Point-to-Point Encryption: Best Practices and PCI Compliance Update


Published on

Point-to-point encryption (P2PE) is gaining momentum as one of the most effective ways to secure payment data as it moves through and from the merchant environment. Recently, the technology got the official nod from the PCI Council with the release of their final requirements to safely deploy P2PE solutions.

In this webinar, recorded on 9-26-12, attendees were able to:

* Find out what was discussed at the PCI Community Meeting and where the Council is headed as it relates to P2PE and PCI compliance

* Learn best practices for P2PE implementation and encryption key management

* Identify different types of P2PE solutions and evaluate which one is right for you

* Understand how the upcoming move to EMV will impact and integrate with P2PE

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Point-to-Point Encryption: Best Practices and PCI Compliance Update

  1. 1. 09.26.2012 LIVE WEBINAR Point-to-Point Encryption: Best Practices & PCI Compliance Update
  2. 2. Introductions Ben Smyth Product Manager Merchant Link Beth Farris Manager, Marketing Merchant Link Misael Henriquez Director – Enterprise Security Merchant Link
  3. 3. Agenda • Current Threats • Industry Response – PCI Council – EMV • Point-to-Point Encryption – PCI P2PE-HW requirements – Solution types – Implementation best practices • Q&A
  4. 4. 69% 81% 7% 5% 10% 1% 0% Leveraging malware/hacking... to steal data in transit 4.3% 28.0% 5.2% 62.5% malware hacking The Verizon 2012 Data Breach Investigations Report The Trustwave 2012 Global Security Report in transit stored data hybrid data redirection Hackers’Preferred Method
  5. 5. Internal Threats 11% 17% 17% 22% 28% 28% 33% 50% Viruses, Malware, Worms, Trojans Criminal Insider Theft of Data-Bearing Devices SQL Injection Phishing Web-Based Attacks Social Engineering Other Types of malicious attacks The Ponemon 2011 Cost of a Data Breach Study Data-stealing malware
  6. 6. The Attack of the Bots In this diagram we have a typical network. The enterprise has two perimeter points of entry connecting to the Internet
  7. 7. The Attack of the Bots In this diagram, the Red Icon represents the BOT Master who will be controlling and receiving information through infected systems within the larger Internet macrostructure.
  8. 8. The Attack of the Bots The BOT Master has established two command and control centers (C&Cs) here for his "army" to check into to receive instructions. The BOT Master generally will interface to these C&Cs via open tools such as IRC.
  9. 9. The Attack of the Bots In this final picture, through various means (social, malware, etc.), BOTs have infiltrated the perimeter of an enterprise. These BOTs may appear totally harmless, using standard ports to transmit data to Command & Control Centers. Often, the only way to find them is to search from the perimeter for common destinations
  10. 10. How to Combat the Threat? • PCI Council Embraces P2PE – Recent releases from the Council with recommendations and requirements for implementing and providing P2PE solutions – QSA Certification, Training, and Validated P2PE solution publishing for solutions and providers – Requirements for Hybrid (Hardware to Hardware/Software) P2PE systems • Card Associations Adopt EMV Standard – Addressing the root of the problem by moving to a more secure payment vehicle – Extending the umbrella of security to authenticate the payment card to the cardholder and adding a measure of track data security to the POI
  11. 11. Protects Card-Present Protects Card-Not-Present Reduces PCI Scope EMV P2PE Misconceptions About EMV
  12. 12. VALIDATED AND LISTED SOLUTION PCI Domains and Requirements for P2PEPCI Domains and Requirements for P2PE DOMAIN 1: Encryption Device Management PTS Lab and Device Vendor QSA (P2PE) and Integrator/Solution Provider 1. Device is current and on PTS list. 2. Device is managed appropriately from key injection to pre-use including key management per Domain 6. PTS / SRED approval D4: Transmissions Between Encryption and Decryption Environments Merchant QSA (P2PE) and Solution Provider N/A – Device manages segregation between encryption and decryption zones N/A – Device manages segregation between encryption and decryption zones per Domain 1 1. Secure device management 2. Devices monitored for anomalous behavior 3. HSM use 4. Key Management per Domain 6 5. PCI DSS compliance QSA (P2PE) and Solution Provider DOMAIN 5: Decryption Environment/ Device Management DOMAIN 2: Application Security PA-QSA (P2PE) and Application Vendor QSA (P2PE) and Solution Provider Application is current on P2PE list or assessed as part of this P2PE solution. 1. Application developed per device vendor guidance, etc. 2. Application is assessed as part of P2PE solution. DOMAIN 3: Encryption Environment QSA (P2PE) and Solution Provider Merchant 1. Follows solution provider PIM for device inventory, tamper-checking, physical security. 2. Annual SAQ if required. 1. Solution provider’s PIM is complete. 2. Device/solution provider manages remote access, logical access, etc. Domain 6 requirements for key operations are applicable anywhere that cryptographic keys are handled, including the encryption device environment. QSA (P2PE) and Solution Provider DOMAIN 6: P2PE Cryptographic Key Operations
  13. 13. P2PE Solution Types Hardware/ Hardware Hybrid (hardware/ hardware- software) Hybrid (hardware/software)
  14. 14. For a merchant to qualify for PCI scope reduction for P2PE, the solution provider must be external to the enterprise
  15. 15. On the PCI Horizon... • The next version (v3.0) of the PCI Data Security Standards (PCI DSS and PA-DSS) will be released in October 2013 – No details yet • Recent focus on more specialized education for integrators, POS and device providers, individuals/professionals... (beyond QSAs) – P2PE Internal Security Assessor (ISA) program – Qualified Integrators and Resellers (QIR) program – Payment Card Industry Professional (PCIP) certification
  16. 16. Evaluate: Encryption industry-recognized standards and methods vs. proprietary The POI must be a PTS- certified hardware device Decryption hardware security modules (HSMs) how is key data transport handled? Devices, Applications The POI device must be SRED 2.x (or higher) enabled and active PA-DSS validated application Key Operations who holds the keys? who has access? key injection process?
  17. 17. Consider: Service / Support Fast access to data and ability to troubleshoot? Responsive, redundant support centers, 24x7x365? Network Uptime and Throughput Redundant data centers? Transactions per second? Stability Financial strength of company? Number of years experience? Flexibility Encryption via various POI devices? Single vs. multi-use tokens? Processor choice? POS vendor/device choice?
  18. 18. TransactionShield®: Our P2PE Solution • A flexible solution for the market today – Ability to support many point of interaction • card present, key-entered, e-commerce, virtual terminal – Designed to integrate with most major encrypting devices – Connectivity to all major processors • No processor lock-in: Ability to easily change acquirers without equipment changes, reprogramming or PIN re-injection • Option to connect to multiple processors simultaneously (AMEX, private label, gift cards, etc.) • Protects data as it travels through merchant IT environment – Encrypts cardholder data using industry-recognized standards and methods – Utilizes cloud-based decryption • C (QSA) validated
  19. 19. Conclusions • Data in-transit is under attack. – Hackers using a combination of techniques • To protect data, merchants much also use a combination of techniques (layers of security). – EMV is a good layer, but it’s not the answer • PCI has endorsed P2PE as an effective way to enhance security and reduce PCI scope. – Esp. hardware-based, third-party solutions • Requirements and threats continue to expand and change. Seek out a flexible, secure solution that can meet your needs now and into the future.
  20. 20. Contact us by email: sales@merchantlink.com Engage: www.merchantlink.com/blog Connect with us online: