Key management – Part 3: Mechanisms using asymmetric techniques

Key Management Methods

ANSI Accredited Standards Committee

• 102-2008 Key Wrap Standard – for symmetric key block ciphers whose block size is either 64 bits or 128 bit
• 69-2012 Framework for Key Management Extensions – Symmetric cryptographic algorithms – Key extensions
• 79-4-2013 Public Key Infrastructure – Part 4: Asymmetric Key and Public Key Infrastructure
• 24 Retail Financial Services Symmetric Key Management
  • Part 1- Symmetric Key Management
  • Part 2- Using Asymmetric Techniques for the Distribution of Symmetric Keys
  • Part 3- Derived Unique Key Per Transaction (AES-DUKPT) Symmetric Key Management using AES DUKPT. This is the new standard replacing Triple DES – TDEA.
• TR-34-1-2012 Interoperable Method for Distribution of Symmetric Keys using Asymmetric techniques-Part 1 Using Factor Based Public Key Cryptography Unilateral Key Transport – Technical Report provides guidelines for secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys

ISO 15782 (similar to ISO X9.79-4) Certificate management for financial services –Part 1: Public key certificates – defines a certificate management system for financial industry use for legal and natural persons that includes credentials and certificate contents, Certification Authority systems, including certificates for digital signatures and for encryption key management certificate generation, distribution, validation and renewal, authentication structure and certification paths, and revocation and recovery procedures. Also recommends some useful operational procedures.

Format Preserving Encryption

• ANSI ASC X9.124 Format Preserving Encryption of Financial Information – Format Preserving Encryption is useful in situations where fixed-format data, such as Primary Account Numbers or Social Security Numbers, must be encrypted, but there is a requirement to limit changes to existing communication protocols, database schemata or application code. Format Preserving Encryption Counter Mode is a particularly simple and efficient mechanism to achieve format preserving encryption, which shares many of the strengths and challenges of Counter Mode (CTR) as defined in NIST SP38B.
  • Part 1 Cryptographic algorithms – Block Ciphers – covers format preserving block ciphers
  • Part 2 Cryptographic algorithms – Stream Ciphers – covers format preserving stream ciphers
• National Institute for Standards and Technology (NIST) SP 38B – Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication – This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data.

SimAlliance (Near Field Communication (NFC) with Host Card Emulation (HCE) or secure element) Access mode/network credit/debit

• Protection of payment credentials
• Communications between mobile device and POS terminal

Global System for Mobile Communication Association (GSMA) NFC Core Wallet Requirements and Mobile Wallet White Paper (WP) (NFC with HCE or secure element) credit/debit

• Protection of payment credentials
• Communication between mobile device and POS terminal
• Includes algorithms for PIN encipherment and open network PIN handling

EMV Payment Tokenization Specification – Technical Framework

• Payment Tokens are surrogate values that replace the Primary Account Number (PAN) in the payments ecosystem. They may be used to originate payment transactions, while non-payment tokens may be used for ancillary processes, such as loyalty tracking. This specification does not address non-payment tokens, but does not does preclude their use.

Source: https://www.emvco.com/

EMV QR Code Specification for Payment Systems – Consumer-Presented Mode Version 1.0 and the EMV QR Code Specification for Payment Systems Merchant-Presented Mode Version 1.0

Source: https://www.emvco.com/emv-technologies/qrcodes/

Payment Card Industry (PCI) Data Security Standard (DSS) – Requirements and Security Assessment Procedures

• Developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It provides a baseline of technical and operational requirements designed to protect account data and applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1484000182971

PCI Payment Application Data Security Standard (PA-DSS) – Requirements and Security Assessment Procedures

• Defines security requirements and assessment procedures for software vendors of payment applications. This document is to be used by Payment Application Qualified Security Assessors (PA-QSAs) conducting payment application assessments to validate that a payment application complies with the PA-DSS.
• Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of primary account number (PAN), full track data, Card Verification Values ¹, PINs and PIN blocks, and the damaging fraud resulting from these breaches.

PCI Point-to-Point-Encryption (P2PE) – Solution Requirements and Testing Procedures

• Defines both requirements and testing procedures for P2PE solutions. The objective of this standard is to facilitate the development, approval, and deployment of PCI approved P2PE solutions that will increase the protection of account data by encrypting that data from the point of interaction within the encryption environment where account data is captured through to the point of decrypting that data inside the decryption environment, effectively removing clear-text account data between these two points.
• The requirements contained within this standard are intended for P2PE solution providers and other entities that provide P2PE components or P2PE applications for use in P2PE solutions, as well as P2PE assessors evaluating these entities. Additionally, merchants benefit from using P2PE solutions due to increased protection of account data and subsequent reduction in the presence of clear-text account data within their environments.

