Patricia Walters| CTGA, VP, Security Solutions IBM Retail User Group Conference 2011
Agenda
Re-defining end-to-end encryption
Technology Trends
E2E Methodologies
Retailer Adoption
Standards Development
Transaction Lifecycle
Diagram: Consumer -> Merchant -> Acquirer -> Issuer. Transaction types: Sale, Pre-Auth, Return, Void; Card Present and Card Not Present. Card data is in transit between each party and is transmitted and stored (data at rest) at the Merchant, the Acquirer and the Issuer.
Re-Defining end-to-end
Targets of Attack
POS Systems are 75% more likely to be targeted
The terminal -
Without End to End, card data flows unencrypted through the retail infrastructure
Diagram: Stores/Lanes (ECR in Store 1, Store 2 ... Store n) -> Retail Data Center (Payment Switch, Business/PII systems) -> Amex, Processor, Card Brands & Issuers
With End to End, only the payment terminal (TRSM, tamper-resistant security module) has clear text payment data
Diagram: the same path (Stores/Lanes ECR in Store 1, Store 2 ... Store n -> Retail Data Center Payment Switch, Business/PII systems -> Amex, Processor, Card Brands & Issuers), with the card data encrypted from the terminal onward
Public Key Schemas
Provide flexibility, as keys can be downloaded as a data file
May increase the size of the transaction (public-key encryption adds a fixed overhead, such as a wrapped key or an RSA block the size of the key modulus, regardless of the PAN length)
Symmetric Key
Requires traditional secure key injection techniques before use
Does not increase the size of the transaction
It is common for most E2E schemas to be coupled with a token schema to protect the data both in flight and at rest.
Tokenization Techniques
The PAN is represented by, and replaced with, a pseudo-random alternate value: the token
Token schemes are designed so that the token cannot be reverse engineered or decoded
Card data can be retrieved at a later time using the token
Tokens cannot be used in a sale transaction
Tokens are typically offered in addition to E2E, in order to also protect card data while at rest
Typically a token is the same length as the PAN, does not start with a 3, 4 or 5 and carries the same last 4 digits of the PAN for reference purposes
Typically tokens do not pass a Mod 10 (Luhn) check
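The token properties listed above, as an added example (this is not Hypercom's or any processor's code): a Luhn check, a token generator that keeps the PAN length and last four digits while avoiding a leading 3, 4 or 5 and a valid Mod 10 result, an in-memory vault standing in for the real token store, and the gate a payment switch would apply so a token is never sent for authorization as if it were a PAN. The PANs used are constructed test numbers.

```python
"""Tokenization of a PAN as described on the slide: random token, same length,
same last four digits, first digit never 3/4/5, never Luhn-valid, and only
reversible through the vault. Added example; not the page's own code."""
import secrets


def luhn_valid(digits: str) -> bool:
    """Mod 10 (Luhn) check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Build a pseudo-random token for `pan` with the slide's properties."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    last4 = pan[-4:]
    while True:
        # Leading digit never 3, 4 or 5, so the token cannot be mistaken for
        # an Amex, Visa or MasterCard PAN by format alone.
        first = secrets.choice("012679")
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
        token = first + body + last4
        # About one random draw in ten happens to pass Mod 10; reject it.
        if token != pan and not luhn_valid(token):
            return token


class TokenVault:
    """Minimal in-memory vault (assumption: a stand-in for a real token store).
    The token -> PAN table is the only way back to the card number; in production
    that table is encrypted at rest and the vault itself remains in PCI scope."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN, or mint a new unique one."""
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = make_token(pan)
        while token in self._pan_by_token:   # collision with another card's token
            token = make_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Retrieve the card data later (e.g. for a return) using the token."""
        return self._pan_by_token[token]


def looks_like_token(value: str) -> bool:
    """Gate at the payment switch: anything that fails the PAN format rules
    (leading 3/4/5 and a valid Mod 10) is a token and must not go out for sale
    authorization."""
    return value[0] not in "345" or not luhn_valid(value)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"             # constructed test PAN (passes Luhn)
    token = vault.tokenize(pan)
    print(pan, "->", token)
    assert looks_like_token(token) and not looks_like_token(pan)
    assert vault.detokenize(token) == pan
```

The generator draws from `secrets` rather than `random` so the token carries no information about the PAN beyond the last four digits it deliberately preserves; the only path back is the vault lookup, which is exactly why the vault, not the token, is the asset to protect.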
Processors are adopting E2E/token schemas as a way of increasing their value proposition to the retailer
Retailers can now contract directly with their processor for E2E functionality
The processor provides the retailer with an E2E key
The retailer's E2E key is either injected or downloaded
Processors are offering direct pricing incentives to move retailers to E2E
TBD
Table: E2E technology by processor. Rows: RSA, MagTek, Voltage, VeriShield. Columns: EVO, First Data, Heartland, Chase, Global, TSYS, Fifth Third, Elavon. An x marks the processors offering each technology.
The New Trend in PCI DSS Scope Elimination: Terminal to Processor Direct
Diagram: Stores/Lanes (ECR), Retail Data Center (Payment Switch, Loss Prevention, Business/PII systems), Processor, Amex, Card Brands & Issuers; the terminal's encrypted card data goes directly to the processor.
Protect your terminal estate from rogue applications, malware and unauthorized removal
For online PIN environments, upgrade to 3DES and implement Remote Key Injection to protect symmetric keys
Follow best practices published by the SPVA and Visa
End
Patricia Walters | CTGA, VP, Marketing and Security Solutions N.A. ETA 2011
2010 Hypercom Corporation. All rights reserved. Hypercom Corp. Proprietary Information. The information contained in this document is protected by U.S. and international laws relating to intellectual property. This document and the information contained herein may not be summarized, translated, modified, copied or otherwise adapted to a third party's needs without the written permission of Hypercom Corp. All information is subject to change without notice and Hypercom Corp. does not warrant the information's accuracy or correctness.