FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY · PAYMENT APPLICATION SECURITY: PA-DSS VS P2PE....

ForenSecure’17 April 27, 2017 FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY: PA-DSS VS P2PE


Page 1: FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY · PAYMENT APPLICATION SECURITY: PA-DSS VS P2PE. SPEAKER Joel Dubin, PCI QSA, PA-QSA, CISSP Senior Consultant, Application Validation

ForenSecure’17, April 27, 2017

FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY: PA-DSS VS P2PE

Page 2

SPEAKER
Joel Dubin, PCI QSA, PA-QSA, CISSP
Senior Consultant, Application Validation

- Eight years as a PA-QSA and QSA and five years in PCI for a global bank
- Reviewed payment vendors from small mom-and-pop to major global companies
- Conducted PA-DSS assessments in U.S., Latin America, Europe and Middle East
- Scoped architectures for PCI, PA-DSS applications and P2PE

Page 3

OVERVIEW

• Payment application architectures
• The payment application ecosystem
• Who is the PCI SSC?
• What is PA-DSS and P2PE?
• Current issues with PA-DSS
• Growth and challenge of P2PE
• Advantages and drawbacks of PA-DSS and P2PE
• The future of PA-DSS and payment application security

Page 4

PAYMENT APP (POS) ARCHITECTURE I

Page 5

PAYMENT APP (POS) ARCHITECTURE II

Page 6

PAYMENT APP (POS) ARCHITECTURE III (P2PE)

Page 7

WHO IS THE PCI SSC?

Payment Card Industry Security Standards Council

• Visa
• MasterCard
• American Express
• Discover
• JCB

One standard for merchants and service providers: PCI
One standard for payment applications: PA-DSS
One standard for P2PE solution providers: P2PE

Page 8

SUITE OF PCI STANDARDS

Hierarchy of PCI Standards

• PTS → PIN-pad level
• PA-DSS → Application level
• PCI → Network level
• P2PE → ALL OF THE ABOVE

Page 9

WHAT IS PA-DSS?

Payment Application Data Security Standard (PA-DSS)

Card industry standard for payment applications

Page 10

WHAT IS P2PE?

P2PE stands for “Point-to-Point Encryption”

• Encryption of card data at the merchant point of acceptance
  • Most frequently at the point of swipe or dip at the payment terminal

• Complete end-to-end encryption of card number
  • From merchant location
  • Through merchant network
  • Over a public (i.e., Internet) or private network
  • Ending at P2PE solution provider, which may be a P2PE-certified acquirer

Page 11

THE PROMISE OF P2PE

The Holy Grail of P2PE in three words:

PCI SCOPE REDUCTION

Page 12

THE SIX DOMAINS OF P2PE

Page 13

PARTS OF A P2PE SOLUTION

• Encryption of card data at point of swipe or dip
  • PTS compliant PIN-pad with SRED functionality
  • Domain 1
  • Key injection by P2PE solution provider or their third party

• Encrypted card data flows untouched all the way out to the processor or acquirer
  • No management of keys by merchant

• Key management and decryption handled by P2PE solution provider
  • Domain 5 – Decryption
  • Domain 6 – Key management

Page 14

P2PE HIGH-LEVEL RECAP

• Card data . . .
  • . . . is encrypted at point of swipe or dip
  • . . . flows untouched through merchant environment
  • . . . is never stored by the merchant at any point
  • . . . encryption keys never handled by merchant
  • . . . is only decrypted outside merchant at solution provider

• P2PE components
  • PTS PIN-pad with SRED
  • PIN-pads with keys pre-loaded by solution provider or their third party
  • P2PE approved solution provider with decryption environment
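The data flow on the last two slides (key injected into the PIN-pad before deployment, card data encrypted at swipe, forwarded untouched by the merchant, decrypted only at the solution provider) can be simulated end to end. The following is an added example, not code from the presentation, the PCI SSC or any P2PE solution provider. It assumes nothing about real products: the device ids, the test PAN and the cipher are all constructed. Real P2PE solutions rely on PTS-approved hardware with SRED and DUKPT-style key management; here a per-transaction key is derived with HMAC-SHA256 and the PAN is encrypted with an HMAC-based keystream so the script runs on the Python standard library alone. The scope check at the end is the point of the exercise: the merchant-side log never contains a full PAN, which is what lets a P2PE merchant take the card data out of PCI scope.

```python
"""Constructed simulation of the P2PE flow (Domains 1, 5 and 6).
Added illustration; not the presentation's, the PCI SSC's or any vendor's code.
The HMAC-based keystream is a teaching stand-in for the PTS/SRED hardware
cipher and must not be reused for real card data."""
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"  # constructed test PAN, not a real card number


def derive_txn_key(base_key: bytes, device_id: str, counter: int) -> bytes:
    """Per-transaction key from the injected device key (stand-in for DUKPT)."""
    msg = device_id.encode() + counter.to_bytes(4, "big")
    return hmac.new(base_key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class PinPad:
    """Domain 1: PTS PIN-pad with SRED. The key was injected before deployment
    (Domain 6) and never leaves the device; the merchant holds no copy."""

    def __init__(self, device_id: str, injected_key: bytes):
        self.device_id, self._key, self.counter = device_id, injected_key, 0

    def swipe(self, pan: str, expiry: str) -> dict:
        self.counter += 1
        key = derive_txn_key(self._key, self.device_id, self.counter)
        nonce = secrets.token_bytes(12)
        plaintext = f"{pan}|{expiry}".encode()
        ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        # Only ciphertext, routing metadata and a truncated PAN leave the device.
        return {"device_id": self.device_id, "counter": self.counter,
                "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex(),
                "last4": pan[-4:]}


class MerchantPos:
    """Merchant POS: forwards the blob untouched and holds no key, so it cannot
    decrypt. Its log is what an assessor would inspect for stray PANs."""

    def __init__(self):
        self.log = []

    def forward(self, blob: dict) -> dict:
        self.log.append(dict(blob))
        return blob


class SolutionProvider:
    """Domains 5 and 6: key management and the decryption environment."""

    def __init__(self):
        self._base_keys = {}     # per-device keys (an HSM in a real solution)
        self._last_counter = {}  # replay protection per device

    def inject_key(self, device_id: str) -> PinPad:
        key = secrets.token_bytes(32)
        self._base_keys[device_id] = key
        return PinPad(device_id, key)

    def decrypt(self, blob: dict) -> tuple:
        dev = blob["device_id"]
        if blob["counter"] <= self._last_counter.get(dev, 0):
            raise ValueError("replayed transaction")
        key = derive_txn_key(self._base_keys[dev], dev, blob["counter"])
        nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
            raise ValueError("integrity check failed")
        self._last_counter[dev] = blob["counter"]
        pan, expiry = _xor(ct, _keystream(key, nonce, len(ct))).decode().split("|")
        return pan, expiry


def merchant_sees_pan(log: list, pan: str) -> bool:
    """Scope check: does any merchant-side record contain the full PAN?"""
    return any(pan in str(value) for record in log for value in record.values())


def run_transaction(pan: str = TEST_PAN, expiry: str = "1225") -> tuple:
    """Returns ((pan, expiry) recovered by the provider, whether the merchant saw the PAN)."""
    provider = SolutionProvider()
    pad = provider.inject_key("PAD-0001")  # constructed device id
    pos = MerchantPos()
    blob = pos.forward(pad.swipe(pan, expiry))
    return provider.decrypt(blob), merchant_sees_pan(pos.log, pan)


def tamper_detected() -> bool:
    """Edge case: a blob altered between terminal and provider is rejected."""
    provider = SolutionProvider()
    blob = provider.inject_key("PAD-0002").swipe(TEST_PAN, "1225")
    ct = bytearray.fromhex(blob["ct"])
    ct[0] ^= 0x01
    blob["ct"] = ct.hex()
    try:
        provider.decrypt(blob)
    except ValueError:
        return True
    return False


def replay_detected() -> bool:
    """Edge case: the same blob submitted twice is rejected the second time."""
    provider = SolutionProvider()
    blob = provider.inject_key("PAD-0003").swipe(TEST_PAN, "1225")
    provider.decrypt(blob)
    try:
        provider.decrypt(blob)
    except ValueError:
        return True
    return False
```

Running `run_transaction()` returns the PAN and expiry recovered by the provider together with `False` for the merchant-side scope check; the two edge-case functions show why the provider verifies a tag and a per-device counter before decrypting. The truncated `last4` in the merchant log is the one card-derived value deliberately left in clear, matching the usual receipt practice.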

Page 15

THREE FLAVORS OF P2PE

1) All-in-one solution provider

2) Solution provider using P2PE components
  • Outsourced PIN-pads
  • Outsourced key injection
  • Outsourced decryption
  • Outsourced payment apps – Domain 2 P2PE PA-DSS

3) Merchant-provided solutions
  • Segregated P2PE environment within PCI CDE
  • Also called “Hybrid” P2PE solutions

Page 16

GEOGRAPHIC SPREAD OF P2PE

• Europe
  • Early adopters with regional or country-based processors

• Latin America
  • One or two big processors dominate each country

• United States
  • Large number of processors and acquirers, so slower to catch on
  • Not as standardized as smaller countries but gaining traction

Page 17

CURRENT ISSUES WITH PA-DSS

• Complicated and expensive assessments with PA-DSS 3.x
• Document and testing requirements difficult for smaller vendors
• Requirements for PA-QSA certification are more difficult
• Shrinking pool of qualified PA-QSAs and fewer SSC classes
• Changes in technology have removed some apps from scope
• Growth of P2PE and other end-to-end encryption technologies
• Vendors deliberately reducing releases to avoid assessments
• Vendors consolidating code base to reduce assessments

Page 18

GROWTH AND CHALLENGE OF P2PE

• Rapidly gaining ground around the world
• Vendors moving toward implementing P2PE features in apps
• Merchants attracted to possible reduction of PCI scope

• But scope reduction isn’t always as big as promised
• P2PE “club” is an exclusive elite but still growing
• Moves PCI headache from merchant to processor
• Moves management of payment apps from merchant to processor

Page 19

PA-DSS VS P2PE

Time Frame
  PA-DSS: 2 to 3 months
  P2PE: 6 months to a year

Overhead
  PA-DSS: 1-2 PA-QSAs
  P2PE: Teams, sometimes multinational

Reporting (ROV)
  PA-DSS: About 200 pages
  P2PE: Can be 600+ pages

Implementation
  PA-DSS: No change to merchant environment
  P2PE: New PIN-pads from solution provider; may have to rip out “plumbing”

Assessor Training
  PA-DSS:
    • Must be QSA in good standing
    • Must have pen test experience
    • Must have been developer
    • Must be CISSP
    • Must have done two PCI ROCs
    • >4 years experience
    • Must pass SSC exam/requal
  P2PE:
    • Must be QSA/PA-QSA
    • Must know encryption
    • Must know PTS hardware
    • Must have dev and pen testing
    • Must have done two PCI ROCs
    • >2 years experience in above
    • Must pass SSC exam/requal
    • Only about 60 P2PE QSAs

Page 20

PA-DSS VS P2PE FAQ

Will PA-DSS completely disappear as P2PE technologies advance?

No. First, the SSC has a commitment to keeping PA-DSS alive and adapting it to new technologies.

Second, P2PE requires significant overhead and, until now, has been a preserve of larger merchants and larger acquirers.

In that case, since P2PE is so much more involved, will it buckle under and go back to PA-DSS?

Not necessarily. The SSC has been streamlining the standard since it came out in 2013, and we’re seeing smaller entities, not just large acquirers, entering the game.

In fact, with the mix-and-match approach of assembling P2PE components from diverse third parties, it’s getting easier for players to get on board.

Page 21

PA-DSS VS P2PE FAQ (CONT’D)

Is P2PE the wave of the future?

Yes and no. It’s the current hot technology of today. But there are competitors with various types of tokenization, creative new encryption technologies and even cloud solutions challenging the traditional P2PE space.

P2PE is here to stay, but it might be very different in a few years than what we’re seeing today.

Is there a shortage of P2PE QSAs?

Absolutely, and the demand is outstripping the supply. The barriers to entry for P2PE QSAs are high and not coming down.

Page 22

NESA – P2PE AND E2E

• Non-Listed Encryption Solutions
  • SSC workaround for end-to-end encryption solutions that aren’t fully P2PE compliant
  • Can avoid overhead of full P2PE assessment, if applicable
  • Must still be compliant with Domains 5 and 6 of P2PE

• NESA released in November 2016 by SSC
  • Response to growth of E2E solutions resembling P2PE

1) Encryption and keys not handled by merchant
2) No card data storage by merchant
3) PTS approved PIN-pads encrypting at swipe or dip

Page 23

FUTURE OF PA-DSS AND P2PE

• PA-DSS and P2PE will co-exist for the foreseeable future
• The decision of which to use will be the same as for the implementation of any technology:
  1) Size of application vendor or merchant
  2) Complexity of their environment and ease of implementation
  3) Technological constraints
  4) Business needs

• New technologies are being used – and others will arise – to challenge PA-DSS and P2PE in the future

Page 24

FRUSTRATION NEVER ENDS

Page 25

FOR MORE INFORMATION

Check the PCI SSC web site:

https://www.pcisecuritystandards.org

Page 26

MY CONTACT INFORMATION

Joel Dubin, QSA, PA-QSA, CISSP
Senior Consultant

[email protected] x7861

Page 27

QUESTIONS?