PCI P2PE – Encryption, Decryption, and Key Management within Secure Cryptographic Devices (Hardware/Hardware)

• Provides a method for providers of P2PE solutions to validate their solutions, and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for account data acceptance and processing. Specifically, this version contains validation requirements and testing procedures for hardware-based encryption and decryption solutions, also called “hardware/hardware.” Hardware/hardware solutions utilize secure cryptographic devices for both encryption and decryption including at the point of merchant acceptance for encryption, and within hardware security modules (HSMs) for decryption.

PCI P2PE – Encryption and Key Management within Secure Cryptographic Devices, and Decryption of Account Data in Software (Hardware/Hybrid)

• Provides a method for providers of P2PE solutions to validate their solutions, and for merchants to reduce the scope of their PCI DSS assessments when using a validated P2PE solution for account data acceptance and processing. Specifically, this version contains validation requirements and testing procedures for hardware/hybrid solutions which utilize secure cryptographic devices at the point of merchant acceptance for encryption and for managing cryptographic keys in the decryption environment while utilizing non-SCDs for the decryption of account data.

PCI Card Production and Provisioning – Logical Security Requirements

• All systems and business processes associated with the logical security activities associated with card production and provisioning such as data preparation, pre-personalization, card personalization, PIN generation, PIN mailers, and card carriers and distribution must comply with the requirements in this document.
• This document describes the logical security requirements required of entities that:
  • Perform cloud-based or secure element (SE) provisioning services;
  • Manage over-the-air (OTA) personalization, lifecycle management, and preparation of personalization data; or
  • Manage associated cryptographic keys.

PCI PIN Transaction Security (PTS) Point of Interaction (POI) – Modular Security Requirements

Provides vendors with a list of all the security requirements against which their product will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) device approval.

PCI Token Service Providers (TSP) – Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens)

• The requirements in this document are intended to apply in addition to applicable PCI DSS requirements to the token data environment (TDE). The TDE is a dedicated, secure area within the TSP, where one or more of the following services are performed:
• Token generation, issuing, and mapping processes
• Assignment of token usage parameters
• Token lifecycle management
• Processes to map or re-map tokens, or perform de-tokenization
• Cryptographic processes to support tokenization functions
• Maintenance of underlying token security and related processing controls, such as domain restrictions during transaction processing.

Global Platform Specifications for secure/interoperable deployment and management of applications on Secure Element (SE), Trusted Execution Environment (TEE) (NFC with SE or TEE) Access mode/network credit/debit

• Protection of payment credentials
• http://www.globalplatform.org
• European Payments Council (EPC) credit and debit
• EPC492-09 Mobile Payments WP
• EPC178-10 Mobile Contactless SEPA Card Payments Interoperability Implementation Guidelines
• http://www.europeanpaymentscouncil.eu

Mobey Forum (global back focused) analysis and education on mobile wallets (NFC with secure elements) Access mode/network credit/debit

• Protection of payment credentials
• Communications between mobile device and POS terminal

National Institute of Standards and technology (NIST) Cybersecurity Framework (CSF) and Sector-specific variations (Profiles) under development by leading financial services organizations. The CSF was mandated under and Executive Order 13636 in February of 2013 and has had significant domestic and international influence on not only the standardization of cybersecurity practices, but also on regulatory oversight activities. The CSF remains a voluntary standard, but regulators strongly encourage its use and adoption.

Payment network rules (e.g. Visa, MasterCard, American Express, Discover Network, JCB and debit card networks)

Tokens have the opportunity to improve security in the payments ecosystem, and standards would enable more interoperability and the use of tokens in various applications.

Payments stakeholders employ various methods and processes to comply with relevant state and federal regulations regarding customer onboarding as well as relevant private sector protocols. Greater focus on the development and adoption of standards related to online registration or mobile enrollment could enhance security.

The market has evolved to offer different kinds of mobile/digital wallets models. These models may vary in authentication, enrollment, use of tokenization, etc. They can be roughly categorized as the following types: NFC Pay Wallet (e.g. Apple Pay, Android Pay, Samsung Pay), cloud-based wallets with QR codes for POS contactless payments (e.g. Chase Pay, Walmart Pay), eCommerce wallets with Guest checkout, eCommerce wallets with card on file (e.g. Amazon, PayPal), digital checkout wallets provided by card networks (e.g. Visa Checkout, Masterpass, American Express Express); and in-app mobile application wallets (i.e. iTunes and others to access special content or features in a video).

Each wallet accepts a mix of payment methods but not all of the mixes are the same: depends on the wallet type.

Greater deployment of tokenization, user authentication and encryption based on open standards could enhance payment security.

Greater focus on development and adoption of risk-based cybersecurity rules, frameworks and open standards could enhance security.

Continued development and evolution of best practices for validating card credentials stored in a digital/mobile wallet may help enhance security.