Point-to-Point Encryption: Best Practices and PCI Compliance Update
-
Upload
merchant-link -
Category
Technology
-
view
1.072 -
download
1
Transcript of Point-to-Point Encryption: Best Practices and PCI Compliance Update
Introductions
Ben Smyth Product Manager Merchant Link
Beth Farris Manager, Marketing Merchant Link
Misael Henriquez Director – Enterprise Security Merchant Link
Agenda
• Current Threats • Industry Response
– PCI Council – EMV
• Point-to-Point Encryption – PCI P2PE-HW requirements – Solution types – Implementation best practices
• Q&A
69%
81%
7% 5% 10%
1% 0%
Leveraging malware/hacking... to steal data in transit
4.3%
28.0%
5.2% 62.5%
malware
hacking
The Verizon 2012 Data Breach Investigations Report The Trustwave 2012 Global Security Report
in transit
stored data
hybrid
data redirection
Hackers’ Preferred Method
Internal Threats
11%
17%
17%
22%
28%
28%
33%
50% Viruses, Malware, Worms, Trojans
Criminal Insider
Theft of Data-Bearing Devices
SQL Injection
Phishing
Web-Based Attacks
Social Engineering
Other
Types of malicious attacks
The Ponemon 2011 Cost of a Data Breach Study
Data-stealing malware
The Attack of the Bots
In this diagram we have a typical network. The enterprise has two perimeter points of entry connecting to the Internet
The Attack of the Bots
In this diagram, the Red Icon represents the BOT Master who will be controlling and receiving information through infected systems within the larger Internet macrostructure.
The Attack of the Bots
The BOT Master has established two command and control centers (C&Cs) here for his "army" to check into to receive instructions. The BOT Master generally will interface to these C&Cs via open tools such as IRC.
The Attack of the Bots
In this final picture, through various means (social, malware, etc.), BOTs have infiltrated the perimeter of an enterprise. These BOTs may appear totally harmless, using standard ports to transmit data to Command & Control Centers. Often, the only way to find them is to search from the perimeter for common destinations
How to Combat the Threat?
• PCI Council Embraces P2PE – Recent releases from the Council with recommendations and
requirements for implementing and providing P2PE solutions – QSA Certification, Training, and Validated P2PE solution publishing
for solutions and providers – Requirements for Hybrid (Hardware to Hardware/Software) P2PE
systems
• Card Associations Adopt EMV Standard – Addressing the root of the problem by moving to a more secure
payment vehicle – Extending the umbrella of security to authenticate the payment
card to the cardholder and adding a measure of track data security to the POI
VALIDATED AND LISTED SOLUTION
PCI Domains and Requirements for P2PE PCI Domains and Requirements for P2PE DOMAIN 1: Encryption Device Management
PTS Lab and Device Vendor
QSA (P2PE) and Integrator/Solution
Provider
1. Device is current and on PTS list.
2. Device is managed appropriately from key injection to pre-use including key management per Domain 6.
PTS / SRED approval
D4: Transmissions Between Encryption and Decryption Environments
Merchant QSA (P2PE) and Solution Provider
N/A – Device manages segregation between
encryption and decryption zones
N/A – Device manages segregation between
encryption and decryption zones per Domain 1
1. Secure device management 2. Devices monitored for anomalous behavior 3. HSM use 4. Key Management per Domain 6 5. PCI DSS compliance
QSA (P2PE) and Solution Provider
DOMAIN 5: Decryption Environment/
Device Management
DOMAIN 2: Application Security
PA-QSA (P2PE) and Application Vendor
QSA (P2PE) and Solution Provider
Application is current on P2PE list or assessed as part of this P2PE solution.
1. Application developed per device vendor guidance, etc.
2. Application is assessed as part of P2PE solution.
DOMAIN 3: Encryption Environment
QSA (P2PE) and Solution Provider
Merchant
1. Follows solution provider PIM for device inventory, tamper-checking, physical security.
2. Annual SAQ if required.
1. Solution provider’s PIM is complete.
2. Device/solution provider manages remote access, logical access, etc.
Domain 6 requirements for key operations are applicable anywhere that cryptographic keys are handled,
including the encryption device environment.
QSA (P2PE) and Solution Provider
DOMAIN 6: P2PE Cryptographic Key
Operations
P2PE Solution Types
Hardware/ Hardware
Hybrid (hardware/ hardware-software)
Hybrid (hardware/software)
For a merchant to qualify for PCI scope reduction for P2PE, the solution
provider must be external to the enterprise
On the PCI Horizon...
• The next version (v3.0) of the PCI Data Security Standards (PCI DSS and PA-DSS) will be released in October 2013
– No details yet
• Recent focus on more specialized education for integrators, POS and device providers, individuals/professionals... (beyond QSAs)
– P2PE Internal Security Assessor (ISA) program – Qualified Integrators and Resellers (QIR) program – Payment Card Industry Professional (PCIP) certification
Evaluate:
Encryption industry-recognized standards and methods vs. proprietary
The POI must be a PTS-certified hardware device
Decryption hardware security modules (HSMs) how is key data transport handled?
Devices, Applications The POI device must be SRED 2.x (or higher) enabled and active PA-DSS validated application
Key Operations who holds the keys? who has access? key injection process?
Consider:
Service / Support Fast access to data and ability to troubleshoot? Responsive, redundant support centers, 24x7x365?
Network Uptime and Throughput Redundant data centers? Transactions per second?
Stability Financial strength of company? Number of years experience?
Flexibility Encryption via various POI devices? Single vs. multi-use tokens? Processor choice? POS vendor/device choice?
TransactionShield®: Our P2PE Solution • A flexible solution for the market today
– Ability to support many point of interaction • card present, key-entered, e-commerce, virtual terminal
– Designed to integrate with most major encrypting devices – Connectivity to all major processors
• No processor lock-in: Ability to easily change acquirers without equipment changes, reprogramming or PIN re-injection
• Option to connect to multiple processors simultaneously (AMEX, private label, gift cards, etc.)
• Protects data as it travels through merchant IT environment
– Encrypts cardholder data using industry-recognized standards and methods
– Utilizes cloud-based decryption
• C (QSA) validated
Conclusions • Data in-transit is under attack.
– Hackers using a combination of techniques
• To protect data, merchants much also use a combination of techniques (layers of security).
– EMV is a good layer, but it’s not the answer
• PCI has endorsed P2PE as an effective way to enhance security and reduce PCI scope.
– Esp. hardware-based, third-party solutions
• Requirements and threats continue to expand and change. Seek out a flexible, secure solution that can meet your needs now and into the future.
Contact us by email: [email protected] Engage: www.merchantlink.com/blog Connect with us online: