Published on Aug 30, 2016
After we released the first commercial payment card with a dynamic CVV code presented on e-ink paper at the bottom of the card, there were so many inaccurate comments from tech people on social websites that I was scared and at the same time frustrated. People I know, who are good developers or project managers, simply do not understand the basics of payment cryptographic flows. I was almost screaming that "the CVV code is not just random digits! It is a cryptographic signature of your card, it is never ever stored or represented anywhere except on your card, and to verify it a super-secure piece of hardware called an HSM needs to be used to recompute it and decide whether the input made by a user in a web browser is the correct one!" Then I realised that, if not for the project I was involved in last year, my knowledge would be more or less the same: inaccurate and based on wrong assumptions. When I looked around for the reasons why there is such a gap between people's knowledge and the real security patterns used in the payment industry, I found a very simple explanation. There is simply not enough accessible and well-presented information about payment cryptography and security measures. There is only highly advanced material with more mathematics than text, or it is inaccessible because one has to be part of a payment organisation such as Visa or the Security Council. My talk aims to fill this gap by introducing the audience to the most popular machinery involved in making our world secure enough to trust a credit or debit card.
I would like to present:

* the basics of symmetric cryptography algorithms
* key derivation and why it is so important for payment protection
* how a PIN flows from an ATM to the issuer bank in order to be verified
* what an HSM is and why it is used
* one more real-world example with online payment transactions
* how to tie it all together with PA-DSS certification

As a practical bonus I would also like to show some Java implementations of those algorithms and contrast them with what integration with hardware crypto-modules looks like.
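As an added illustration of the "recompute, never store" point made above, and not code from the talk or its Java demos, here is the published Visa-style CVV derivation together with the issuer-side check in Go: the value is derived from PAN, expiry and service code under the issuer's CVK pair, so verification means recomputing it under keys that stay inside the HSM and comparing. Any CVK bytes and card data fed to it in a test are constructed values, not a real issuer key.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// decimalize applies the CVV rule: hex digits 0-9 are kept first, in order,
// then A-F are mapped to 0-5 and appended; the first n digits are the result.
func decimalize(h string, n int) string {
	var digits, letters strings.Builder
	for _, c := range strings.ToUpper(h) {
		if c >= '0' && c <= '9' {
			digits.WriteRune(c)
		} else if c >= 'A' && c <= 'F' {
			letters.WriteByte(byte(c-'A') + '0')
		}
	}
	return (digits.String() + letters.String())[:n]
}

// ComputeCVV: PAN|expiry(YYMM)|service code is zero-padded to 128 bits; block 1
// is DES-encrypted under CVK-A, XORed with block 2, then TDES-encrypted under
// (CVK-A, CVK-B, CVK-A) and decimalised to three digits.
func ComputeCVV(cvkA, cvkB []byte, pan, expiry, svc string) (string, error) {
	data := pan + expiry + svc
	blocks, err := hex.DecodeString((data + strings.Repeat("0", 32))[:32])
	if err != nil || len(data) > 32 {
		return "", errors.New("card data must be at most 32 digits")
	}
	single, errA := des.NewCipher(cvkA) // rejects keys that are not 8 bytes
	triple, errB := des.NewTripleDESCipher(append(append(append([]byte{}, cvkA...), cvkB...), cvkA...))
	if errA != nil || errB != nil {
		return "", errors.New("CVK-A and CVK-B must each be an 8-byte DES key")
	}
	r := make([]byte, 8)
	single.Encrypt(r, blocks[:8])
	for i := range r {
		r[i] ^= blocks[8+i]
	}
	triple.Encrypt(r, r)
	return decimalize(hex.EncodeToString(r), 3), nil
}

// VerifyCVV is the issuer-side check: recompute under the HSM-held keys and
// compare in constant time; the CVV itself is never stored anywhere.
func VerifyCVV(cvkA, cvkB []byte, pan, expiry, svc, presented string) bool {
	expected, err := ComputeCVV(cvkA, cvkB, pan, expiry, svc)
	return err == nil && subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}
```

In production the two DES calls are the HSM command and the keys never appear in application memory; this code only makes the data flow visible.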