Encryption vs tokenisation (for share)

  1. Encryption vs Tokenisation
     Witham Laboratories
     1/842 High Street
     East Kew 3102
     Melbourne
     Australia
     Ph: +61 3 9846 2751
     Fax: +61 3 9857 0350
     Rambla de Catalunya
     38, 8 planta
     08007 Barcelona
     Spain
     Ph: +34 93 184 27 88
     Email: lab@withamlabs.com
     PCI PTS PCI PIN PCI DSS PA-DSS
     Witham Laboratories
     Building Confidence in Payment Systems
     Slide No. 1
  2. Agenda
     - Protecting Cardholder Data
     - Cryptography and Tokenisation 101
     - What’s the difference?
     - Format Preserving Encryption
     - P2PE and TRSM Standards 101
     - Australian P2PE Implementations
     - PCI SSC P2PE Activity
     - Auditing Encryption and Tokenisation
  3. Protecting Cardholder Data
     - PCI DSS scope = all systems which store/process/transmit card data
     - Render sensitive elements inaccessible
       - PAN, track data, online PIN block, CVV2
       - Req. 3.4 (storage), 4.1 (transmission)
     - Prevents exposure of card data
       - Comms / storage does not reveal card data
       - Prevents line tapping / memory attacks
     - Encryption & tokenisation referenced
  4. Cryptography 101
     - Encryption is a keyed reversible function
       - Output ‘looks’ different to input data
       - Generally encrypts data in ‘blocks’
     - Use standardised encryption algos
       - AES, TDES, ECC, RSA
     - Security is dependent on the ‘key’
       - The key is just a ‘big’ number
       - Good key management is vital
     - ‘Attack surface’ = key and use of key
  5. Tokenisation 101
     - Replace PAN with a ‘reference number’
       - Same format, ‘looks’ like card data
     - PAN not necessary after the transaction
       - Token can be used instead
       - Minimises access to card data
     - Tokenisation system can ‘restore’ PAN
       - Tokenisation is a reversible process
     - How is this done?
  6. Tokenisation 101
     - Lots of different tokenisation methods
       - Cryptography, look-up, proprietary
       - What are the pros / cons of each?
     - Beware systems based on global secrets
       - Exploit one system, expose many
     - ‘Attack surface’ depends on:
       - Method of tokenisation used
       - Systems involved in tokenisation method
     - Tokenisation and encryption share some similarities …
  7. Encryption - Visualisation
     - Encryption maps a value from the input domain to a value in the output domain
     [Diagram: Input domain (0 … 2^(block size)) → Encryption Algo, with Key → Output domain (0 … 2^(block size))]
  8. Encryption - Visualisation
     - Different input values have different output values, based on the value and the key
     [Diagram: Input domain (0 … 2^(block size)) → Encryption Algo, with Key → Output domain (0 … 2^(block size))]
  9. Encryption - Visualisation
     - Changing the key changes the output values for the same input values
     [Diagram: Input domain (0 … 2^(block size)) → Encryption Algo, now with Key 2 → Output domain (0 … 2^(block size))]
  10. Encryption - Visualisation
     - The key, and the use of the key, define the attack surface – the algorithm is public
     [Diagram: Input domain (0 … 2^(block size)) → Encryption Algo, with Key 2 → Output domain (0 … 2^(block size))]
  11. Tokenisation - Visualisation
     - Tokenisation is similar – input values mapped to output values based on secret(s)
     [Diagram: Input domain (Lowest PAN value … Highest PAN value) → Tokenisation System (??Key, DB, Server) → Output domain (Lowest PAN value … Highest PAN value)]
  12. Tokenisation - Visualisation
     - Here the attack surface is not as well defined – it may be a key, DB, server, or other
     [Diagram: Input domain (Lowest PAN value … Highest PAN value) → Tokenisation System (??Key, DB, Server) → Output domain (Lowest PAN value … Highest PAN value)]
  13. What’s the difference?
     - Similarities?
       - 1:1 reversible mapping of input ↔ output
       - Security dependent on secret(s)
     - Differences? For encryption:
       - Lots of study, security standards/products
       - Well known attack methods & mitigations
       - May not ‘play nice’ with existing systems
     - Tokenisation: no standards, little study
       - But compatible … Compromise?
  14. Format Preserving Encryption
     - ‘Normal’ encryption assumes all data is unformatted binary data
       - Any formatting is ‘lost’ during encryption
     - Problem for format dependent systems
       - Eg databases, existing protocols, data capture devices (eg PINPads)
     - Format preserving encryption (FPE) = encryption without loss of formatting
       - Combines encryption & tokenisation
  15. FPE Common Features
     - Feistel cipher construction
       - Round function = AES, Triple DES
       - Systems may modify inputs for each round
       - Round fn. output trunc’d to FPE block size
       - Remap input/round fn. output as required
     - Encrypt with multiple Feistel rounds
       - # rounds, re-mapping – depends on cipher
       - These details can be important …
     - May only encrypt middle digits of a PAN
       - Ensures card type and Luhn check still valid
  16. Feistel Cipher
     [Diagram: Feistel round structure; for any round ‘n’, repeat as necessary …]
  17. FPE Algorithm Example
     - EG: Encrypt PAN 4123456789012349
       - Keep first digit (card type)
       - Discard Luhn check
     [Diagram: Feistel rounds over the remaining digits, combined by Mod10 addition]
     - Output PAN = 4748232137547657
       - Restore first digit
       - Recalculate Luhn check
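A worked version of the slide’s procedure (keep the first digit, drop the Luhn digit, run the middle digits through a Feistel network with mod 10 addition, then restore the first digit and recompute Luhn), added here as an illustration and not code from the deck or from Witham Laboratories. Assumptions: HMAC-SHA256 stands in for the AES/TDES round function the deck names, the mod 10 addition is digit-wise, and the key is a constructed demo value, so the output differs from the slide’s 4748232137547657 while keeping the same properties (first digit preserved, Luhn-valid, reversible under the key).

```python
import hashlib
import hmac
from typing import List

Digits = List[int]


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for `body` (every PAN digit except the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                  # rightmost body digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def round_fn(key: bytes, rnd: int, half: Digits, width: int) -> Digits:
    """Feistel round function remapped to `width` decimal digits.

    Stand-in: HMAC-SHA256 keyed with `key` over (round number, other half).
    The deck's FPE schemes use AES or Triple DES here; the construction is the same."""
    mac = hmac.new(key, bytes([rnd]) + bytes(half), hashlib.sha256).digest()
    as_decimal = str(int.from_bytes(mac, "big") % 10 ** width).zfill(width)
    return [int(c) for c in as_decimal]     # truncated/remapped to the FPE block size


def feistel(key: bytes, digits: Digits, rounds: int, decrypt: bool) -> Digits:
    """Digit-wise Feistel network: R' = L + F(R) (mod 10 per digit), then swap."""
    if rounds % 2:
        raise ValueError("use an even number of rounds so the halves realign")
    h = len(digits) // 2
    left, right = digits[:h], digits[h:]
    if not decrypt:
        for rnd in range(rounds):
            f = round_fn(key, rnd, right, len(left))
            left, right = right, [(a + b) % 10 for a, b in zip(left, f)]
    else:                                   # undo the rounds in reverse order
        for rnd in reversed(range(rounds)):
            f = round_fn(key, rnd, left, len(right))
            left, right = [(a - b) % 10 for a, b in zip(right, f)], left
    return left + right


def fpe_encrypt_pan(key: bytes, pan: str, rounds: int = 8) -> str:
    """Keep the first digit, discard the Luhn digit, encrypt the middle, recompute Luhn."""
    if not luhn_valid(pan):
        raise ValueError("input PAN fails the Luhn check")
    middle = [int(c) for c in pan[1:-1]]
    body = pan[0] + "".join(map(str, feistel(key, middle, rounds, decrypt=False)))
    return body + luhn_check_digit(body)


def fpe_decrypt_pan(key: bytes, token_pan: str, rounds: int = 8) -> str:
    """Inverse: drop the token's Luhn digit, decrypt the middle, restore the original one."""
    middle = [int(c) for c in token_pan[1:-1]]
    body = token_pan[0] + "".join(map(str, feistel(key, middle, rounds, decrypt=True)))
    return body + luhn_check_digit(body)


DEMO_KEY = b"constructed-demo-key-do-not-use"   # a real system keeps this in a TRSM/HSM
SLIDE_PAN = "4123456789012349"                 # the PAN from the slide

if __name__ == "__main__":
    out = fpe_encrypt_pan(DEMO_KEY, SLIDE_PAN)
    print(SLIDE_PAN, "->", out, "->", fpe_decrypt_pan(DEMO_KEY, out))
```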
  18. Encryption Implementations
     - FPE most often used in (DB) servers
       - Provides ‘transparent’ encryption and used for tokenisation
     - FPE increasingly a feature in PINPad SW
       - Also in encrypting MSRs, credit terminals
       - Encrypt data without ‘breaking’ POS SW
     - Encryption of comms for PCI DSS
       - Called ‘Point to Point Encryption’ (P2PE)
       - FPE not always used / required
     - What standards exist?
  19. P2PE Standards 101
     - ISO 10894*
       - “Procedures for Message Encipherment”
     - ANSI X9.119*
       - “Protection of Sensitive Data between Device and Acquiring System”
     - PCI SSC: PTS v3 ‘SRED’ & P2PE reqs*
     - Localised/industry associations and SIGs
       - SPVA, ATMIA, PCI SIGs, Visa & MC, AS2805.9
     - Secure HW (TRSM) is often required
  20. TRSM Standards 101
     - FIPS 140-2: Four approval levels (1 – 4)
       - L1 generally for SW only – no HW security
       - L2 some tamper evident HW security
       - L3 provides some tamper response
       - L4 full security envelope (hardest level)
     - PCI PTS (previously PCI PED)
       - v1 & v2 = PIN security only, v3 has SRED
     - APCA PED covers PIN security
       - From 2010 requires AS2805.9 keys
  21. Australian EFTPOS Standard(s)
     - AS2805 = Aus. Standard for EFTPOS
       - Key management, encryption, message formats, payment processing
       - Each bank has their own ‘interpretation’
     - AS2805.9 defines message encryption
     - AS2805.6.x defines key management
       - Unique per transaction (AS2805.6.2)
       - Unique each day / 256 trans (AS2805.6.4)
       - AS2805.6.5.3 for RSA key loading
       - Watch your key lengths!
  22. AS2805.9
     - Encryption of each EFTPOS message
       - Extract non-sensitive elements
       - Encrypt whole message with TDES OFB
       - Stream mode of TDES; XOR with key stream (not FPE)
       - Replace non-sensitive elements and send
     - Things to be aware of:
       - OFB: same key = same key stream
       - Same key stream on different transactions allows for recovery of transmitted data
       - AS2805.6.4 keeps same key for many trans
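The key-stream reuse warning on this slide, as an added auditor’s check that is not code from the deck or from Witham Laboratories: OFB derives its key stream from the key and IV alone, so two messages encrypted under one key (the AS2805.6.4 situation) have ciphertexts whose XOR equals the XOR of the plaintexts, while a fresh key per transaction (AS2805.6.2) does not. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for the TDES block encryption, a fixed IV is used, and the two messages are constructed samples, not real card data.

```python
import hashlib
import hmac

BLOCK = 8   # TDES block size in bytes; OFB emits the key stream one block at a time


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the TDES block encryption AS2805.9 specifies: HMAC-SHA256
    cut to one block. Only the OFB chaining matters for what this shows."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB mode: stream block i = E_key(stream block i-1), starting from the IV.
    The stream depends on (key, IV) only; the message never feeds back into it."""
    stream, prev = b"", iv
    while len(stream) < length:
        prev = block_encrypt(key, prev)
        stream += prev
    return stream[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_crypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the key stream."""
    return xor(message, ofb_keystream(key, iv, len(message)))


def shared_keystream_leak(ct1: bytes, ct2: bytes, pt1: bytes, pt2: bytes) -> bool:
    """Audit check for the slide's warning: if two ciphertexts came from the same
    key stream then ct1 XOR ct2 == pt1 XOR pt2, so the line carries the XOR of two
    messages' sensitive fields in the clear and one known message reveals the other."""
    n = min(len(ct1), len(ct2))
    return xor(ct1[:n], ct2[:n]) == xor(pt1[:n], pt2[:n])


# Constructed sample messages standing in for the sensitive part of two EFTPOS
# messages (after AS2805.9 extracts the non-sensitive elements). Not real card data.
MSG_1 = b"PAN=4123456789012349;EXP=2512;PINBLK=0123456789ABCDEF"
MSG_2 = b"PAN=4000000000000002;EXP=2701;PINBLK=FEDCBA9876543210"
IV = bytes(BLOCK)   # assumption: a fixed IV, so the key stream depends on the key alone


def same_key_many_transactions() -> bool:
    """AS2805.6.4 style: one key kept across transactions -> identical key stream."""
    key = b"constructed-session-key-reused"
    c1, c2 = ofb_crypt(key, IV, MSG_1), ofb_crypt(key, IV, MSG_2)
    return shared_keystream_leak(c1, c2, MSG_1, MSG_2)


def unique_key_per_transaction() -> bool:
    """AS2805.6.2 style: a fresh key per transaction -> different key stream, no leak."""
    c1 = ofb_crypt(b"constructed-key-txn-0001", IV, MSG_1)
    c2 = ofb_crypt(b"constructed-key-txn-0002", IV, MSG_2)
    return shared_keystream_leak(c1, c2, MSG_1, MSG_2)


if __name__ == "__main__":
    print("same key reused :", "LEAKS" if same_key_many_transactions() else "ok")
    print("unique key/txn  :", "LEAKS" if unique_key_per_transaction() else "ok")
```

The same check applies to any stream-mode construction an auditor meets (slide 26’s “Key sizes and IVs for stream cipher modes”): reuse of (key, IV) is the defect, whatever the block cipher.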
  23. PCI SSC P2PE Activity
     - Released ‘Initial Roadmap: P2PE Technology and PCI DSS Compliance’
       - Referenced SRED standard for devices
       - Discussed release of audit reqs in 2011
     - Development is ongoing (under NDA)
     - What can I talk about?
       - SRED is designed for securing card data
       - PCI PIN reqs cover key management
     - 2011 will be an interesting year …
  24. What is SRED?
     - SRED stands for “Secure Reading and Exchange of Data”
       - “Data” refers to Card Holder Data
     - A module of the PCI PTS v3.0 standard
       - PTS = PIN Transaction Security
     - Applies to devices that provide “account data protection” functionality
       - Encryption at Point Of Interaction (POI)
     - Expect to hear more about SRED soon
  25. SRED Device Block Diagram
     [Diagram: SRED device block diagram; no text recovered]
  26. Audit of Encryption Solutions
     - What encryption algo & modes?
       - Beware anything not AES, TDES, ECC, RSA
     - Key management – who and how?
       - Dual control and split knowledge
       - Unique keys per device/use
       - Key sizes and IVs for stream cipher modes
     - Encryption in TRSM? What standard?
       - Are you sure?? HW, FW, App, context
     - Where is plaintext card data accessible?
       - All possible inputs / outputs? Whitelists?
  27. Tokenisation Auditing
     - How is the tokenisation performed?
       - (Non) Random? Encryption? Details!
     - What is the attack surface of this method?
       - Key, algorithm, DB, system, network, etc
       - Does one exploit result in multiple exposures?
     - Security of tokenisation system
       - At least as per PCI DSS reqs 1.x and 2.x
     - FPE methods used for tokenisation?
       - Refer encryption reqs. Ask for details!
       - Ask for evidence of peer review output
  28. Questions?
     For further information please contact
     Andrew Jamieson
     Technical Manager
     Witham Laboratories
     Email: andrew.jamieson@withamlabs.com
     Phone: +61 3 9846 2751
