End-to-End Encryption for Credit Card Processing

4,001 views

Published on

Discussion of different approaches to E2EE in the credit card industry.

Published in: Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,001
On SlideShare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
151
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide
  • End-to-End Encryption for Credit Card Processing

    1. 1. END TO END ENCRYPTION Heartland’s Silver Lining?
    2. 2. Overview <ul><li>Heartland breach as impetus for End-to-End Encryption </li></ul><ul><li>Description of card transaction process </li></ul><ul><li>Heartland’s approach to End-to-End Encryption </li></ul><ul><li>Encryption and Key Management Methods used </li></ul><ul><li>Other Processor & Merchant solutions </li></ul><ul><li>Smartcard solutions </li></ul>
    3. 3. Heartland Payment Systems, Inc <ul><li>On Inauguration Day, HPS announced breach Occurred from May 2008 until January 2009 </li></ul><ul><li>Approximately100 million credit and debit cards compromised from 650 financial institutions </li></ul><ul><li>More electronic records were breached in 2008 than in the previous 4 years </li></ul><ul><li>Track (magnetic strip) Data was obtained which includes card number and sometimes Name. </li></ul>
    4. 4. The Beginning of End-to-End <ul><li>Robert Carr, CEO, has hosted a ‘preliminary planning meeting’ on May 7 th for the Accredited Standards Committee X9 at Heartland headquarters. As of 9/1/09, X9 did not have a standard yet. </li></ul><ul><li>The Goal – find a way to standardize End-to-End Encryption. This is being promoted as a panacea to external data threats. </li></ul><ul><li>Enabling E2EE would, in theory, limit the scope of PCI-DSS security requirements and audits for merchants and Processors. </li></ul>
    5. 5. The Credit Debit Process
    6. 6. The Credit Debit Process
    7. 7. The Credit Debit Process Loyalty Programs
    8. 8. The Credit Debit Process Loyalty Programs
    9. 9. The Heartland-Voltage Security Plan E3 <ul><li>Tamper Resistant Terminal encrypts PAN with AES </li></ul><ul><li>Equipment manages its own private keys </li></ul><ul><li>Encrypted data is passed to and from Processor </li></ul><ul><li>Unencrypted track data is not stored at Merchant </li></ul><ul><li>Merchant stores all encrypted card data in a HSM. </li></ul><ul><li>Encryption keys are stored with Processor </li></ul><ul><li>All encryption/decryption happens at Processor’s HSM </li></ul><ul><li>“ Securely Delivered” to the card brands </li></ul><ul><li>Token is Card Brand reference#, date stamp & last 4 digits of the PAN </li></ul><ul><li>Token is sent back to merchant for chargebacks and other post-processing </li></ul>1234-56XX-XXXX-7899
    10. 10. FFSEM Mode AES and IBE <ul><li>FFSEM – Feistel Finite Set Encryption Mode </li></ul><ul><li>Preserves the format of the data while encrypting the digits for system management purposes w/AES. </li></ul><ul><li>Encrypts numbers only and data must be between 9 and 19 digits. </li></ul><ul><li>Developed by Voltage, Heartland’s encryption partner, and not yet PCI authorized method. </li></ul><ul><li>IBE – Identity Based Encryption uses shared information about cardholder as the public key. Public and private keys are managed by a trusted third party called the PKG (private key generator). </li></ul>
    11. 11. Hardware Security Module <ul><li>Secure cryptoprocessor </li></ul><ul><li>Goals: </li></ul><ul><ul><li>Onboard secure key generation </li></ul></ul><ul><ul><li>Onboard secure storage </li></ul></ul><ul><ul><li>Use of cryptographic and sensitive data material </li></ul></ul><ul><ul><li>Offloading application servers for complete asymmetric and symmetric cryptography. </li></ul></ul><ul><li>Provides both logical and physical protection from non-authorized use. </li></ul>
    12. 12. Steven Elefant, CIO HPS <ul><li>“ When we peel back the onion and look at the so-called end-to-end solutions out there, we find that they're really point-to-point solutions…True end-to-end encryption to us, … [starts] from the time the digits leave the magstripe on the consumer's card, and is turned from analog data into digital data, [and continues] all the way through the terminal, through the wires, through our host processing network until we securely deliver it to the brands.” </li></ul>
    13. 13. Other Hats in the Arena <ul><li>First Data and RSA have teamed up for a tokenization approach where the encrypted card data is at the Processor site and the merchant has only the token, created by the Processor. </li></ul><ul><li>RBS Worldpay (another hacker victim) will market VeriFone secure swipe terminals. Also uses format-preserving AES encryption. </li></ul><ul><li>Merchants are pursuing their own tokenization schemes. Fingerhut will tokenize all of their card data-at-rest and store encrypted card numbers in an HSM. </li></ul>
    14. 14. E2EE - Problems <ul><li>Not all transactions are initiated at a swipe machine. How often have you made a payment over the phone or on the internet? </li></ul><ul><li>Virtual Point of Sale websites are replacing swipe machines, increasing web exposure to card data. </li></ul><ul><li>Many business need to un-encrypt card data for recurring transactions, returns, pay on ship, etcetra. </li></ul><ul><li>The one greatest point of weakness, the magnetic strip can still be lifted and cloned. </li></ul><ul><li>Most End-to-End solutions do not extend past the processor. </li></ul>
    15. 15. E2EE – How It Would Work <ul><li>Visa’s recommendations: </li></ul><ul><ul><li>Limit clear-text cardholder and authentication data </li></ul></ul><ul><ul><li>Use robust key management solutions that meet international standards </li></ul></ul><ul><ul><li>Use recognized cryptographic algorithms </li></ul></ul><ul><ul><li>Protect devices used to perform cryptographic functions </li></ul></ul><ul><ul><li>Consider Tokenization as a data surrogate in place of credit card numbers. </li></ul></ul><ul><li>They are essentially recommending the use of the smartcard(chip) or something like a Speedpass </li></ul>
    16. 16. Other Security Measures - Smartcards <ul><li>EMV – Microprocessor Chip Card popular outside the US. Expensive to implement: </li></ul><ul><ul><li>Cryptographic coprocessor </li></ul></ul><ul><ul><li>Public key certificate management at the terminal level </li></ul></ul><ul><ul><li>Card data is still being stolen and transferred to the US for fraudulent transactions with mag-strip cloned cards. </li></ul></ul><ul><li>Contactless Token – (i.e. speedpass) </li></ul>
    17. 17. Other Security Measures - Smartcards <ul><li>Contactless Smartcards with Online Dynamic Cryptograms </li></ul><ul><ul><li>Cryptogram is a type of digital signature </li></ul></ul>

    ×