End-to-End Encryption for Credit Card Processing

Discussion of different approaches to E2EE in the credit card industry.

Published in: Business
  • Transcript

    • 1. END TO END ENCRYPTION Heartland’s Silver Lining?
    • 2. Overview
      - Heartland breach as impetus for End-to-End Encryption
      - Description of card transaction process
      - Heartland’s approach to End-to-End Encryption
      - Encryption and Key Management Methods used
      - Other Processor & Merchant solutions
      - Smartcard solutions
    • 3. Heartland Payment Systems, Inc
      - On Inauguration Day, HPS announced a breach that occurred from May 2008 until January 2009
      - Approximately 100 million credit and debit cards compromised from 650 financial institutions
      - More electronic records were breached in 2008 than in the previous 4 years
      - Track (magnetic strip) data was obtained, which includes the card number and sometimes the name.
    • 4. The Beginning of End-to-End
      - Robert Carr, CEO, hosted a ‘preliminary planning meeting’ on May 7th for the Accredited Standards Committee X9 at Heartland headquarters. As of 9/1/09, X9 did not have a standard yet.
      - The Goal – find a way to standardize End-to-End Encryption. This is being promoted as a panacea to external data threats.
      - Enabling E2EE would, in theory, limit the scope of PCI-DSS security requirements and audits for merchants and Processors.
    • 5. The Credit Debit Process
    • 6. The Credit Debit Process
    • 7. The Credit Debit Process Loyalty Programs
    • 8. The Credit Debit Process Loyalty Programs
    • 9. The Heartland-Voltage Security Plan E3
      - Tamper Resistant Terminal encrypts PAN with AES
      - Equipment manages its own private keys
      - Encrypted data is passed to and from Processor
      - Unencrypted track data is not stored at Merchant
      - Merchant stores all encrypted card data in an HSM.
      - Encryption keys are stored with Processor
      - All encryption/decryption happens at Processor’s HSM
      - “Securely Delivered” to the card brands
      - Token is Card Brand reference #, date stamp & last 4 digits of the PAN
      - Token is sent back to merchant for chargebacks and other post-processing
      Slide example: 1234-56XX-XXXX-7899
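The E3 flow on this slide, as an added example that is not Heartland's or Voltage's code: a Go sketch in which the terminal seals the PAN with AES-GCM, the merchant holds only the ciphertext and the returned token, and the processor (standing in for its HSM) is the only party that can open the blob. The same "processor keeps the ciphertext, merchant keeps a token" split is what slide 13 describes for First Data and RSA. The key, the sample PAN, the reference numbering and the date-stamp layout are constructed for the example; E3's real key management, IBE key delivery and message formats are not given on the slide and are not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// NewAEAD wraps an AES key in GCM. Only the terminal and the processor's HSM
// hold the key; the merchant systems in between never do.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt models the tamper-resistant swipe device: the PAN is sealed
// with AES-GCM the moment it is read. The returned nonce||ciphertext||tag is
// all that leaves the device and all the merchant ever stores.
func TerminalEncrypt(aead cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Token is what the merchant gets back for chargebacks and post-processing:
// a processor reference number, a date stamp and the last four PAN digits.
type Token struct {
	Ref   int
	Date  string
	Last4 string
}

// Processor stands in for the processor-side HSM, the only place decryption
// happens.
type Processor struct {
	aead    cipher.AEAD
	nextRef int
}

func NewProcessor(key []byte) (*Processor, error) {
	aead, err := NewAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Processor{aead: aead, nextRef: 1}, nil
}

// Authorize opens the terminal blob, issues a token and returns the masked
// PAN for receipts. A tampered blob, or one sealed under another key, fails
// GCM authentication and is rejected. The clear PAN never leaves this function.
func (p *Processor) Authorize(blob []byte, date string) (Token, string, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return Token{}, "", errors.New("blob too short")
	}
	pan, err := p.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return Token{}, "", fmt.Errorf("terminal data rejected: %w", err)
	}
	if len(pan) < 10 {
		return Token{}, "", errors.New("PAN too short")
	}
	tok := Token{Ref: p.nextRef, Date: date, Last4: string(pan[len(pan)-4:])}
	p.nextRef++
	return tok, MaskPAN(string(pan)), nil
}

// MaskPAN keeps the first six and last four digits and groups the result in
// blocks of four, giving the slide's 1234-56XX-XXXX-7899 shape.
func MaskPAN(pan string) string {
	var b strings.Builder
	for i, c := range pan {
		if i > 0 && i%4 == 0 {
			b.WriteByte('-')
		}
		if i < 6 || i >= len(pan)-4 {
			b.WriteRune(c)
		} else {
			b.WriteByte('X')
		}
	}
	return b.String()
}

func main() {
	key := make([]byte, 16) // constructed all-zero demo key; real terminals get their own injected key
	aead, _ := NewAEAD(key)
	proc, _ := NewProcessor(key)
	blob, _ := TerminalEncrypt(aead, "1234567890127899") // constructed sample PAN
	tok, masked, err := proc.Authorize(blob, "2009-09-01")
	fmt.Println(tok, masked, err)
}
```

GCM's authentication tag is what lets the processor refuse a blob that was altered in transit or sealed under a different terminal's key, which is the check a merchant-side system cannot perform because it has no key. The masked string the processor hands back is the only PAN-derived value that should appear on receipts or in merchant logs.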
    • 10. FFSEM Mode AES and IBE
      - FFSEM – Feistel Finite Set Encryption Mode
      - Preserves the format of the data while encrypting the digits for system management purposes w/AES.
      - Encrypts numbers only, and data must be between 9 and 19 digits.
      - Developed by Voltage, Heartland’s encryption partner; not yet a PCI-authorized method.
      - IBE – Identity Based Encryption uses shared information about the cardholder as the public key. Public and private keys are managed by a trusted third party called the PKG (private key generator).
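To make the "Feistel over a finite set" idea on this slide concrete, here is an added illustration. It is not Voltage's FFSEM and not an implementation of any published format-preserving encryption standard: an unbalanced Feistel network over decimal digit strings whose round function is one AES block encryption, reduced modulo a power of ten. It enforces the slide's 9 to 19 digit rule and returns ciphertext with the same length and character set as the input. The key and the sample PAN are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// rounds is even so the two halves end up back in their original positions.
const rounds = 10

func pow10(m int) *big.Int { return new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(m)), nil) }

// pad renders a non-negative integer below 10^m as exactly m digits.
func pad(x *big.Int, m int) string {
	s := x.String()
	return strings.Repeat("0", m-len(s)) + s
}

// roundFunc is the Feistel round function: one AES block encryption of
// (round index || other half as ASCII), reduced mod 10^m to an m-digit number.
// A half is at most 10 digits, so it always fits one 16-byte block.
func roundFunc(block cipher.Block, i int, half string, m int) *big.Int {
	in := make([]byte, aes.BlockSize)
	in[0] = byte(i)
	copy(in[1:], half)
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, in)
	y := new(big.Int).SetBytes(out)
	return y.Mod(y, pow10(m))
}

// feistel runs an unbalanced Feistel network over a digit string split into a
// u-digit left half A and a v-digit right half B. In round i the half being
// rewritten has m = u (even i) or m = v (odd i) digits; decryption replays the
// rounds in reverse order, subtracting the round output instead of adding it.
func feistel(block cipher.Block, digits string, decrypt bool) string {
	n := len(digits)
	u, v := n/2, n-n/2
	A, B := digits[:u], digits[u:]
	for r := 0; r < rounds; r++ {
		i := r
		if decrypt {
			i = rounds - 1 - r
		}
		m := u
		if i%2 == 1 {
			m = v
		}
		if !decrypt {
			a, _ := new(big.Int).SetString(A, 10)
			c := a.Add(a, roundFunc(block, i, B, m))
			A, B = B, pad(c.Mod(c, pow10(m)), m)
		} else {
			c, _ := new(big.Int).SetString(B, 10)
			a := c.Sub(c, roundFunc(block, i, A, m))
			A, B = pad(a.Mod(a, pow10(m)), m), A
		}
	}
	return A + B
}

// transform enforces the slide's input rule (digits only, 9 to 19 of them)
// and then runs the network under an AES key.
func transform(key []byte, digits string, decrypt bool) (string, error) {
	if len(digits) < 9 || len(digits) > 19 {
		return "", errors.New("input must be 9 to 19 digits")
	}
	for _, c := range digits {
		if c < '0' || c > '9' {
			return "", errors.New("input must be digits only")
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	return feistel(block, digits, decrypt), nil
}

// EncryptDigits runs the network forward; DecryptDigits replays it backwards.
// Both map a 9..19 digit string to a digit string of the same length.
func EncryptDigits(key []byte, digits string) (string, error) { return transform(key, digits, false) }
func DecryptDigits(key []byte, digits string) (string, error) { return transform(key, digits, true) }

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key; in E3 it would live at the processor
	pan := "1234567890127899"          // constructed sample PAN
	ct, _ := EncryptDigits(key, pan)
	pt, _ := DecryptDigits(key, ct)
	fmt.Println(pan, "->", ct, "->", pt)
}
```

Two properties of this construction matter for the "system management purposes" the slide mentions. It is deterministic, so the same PAN under the same key always yields the same digit string, which is what allows legacy fields and indexes to keep working; for the same reason the key has to stay with the processor, as slide 9 states, since anyone holding it can invert every stored value. And the output is merely digit-shaped: it does not carry a valid Luhn check digit and should not be mistaken for a real card number.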
    • 11. Hardware Security Module
      - Secure cryptoprocessor
      - Goals:
        - Onboard secure key generation
        - Onboard secure storage
        - Use of cryptographic and sensitive data material
        - Offloading application servers for complete asymmetric and symmetric cryptography.
      - Provides both logical and physical protection from non-authorized use.
    • 12. Steven Elefant, CIO HPS
      - “When we peel back the onion and look at the so-called end-to-end solutions out there, we find that they're really point-to-point solutions… True end-to-end encryption to us, … [starts] from the time the digits leave the magstripe on the consumer's card, and is turned from analog data into digital data, [and continues] all the way through the terminal, through the wires, through our host processing network until we securely deliver it to the brands.”
    • 13. Other Hats in the Arena
      - First Data and RSA have teamed up for a tokenization approach where the encrypted card data is at the Processor site and the merchant has only the token, created by the Processor.
      - RBS Worldpay (another hacker victim) will market VeriFone secure swipe terminals. Also uses format-preserving AES encryption.
      - Merchants are pursuing their own tokenization schemes. Fingerhut will tokenize all of their card data-at-rest and store encrypted card numbers in an HSM.
    • 14. E2EE - Problems
      - Not all transactions are initiated at a swipe machine. How often have you made a payment over the phone or on the internet?
      - Virtual Point of Sale websites are replacing swipe machines, increasing web exposure to card data.
      - Many businesses need to decrypt card data for recurring transactions, returns, pay on ship, etc.
      - The single greatest point of weakness, the magnetic strip, can still be lifted and cloned.
      - Most End-to-End solutions do not extend past the processor.
    • 15. E2EE – How It Would Work
      - Visa’s recommendations:
        - Limit clear-text cardholder and authentication data
        - Use robust key management solutions that meet international standards
        - Use recognized cryptographic algorithms
        - Protect devices used to perform cryptographic functions
        - Consider Tokenization as a data surrogate in place of credit card numbers.
      - They are essentially recommending the use of the smartcard (chip) or something like a Speedpass
    • 16. Other Security Measures - Smartcards
      - EMV – Microprocessor Chip Card popular outside the US. Expensive to implement:
        - Cryptographic coprocessor
        - Public key certificate management at the terminal level
        - Card data is still being stolen and transferred to the US for fraudulent transactions with mag-strip cloned cards.
      - Contactless Token – (i.e. Speedpass)
    • 17. Other Security Measures - Smartcards
      - Contactless Smartcards with Online Dynamic Cryptograms
        - Cryptogram is a type of digital signature
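Slides 14, 16 and 17 contrast static magnetic-stripe data, which can be copied and replayed, with a chip's online dynamic cryptogram. The following added example is not EMV reference code: it uses HMAC-SHA256 where EMV specifies its own MAC construction and session-key derivation, and it compresses the transaction data to three fields. What it keeps is the mechanism: the chip MACs the amount, its own transaction counter and a terminal-supplied unpredictable number under a secret that never leaves the card, and the issuer verifies online and refuses any counter it has already seen. PAN, card secret, amounts and nonces are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is the data both the chip and the issuer feed into the
// cryptogram: amount, the card's application transaction counter (ATC) and a
// terminal-chosen unpredictable number.
type Transaction struct {
	Amount        uint64 // minor currency units
	Counter       uint32 // incremented by the chip on every transaction
	Unpredictable uint32 // fresh per transaction, supplied by the terminal
}

func (tx Transaction) encode() []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[0:], tx.Amount)
	binary.BigEndian.PutUint32(b[8:], tx.Counter)
	binary.BigEndian.PutUint32(b[12:], tx.Unpredictable)
	return b
}

// Chip holds a per-card secret that never leaves the card. Track data on a
// magnetic stripe carries no such secret, so a stripe clone can only replay
// static data; it cannot compute a cryptogram for a new transaction.
type Chip struct {
	PAN     string
	secret  []byte
	counter uint32
}

// Cryptogram computes the dynamic cryptogram for one transaction. HMAC-SHA256
// stands in here for EMV's own MAC and session-key derivation.
func (c *Chip) Cryptogram(amount uint64, unpredictable uint32) (Transaction, []byte) {
	c.counter++
	tx := Transaction{Amount: amount, Counter: c.counter, Unpredictable: unpredictable}
	return tx, mac(c.secret, tx)
}

func mac(secret []byte, tx Transaction) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(tx.encode())
	return h.Sum(nil)
}

// Issuer is the online verifier: it knows each card's secret and the last
// counter it accepted, so a captured cryptogram cannot be replayed.
type Issuer struct {
	secrets  map[string][]byte
	lastSeen map[string]uint32
}

func NewIssuer() *Issuer {
	return &Issuer{secrets: map[string][]byte{}, lastSeen: map[string]uint32{}}
}

// Personalize records the card secret at issuance time and returns the chip.
func (is *Issuer) Personalize(pan string, secret []byte) *Chip {
	is.secrets[pan] = secret
	return &Chip{PAN: pan, secret: secret}
}

// Verify accepts a transaction only if the counter is strictly newer than the
// last one seen for this card and the cryptogram matches under its secret.
func (is *Issuer) Verify(pan string, tx Transaction, cryptogram []byte) error {
	secret, ok := is.secrets[pan]
	if !ok {
		return errors.New("unknown card")
	}
	if tx.Counter <= is.lastSeen[pan] {
		return errors.New("stale counter: replayed or out-of-order cryptogram")
	}
	if !hmac.Equal(mac(secret, tx), cryptogram) {
		return errors.New("cryptogram does not verify")
	}
	is.lastSeen[pan] = tx.Counter
	return nil
}

func main() {
	issuer := NewIssuer()
	card := issuer.Personalize("1234567890127899", []byte("constructed-card-secret")) // constructed values
	tx, ac := card.Cryptogram(1999, 0x5eed0001)
	fmt.Println("genuine:", issuer.Verify(card.PAN, tx, ac))
	fmt.Println("replay: ", issuer.Verify(card.PAN, tx, ac))
}
```

The counter check is what turns a MAC into a dynamic cryptogram: the same captured value is rejected the second time it is presented, and any change to the amount invalidates it. This is also why slide 17's "online" qualifier matters; the check lives at the issuer, not in the terminal, so a terminal that is offline cannot provide it.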
