09.26.2012 LIVE WEBINAR Point-to-Point Encryption: Best Practices & PCI Compliance Update
Transcript
Page 1: Point-to-Point Encryption: Best Practices and PCI Compliance Update

09.26.2012

LIVE WEBINAR

Point-to-Point Encryption: Best Practices & PCI Compliance Update

Page 2: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Introductions

• Ben Smyth, Product Manager, Merchant Link
• Beth Farris, Manager, Marketing, Merchant Link
• Misael Henriquez, Director – Enterprise Security, Merchant Link

Page 3: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Agenda

• Current Threats
• Industry Response
  – PCI Council
  – EMV
• Point-to-Point Encryption
  – PCI P2PE-HW requirements
  – Solution types
  – Implementation best practices
• Q&A

Page 4: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Hackers’ Preferred Method

[Chart. Left panel, threat actions used in breaches (The Verizon 2012 Data Breach Investigations Report): hacking 81%, malware 69%. Right panel, type of data targeted (The Trustwave 2012 Global Security Report): in transit 62.5%, stored data 28.0%, hybrid 5.2%, data redirection 4.3%. Caption: Leveraging malware/hacking... to steal data in transit.]

Page 5: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Internal Threats

Types of malicious attacks (The Ponemon 2011 Cost of a Data Breach Study):

• Viruses, Malware, Worms, Trojans: 50%
• Criminal Insider: 33%
• Theft of Data-Bearing Devices: 28%
• SQL Injection: 28%
• Phishing: 22%
• Web-Based Attacks: 17%
• Social Engineering: 17%
• Other: 11%

Callout: Data-stealing malware

Page 6: Point-to-Point Encryption: Best Practices and PCI Compliance Update

The Attack of the Bots

In this diagram we have a typical network. The enterprise has two perimeter points of entry connecting to the Internet.

Page 7: Point-to-Point Encryption: Best Practices and PCI Compliance Update

The Attack of the Bots

In this diagram, the Red Icon represents the BOT Master who will be controlling and receiving information through infected systems within the larger Internet macrostructure.

Page 8: Point-to-Point Encryption: Best Practices and PCI Compliance Update

The Attack of the Bots

The BOT Master has established two command and control centers (C&Cs) here for his "army" to check into to receive instructions. The BOT Master generally will interface to these C&Cs via open tools such as IRC.

Page 9: Point-to-Point Encryption: Best Practices and PCI Compliance Update

The Attack of the Bots

In this final picture, through various means (social engineering, malware, etc.), BOTs have infiltrated the perimeter of an enterprise. These BOTs may appear totally harmless, using standard ports to transmit data to Command & Control Centers. Often, the only way to find them is to search from the perimeter for common destinations.
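The "search from the perimeter for common destinations" approach can be turned into a small egress-log check. The example below is added here and is not part of the webinar or Merchant Link's tooling: it groups constructed firewall egress records (timestamp, source, destination, port; all addresses are from documentation ranges) by flow, flags flows whose check-in intervals are unusually regular, and then reports external destinations that several internal hosts are checking into on the same standard port. The log format and thresholds are assumptions for the demonstration.

```python
"""Added example: spotting bot check-ins from perimeter egress logs.

Bots that use standard ports (443, 80) blend into normal traffic on a
per-connection basis. Two things still stand out when the whole perimeter
is viewed at once: the check-in interval is mechanically regular, and
several internal hosts share the same external destination.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress records (timestamp src dst dport). Three internal hosts
# check in to 203.0.113.17:443 every ten minutes; the rest is ordinary,
# irregular browsing to other sites.
LOG_LINES = """\
2012-09-26T10:00:00 10.1.1.5 203.0.113.17 443
2012-09-26T10:00:02 10.1.1.9 203.0.113.17 443
2012-09-26T10:00:05 10.1.2.30 203.0.113.17 443
2012-09-26T10:03:41 10.1.1.5 198.51.100.7 443
2012-09-26T10:07:12 10.1.1.9 198.51.100.22 80
2012-09-26T10:10:00 10.1.1.5 203.0.113.17 443
2012-09-26T10:10:02 10.1.1.9 203.0.113.17 443
2012-09-26T10:10:05 10.1.2.30 203.0.113.17 443
2012-09-26T10:11:58 10.1.1.5 198.51.100.7 443
2012-09-26T10:20:00 10.1.1.5 203.0.113.17 443
2012-09-26T10:20:02 10.1.1.9 203.0.113.17 443
2012-09-26T10:20:05 10.1.2.30 203.0.113.17 443
2012-09-26T10:24:33 10.1.2.30 198.51.100.7 443
2012-09-26T10:30:00 10.1.1.5 203.0.113.17 443
2012-09-26T10:30:02 10.1.1.9 203.0.113.17 443
2012-09-26T10:30:05 10.1.2.30 203.0.113.17 443
2012-09-26T10:31:07 10.1.1.5 198.51.100.7 443
2012-09-26T10:44:19 10.1.1.5 198.51.100.7 443
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_flows(lines):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed records rather than abort the scan
        ts, src, dst, dport = m.groups()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def is_beacon(times, min_hits=3, max_cv=0.1):
    """True when the gaps between connections are nearly constant.

    The coefficient of variation (stdev / mean of the gaps) is near zero for
    a timer-driven check-in and much larger for human-driven browsing.
    """
    if len(times) < min_hits:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def common_beacon_destinations(lines, min_hosts=2):
    """Map 'dst:port' -> sorted internal hosts that beacon to it.

    Only destinations shared by at least `min_hosts` beaconing hosts are
    returned; a single regular flow is more often a legitimate agent.
    """
    by_dst = defaultdict(set)
    for (src, dst, dport), times in parse_flows(lines).items():
        if is_beacon(times):
            by_dst[(dst, dport)].add(src)
    return {
        f"{dst}:{dport}": sorted(srcs)
        for (dst, dport), srcs in by_dst.items()
        if len(srcs) >= min_hosts
    }


if __name__ == "__main__":
    for dest, hosts in common_beacon_destinations(LOG_LINES).items():
        print(f"{dest} <- {', '.join(hosts)}")
```

On the constructed log this reports only `203.0.113.17:443`, reached by all three internal hosts on a fixed ten-minute timer; the browsing flows to 198.51.100.7 have irregular gaps and are ignored. In practice the same grouping is run over NetFlow or proxy logs, and the shared destinations are then checked against threat intelligence before anyone is paged.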

Page 10: Point-to-Point Encryption: Best Practices and PCI Compliance Update

How to Combat the Threat?

• PCI Council Embraces P2PE
  – Recent releases from the Council with recommendations and requirements for implementing and providing P2PE solutions
  – QSA Certification, Training, and Validated P2PE solution publishing for solutions and providers
  – Requirements for Hybrid (Hardware to Hardware/Software) P2PE systems

• Card Associations Adopt EMV Standard
  – Addressing the root of the problem by moving to a more secure payment vehicle
  – Extending the umbrella of security to authenticate the payment card to the cardholder and adding a measure of track data security to the POI

Page 11: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Misconceptions About EMV

[Table: EMV vs. P2PE, compared on three properties: Protects Card-Present, Protects Card-Not-Present, Reduces PCI Scope]

Page 12: Point-to-Point Encryption: Best Practices and PCI Compliance Update

PCI Domains and Requirements for P2PE (Validated and Listed Solution)

DOMAIN 1: Encryption Device Management
– PTS Lab and Device Vendor: PTS / SRED approval
– QSA (P2PE) and Integrator/Solution Provider:
  1. Device is current and on PTS list.
  2. Device is managed appropriately from key injection to pre-use, including key management per Domain 6.

DOMAIN 2: Application Security
– PA-QSA (P2PE) and Application Vendor:
  1. Application developed per device vendor guidance, etc.
  2. Application is assessed as part of P2PE solution.
– QSA (P2PE) and Solution Provider: Application is current on P2PE list or assessed as part of this P2PE solution.

DOMAIN 3: Encryption Environment
– Merchant:
  1. Follows solution provider PIM for device inventory, tamper-checking, physical security.
  2. Annual SAQ if required.
– QSA (P2PE) and Solution Provider:
  1. Solution provider’s PIM is complete.
  2. Device/solution provider manages remote access, logical access, etc.

DOMAIN 4: Transmissions Between Encryption and Decryption Environments
– Merchant: N/A – Device manages segregation between encryption and decryption zones
– QSA (P2PE) and Solution Provider: N/A – Device manages segregation between encryption and decryption zones per Domain 1

DOMAIN 5: Decryption Environment / Device Management
– QSA (P2PE) and Solution Provider:
  1. Secure device management
  2. Devices monitored for anomalous behavior
  3. HSM use
  4. Key Management per Domain 6
  5. PCI DSS compliance

DOMAIN 6: P2PE Cryptographic Key Operations
– QSA (P2PE) and Solution Provider: Domain 6 requirements for key operations are applicable anywhere that cryptographic keys are handled, including the encryption device environment.

Page 13: Point-to-Point Encryption: Best Practices and PCI Compliance Update

P2PE Solution Types

• Hardware/Hardware
• Hybrid (hardware/hardware-software)
• Hybrid (hardware/software)

Page 14: Point-to-Point Encryption: Best Practices and PCI Compliance Update

For a merchant to qualify for PCI scope reduction for P2PE, the solution provider must be external to the enterprise.

Page 15: Point-to-Point Encryption: Best Practices and PCI Compliance Update

On the PCI Horizon...

• The next version (v3.0) of the PCI Data Security Standards (PCI DSS and PA-DSS) will be released in October 2013
  – No details yet

• Recent focus on more specialized education for integrators, POS and device providers, individuals/professionals... (beyond QSAs)
  – P2PE Internal Security Assessor (ISA) program
  – Qualified Integrators and Resellers (QIR) program
  – Payment Card Industry Professional (PCIP) certification

Page 16: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Evaluate:

• Encryption: industry-recognized standards and methods vs. proprietary. The POI must be a PTS-certified hardware device.
• Decryption: hardware security modules (HSMs); how is key data transport handled?
• Devices, Applications: the POI device must be SRED 2.x (or higher) enabled and active; PA-DSS validated application.
• Key Operations: who holds the keys? who has access? key injection process?

Page 17: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Consider:

• Service / Support: fast access to data and ability to troubleshoot? Responsive, redundant support centers, 24x7x365?
• Network Uptime and Throughput: redundant data centers? Transactions per second?
• Stability: financial strength of company? Number of years of experience?
• Flexibility: encryption via various POI devices? Single vs. multi-use tokens? Processor choice? POS vendor/device choice?

Page 18: Point-to-Point Encryption: Best Practices and PCI Compliance Update

TransactionShield®: Our P2PE Solution

• A flexible solution for the market today
  – Ability to support many points of interaction: card present, key-entered, e-commerce, virtual terminal
  – Designed to integrate with most major encrypting devices
  – Connectivity to all major processors

• No processor lock-in: ability to easily change acquirers without equipment changes, reprogramming or PIN re-injection

• Option to connect to multiple processors simultaneously (AMEX, private label, gift cards, etc.)

• Protects data as it travels through the merchant IT environment
  – Encrypts cardholder data using industry-recognized standards and methods
  – Utilizes cloud-based decryption

• C (QSA) validated
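The scope-reduction claim above (and the earlier point that the solution provider holding the keys must be external to the enterprise) boils down to one verifiable property: nothing in the merchant's segment can see a cleartext PAN. The example below is an added illustration, not TransactionShield code or any PTS/SRED cipher. It models a POI that encrypts track data under a key only the solution provider holds, a POS that merely forwards the blob, and the check an assessor would run over merchant logs or captures: look for Luhn-valid digit runs. The keystream construction, the log format and the test PAN are constructed for the demonstration.

```python
"""Added example: a P2PE-style data flow plus a merchant-segment PAN scan.

In a hardware P2PE solution the POI encrypts track data inside its SRED
module and the provider decrypts it in an HSM (Domains 1, 5 and 6). The
merchant's POS and network never hold the key, so a scan of anything the
merchant logs or captures should find no Luhn-valid card numbers.
"""
import base64
import hashlib
import hmac
import re

# Constructed key for the demo. In a real solution this lives in the POI's
# SRED module and the provider's HSM, never in merchant systems.
PROVIDER_KEY = hashlib.sha256(b"constructed-demo-key-not-real").digest()
NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream (illustration only; not the
    cipher any PTS-approved device uses)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def poi_encrypt(track: str, nonce: bytes) -> str:
    """What the POI hands to the POS: base64(nonce || ciphertext)."""
    ks = _keystream(PROVIDER_KEY, nonce, len(track))
    ct = bytes(a ^ b for a, b in zip(track.encode(), ks))
    return base64.b64encode(nonce + ct).decode()


def provider_decrypt(blob: str) -> str:
    """Runs only in the decryption environment (cloud/HSM), never at the merchant."""
    raw = base64.b64decode(blob)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    ks = _keystream(PROVIDER_KEY, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used to tell real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run in the text."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_ok(m)]


def merchant_segment_messages(p2pe: bool) -> list:
    """Constructed POS log lines for one authorisation, with or without P2PE.
    4111111111111111 is a well-known test PAN; the track is constructed."""
    track2 = "4111111111111111=25121011000012345678"
    # Fixed nonce so the demo is reproducible; real devices generate fresh ones.
    payload = poi_encrypt(track2, nonce=b"\x00" * NONCE_LEN) if p2pe else track2
    return [f"POS-07 fwd auth amt=42.17 data={payload}",
            "POS-07 rsp approved ref=0001"]


def scope_check(p2pe: bool) -> int:
    """Number of cleartext PANs visible in the merchant segment (target: 0)."""
    return sum(len(find_pans(line)) for line in merchant_segment_messages(p2pe))


if __name__ == "__main__":
    print("legacy flow, PANs visible at merchant:", scope_check(p2pe=False))
    print("P2PE flow,   PANs visible at merchant:", scope_check(p2pe=True))
```

The interesting part is not the toy cipher but `scope_check`: with the legacy flow the POS log exposes one PAN, with the P2PE flow it exposes none, and the provider can still recover the track on its side. The same regex-plus-Luhn scan, pointed at real logs, captures and databases, is how a merchant demonstrates that cardholder data really does pass through its environment only as ciphertext.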

Page 19: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Conclusions

• Data in transit is under attack.
  – Hackers are using a combination of techniques.

• To protect data, merchants must also use a combination of techniques (layers of security).
  – EMV is a good layer, but it’s not the answer.

• PCI has endorsed P2PE as an effective way to enhance security and reduce PCI scope.
  – Esp. hardware-based, third-party solutions.

• Requirements and threats continue to expand and change. Seek out a flexible, secure solution that can meet your needs now and into the future.

Page 20: Point-to-Point Encryption: Best Practices and PCI Compliance Update

Contact us by email: [email protected]
Engage: www.merchantlink.com/blog
Connect with us online: