Saturday, September 3, 2011

NFC-payments and PCI-compliance: a tester's adventure!

Summer 2011 is ending and the evenings are getting shorter in the Netherlands, so it is time to start blogging again.
This time I had a dilemma: report on the fraudulent-certificate Google-Iran DigiNotar incident, or look at how NFC payments affect payment regulations and testing.
Because the former is still fresh and mostly guesswork, I will share my thoughts on the theme that intrigued me this summer: testing mobile NFC payments.

So, where to start?
Why not first look at the testing methods that already exist for payments, especially those focused on security.
I have been in the testing business for 8 years now, mainly for financial institutions, and I have seen a lot of compliance rules come by. One of them is for payment cards: the Payment Card Industry Data Security Standard, aka PCI DSS.
This seems a good starting point for testing NFC payments with a contactless card or mobile phone.
Mind you, I have never tested this way; for the moment this is just my theoretical view on how to test NFC payments using the PCI DSS standard. And because it is a big quest, it will take several blog posts to finish.
But what's PCI DSS and how does it relate to NFC payments?
First I have to find out what the purpose of PCI DSS is.
Its website says:

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Aha, OK, and are there any testing procedures an organisation should undertake to be compliant with the PCI security standards and get their benefits?
Oh yes: both vendors of PCI solutions and all entities that process, store or transmit account data must be validated for PCI compliance, except, according to Wikipedia, issuing and acquiring banks.
For vendors, PIN transaction security must comply with the requirements and guidelines specified in two documents: the Device Testing and Approval Program Guide and the POI Modular Security Requirements.
The program guide reminds me of the Kantara Initiative interoperability testing programs I saw last year, so that experience comes in handy.
Like every testing program, it describes the purpose, the testing process in overview and in detail, and what to do if a security breach or compromise takes place. These are specialized security tests done by specialized evaluation labs such as T-Systems, as seen on this list.
For organisations handling large volumes of transactions, validation of compliance is done annually by an external Qualified Security Assessor (QSA); companies handling smaller volumes, such as small webshops, use a Self-Assessment Questionnaire (SAQ).
To avoid an SAQ and lessen the burden, a webshop can outsource its credit card handling to a payment acquirer like PayPal. PayPal is then the one who must be PCI compliant, as long as the webshop itself does not store, transmit or process payment card information.
This shows how complex the ecosystem is and how its stakeholders are affected by PCI compliance.
How do NFC payments affect the relationship between PCI compliance and its stakeholders in the credit card industry?
In my opinion, the primary change is the method of authentication by the customer, but the underlying technology that executes it should still be PCI compliant. This means the device enabling NFC payments should be PCI compliant (which means a different annual PCI compliance test of authentication for the vendor), and the same holds for the company or payment acquirer, if its credit card handling is affected.
Visa is even eliminating the requirement for US merchants (a European program is already in progress) to annually validate their compliance with PCI DSS if 75% of the merchant's annual Visa transactions originate from chip-enabled terminals.
This is done to prepare the US payment infrastructure for NFC-based mobile payments. So the NFC stakes are high for the credit card companies.
Not to forget: mobile payments also bring a new species (and not a small one) into the credit card PCI DSS ecosystem: the cell phone company.
It should also be PCI compliant, because it is part of the processing (I haven't seen a cell phone customer of PayPal) and it can also put the credit card bill on the phone bill, or pay via an NFC chip put in the phone, like Visa's payWave or MasterCard's PayPass.

So, for a tester there is enough adventure in the credit card PCI DSS ecosystem: different stakeholders, different chains and different tests to do. I look forward to it and will share my thoughts and experiences in this new ecosystem.

2 comments:

Sync InfoSec LLC said...

Excellent information about PCI compliance. Thank you so much.
PCI QSA in USA

Cordny Nederkoorn said...

You're welcome!

How's PCI compliance in the USA?