Security Presentation

Patricia Walters| CTGA, VP, Security Solutions IBM Retail User Group Conference 2011

Agenda

Re-defining end-to-end encryption Technology Trends E2E Methodologies Retailer Adoption Standards Development

Transaction Lifecycle
Data in Transit

Consumer
Sale Pre-Auth Return Void
Card Present & Card Not Present

Merchant
Data Transmitted and Stored

Acquirer
Data Transmitted and Stored

Issuer
Data Transmitted and Stored

Data at rest

Re-Defining end-to-end

Targets of Attack
POS Systems are 75% more likely to be targeted

The entire POS infrastructure is a target

The terminal -

POS/ECR - and Network

- all are at risk

Without End to End, Card Data Flows unencrypted through retail infrastructure
RetailDataCenter Stores/Lanes
ECR PaymentSwitch Amex Processor CardBrands &Issuers

Store1 ECR SAP/Oracle Discover

Store2 ECR

Fin/Accounting InComm/Blackhawk GreenSpot LossPrevention

Storen

Business/PII

With End to End, only the payment terminal (TRSM) has clear text payment data
RetailDataCenter Stores/Lanes
ECR PaymentSwitch Amex Processor CardBrands &Issuers

Store1 ECR SAP/Oracle Discover

Store2 ECR

Fin/Accounting InComm/Blackhawk GreenSpot LossPrevention

Storen

Business/PII

Multiple E2E Methodologies have emerged

Two basic methodologies in play today:

Public Key Schemas P bli K S h Provide flexibility as keys can be downloaded as a data file May increase the size of the transaction Symmetric Key Require traditional secure key injection techniques to begin use Does not increase the size of the transaction It i common f most E2E schemas to couple with a t k is for t h t l ith token schema to protect the data in flight and at rest

Tokenization Techniques
The PAN is represented and replaced with a pseudo random alternate value: token Token schemes are designed to that it cannot be reverse engineered or decoded Card data can be retrieved at a later time using the Token Tokens cannot be used in a sale transaction Tokens are typically offered in addition to E2E in order to in addition protect card data while at rest Typically a token is the same length as the PAN, does not start with a 3, 4 or 5 and carries the same last 4 digits of the PAN for reference purposes Typically tokens do not p yp y pass a M10 check
9

Processors are adopting E2E/Token Schemas as a way of increasing their value proposition to the retailer Retailers can now contract directly with their processor for E2E functionality Retailers provide the retailer with an E2E key Retailer E2E key is either injected or downloaded Processors are offering direct pricing incentives to move retailers to E2E

10

US Processor E2E Commitments

TBD
EVO First Data Heartland Chase Global TSYS FifthThird Elavon

RSA

MagTek g

Voltage g

VeriShield

x x x x
X

x x
X

11

E2E Methodologies in use today: RSA

RSA technology combines a public encryption key and tokenization to provide both transaction and data at rest security Marketed and Branded as TransArmor by First Data, supported on most of the First Data host front ends t d t f th Fi t D t h t f t d Public Keys are flexible and easy to download Important to protect the public key by authenticating it prior to use Typically priced by the processor to the retailer directly

12

E2E Methodologies in use today: Voltage

Voltage Technologies combine a terminal generated symmetric key a public encryption key and key, tokenization to provide both transaction and data at rest security M k t d and B d d b b th Fifth Thi d (FTPS) and Marketed d Branded by both Third d Heartland The combination symmetric and public key methods may assist in meeting new key rotation standards Important to protect the public key by authenticating it prior to use Typically priced by the processor to the retailer directly

13

E2E Methodologies in use today: MagTek

MagTeks MagneSafe 2.0 utilizes a TDES, DUKPT symmetric key to protect the transaction, there is no transaction token schema at present Marketed and Branded by EVO Provide a hosted decryption solution (Magensa) for retailers who want flexibility Can be combined with Hypercoms Remote Key Hypercom s Injection to more effectively manage key rotation Typically priced as an annual license fee

14

E2E Methodologies in use today: VeriShield Total Protect

VSP utilizes an AES static symmetric key to protect the transaction and an RSA token schema for data at rest security Branded and Marketed by Chase Paymentech Requires traditional secure key injection techniques Typically priced as a per transaction fee For retailers using VeriFone payment terminals only

15

E2E Methodologies in use today: EFTSec 2.0

EFTSec utilizes a TDES, DUKPT symmetric key to protect the transaction and a token schema for data at rest security Provides retailers with a method of supporting both encryption i th t ti in the terminal and d i l d decryption at th ti t the retailers host Can be combined with Hypercoms Remote Key yp y Injection service to more effectively manage key rotation Typically priced as an annual license fee For retailers using Hypercom payment terminals only

16

The New Trend in PCI DSS Scope elimination, Terminal to Processor Direct
CardBrands &Issuers

Processor

RetailDataCenter Stores/Lanes
ECR PaymentSwitch

Amex

Store1 ECR SAP/Oracle

Discover Store2 ECR InComm/Blackhawk / GreenSpot Storen Fin/Accounting

LossPrevention

Business/PII

17

New E2E Standards Emerging: PCI and ANSI

The PCI SSC has announced a new Point to Point Encryption standard is forthcoming:
Standard calls for use of TRSMs to protect keys Strong encryption algorithms Strong public key authentication More frequent key rotation

ANSI has developed their new draft standard, X9.119

Calls for very similar standards as PCI

18

Summary: Best practices for Merchant Environments

Always use data encryption when transmitting cardholder data, including the retail store environment Implement end to end encryption strategies that protect each end-to-end node in the network transport Reduce and eliminate systems that store cardholder data
Eliminate need for in-store host to maintain cardholder data Centralize cardholder data in one secure system Use Tokenization strategy wherever possible

Protect your Terminal Estate from rogue applications, malware and unauthorized removal F online PIN environment, upgrade 3DES and i l For li i t d d implement t Remote Key injection to protect symmetric keys Follow best practices published by SPVA, Visa
19

End
Patricia Walters | CTGA, VP, Marketing and Security Solutions N.A. ETA 2011

2010 Hypercom Corporation. All rights reserved. Hypercom Corp. Proprietary Information. The information contained in this document is protected by U.S. and international laws relating to intellectual property. This document and the information contained herein may not be summarized, translated, modified, copied or otherwise adapted to a third partys needs without the written permission of Hypercom Corp. All information is subject to change without notice and Hypercom Corp. does not warrant the informations accuracy or correctness. Corp information s correctness