Welcome to the SafeNet Executive Day!
New Horizons of Information Security
Why is a root of trust for your physical and virtual environment needed?
Marko Bobinac, PreSales Consultant
Agenda
Introduction to HSMs
Digital infrastructure on the Front Line
SafeNet HSMs
History, Portfolio and Integrations
Root of trust for your physical and virtual environment
How do we get there?
Introducing SafeNet's Crypto Hypervisor!
Payment HSMs
Introduction to HSM
Think You Don't Use Hardware Security Modules?
HSMs secure mobile money payments and verbal banking transactions made from phones
HSMs secure card data and the delivery of Personal Identification Numbers (PIN)
HSMs secure entertainment devices, including videogame consoles and Personal Video Recorders (PVR/DVR)
HSMs secure automated toll booth passes
HSMs secure documents for governments, hospitals, and the court system
HSMs secure Smart Metering Systems and the delivery of Meter messages in our homes to Head End Utility systems
HSMs secure Device Manufacturing in the delivery of Trusted Device Identities we use every day
HSMs secure SSL and Web Sites we all use every day
What is an HSM?
Multiple Application Servers -> Application -> HSM
Services: Key Usage Services, Key Management Services, Key Vault Services, Cryptographic Processing
Assurance: Tamper Resistance/Response, Separation of Duties, MFA with M of N Controls, Policies, FIPS 140-2 Level 3, Common Criteria EAL4+
Operations: Backup/Restore, Export Controls, Offload, Multiple Partitions, High Availability and Load Balancing
Interfaces: PKCS #11, CAPI / CNG, Java CSP, OpenSSL, XML-DIGSIG, EKM Interface
What do HSMs do?
An HSM is a collection of algorithms, secure key storage, accelerators and key management, all inside a tamper-resistant unit. It's like a box of cryptographic Lego: how you put the elements together determines what the HSM does.
Security | Performance | Auditability
What is a Hardware Security Module (HSM)?
A device to keep business-critical crypto keys at the highest level of security
Accelerates crypto operations to eliminate bottlenecks
Provides a clear audit trail for all key material and crypto operations
We have a wide range of HSM options: varying performance, storage capacity, form factors and authentication models
Wide range of SDKs/Toolkits for flexible integration
All with industry certifications!
Digital Infrastructures on the Front Line
All IT vendors recommend HSMs
Keys in Software vs. Keys in Hardware
Corporate Responsibility
Image Credit: [funkwood / Deviant Art]
Will you be here?
SafeNet HSM portfolio
Pre-PKI HSMs
EFT: Electronic Funds Transfer
• There was no public Internet, SSL traffic or Trusted CAs prior to the 90s
• HSMs were used primarily in Card EFT Payments and the Banking, Government and Enterprise sectors for protection of sensitive data and secure data exchange
• SafeNet (back then Eracom, founded in 1979) was one of the pioneers in HSM technology: it developed the very first PC Encryption Card, and has offered HSMs for EFT/Card Payment Security since the early 80s
Traditional PKI Landscape
Traditional PKI Endpoints: Certificate Authorities, Registration Authorities, Web Servers, Application Servers, EFT
The Evolving 'Next Generation' PKI Landscape
Next-Generation PKI Endpoints: Smart Grid, Digital Invoicing, Code Signing, e-Passports, e-Voting, Online Commerce, e-Signatures, EFT … and many more
SafeNet HSM Portfolio
Luna SA | Luna SP | Luna PCI | Luna G5 | PS Internal Express | ProtectServer External | Luna EFT | Luna KMIP
Security for Server Systems | Custom Firmware | Network Attached and Scalable | High Performance Cryptographic Processor | Hardware security for Java-based applications
HSM Portfolio - Transaction & Identity Protection
Luna PCI, Luna SA, Luna SP, ProtectServer
Offline Key Archive / Starter HSM: Luna G5
Electronic Fund Transfer: Luna EFT
HSM Performance Metrics: Offering the Best Breadth of Performance in RSA, ECC and Symmetric Algorithms
Performance chart (figures as shown on the slide, paired in slide order):
Luna G5: 200 RSA 1024-bit TPS
Luna PCI: 600 RSA 1024-bit TPS
Luna SA: 7,000 RSA 1024-bit TPS | 1,800 ECDSA TPS
Luna SP: 7,000 RSA 1024-bit TPS | 1,800 ECDSA TPS
ProtectServer: 4,000 RSA 1024-bit TPS
Luna EFT: 1,600 Visa PIN Verifies
Hardware Security Module Integration
HSMs are always integrated with an application, on the same server or network attached
The application communicates with keys stored in the HSM, usually via a client, but keys NEVER leave the HSM
HSM Usage:
• PKI – Key storage for CAs – signing of Digital Certificates
• EFT – Retail and Banking (PIN processing for Credit/Debit Cards at ATMs or Point of Sale, Smart Card issuance). PCI DSS requirements
• Customised Applications – document signing, time stamping, ePassport projects, DNSSEC, AMI
HSM Integrations (a partial general-purpose list)
ActivIdentity 4TRESS Authentication Server
ActivIdentity ActivID CMS
Microsoft CA Luna SA PKI-Bundle
Adobe LiveCycle Digital Signatures ES2
Adobe LiveCycle Document Security with Luna SA
Apache HTTP Server
BIND/OpenDNSSEC DNSSEC
EJBCA (PrimeKey)
Emue Technologies Fortress
Entrust Security Manager
IAIK PKCS #11 Provider
IBM Tivoli Access Manager
IBM WebSphere MQ
Microsoft ADRMS (& RMS)
Microsoft Authenticode
Microsoft Certificate Enrolment
Microsoft Certificate Services
Microsoft FIM (ILM & CLM)
Microsoft IIS
Microsoft OCSP
Microsoft SharePoint
Microsoft SQL Server
OpenCA
OpenSSL
Oracle 11g
Protegrity DPS
Red Hat Certificate Authority
RSA Keon
SafeNet ProtectDrive
SafeNet SMCII
SafeNet Authentication Service
SafeNet Authentication Manager
SafeNet DataSecure i460
SafeNet KeySecure k460
Sun Java PKCS#11 Provider
Tumbleweed OCSP
Vasco VACMAN Controller
Venafi Encryption Director
Vordel XML Gateway
Payment SW Vendors – HSM Integration
Payment Software Vendor | Product Name | Business Region Served
ACI | Base24-eps + TSS | Global
ACI / EPS | ASx | EE
ACI / S1 | Postilion | Global
ACI / S2 Systems | ON/2, OpeN/2 | MEA
Arius | Asoft | EMEA
Banksoft | BPS (Banksoft Pre-Personalisation System) | EMEA
BPC (Banking Production Centre) | SmartVista | Global
Compass Plus | Tranzware Online, Card Factory | EMEA, APAC
CR2 | BankWorld | EMEA
CSFI | u/SWITCHWARE | Global
CubeIQ | AlphaPIN | EMEA
Distra | e-switch | APAC, EMEA
FIS / EFunds / Oasis Technology | Connex, IST/Switch | Global
HPS | PowerCARD | EMEA
Interblocks | iSuite iSwitch | APAC, MEA
Interpro | Switch | Americas
i-Sprint | USO, AccessMatrix UAS | MEA
IWI | Net+1 | APAC
OpenWay | Way4 EMV Issuance | EMEA, APAC
Opus / ECS | Electra EFT Switch | APAC, EMEA
RS2 | BankWorks | EMEA
S2M | SELECT | EMEA
Silverlake | SIBS | APAC
Sparkassen IT Solution | Payment Switch | EMEA
Sungard | CardPro | Americas, APAC
Tallyho | Online Switch Module | Americas, APAC
TAS | CARD | EMEA
TECS | TECS Payment System | EMEA
TietoEnator | TransMaster | EMEA
TPS | Iris (Phoenix), Access, Sentinel | EMEA
TSYS | CTL ONLINE, PRIME, NCRYPT | Global
Collis | EMV Host Toolkit, PVT | Global
Barnes International | CPT 3000 EMV PVT | EMEA
SafeNet HSM Integrations samples
SafeNet solutions using HSM:
SafeNet Authentication Manager - SAM
SafeNet Authentication Service - SAS
KeySecure k460
DataSecure i460
SafeNet Management Console II (for HighSpeed encryptors)
SafeNet KMIP (manage keys on HSM)
Root of trust for your physical and virtual environment
… But HW doesn't work in a Virtual World? Today's hardware-based encryption solutions are designed for the physical world!
Islands of encryption: DNSSEC | SSL | Email | Code Sign | Database
Limits of encryption today:
Time-consuming crypto rollouts
Very slow to scale up and down
Inability to protect & control data centrally
Can't take full benefits of cloud
What is needed?
Encryption Infrastructure that follows the cloud model!
Benefits:
• Reduce Costs (Reduce DC presence)
• Centralize SME Crypto Group
• Unify Governance and Compliance
• Centralize services
From islands of encryption (DNSSEC | SSL | Email | Code Sign | Database) to a centralized encryption model
On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud
Where do we start?... With a hypervisor for encryption…
Introducing the SafeNet Crypto Hypervisor!
VMware hypervisor c. 2001: O/S Partition, O/S Isolation, Dynamic resource allocation
Crypto Hypervisor c. 2013: HSM Partition, HSM Isolation, Dynamic crypto allocation
Server virtualization stack: Application -> Operating System -> Hypervisor -> Hardware Platform
Crypto virtualization stack: Application -> Dynamic Crypto Resource -> Crypto Hypervisor -> Crypto Hardware Platform (HSM)
Crypto Hypervisor: Designed for operational cloud model
1. On-demand crypto delivery
2. Self-service portal for users
3. New crypto services spin up easily
4. Encryption now a cloud enabler
5. Part of "New VM Rollout Process"
6. Apps can now migrate to cloud
Three things to know about Crypto Hypervisor
Built for the cloud
• Shared resource pooling, rapid elasticity and multi-tenancy
• Can reduce capital costs up to 95%
Lower TCO
• Take advantage of virtualization
• Deliver high-assurance cryptographic resources in a fraction of the time
• 5 minutes, not 5 hours
Centralized control
• Strong auditing capabilities
• Compliance in the Cloud
• Ensure enterprise-wide consistency of crypto policy
Crypto Hypervisor Extends the Capability of HSMs to Fit the Cloud Model
NIST(1) Cloud Definition of Essential Characteristics | Legacy HSMs | Crypto Hypervisor
On-Demand Self-Service | No | Yes
Rapid Elasticity | No | Yes
Measured Service | Some | Yes
Broad Network Access | Yes | Yes
Resource Pooling | Some | Yes
Multi-Tenancy(2) | No | Yes
1. National Institute of Standards and Technology
2. Multi-Tenancy is an essential characteristic added by the Cloud Security Alliance
What's in the Crypto Hypervisor
Crypto Command Center Bundle: Crypto Command Center, SafeNet PED II, SafeNet Luna G5, SafeNet Luna SA 5.2
HSM Includes:
• Crypto Command Center Software
• SafeNet Luna G5
• Local PED II
• PED II Keys
What is Crypto Command Center?
System (SW) to automate the provisioning of HSM resources
Abstracts the management of HSMs from the end user
Administrators
• Manage the crypto for your company
• Manage the physical HSM devices
• Determine what crypto services are offered
• Create a catalog of services for end users
• Manage who has access to those services
Consumers/Users
• Manage crypto applications that consume crypto services
• Own their HSM resource when 'leased'
• Request and release use of HSM resources from catalogues
• Always in control of their keys!
VM is Stolen… VMs with "HTL" Host Trust Link
HSM Client VM --NTLS--> Luna SA
Today:
• Stolen VM will not be granted access to the SA partition
• Stolen image does not have the OTT required to establish the HTL link
X Access Denied
• Prevents theft of an at-rest VM image
• Connection to the SA is authorized by a one-time token
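A minimal model of the one-time-token idea on this slide, added here as an example in Go; it is not SafeNet's HTL implementation, and its types, names and challenge/response scheme (HMAC-SHA256 over an appliance-issued challenge) are assumptions. It shows why a copy of the VM taken at rest is denied: the OTT has already been consumed and the link secret was never on disk.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Illustrative model of a one-time-token client link (an assumption, not SafeNet's actual HTL
// protocol): the appliance issues an OTT per client VM; redeeming it once yields a link secret
// that exists only in the running VM's memory and is never written into its disk image.
type Appliance struct {
	unredeemed map[string]string // OTT -> client ID it was issued to
	links      map[string][]byte // client ID -> link secret established at redemption
}

func NewAppliance() *Appliance { return &Appliance{map[string]string{}, map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// IssueOTT is the administrator step: register a client VM and hand it its one-time token.
func (a *Appliance) IssueOTT(clientID string) string {
	ott := hex.EncodeToString(randBytes(16))
	a.unredeemed[ott] = clientID
	return ott
}

// Redeem consumes the OTT; any later presentation of the same token is refused.
func (a *Appliance) Redeem(clientID, ott string) ([]byte, error) {
	if owner, ok := a.unredeemed[ott]; !ok || owner != clientID {
		return nil, errors.New("access denied: token unknown or already consumed")
	}
	delete(a.unredeemed, ott)
	a.links[clientID] = randBytes(32)
	return a.links[clientID], nil
}

func respond(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

// Authorize admits a partition connection only if the client answers a fresh challenge with an
// HMAC under its link secret (the NTLS transport itself is outside this model).
func (a *Appliance) Authorize(clientID string, challenge, response []byte) bool {
	secret, ok := a.links[clientID]
	return ok && hmac.Equal(respond(secret, challenge), response)
}

// ClientVM: ID and configuration live on disk; linkSecret is volatile, so StolenImage (a copy
// of the VM at rest) carries the same ID and configuration but not the secret.
type ClientVM struct {
	ID         string
	linkSecret []byte
}

func (v ClientVM) StolenImage() ClientVM { return ClientVM{ID: v.ID} }

func (v *ClientVM) Enroll(a *Appliance, ott string) (err error) {
	v.linkSecret, err = a.Redeem(v.ID, ott)
	return err
}

// Connect runs the challenge/response; a copy without the link secret cannot answer correctly.
func (v ClientVM) Connect(a *Appliance) bool {
	challenge := randBytes(16) // issued by the appliance per connection attempt
	return a.Authorize(v.ID, challenge, respond(v.linkSecret, challenge))
}
```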
© SafeNet Confidential and Proprietary
Benefits for Private or Public Cloud…
Reduced Risk: FIPS/CC validated HSM for applications; centralized compliance and governance
Increased Efficiency: Fast secure application deployment
Reduced Cost: Centralized crypto experts; shared HSM crypto resources
Increased Revenue: New HSM 'AAS' Offering
Production example: AWS CloudHSM
• Secure Key Storage and Cryptographic Operations
http://aws.amazon.com/cloudhsm/
Payment HSMs and Use Cases
Hermann Bauer, Director HSM Business Development, EMEA
Agenda
Criticality of Payment and Banking Systems
HSM Payment Solutions and Use Cases
• Card Transaction Processing (Acquiring, Switching, Authorisation)
• Card Issuance (Data Preparation, Card Personalisation) of EMV and mag-stripe cards, plus PIN Issuance
• OTP with EMV Card (Chip Authentication)
• 3D Secure Internet Payments using Payment Card
• Contactless Payment Cards
• NFC Mobile Payments
• OBM (Online Banking Module) for End-to-End Encryption of Online Credentials
• Remote ATM Key Loading
• PCI/P2PE Compliance & Fraud Reduction
• ViewPIN – Secure online delivery/distribution of card PINs to cardholder
• Wholesale Payments / Interbank Funds Transfer
• Check Clearing
Why are Payment & Banking Systems, as well as their protection, so critical?
Payment Systems
Financial Institutions, PSPs and Electronic Payment Systems
• Integral part of the global economy = infrastructure, its lifeblood
Wholesale and Retail Payments very much intertwined
• Most Wholesale Payments are the result and the collection of many small Retail Payments
Regulation and Standardization of the Payments market
• Use of HSMs mandated by card schemes (Visa, MasterCard) and domestic payment organizations
• EMV, PCI, SEPA, PSD, ...
Financial Institutions & Payment Service Providers are very security conscious because MONEY is the #1 target of criminals & fraudsters
HSMs are critical in protecting MONEY
Data Breaches – Victims & Motives of Attackers
Source: 2013 Verizon DBIR
… Well, what a surprise … MONEY
Motives of Hackers: $$$
Steady Growth in Payment Cards, Payment Transactions & e- and m-Payments
Non-cash payments growth worldwide 7.1% in 2010 (283 bn, 306 bn expected in 2011)
• Strong growth rate in developing countries (16.9%)
• Increase of more than 30% in Russia and China
Cards (debit cards and credit cards) biggest driver of non-cash payment volumes globally
• Cards accounted for 55.8% of all non-cash payments in 2010
• In 2010, more than one in three non-cash payments were made using a debit card
Rapid growth of e-payments and m-payments
• e-commerce activities (e-payments) are forecast to reach 31.4 billion in 2013, 20% sustained growth a year in 2009-13
• payments using mobile devices (m-payments) are expected to grow even faster, by 52.7% a year to reach 17 billion in 2013
Source: World Payments Report 2012
Card Transaction Processing
Acquiring, Switching, Authorisation
Card Payment Security Concepts & Services
Card Payment Transaction Security is primarily based on symmetric cryptography (3DES)
Security Requirements
• User authentication
• Secure PIN processing ("end-to-end" protection requirement)
• Card authentication
• Transaction authentication
• Data confidentiality
• Cryptographic key management…
…involves the use of a certified HSM, mandated by
- international card schemes
- national payment schemes
Card Transaction Processing - Role of the HSM
Transaction path: Terminal (T) -> Acquirer (A) -> Switch 1 (S1) -> Issuer A (IA), or via Switch 2 (S2) -> Issuer B (IB). Operation numbers along the path: 1 at the terminal, 2 at each intermediate hop, 3 at the issuer.
PIN operations
1. PIN Encryption
2. PIN Translation
3. PIN Decryption & Verification
Message Authentication operations
1. MAC Generation
2. MAC Translation (Generation/Verification)
3. MAC Verification
Each connected pair of entities shares a common key to form a key zone
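The PIN operations above as a runnable Go example (added here; not SafeNet code): an ISO 9564 format 0 PIN block is encrypted under the terminal/acquirer key, translated HSM-style through two key zones, then decrypted and verified at the issuer. The zone keys, PAN and PIN are constructed demo values; a real issuer verifies against a PVV or offset rather than a clear reference PIN.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Constructed demo zone keys (24-byte 3DES); each adjacent pair of entities shares exactly one.
var (
	tpk             = []byte("TPK-TERMINAL-ACQUIRER-01") // Terminal <-> Acquirer
	zpkAcqSwitch    = []byte("ZPK-ACQUIRER-TO-SWITCH-1") // Acquirer <-> Switch
	zpkSwitchIssuer = []byte("ZPK-SWITCH-TO-ISSUER-A01") // Switch <-> Issuer
)

// tdesBlock runs one 8-byte block through 3DES (a PIN block is exactly one block).
func tdesBlock(key, in []byte, encrypt bool) []byte {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error in this demo
	}
	out := make([]byte, 8)
	if encrypt {
		c.Encrypt(out, in)
	} else {
		c.Decrypt(out, in)
	}
	return out
}

// xorPAN XORs in the format 0 PAN field (0000 + rightmost 12 PAN digits, check digit excluded); XOR is self-inverse.
func xorPAN(field []byte, pan string) []byte {
	q, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1]) // PAN validated by caller
	out := make([]byte, 8)
	for i := range out {
		out[i] = field[i] ^ q[i]
	}
	return out
}

// formatPINBlock builds a clear format 0 block: (0 | PIN length | PIN | F padding) XOR PAN field.
func formatPINBlock(pin, pan string) []byte {
	p, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	return xorPAN(p, pan)
}

// extractPIN reverses formatPINBlock, rejecting a bad control nibble, length or padding.
func extractPIN(block []byte, pan string) (string, error) {
	s := hex.EncodeToString(xorPAN(block, pan))
	n, _ := strconv.ParseInt(s[1:2], 16, 0)
	if s[0] != '0' || n < 4 || n > 12 || strings.Trim(s[2+n:], "f") != "" {
		return "", fmt.Errorf("malformed format 0 PIN block")
	}
	return s[2 : 2+n], nil
}

// translatePINBlock re-encrypts from one zone key to the next; in a real HSM the clear block never leaves the boundary.
func translatePINBlock(in, fromKey, toKey []byte) []byte {
	return tdesBlock(toKey, tdesBlock(fromKey, in, false), true)
}

// RunTransaction follows the slide: 1. PIN encryption at the terminal, 2. PIN translation at
// acquirer and switch, 3. decryption and verification at the issuer (simplified: clear reference PIN).
func RunTransaction(enteredPIN, pan, referencePIN string) (bool, error) {
	if len(pan) < 13 || len(enteredPIN) < 4 || len(enteredPIN) > 12 || strings.Trim(pan+enteredPIN, "0123456789") != "" {
		return false, fmt.Errorf("malformed PIN or PAN")
	}
	atAcquirer := tdesBlock(tpk, formatPINBlock(enteredPIN, pan), true)     // 1. terminal
	atSwitch := translatePINBlock(atAcquirer, tpk, zpkAcqSwitch)             // 2. acquirer HSM
	atIssuer := translatePINBlock(atSwitch, zpkAcqSwitch, zpkSwitchIssuer)   // 2. switch HSM
	pin, err := extractPIN(tdesBlock(zpkSwitchIssuer, atIssuer, false), pan) // 3. issuer HSM
	return err == nil && pin == referencePIN, err
}
```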
Card & PIN Issuance
Card Management, Data Preparation, Card Personalisation
Card Issuance: Card Management, Data Preparation, Card Personalization Applications
• Production & personalization of smart cards & secure documents
• Card types & environments:
  • Payment Cards (EMV & mag-stripe credit/debit cards), Fuel/Fleet Cards
  • eID / e-Passport Documents
  • eHealth Cards
  • Telco/SIM Cards
  • Loyalty/Gift Cards
  • Corporate ID Cards
  • Online Banking & Authentication Cards & Tokens
• Personalization data includes private user information (PAN, PIN), keys and certificates
HSM Usage
• Data Preparation: Server-side key, PIN and certificate generation for injection into the smart card
• Personalization: Encrypted communications (Secure Messaging) with the smart card for chip encoding
• High speed/throughput key generation/derivation - may do thousands of cards per hour
• High availability – cannot tolerate stoppage of automated card processing equipment
• Adherence to relevant standards: EMV, ANSI, ZKA, APCA, GlobalPlatform, ICAO, …
• Certifications: FIPS 140-2 Level 3, PCI-HSM
Application Providers
• ACI/BellID, AustriaCard, BPC, CardHall/Pronit, CardTek, Compass Plus, Cryptomathic, DataCard, G&D, Gemalto, Morpho, Mühlbauer, NBS/UbiQ, Oberthur, OpenWay, TSYS CardTech, …
Card Issuance – Central Back Office (diagram)
Issuer (Bank / Government): Card Application Management System, Data Preparation System, HSM
Chip Manufacturer: OS + App, encrypted file(s)
Card Manufacturer: OS + Card Application, Card Production System, HSM
Personalizer / Personalization Bureau: Personalisation System, HSM
Keys exchanged between the parties: KEK, KMC
Instant Issuance at Branch (diagram): HSM
PIN Mailing / Key Mailing
HSM Features
HSM directly attached to printer
PINs never exposed in clear form (outside of protected HSM environment)
HSM generates and prints PINs to PIN Mailers
Support of PIN Mailer layouts in PostScript format
PIN Printing in Words
USB & Serial Printing
Separate PIN Mailer User Roles
Extensive Auditing
OTP with EMV Card
Chip Authentication Program (CAP)
Chip Authentication Program (EMV-CAP)
Payment Card as General-Purpose Secure Authentication Device: Card + Offline Reader
Products: Mastercard CAP & Visa DPA
• Two Factor Authentication (2FA)
• Payment Card (Credit or Debit) & PIN
Authentication Process
• Payment card inserted into stand-alone reader
• Cardholder authenticates to the chip with PIN entered on the reader (not interceptable)
• Card produces a One-time Password (OTP), not susceptible to "phishing" attacks
• Any chip card loaded with the standard Mastercard M/Chip or Visa VSDC payment application, or a stand-alone CAP/DPA card
Advanced feature: Transaction Signing
3D-Secure Internet Payments
Verified by Visa | MasterCard SecureCode
3D-Secure Credit-Card Transactions over the Internet
• A Visa Initiative, but licensed to others:
  • Verified by Visa
  • MasterCard SecureCode
  • JCB J/Secure
• For merchants and financial institutions, specifies authentication and processing procedures
• Requires some form of card-holder authentication, at this stage generally keying of a password/PIN
3D-Secure - Online Card Payment Technology
Purpose
• Increase e-commerce transactions
• Promote consumer confidence
• Increase member and merchant profitability
Features
• Provide global framework for authentication of remote payments
• Reduce operational expense by minimizing chargebacks for unauthorised use
• Can be implemented without special cardholder SW or HW
• Extensible as to authentication methods (e.g. payment smartcards, certificates)
• Enhanceable by Issuer without impacting acquirer or merchant
• Extensible into emerging channels like mobile phones, PDA, digital TV
• Based on globally accepted technical standards
• Provides a centralized archive of payment authentications for use in dispute resolution
3D-Secure Components
• MPI – Merchant Server Plug-In: processes payment messages
• ACS – Access Control Server: issuing application requiring a FIPS 140-2 Level 3 HSM
• CAVV – Authentication code for the card, generated by the HSM: authenticates card holder, merchant and transactions
Contactless Payments
MasterCard PayPass | Visa PayWave
Contactless Cards
Simpler way to pay, higher convenience, speed
"Tap & Go" experience (public transport, parking garages, toll roads, fuel dispensers)
Minimum impact on existing payment infrastructure
2 offerings:
• Contactless / (EMV) Chip
  • Usually dual interface card (contact and contactless)
  • Uses standard EMV authentication technologies (SDA/CDA)
  • Low-value payments, approved offline by both card and terminal (for fast transactions)
• Contactless / Mag-Stripe
  • meaning: for magnetic-stripe payment infrastructures
  • potentially other form factors (key fob, watch)
  • Online Payments
  • New authentication mechanism: Static or Dynamic CVV (CVC3 / dCVV)
Mobile Payments
NFC Mobile Payments
"Payment Card" on mobile phone
• NFC used for communications (up to 10 cm distance)
• Payment app resides in SE (Secure Element) on mobile
• UICC, MicroSD, Integrated Chip
Equivalent to contactless/mag-stripe card
No modification to existing (contactless) acceptance infrastructure
No mobile network activity during transaction (payment app on mobile <-> reader/terminal)
New: OTA (over-the-air) personalisation/provisioning
• Issuer Installation (full OTA personalisation)
• Service Provider Installation (pre-installation)
• MasterCard and Visa offer such services
OBM (Online Banking Module)
End-to-End Encryption of Credentials for Internet/Online Banking
Internet Banking E2E Application
Typical internet security from the browser to the web server is SSL, terminated at the web server
End-to-end encryption, browser to host, protects the PIN / password all the way to the host rather than only to the web server
RSA encryption at the client with a Java applet – HSM decryption and verification at the host
Supports numeric (card) PINs and (alphanumeric) passwords (4-30 characters)
PIN/password change option
Diagram labels: Internet, Web Server, Application Server/Host
ATM Remote Key Loading
RKL means the secure on-line transport to the ATM of its initial DES/3DES key (A-key, TMK) using public key techniques, along with associated key and certificate management.
RKL eliminates the arduous nature of manual key loading and the associated compliance tracking
Result - dramatically reduced cost and increased security
PCI-DSS compliant (change keys once per year)
2 Methods:
Certificate-based (Diebold)
Signature-based (NCR, Wincor-Nixdorf)
PCI-P2PE Compliance & Fraud Reduction
eCommerce & Payment Service Providers
PCI-DSS & PCI-P2PE Compliance
Key Requirements:
• Protect cardholder information (when stored and transmitted)
Technologies:
• Network segmentation
• Tokenization
• Encryption to reduce PCI scope
• Point-to-point encryption (P2PE)
What is Point-to-Point Encryption?
Point-to-Point Encryption (P2PE) is encryption of sensitive data at the Point-of-Interaction (POI) for secure transmission to a secure boundary where it may be decrypted, re-encrypted or tokenized.
A FIPS 140-2 L3 or PCI-HSM certified HSM is required by the P2PE decryption provider
Payment Solutions using other SafeNet HSMs and Appliances (Luna SA/PCI, Luna SP, DataSecure)
ViewPIN
Electronic Check Processing
Wholesale Payments / Interbank Funds Transfer
PCI-DSS Compliance – Encryption and Tokenization
ViewPIN
Secure Online PIN/Credential Delivery
ViewPIN - Luna HSM helps provide the only secure/easy-to-use online EMV PIN delivery solution
Solution allows card issuers to provide a secure electronic alternative to traditional PIN mailers
Benefits
• Instant PIN issuance allowing immediate use of card
• Cost savings associated with not having to issue paper PIN mailers
• Eliminates PIN mailer interception fraud via post
• Provides a competitive advantage
Compliance & Fraud Reduction
DataSecure: Powerful Centralized HW-Based Encryption Management
• Compliance & Fraud Prevention
  • Solution built from the ground up to meet compliance requirements (e.g. PCI-DSS)
• Two Methods
Encryption
  • At DB level (transparently) or Application layer
Tokenization
  • Tokenization replaces sensitive data (credit cards, social security numbers etc.) with a surrogate value, a token
  • As a result most system components are exposed only to the surrogate value and NOT to the original sensitive data
  • Protects sensitive data and eliminates the risk of data-blooming
  • Sensitive data does not exist in the system and processing is done only with the token
  • Significantly reduces regulatory scope
  • Works best on structured data
Wholesale Payments / Interbank Funds Transfer
Wholesale Payments (Funds & Securities) – diagram
Small Banks and Large Banks: Applications, Access Control via 2 or 3 factor, SafeNet HSM
Financial Transaction Infrastructure: Directory, Certificate Authority, Key Management, SSL Acceleration, FIPS certified SafeNet HSM
Services: Payments & Cash Mgt, Treasury & Derivatives, Trade services, Pre-Settlement/trade, Clearing services, Custody services
Check Clearing
Check Clearing Process Embedded Example
Check MICR data & images are captured at the Presenting Bank
Diagram components: Clearing House Interface (Presenting Bank), Clearing House, Clearing House Interface (Paying Bank), Electronic Check Archive
Each of the three clearing nodes holds a Luna PCI for Root Key Storage, Signing and Encryption; a Luna SA provides User Auth and Auth & license control
Flows: Signed & Encrypted Outward Electronic Check MICR & image (presenting bank -> clearing house -> paying bank); Outward return Check MICR; Inward Check MICR & images
Electronic Check Archive: Database encryption, OCSP & Enc data, Sign & Enc data
Thank you