Payments Security – Vital Information all
Payment Processors need to know
Dean Coclin
Sr. Director of Business Development
Chair CA/Browser Forum
Agenda
1. The CA/Browser Forum and its role in the ecosystem
2. Publicly trusted certificates in payment terminals
3. SHA-1 deprecation
4. Solutions for the payment industry
Who is the CA/B Forum?
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications.
http://www.cabforum.org
CA/B Forum: A Brief History
• CABF starts as a loose association of CAs and browsers to draft guidelines for EV SSL Certificates
• Membership expands globally, currently 52 CAs and 6 browsers
• EV Guidelines generated and approved
• Baseline Requirements formulated and passed
• Network Security document created and finalized
• All publicly trusted CAs, whether members of CABF or not, must adhere to guidelines!
(Figure: timeline, 2006 to 2015)
CA/B Forum members
Roles of parties in the CA ecosystem
(Figure: Server, Auditors, Browsers, Root Certificates)
CA/B Forum Facts and Misconceptions
• Rules are codified in “Baseline Requirements” documents
• The Forum cannot grant “exceptions” to its rules
• All rules are made by ballot
• Browsers and CAs have separate voting groups:
– 2/3 of CAs must approve + Majority of Browsers must approve
• All meeting minutes and mailing lists are public
• The Chair does not have the authority to waive any requirements
Payment Terminals are all over the map
• Many different terminals…
– Manufacturers
– Software versions
– ROMs
• …which trust various root certificates…
– SHA-1
– SHA-2
– Many only trust Verisign roots
• …causing difficulty in determining which terminals work with SHA-2
Many didn’t know until it was too late…
• Processors, while most were aware of the SHA-1 deadline, didn’t realize the extent of the problem
• Limited data on existing terminals, limited testing opportunities
• EMV would dictate update timeline
• RESULT: Panic calls to CAs after the deadline
Copyright © 2014 Symantec Corporation
What is a hashing function?
• An algorithm that maps large data sets of variable length to smaller data sets of fixed length
• Used as a “fingerprint” or “checksum”
• It should be “impossible” to find two data sets that map to the same hash value
• Used in digital signatures to avoid having to encrypt the large data set
• Examples: MD2, MD5, SHA-1, SHA-256
• SHA: Secure Hash Algorithm
Why SHA-1 Migration?
• Risk of collision attacks*
– (no known security breaches to date)
• NIST recommendation: transition to SHA-256 (SHA-2)
*Source: http://csrc.nist.gov/groups/ST/hash/statement.html
In Response*…
*Sources:
https://technet.microsoft.com/en-us/library/security/2880823.aspx
http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
SHA-1 certificates for the payment industry
• In order to continue issuing SHA-1 certificates (for non-browser users), some CAs have removed roots from public (browser/OS) trust stores
• These roots had excellent ubiquity and are likely present in many payment terminals
• Because they are no longer trusted by browsers/OSes, CA/B rules do not apply
Private CA with retired root
• A cross-intermediate CA for the Private CA
– Private SSL can chain up to a retired root via a cross cert
• Customers don’t need to distribute the Private root to clients
• This solution works only for non-browser applications
(Figure: Server with E/E cert → ICA cert → Cross cert; validated by non-browser clients (POS, set-top box) and by browsers*)
*Private root needs to be pre-installed
SHA-2 certificate from SHA-1 intermediate
• Issue a SHA-2 certificate from a known SHA-1 intermediate
• Some payment terminals seem to work with this method
• Terminals were found to check for a “hard coded” name in the intermediate certificate (which was “Verisign”)
• Use an old Verisign SHA-1 Intermediate to issue the SHA-2 certificate
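The two slides above ("Private CA with retired root" and "SHA-2 certificate from SHA-1 intermediate") both come down to one question a processor has to answer per terminal population: which root does the client trust, which certificate path does that produce, and which signature hashes does the client then have to accept? The following is an added example, not code from the deck or from Symantec, that models exactly that path logic. Certificates are toy records (no real X.509 parsing and no signature verification); all names, key identifiers and the two leaf certificates are constructed for illustration. The cross-certified ICA is modelled as one key carrying two certificates, one from the private root and one from the retired root, so the path a relying party builds depends only on its trust store.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Toy certificate record (constructed; not a real X.509 object)."""
    subject: str        # subject name
    issuer: str         # issuer name
    key_id: str         # identifier of the subject public key
    issuer_key_id: str  # identifier of the key that signed this certificate
    sig_hash: str       # hash in the signature algorithm: "sha1" or "sha256"


def build_path(leaf: Cert, pool: list, trust_store: list) -> Optional[list]:
    """Depth-first path construction from `leaf` to an anchor in `trust_store`.

    Candidates are matched on (issuer name, issuer key id), so both
    certificates a cross-certified ICA holds for the same key are tried;
    which one lands in the path depends purely on the relying party's
    trust store. Returns [leaf, ..., anchor] or None.
    """
    anchors = {(c.subject, c.key_id): c for c in trust_store}

    def extend(path):
        last = path[-1]
        want = (last.issuer, last.issuer_key_id)
        if want in anchors:
            return path + [anchors[want]]
        for cand in pool:
            if (cand.subject, cand.key_id) == want and cand not in path:
                done = extend(path + [cand])
                if done:
                    return done
        return None

    return extend([leaf])


def hashes_relied_on(path: list) -> list:
    """Signature hashes the relying party must accept along the path. The
    anchor is trusted directly, so its (self-)signature is never verified
    and is excluded from the list."""
    return sorted({c.sig_hash for c in path[:-1]})


def evaluate(leaf: Cert, pool: list, stores: dict) -> dict:
    """For each named trust store: (subjects along the path, hashes) or None."""
    out = {}
    for name, store in stores.items():
        path = build_path(leaf, pool, store)
        out[name] = None if path is None else ([c.subject for c in path], hashes_relied_on(path))
    return out


def audit_sha1(result: dict) -> list:
    """Names of trust stores whose path still depends on a SHA-1 signature."""
    return [name for name, r in result.items() if r is not None and "sha1" in r[1]]


# ---- constructed data: names and key ids are illustrative only ----
RETIRED_ROOT = Cert("Example Retired Root", "Example Retired Root", "R", "R", "sha1")
PRIVATE_ROOT = Cert("Example Private Root", "Example Private Root", "P", "P", "sha256")
PUBLIC_ROOT = Cert("Example Public Root", "Example Public Root", "Q", "Q", "sha256")

# "Private CA with retired root": one ICA key, two certificates for it.
ICA = Cert("Example Payments ICA", "Example Private Root", "I", "P", "sha256")
CROSS = Cert("Example Payments ICA", "Example Retired Root", "I", "R", "sha1")
LEAF_SHA1 = Cert("pos-gateway.example.test", "Example Payments ICA", "S1", "I", "sha1")

# "SHA-2 certificate from SHA-1 intermediate": SHA-256 leaf under a SHA-1 ICA.
OLD_ICA = Cert("Example Legacy ICA", "Example Public Root", "L", "Q", "sha1")
LEAF_SHA2 = Cert("pos-gateway.example.test", "Example Legacy ICA", "S2", "L", "sha256")

STORES = {
    "terminal (retired root only)": [RETIRED_ROOT],
    "browser + pre-installed private root": [PRIVATE_ROOT],
    "browser (public roots only)": [PUBLIC_ROOT],
}

if __name__ == "__main__":
    for leaf in (LEAF_SHA1, LEAF_SHA2):
        res = evaluate(leaf, [ICA, CROSS, OLD_ICA], STORES)
        print(leaf.subject, "signed with", leaf.sig_hash)
        for name, r in res.items():
            print("  ", name, "->", r)
        print("   still relying on SHA-1:", audit_sha1(res))
```

Running it shows the SHA-1 leaf chaining to the retired root via the cross cert for the terminal store, to the private root via the ICA for the browser with the root pre-installed, and to nothing for a public-only browser store, which is why the slide limits this solution to non-browser applications. The SHA-256 leaf under the legacy SHA-1 ICA validates only against the public root and still makes the client accept a SHA-1 signature on the intermediate, so a terminal needs SHA-256 support for the leaf while a browser applying the deprecation dates cited earlier will reject the intermediate. On real chains, the same audit is done by reading the "Signature Algorithm" field of each certificate in the path rather than a toy `sig_hash` label.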
Going Forward…
• Move away from CA/Browser Forum publicly trusted roots
• Create separate “roots of trust” specific to the payment industry
• Distribute these roots to terminals in a trusted fashion
• Roots can be used under payment industry rules and guidance
Thank you!
Dean Coclin
Email: dean_coclin@symantec.com
Twitter: @chosensecurity
Office: +1 617 252 3035

Contenu connexe

En vedette

Séptima Encuesta Mundial del Coeficiente Digital de las empresas
Séptima Encuesta Mundial del Coeficiente Digital de las empresasSéptima Encuesta Mundial del Coeficiente Digital de las empresas
Séptima Encuesta Mundial del Coeficiente Digital de las empresasPwC España
 
Final Pages Pro - Forma
Final Pages Pro - FormaFinal Pages Pro - Forma
Final Pages Pro - Formaniamhdarby
 
Happy mother’s day 
Happy mother’s day Happy mother’s day 
Happy mother’s day reinjanin
 
Maria Burka - Chemical Engineering in the 21st Century
Maria Burka - Chemical Engineering in the 21st CenturyMaria Burka - Chemical Engineering in the 21st Century
Maria Burka - Chemical Engineering in the 21st Centuryponenciasexpoquim11
 
bulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesus
bulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesusbulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesus
bulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesusBay Max
 
Tema 2 Función nutrición
Tema 2 Función nutriciónTema 2 Función nutrición
Tema 2 Función nutriciónN Flores
 
La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...
La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...
La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...Maria Luisa Lopez
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017CASCouncil
 

En vedette (11)

Séptima Encuesta Mundial del Coeficiente Digital de las empresas
Séptima Encuesta Mundial del Coeficiente Digital de las empresasSéptima Encuesta Mundial del Coeficiente Digital de las empresas
Séptima Encuesta Mundial del Coeficiente Digital de las empresas
 
Виртуальный 3D тур для бизнеса
Виртуальный 3D тур для бизнесаВиртуальный 3D тур для бизнеса
Виртуальный 3D тур для бизнеса
 
Final Pages Pro - Forma
Final Pages Pro - FormaFinal Pages Pro - Forma
Final Pages Pro - Forma
 
Updated Resume7
Updated Resume7Updated Resume7
Updated Resume7
 
Happy mother’s day 
Happy mother’s day Happy mother’s day 
Happy mother’s day 
 
Q6
Q6Q6
Q6
 
Maria Burka - Chemical Engineering in the 21st Century
Maria Burka - Chemical Engineering in the 21st CenturyMaria Burka - Chemical Engineering in the 21st Century
Maria Burka - Chemical Engineering in the 21st Century
 
bulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesus
bulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesusbulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesus
bulaklak-ng-lahing-kalinislinisan-ni-jose-corazon-de-jesus
 
Tema 2 Función nutrición
Tema 2 Función nutriciónTema 2 Función nutrición
Tema 2 Función nutrición
 
La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...
La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...
La web 2.0: Concepto, Caracteristicas, Origen del término, Aplicaciones y Her...
 
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
100 Percent Encrypted Web New Challenges For TLS RSA Conference 2017
 

Similaire à Payments Security – Vital Information all Payment Processors need to know

Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...
How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...
How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...Alan Quayle
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebCASCouncil
 
WebRTC - Bridging Web and SIP Worlds
WebRTC - Bridging Web and SIP WorldsWebRTC - Bridging Web and SIP Worlds
WebRTC - Bridging Web and SIP WorldsIMTC
 
Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Mohammad Asif
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...OnBoard Security, Inc. - a Qualcomm Company
 
Luniverse Partners Day - Jay
Luniverse Partners Day - JayLuniverse Partners Day - Jay
Luniverse Partners Day - JayLuniverse Dunamu
 
Flux PayDirect NACH IndusInd Bank Case Study
Flux PayDirect NACH IndusInd Bank Case StudyFlux PayDirect NACH IndusInd Bank Case Study
Flux PayDirect NACH IndusInd Bank Case Studyevolvus
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security  CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security CASCouncil
 
Blockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-diveBlockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-diveBinh Nguyen
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices SecurityBertrand Carlier
 
Bit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currencyBit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currencyMohammad Salehin
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low CostDonald Malloy
 
Wwc developing hyperledger applications v4
Wwc  developing hyperledger applications v4Wwc  developing hyperledger applications v4
Wwc developing hyperledger applications v4LennartF
 
An introduction to blockchain and hyperledger v ru
An introduction to blockchain and hyperledger v ruAn introduction to blockchain and hyperledger v ru
An introduction to blockchain and hyperledger v ruLennartF
 
IT guide for Vocollect Voice Systems
IT guide for Vocollect Voice SystemsIT guide for Vocollect Voice Systems
IT guide for Vocollect Voice SystemsBoreal Technologies
 
Unsung heroes Validator & Infra provider.pdf
Unsung heroes Validator & Infra provider.pdfUnsung heroes Validator & Infra provider.pdf
Unsung heroes Validator & Infra provider.pdfJiyun Kim
 

Similaire à Payments Security – Vital Information all Payment Processors need to know (20)

Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
F5 TLS & SSL Practices
F5 TLS & SSL PracticesF5 TLS & SSL Practices
F5 TLS & SSL Practices
 
How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...
How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...
How to Architect your WebRTC application, Alberto Gonzalez and Arin Sime, Web...
 
Symantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the WebSymantec’s View of the Current State of ECDSA on the Web
Symantec’s View of the Current State of ECDSA on the Web
 
WebRTC - Bridging Web and SIP Worlds
WebRTC - Bridging Web and SIP WorldsWebRTC - Bridging Web and SIP Worlds
WebRTC - Bridging Web and SIP Worlds
 
Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2Blockchin architecture & use cases -part-2
Blockchin architecture & use cases -part-2
 
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
IEEE 1609.2 and Connected Vehicle Security: Standards Making in a Pocket Univ...
 
Luniverse Partners Day - Jay
Luniverse Partners Day - JayLuniverse Partners Day - Jay
Luniverse Partners Day - Jay
 
Flux PayDirect NACH IndusInd Bank Case Study
Flux PayDirect NACH IndusInd Bank Case StudyFlux PayDirect NACH IndusInd Bank Case Study
Flux PayDirect NACH IndusInd Bank Case Study
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security  CA/Browser Forum—To effect positive changes to improve internet security
CA/Browser Forum—To effect positive changes to improve internet security
 
Blockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-diveBlockchain Explored: A technical deep-dive
Blockchain Explored: A technical deep-dive
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 
Bit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currencyBit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currency
 
Security and Authentication at a Low Cost
Security and Authentication at a Low CostSecurity and Authentication at a Low Cost
Security and Authentication at a Low Cost
 
Tech t18
Tech t18Tech t18
Tech t18
 
Wwc developing hyperledger applications v4
Wwc  developing hyperledger applications v4Wwc  developing hyperledger applications v4
Wwc developing hyperledger applications v4
 
An introduction to blockchain and hyperledger v ru
An introduction to blockchain and hyperledger v ruAn introduction to blockchain and hyperledger v ru
An introduction to blockchain and hyperledger v ru
 
IT guide for Vocollect Voice Systems
IT guide for Vocollect Voice SystemsIT guide for Vocollect Voice Systems
IT guide for Vocollect Voice Systems
 
Unsung heroes Validator & Infra provider.pdf
Unsung heroes Validator & Infra provider.pdfUnsung heroes Validator & Infra provider.pdf
Unsung heroes Validator & Infra provider.pdf
 

Plus de CASCouncil

Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastCASCouncil
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?CASCouncil
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly CASCouncil
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor RollCASCouncil
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumCASCouncil
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds TrustCASCouncil
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetCASCouncil
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebCASCouncil
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements CASCouncil
 
State of the Web
State of the WebState of the Web
State of the WebCASCouncil
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesCASCouncil
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!CASCouncil
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCASCouncil
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self RegulationCASCouncil
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of OpportunityCASCouncil
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI CASCouncil
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebCASCouncil
 

Plus de CASCouncil (18)

Six Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the PastSix Reasons http Will Become a Thing of the Past
Six Reasons http Will Become a Thing of the Past
 
What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?What Kind of SSL/TLS Certificate Do I Need?
What Kind of SSL/TLS Certificate Do I Need?
 
TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly TLS Certificates on the Web – The Good, The Bad and The Ugly
TLS Certificates on the Web – The Good, The Bad and The Ugly
 
2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll2016 IRS Free e-File Audit & Honor Roll
2016 IRS Free e-File Audit & Honor Roll
 
Update on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser ForumUpdate on the Work of the CA / Browser Forum
Update on the Work of the CA / Browser Forum
 
Extended Validation Builds Trust
Extended Validation Builds TrustExtended Validation Builds Trust
Extended Validation Builds Trust
 
CA Day 2014
CA Day 2014 CA Day 2014
CA Day 2014
 
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer InternetNew Ideas on CAA, CT and Public Key Pinning for a Safer Internet
New Ideas on CAA, CT and Public Key Pinning for a Safer Internet
 
Alternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure WebAlternatives and Enhancements to CAs for a Secure Web
Alternatives and Enhancements to CAs for a Secure Web
 
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
Addressing non-FQDNs and new gTLDs in SSL Baseline Requirements
 
State of the Web
State of the WebState of the Web
State of the Web
 
Trust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory ProcessesTrust Service Providers: Self-Regulatory Processes
Trust Service Providers: Self-Regulatory Processes
 
Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!Certificates, Revocation and the new gTLD's Oh My!
Certificates, Revocation and the new gTLD's Oh My!
 
CAs And The New Paradigm Shift
CAs And The New Paradigm ShiftCAs And The New Paradigm Shift
CAs And The New Paradigm Shift
 
CA Self Regulation
CA Self RegulationCA Self Regulation
CA Self Regulation
 
New Window of Opportunity
New Window of OpportunityNew Window of Opportunity
New Window of Opportunity
 
Nation-State Attacks On PKI
Nation-State Attacks On PKI Nation-State Attacks On PKI
Nation-State Attacks On PKI
 
Alternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure WebAlternatives to Certificate Authorities for a Secure Web
Alternatives to Certificate Authorities for a Secure Web
 

Dernier

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Dernier (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Payments Security – Vital Information all Payment Processors need to know

  • 1. Payments Security – Vital Information all Payment Processors need to know
    Dean Coclin, Sr. Director of Business Development, Chair CA/Browser Forum
  • 2. Agenda
    – 1 The CA/Browser Forum and its role in the ecosystem
    – 2 Publicly trusted certificates in payment terminals
    – 3 SHA-1 deprecation
    – 4 Solutions for the payment industry
  • 3. Agenda highlight: section 1, The CA/Browser Forum and its role in the ecosystem
  • 4. Who is the CA/B Forum?
    – The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications.
    – http://www.cabforum.org
  • 5. CA/B Forum: A Brief History (timeline 2006–2015)
    – CABF starts as a loose association of CAs and browsers to draft guidelines for EV SSL Certificates
    – Membership expands globally, currently 52 CAs and 6 browsers
    – EV Guidelines generated and approved
    – Baseline Requirements formulated and passed
    – Network Security document created and finalized
    – All publicly trusted CAs, whether members of CABF or not, must adhere to the guidelines!
  • 7. Roles of parties in the CA ecosystem (diagram; parties shown: Server, Auditors, Browsers, Root Certificates)
  • 8. CA/B Forum Facts and Misconceptions
    – Rules are codified in the “Baseline Requirements” documents
    – The Forum cannot grant “exceptions” to its rules
    – All rules are made by ballot
    – Browsers and CAs have separate voting groups: 2/3 of CAs must approve and a majority of browsers must approve
    – All meeting minutes and mailing lists are public
    – The Chair does not have the authority to waive any requirements
  • 9. Agenda highlight: section 2, Publicly trusted certificates in payment terminals
  • 10. Payment Terminals are all over the map
    – Many different terminals…
      – Manufacturers
      – Software versions
      – ROMs
    – …which trust various root certificates…
      – SHA-1
      – SHA-2
      – Many only trust Verisign roots
    – …causing difficulty in determining which terminals work with SHA-2
  • 11. Many didn’t know until it was too late…
    – Processors, while most were aware of the SHA-1 deadline, didn’t realize the extent of the problem
    – Limited data on existing terminals, limited testing opportunities
    – EMV would dictate the update timeline
    – RESULT → panic calls to CAs after the deadline
    Copyright © 2014 Symantec Corporation
  • 12. Agenda highlight: section 3, SHA-1 deprecation
  • 13. What is a hashing function?
    – An algorithm that maps input data of arbitrary length to a value of fixed length
    – Used as a “fingerprint” or “checksum”
    – It should be computationally infeasible to find two inputs that map to the same hash value (collision resistance)
    – Used in digital signatures so that the signature is computed over the short hash instead of the whole message
    – Examples: MD2, MD5, SHA-1, SHA-256 (MD2 and MD5 are broken and SHA-1 is being retired; the SHA-2 family is the current choice)
    – SHA: Secure Hash Algorithm
  • 14. Why SHA-1 Migration?
    – Risk of collision attacks* (no known security breaches at the time of this talk; a practical SHA-1 collision was publicly demonstrated in 2017)
    – NIST recommendation: transition to SHA-256 (SHA-2)
    *Source: http://csrc.nist.gov/groups/ST/hash/statement.html
  • 16. Agenda highlight: section 4, Solutions for the payment industry
  • 17. SHA-1 certificates for the payment industry
    – In order to continue issuing SHA-1 certificates (for non-browser users), some CAs have removed roots from public (browser/OS) trust stores
    – These roots had excellent ubiquity and are likely present in many payment terminals
    – Because they are no longer trusted by browsers/OSes, CA/B rules do not apply
  • 18. Private CA with retired root
    – A cross-intermediate CA for the Private CA: a private SSL certificate can chain up to a retired root via a cross certificate
    – Customers don’t need to distribute the private root to clients
    – This solution works only for non-browser applications
    – Diagram: server end-entity cert → ICA cert → cross cert → retired root, accepted by non-browser clients (POS, set-top box); a browser* can only validate the same certificate through the private root
    *Private root needs to be pre-installed
  • 19. SHA-2 certificate from SHA-1 intermediate
    – Issue a SHA-2 certificate from a known SHA-1 intermediate
    – Some payment terminals seem to work with this method
    – Terminals were found to check for a “hard coded” name in the intermediate certificate (which was “Verisign”)
    – Use an old Verisign SHA-1 intermediate to issue the SHA-2 certificate
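  The two workarounds on slides 18 and 19 come down to how a client builds a path from the server certificate to something in its own trust store. The example below is added here and is not code from the deck, from Symantec, or from any CA; it uses the `cryptography` library to construct a hypothetical hierarchy (all names, including “Retired Public Root”, “Payment Private Root”, “Payment Issuing CA” and the host name, are made up) and then runs the same depth-first path building a terminal or browser would run against three different trust stores: a terminal that only has the retired SHA-1 root, a browser with the private root pre-installed, and a browser after the root was pulled from the public store. The SHA-1 signatures are used only to model the legacy public hierarchy; the end-entity certificate is SHA-256, as on slide 19. `terminal_name_check` models the hard-coded issuer-name quirk from slide 19 so you can see that a chain which validates cryptographically can still be rejected by such a terminal.

```python
"""Path building against different trust stores (added example, not from the deck)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Validity window for the constructed demo certificates (assumption).
NOT_BEFORE = datetime.datetime(2015, 1, 1, tzinfo=datetime.timezone.utc)
NOT_AFTER = datetime.datetime(2040, 1, 1, tzinfo=datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, digest, is_ca):
    """Issue one certificate; `digest` is the hash used in the signature."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, digest)


def build_demo_pki():
    """Hypothetical hierarchy modelled on slides 18/19 (all names made up):
    a retired SHA-1 public root, a private root cross-signed by it, an issuing
    CA under the private root, and a SHA-256 server certificate."""
    keys = {n: rsa.generate_private_key(public_exponent=65537, key_size=2048)
            for n in ("retired", "private", "ica", "server")}
    retired = make_cert("Retired Public Root", keys["retired"], "Retired Public Root",
                        keys["retired"], hashes.SHA1(), True)      # legacy SHA-1 root
    private = make_cert("Payment Private Root", keys["private"], "Payment Private Root",
                        keys["private"], hashes.SHA256(), True)    # new private root
    cross = make_cert("Payment Private Root", keys["private"], "Retired Public Root",
                      keys["retired"], hashes.SHA1(), True)        # cross certificate
    ica = make_cert("Payment Issuing CA", keys["ica"], "Payment Private Root",
                    keys["private"], hashes.SHA256(), True)
    server = make_cert("gateway.example.test", keys["server"], "Payment Issuing CA",
                       keys["ica"], hashes.SHA256(), False)        # SHA-2 end-entity
    return {"retired": retired, "private": private, "cross": cross,
            "ica": ica, "server": server}


def signed_by(cert, issuer):
    """One link of the path: issuer name matches, issuer is a CA, and the
    issuer's key verifies cert's signature with cert's own digest."""
    if cert.issuer != issuer.subject:
        return False
    if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def build_chain(leaf, untrusted, trust_store, max_depth=6):
    """Depth-first path building: return [leaf, ..., anchor] where anchor is in
    `trust_store`, or None. `untrusted` is the bundle the server sends
    (intermediates and cross certs), exactly as a terminal or browser sees it."""
    def walk(chain):
        current = chain[-1]
        for anchor in trust_store:
            if signed_by(current, anchor):
                return chain + [anchor]
        if len(chain) >= max_depth:
            return None
        for cand in untrusted:
            if cand in chain or cand.issuer == cand.subject:  # no loops, no self-signed
                continue
            if signed_by(current, cand):
                found = walk(chain + [cand])
                if found:
                    return found
        return None
    return walk([leaf])


def chain_digests(chain):
    """Signature digest on each link, leaf first; this is what decides whether
    a SHA-1-only terminal can check the path at all."""
    return [c.signature_hash_algorithm.name for c in chain]


def terminal_name_check(chain, required):
    """Slide 19 quirk: accept only if some intermediate's CN contains `required`."""
    return any(required in _cn(c.subject) for c in chain[1:-1])


if __name__ == "__main__":
    pki = build_demo_pki()
    sent = [pki["ica"], pki["cross"]]          # bundle the server presents
    for label, store in (("terminal, retired root only", [pki["retired"]]),
                         ("browser, private root pre-installed", [pki["private"]]),
                         ("browser after root removal", [])):
        chain = build_chain(pki["server"], sent, store)
        print(label, "->", [_cn(c.subject) for c in chain] if chain else "no path",
              chain_digests(chain) if chain else "")
```

Running it shows the terminal reaching the retired root through the cross certificate (digests sha256, sha256, sha1, sha1), the browser with the pre-installed private root stopping one link earlier at that root, and the browser without either root finding no path at all. Two practical points fall out of the code: the server must actually send the cross certificate, otherwise the terminal path does not exist, and `terminal_name_check(chain, "Verisign")` is False for this hierarchy, which is exactly why slide 19 reaches for an old Verisign intermediate. Note that `signed_by` checks only name, CA flag and signature; a real path validator also enforces validity dates, key usage, name constraints and revocation.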
  • 20. Going Forward….
    – Move away from CA/Browser Forum publicly trusted roots
    – Create separate “roots of trust” specific to the payment industry
    – Distribute these roots to terminals in a trusted fashion
    – Roots can be used under payment industry rules and guidance
    (diagram: Root Certificates)
  • 21. Thank you! Dean Coclin, Email: dean_coclin@symantec.com, Twitter: @chosensecurity, Office: +1 617 252 3035

Speaker notes

  1. The forum is a self regulating body composed of CAs and Browsers and was formed to devise standards relating to the issuance and use of digital certificates in the browser ecosystem.
  2. CAs issue TLS certificates to web servers using public root keys trusted by browsers. Auditors play a critical role in the ecosystem by checking the work performed by the CA against criteria known as Baseline Requirements. The result of the audit is an audit report which is given annually to browsers. Browsers act as the Internet police. If they feel that a CA is misbehaving, they can sanction that CA or in the worst case, remove their root keys.