EMV Security /
A Key Component to a Multi-layered Security Approach
JULY 29, 2015

EMV security / enhanced functionality in 3 key areas
Beyond Security – Why You Need Multi-Layered Security / EMV Security - 07/29/2015
EMV secures the payment transaction with enhanced functionality in 3 key areas:
1. Card Authentication / protecting against counterfeit cards
2. Cardholder Verification / authenticating the cardholder and protecting against lost and stolen cards
3. Transaction authorization / using issuer-defined rules to authorize transactions

EMV security / enhanced functionality in 3 key areas

Card Authentication
• The card is authenticated during the payment transaction, protecting against counterfeit cards
• Online transactions contain a unique chip-generated cryptogram, validated by the issuer
• Offline transactions are validated with the terminal using PKI Data Authentication

Cardholder Verification
• EMV supports four issuer-defined and prioritized cardholder verification methods (CVM):
1. Offline PIN
2. Online PIN
3. Signature
4. No CVM*
*typically unattended kiosks or small ticket transactions

Transaction Authorization
• Online, transaction info is sent to the issuer, along with a unique cryptogram
• Offline, the card and terminal communicate and use issuer-defined risk parameters in the chip to make the authorization decision
• Offline transactions may be used when there is no online connectivity
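The online card-authentication step above, as an added illustration that is not code from the deck: a simplified model in which the issuer derives a per-card key at personalization and the chip proves possession of it with a per-transaction cryptogram. The HMAC-based key derivation, the field layout and the counter check are assumptions for this toy, not the EMV specification's actual algorithms.

```python
import hashlib
import hmac

# Simplified model of EMV online card authentication (assumed construction, not
# the EMV specification's key derivation or cryptogram algorithm).

def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Personalization: each card receives a key derived from issuer-specific secrets."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()

def transaction_data(atc: int, amount_cents: int, unpredictable_number: int) -> bytes:
    """Fields bound into the cryptogram: transaction counter, amount, terminal nonce."""
    return (atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big")
            + unpredictable_number.to_bytes(4, "big"))

class Chip:
    """The card: holds its key and an application transaction counter (ATC)."""
    def __init__(self, card_key: bytes):
        self._key = card_key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: int) -> tuple:
        self.atc += 1   # a fresh counter value for every transaction
        data = transaction_data(self.atc, amount_cents, unpredictable_number)
        return self.atc, hmac.new(self._key, data, hashlib.sha256).digest()[:8]

class Issuer:
    """Online authorization host: re-derives the card key and checks the cryptogram."""
    def __init__(self, master_key: bytes):
        self._master = master_key
        self._last_atc = {}   # pan -> highest ATC accepted, used to reject replays

    def validate(self, pan: str, atc: int, amount_cents: int,
                 unpredictable_number: int, cryptogram: bytes) -> bool:
        data = transaction_data(atc, amount_cents, unpredictable_number)
        expected = hmac.new(derive_card_key(self._master, pan), data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, cryptogram):
            return False   # counterfeit card (static data only, no key) or altered data
        if atc <= self._last_atc.get(pan, 0):
            return False   # replayed cryptogram
        self._last_atc[pan] = atc
        return True
```

A card cloned from skimmed static data can reproduce the PAN but not the cryptogram, which is the point the slide makes about counterfeit cards.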

EMV security / increased protection against fraud
• EMV cards store payment information in a secure chip rather than on a magnetic stripe
• The personalization of EMV cards is done using issuer-specific keys
• Unlike a magnetic stripe card, it is virtually impossible to successfully create a usable counterfeit EMV card

Multi-layered security / why EMV alone is not enough
EMV authenticates the validity of the card
EMV authenticates the validity of the cardholder
EMV DOES NOT secure the data

Multi-layered security / why encryption and tokenization alone are not enough
• Encryption and tokenization are mechanisms to protect sensitive cardholder data, but those methods do not authenticate the data
• Without EMV, it is likely that you would be protecting fraudulent data
• Without EMV, merchants bear the liability for fraudulent transactions
  o The extent of the liability varies, depending on card brand

Multi-layered security / complete data protection
EMV offers a good start to enhancing data security, with:
• Card authentication
• Cardholder verification
• Transaction authorization
But a multi-layered security approach that includes encryption and tokenization provides complete data protection, safeguarding both merchants and their customers.

Beyond EMV /
Why P2PE is a Key Component to Multi-layered Security
JULY 29, 2015

Multi-layered security / the solution to criminal attacks
Beyond Security – Why You Need Multi-Layered Security / P2PE - 07/29/2015
Merchants’ payments systems continue to be under attack by criminals
• Malware – mainly memory scrapers – installed on merchants’ point of sale (POS) systems
• Roughly 100 Million cards captured from December 2013 through 2014
• Monetized through the selling of dumps on the dark web
• Track data dumps are worth more than PAN/Expiry
• PAN/Expiry still has value in CNP environment
The purpose of multi-layered security is to stop attacks
• Removes the monetization potential and encourages the criminals to move on
• Reduces the value of captured data to zero

Point-to-point-encryption (P2PE) / attack points – points to protect
Source: Hacking the Point of Sale, Slava Gomzin, 2014
EMV still sends card data in the clear
To protect the POS: Merchant must be successful 100% of the time
To attack the POS: Criminals only need to be successful one time
The odds do not favor the merchant

Multi-layered security / the way to protect
Multi-layered security ensures card data protection
• EMV for card authentication – protect against fraudulent cards
• Point-to-point encryption (P2PE) – no clear card data outside secure POI
• Tokenization – Protect card data at rest
Now a successful attack on the POS will yield data that cannot be monetized
“I think the bigger [merchants] could maybe put a fence around this, such that it gets harder and harder. But the little guys are looking to just plug in the malware once, and it doesn’t matter if you have to get the big guys once to get 50 million cards, or you have to get 1,000 cards from 50,000 compromised merchants.”
-Rich Stuppy, COO at Kount
http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-malware

P2PE / the process
How P2PE works
• Encrypt data at point of acceptance
• Encryption done in a secure terminal
• Decryption done in a gateway or at the processor
• No systems in between will see monetizable card data
Available in multiple flavors
• DUKPT – just like PIN encryption
• Public / Private key
• Format preserving encryption
ENCRYPT – Devices are provisioned for P2PE
PASS-THRU – POS system “sees” only encrypted transactions, passing them to back end
DECRYPT – Centralized decryption and tokenization service
PROCESS – Transactions are managed normally

PCI P2PE program / gold standard for P2PE
PCI P2PE program validates full solutions to meet top level security standards
Merchants using validated P2PE solutions de-scope their POS and other merchant systems
• Move from SAQ-D (Merchant) to SAQ-P2PE
• Reduces 300 questions to roughly 30
PCI P2PE requirements cover full solutions in six domains
• Terminal and terminal application
• Supply chain/custody controls before and after key injection
• Key injection and key management
• Decryption environment
Only 12 solutions worldwide (4 in US), validated in 3 years of P2PE v1.x
Modularity for solutions added in version 2, released on June 30, 2015

Beyond EMV /
Major Retailer Takes a Multi-Layered Approach to Boost Security
Case Study

Major Retailer / multi-layered security success story
Beyond EMV – Why You Need Multi-Layered Security / Major Retailer Success Story – 8/7/2015
• One of America’s leading neighborhood / community apparel retailers
• 850+ specialty stores in small and mid-sized communities
• 10 – 50K employees

Major Retailer / multi-layered security success story

Challenge / Opportunity
• In 2014, several large retailers were victims of massive network breaches, resulting in credit card exposures for millions of customers
• This major retailer wanted to get all of its improved defenses in place before the 2014 holiday shopping season, which kicks off around Thanksgiving
• History has shown that criminal data breaches peak during the holidays

Solution
The company’s IT leadership devised a strategy to upgrade and fortify the retailer’s infrastructure:
• Implemented point-to-point encryption (P2PE) - Ingenico Group’s On-Guard solution
• Upgraded malware and virus defenses
• Strengthened network defenses
• Ethical hacking exercise to identify potential weaknesses
• Employee education on social engineering

Results
• Eliminated the tens of millions of customer payment card numbers that they had been encrypting and decrypting in their POS systems each year
• P2PE provides them with short-circuits, fully removing the payment card data – which helps eliminate criminal breaches
• Phishing was reduced from a 70 percent fail rate to a less-than 2 percent fail rate

HoneyBaked Ham / PCI-validated P2PE success story
“Protecting your customers and your corporate brand continue to be the biggest challenges faced by IT executives. To meet that challenge, we've worked with a P2PE solution provider to adopt a PCI-validated P2PE payment solution across all our stores in a simplified and cost-effective way.”
Bill Bolton, VP, Information Technology, HoneyBaked Ham
• HoneyBaked Ham is a privately held retailer that sells ham, turkey breast and other pre-cooked entrées, side dishes and desserts
• 200+ franchise locations and several corporate outlets
• 1001-5000 employees
Beyond Security – Why You Need Multi-Layered Security / HoneyBaked Ham Success Story – 8/7/2015

HoneyBaked Ham / PCI-validated P2PE success story

Challenge / Opportunity
• HoneyBaked Ham realized a need for a solution that encrypts all credit card data and reduces PCI compliance scope
• In late 2014, HoneyBaked Ham began investigating PCI-validated P2PE solutions for their corporate outlets as well as for all 200+ franchise locations

Solution
The retailer upgraded their security and chose to use:
• PCI-validated P2PE solution provided by Bluefin
• Ingenico Group’s iPP350 smart terminal
Store rollout of the Bluefin solution and the iPP350 device began March 2015 and went live in April

Results
HoneyBaked Ham anticipates the following results:
• Reduced PCI compliance scope from implementing a validated solution, moving from the 332-question SAQ D to the 35-question SAQ P2PE-HW
• Significant annual assessment savings

Beyond EMV /
Agilysys Improves Hospitality Merchants’ Security With a Validated P2PE Solution
Case Study

Agilysys / hospitality vertical included multi-layered security with a validated P2PE solution
• Agilysys is a leading hospitality provider
• They incorporated the FreedomPay PCI-validated P2PE solution in their rGuest Pay hospitality payments solution
• Solution uses multi-layer security through a validated P2PE solution and tokenization
• Cardholder data is removed in the hospitality environment
• Because the solution is validated, their merchants’ compliance cost is significantly reduced

Information contained in this document is private and confidential. This document contains information sensitive to the strategic positioning of Double Diamond Group, LLC and is considered a trade secret of Double Diamond Group, LLC.
Tokenization

Tokenization: What it Is
• What it is: Tokenization is the replacement of static card numbers with randomized numbers that cannot be used to complete payment transactions.
• How it’s different than encryption:
  • Encryption uses an algorithm to mask payment data.
  • Tokenization randomizes the data (requires a lookup table).
  • Tokenization is therefore applied at different stages of payment processing.

Tokenization: Who/How it Helps
Merchant Services Providers (MSPs) offer tokenization to reduce data security risks and costs for merchants.
1. The device encrypts card data at the point of entry (hardware-based encryption)
2. The gateway or processor decrypts the data for the network’s use (off of merchant servers),
3. and stores the data in tokenized form for downstream use.
[Diagram labels: Static number, P2PE enabled device, Encrypted number, Gateway / processor, Issuer; downstream: Storage, Accounting, Back-office]
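The ENCRYPT / PASS-THRU / DECRYPT / PROCESS flow from the "P2PE / the process" slide and the three-step MSP tokenization model above, as an added example that is not code from either deck: the POI encrypts the PAN, the POS only forwards ciphertext, and the gateway decrypts and hands back a random token it keeps in a lookup table. The cipher (a SHA-256 keystream plus an HMAC tag under one static key) is an assumed toy standing in for the DUKPT, public/private-key or format-preserving schemes the slides list.

```python
import hashlib
import hmac
import secrets

# Assumed toy cipher (SHA-256 keystream + HMAC tag) standing in for the DUKPT / public-key / FPE options on the slides; not a production scheme.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def poi_encrypt(key: bytes, pan: str) -> dict:
    """ENCRYPT: the secure terminal (POI) encrypts the PAN at the point of acceptance."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}

def pos_pass_through(message: dict) -> dict:
    """PASS-THRU: the merchant POS forwards the message unchanged; it holds no key."""
    if "ciphertext" not in message or "tag" not in message:
        raise ValueError("POS only accepts encrypted messages")
    return dict(message)

class Gateway:
    """DECRYPT: centralized decryption and tokenization, off the merchant's systems."""
    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}   # token -> PAN lookup table (the only link back to the PAN)
    def decrypt(self, message: dict) -> str:
        nonce, ct = bytes.fromhex(message["nonce"]), bytes.fromhex(message["ciphertext"])
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(message["tag"])):
            raise ValueError("tampered or mis-keyed message")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct)))).decode()
    def tokenize(self, pan: str) -> str:
        """Replace the PAN with a random value; it maps back only through the vault."""
        token = secrets.token_hex(8)   # random, carries no relationship to the PAN
        self._vault[token] = pan
        return token
    def detokenize(self, token: str) -> str:
        return self._vault[token]

def run_transaction(gateway: Gateway, key: bytes, pan: str) -> tuple:
    """PROCESS: returns what the POS saw and the token the merchant keeps downstream."""
    seen_by_pos = pos_pass_through(poi_encrypt(key, pan))
    token = gateway.tokenize(gateway.decrypt(seen_by_pos))
    return seen_by_pos, token
```

A memory scraper on the POS in this model captures only the nonce, ciphertext and tag, and the merchant's back office holds only the token, which is the "data that cannot be monetized" outcome the P2PE slides describe.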

Tokenization: Who/How it Helps
The same model exists for e-commerce transactions, normally in the form of a hosted payments page.
[Diagram labels: Hosted payments page (“Buy Now”), Static number, Encrypted number, Gateway / processor, Issuer; downstream: Storage, Accounting, Back-office]

Tokenization: Who/How it Helps
Payment networks offer tokenization to reduce data security risks and costs for issuers and consumers.
[Diagram labels: Contactless enabled device, Tokenized number, Encrypted, tokenized number, Gateway / processor, Issuer; downstream: Storage, Accounting, Back-office]
• Separate the mobile device from the credit card.
• Save money on card replacement.
• Reduce/prevent issuer fraud loss.

End to End Security
[Diagram labels: Static number, P2PE enabled device, Encrypted number, Gateway / processor, Tokenized number, Issuer; downstream: Storage, Accounting, Back-office; security layers: EMV and Issuer tokenization, P2PE, Tokenization]

Recommendations
• For complete security, adopt or sell P2PE and tokenization as a package.
• EMV enhances issuer/consumer security and mitigates some chargeback risk. Evaluate based on consumer demand and cost/benefit analysis.
• Contactless also enhances issuer/consumer security but without impacting merchant chargeback exposure. Contactless adoption does provide some PCI audit relief. Evaluate based on consumer demand and cost/benefit analysis.
• Consider buying/selling in a bundle. When upgrading to P2PE and tokenization, contactless and EMV should be part of the package.

Editor's Notes
Card authentication, protecting against counterfeit cards. The card is authenticated during the payment transaction, protecting against counterfeit cards. Online transactions contain a unique chip-generated cryptogram validated by the issuer; offline transactions are validated with the terminal using PKI Data Authentication.
Cardholder verification, authenticating the cardholder and protecting against lost and stolen cards. EMV supports four issuer-defined and prioritized cardholder verification methods (CVM): offline PIN, online PIN, signature, or no CVM (typically for unattended kiosks or small ticket transactions).
Transaction authorization, using issuer-defined rules to authorize transactions. The transaction is authorized either online or offline. Online, transaction information is sent to the issuer, along with a unique cryptogram, and the issuer makes the authorization decision. Offline, the card and terminal communicate and use issuer-defined risk parameters in the chip to make the authorization decision. Offline transactions may be used when terminals do not have online connectivity, subject to card brand or network rules.
All merchants are Targets (no pun intended)
EMV would not have prevented the major breaches (like the one at Target)
P2PE and Tokenization would have, but only when used in combination with each other
The security layers each protect a different part of the merchant ecosystem (1, 2, 3)
Encryption and tokenization are best used together. Each involves an ongoing service to decrypt card data for processing, and to manage tokens and lookup tables.
In the hosted payments page, the consumer enters the transaction data into the service provider’s website so the merchant’s page never touches payment data. There are various ways to manage this to make sure that the consumer experience is seamless.
There’s lots of current press about a new type of tokenization provided by the payment networks and used by Apple Pay and Android Pay, and Samsung Pay (coming soon)
It’s often referred to as multi-layered security, but it’s not really multi-layered, which implies multiple security layers over each component of the payment process. It’s not that, it’s really end to end security where each component of the process is covered by a single security solution. The solutions complement each other, and need to be used in conjunction with each other for complete security.