
FUTUREX.COM

About First American Payment Systems

Case Study - Point-to-Point Encryption

Point-to-Point Encryption for Securing Cardholder Data

First American Payment Systems, a top-ranked, privately-owned merchant acquirer, sought a solution to inject keys into electronic payment devices in a standards-compliant manner. Building on a previously established relationship, the Futurex Solutions Architect team developed a turnkey Point-to-Point Encryption (P2PE) solution for injecting payment devices and subsequently decrypting cardholder data. With Futurex’s technology, First American Payment Systems was able to protect their customers’ sensitive data and reduce the scope of PCI DSS compliance in an easy, efficient, and cost-effective manner.

With every advancement in data security, those who seek to intercept sensitive data adapt their tactics to defeat the new measures. The trend of accepting mobile payments is no exception: what has become an effective new way of accepting payments and conducting business has also opened new areas of exposure for sensitive cardholder data.

One of the most effective solutions to ensure the safety of this data in transit is Point-to-Point Encryption, sometimes referred to as End-to-End Encryption. Point-to-Point Encryption protects cardholder data from the moment it is captured at the Point of Sale (POS) terminal until the data has been validated by the payment gateway. The Payment Card Industry Data Security Standard (PCI DSS) requires cardholder data to be encrypted at rest and in transit over wireless or open, public networks. Cardholder data encryption reduces the scope of PCI DSS compliance for merchants and reduces the risk of exposing cardholder information, thereby reducing card fraud.

Futurex’s team of industry-expert Solutions Architects has created a comprehensive Point-to-Point Encryption system which is fully PCI DSS compliant and protects cardholder data throughout the transaction process. The solution consists of two phases. In the key injection phase, encryption keys are injected into payment terminals in a secure facility using the SKI9000 Secure Key Injector or RKMS Series Remote Key Management Server. These encryption keys ensure that sensitive data is protected using a unique, secret value.

Once in the field, terminals accept cardholder data (CHD) during transactions and encrypt the data using the keys. The encrypted data is then sent through a firewall to the payment gateway, where it is routed to the Excrypt SSP9000 hardware security module, decrypted, and then sent back to finalize the transaction.

First American Payment Systems, L.P., based in Fort Worth, Texas, is a merchant services acquirer and electronic payment processor for more than 140,000 merchants throughout the United States. First American Payment Systems enables merchants to process credit card, debit card, EBT, ATM, and gift card transactions. They offer a complete line of proprietary products and services to both businesses and non-profits.

https://www.first-american.net


First American Payment Systems, one of the United States’ largest and most trusted merchant acquirers, was looking for a way to bolster their already-robust reputation for security while simultaneously reducing their PCI DSS audit costs. They required a turnkey solution that worked with their merchants’ m+ Terminal, a smartphone-based card reader which allows merchants to process credit card transactions anywhere, at any time.

As existing Futurex customers, First American Payment Systems was well aware of the capabilities of Futurex’s key management solutions, having used them for direct key injection for over five years.

John Stevenson, First American Payment Systems’ Vice President of Information Security and Compliance, saw an opportunity to take their existing Futurex technology to the next level by implementing Point-to-Point Encryption.

“Our high-level requirements were to locate a scalable, easy to integrate P2PE solution capable of growing alongside our business,” said Stevenson. “By implementing P2PE using the Excrypt SSP9000, we have gone above and beyond in protecting our customers’ sensitive data.”

Case Study: Point-to-Point Encryption for Securing Cardholder Data

Point-to-Point Encryption: How Does it Work?

1. Cardholder data decryption keys are injected within a secure facility by the SKI9000 Secure Key Injector.
2. Payment terminals, deployed at merchant sites, encrypt cardholder data at the point of interaction.
3. Encrypted cardholder data is securely decrypted by the Excrypt SSP9000 hardware security module.
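The two-phase flow this page describes (keys injected in a secure facility, cardholder data encrypted at the terminal, decrypted only inside the HSM), modelled as an added example that is not Futurex or First American code. `Terminal`, `DecryptingHSM`, `inject_key` and the HMAC-based stand-in cipher are assumptions of this illustration, not the products' interfaces; the gateway in between only ever handles the opaque blob. It also shows the rejection behaviour a practitioner expects from the decrypting side: an unknown terminal id, a blob submitted under another terminal's id, or a modified blob is refused rather than decrypted.

```python
# Added example (not Futurex or First American code): a standard-library model of
# the two-phase P2PE flow described above. HMAC-SHA256 in counter mode plus an
# encrypt-then-MAC tag stands in for the TDES/AES a real PCI HSM would use.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stream-XOR data with a PRF keystream built from HMAC(key, nonce || counter) blocks.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, stream))

def _tag(key: bytes, terminal_id: str, nonce: bytes, ct: bytes) -> bytes:
    # The terminal id is bound into the MAC, so a blob cannot be replayed as another terminal's.
    return hmac.new(key, terminal_id.encode() + nonce + ct, hashlib.sha256).digest()

class Terminal:
    # Phase 2: encrypts cardholder data at the point of interaction with the injected key.
    def __init__(self, terminal_id: str, key: bytes):
        self.terminal_id, self._key = terminal_id, key

    def encrypt_chd(self, pan: str) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = _crypt(self._key, nonce, pan.encode())
        return nonce + ct + _tag(self._key, self.terminal_id, nonce, ct)

class DecryptingHSM:
    # Phase 3 (the Excrypt SSP9000 role on this page): the only component holding terminal keys.
    def __init__(self):
        self.key_table = {}

    def inject_key(self, terminal_id: str) -> Terminal:
        # Phase 1 (the SKI9000 role): a unique key per terminal, loaded into the terminal
        # inside the secure facility and registered under the same id in the HSM key table.
        key = secrets.token_bytes(32)
        self.key_table[terminal_id] = key
        return Terminal(terminal_id, key)

    def decrypt_chd(self, terminal_id: str, blob: bytes) -> "str | None":
        # Returns the PAN, or None when the terminal is unknown or the MAC fails;
        # a real HSM returns an error status and never releases partial plaintext.
        key = self.key_table.get(terminal_id)
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if key is None or not hmac.compare_digest(tag, _tag(key, terminal_id, nonce, ct)):
            return None
        return _crypt(key, nonce, ct).decode()
```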

The Business Case

First American Payment Systems’ Requirements

Requirement: Compatible with m+ Terminal hardware. The SKI9000 is capable of injecting encryption keys into all major Point of Sale terminals for mobile and retail environments, including a wide range of mobile devices.

Requirement: Infrastructure to support processing billions of dollars in electronic payment transactions every year. First American Payment Systems has built their industry-leading reputation around a stable, technologically advanced platform designed for rock-solid reliability. Business Critical Xceptional Support provides them with 24x7x365 access to Futurex’s Certified TR-39 Auditor (CTGA) teams.

Requirement: FIPS 140-2 Level 3 and PCI HSM-compliant key injection, storage, and transaction processing. All data within the Point-to-Point Encryption solution is encrypted inside a FIPS 140-2 Level 3 and PCI HSM-validated Secure Cryptographic Device, and all data encryption occurs before sensitive cardholder data travels over the Internet.

Requirement: Extensible and easy-to-use technology. Both the SKI9000 and the Excrypt SSP9000 include the ability to be expanded in the field as new technologies, terminals, and protocols are developed. Additionally, a Graphical User Interface built in to both products enables simple operation and rapid training of new users or key administrators.

Additionally, the RKMS Series Remote Key Management Server can be seamlessly implemented in the future to enable remote injection of cardholder data encryption keys.


NORTH AMERICA, Global Headquarters: 864 Old Boerne Road, Bulverde, Texas 78163 USA. TF 800.251.5112, P +1 830.980.9782, F +1 830.438.8782, [email protected]


The Results

Using Futurex technology, First American Payment Systems established a comprehensive, turnkey Point-to-Point Encryption solution that decreased their PCI DSS scope, thereby reducing the significant time and monetary investment they dedicate to compliance. The Futurex Point-to-Point Encryption Solution required no outside vendor involvement and was simple and straightforward to set up.

The solution’s support for the m+ Terminal allows their merchants to accept electronic payments anytime, anywhere in a safe and secure manner. Additionally, the extensible nature of the system ensures that emerging protocols and terminals can be supported.

By successfully implementing Point-to-Point Encryption, First American Payment Systems demonstrated their continued leadership as a security-minded organization in the field of merchant acquiring.

The Solution

After discussing their system requirements and options, First American Payment Systems decided to implement the SKI9000 Secure Key Injector, enabling them to inject cardholder data decryption keys into their m+ Terminals.

First American Payment Systems also opted to use the Excrypt SSP9000 hardware security module to handle decryption of the encrypted cardholder data due to the comprehensive, turnkey nature of the solution, the ease of use and operation, and its ability to scale as their needs grow in the future.

After developing a detailed plan for maximizing the security benefits of Point-to-Point Encryption and gaining the greatest reduction in PCI scope and cost, First American Payment Systems prepared their key administrators and operations personnel for the implementation. Solutions Architects provided on-site training on Futurex systems, audit requirements, and industry best practices, enabling all individuals involved with the Point-to-Point Encryption solution to instantly and effectively begin working with the system.

“I am very impressed with this solution. We needed an infrastructure that could securely support processing billions of dollars in electronic payment transactions every year. P2PE, using the Excrypt SSP9000, allows us to securely and cost-effectively offer the most rigorous protection of our customers’ information.”

John Stevenson, Vice President of Information Security and Compliance, First American Payment Systems