NetMatrix TLE Terminal Line Encryption. SPVA certified, DUKPT, 3DES, DES, AES, End-to-end encryption (E2EE), Multiple MACing algorithms, Local and remote secure key injection


NetMATRIX (Multi-Application Transaction Routing and Identification eXchange) Terminal Line Encryption is the complete solution for banks wishing to introduce terminal line encryption into their existing POS network infrastructure.

1. Multi-box, high-performance, high-availability, load-balancing architecture
2. Multi-host links: Performs smart routing to multiple hosts
3. Multiple channels: dial-ups, lease lines, GPRS, broadband
4. End-to-end encryption (E2EE) featuring multiple encryption algorithms: TEA, DES, 3DES, AES
5. Upstream/Downstream encryption
6. Multiple MACing algorithms: X9.9, X9.19, SHA-1 + X9.9, SHA-1 + X9.19
7. Multiple key management schemes: Unique key per terminal, unique key per transaction
8. Supports different messaging formats (full message encryption, selected field encryption)
9. Local and remote secure key injection capabilities
10. Supports leading terminal brands and models
11. PCI compliance


With NetMATRIX TLE, we addressed network security and fraud threats with a plug-and-play solution that requires no host changes. In providing critical capabilities such as remote key injection and management, NetMATRIX also addresses other administration and deployment issues such as mixed terminal environments, phased deployments, and key changeovers.


Despite its holistic approach to security and encryption, it is also scalable and highly available to meet the demands of mission-critical, high-volume transaction processing environments, providing 3-in-1 functionality: a combination of Switching NAC, Concentrator NAC and TLE.

Published in: Technology, Economy & Finance
  • Mixed environment: mix of encrypting / non-encrypting terminals; different terminal vendors; different terminal capabilities; coexistence of multiple encryption schemes
    * Deployment issues: terminal key injection; phased rollout
    * Security: holistic treatment of security? Procedures, processes, technology. Addresses other possible attacks? Understanding of possible attacks & risks? Terminal key storage?
    * Performance: scalability; impact on host performance; impact on terminal performance
    * Terminal implementation: simplicity of terminal implementation; multi-vendor implementation
    * Impact on current infrastructure: host changes? Network & terminal changes? Stability? Robustness? Performance? Response time?
    * Impact of future changes: changes in message formats; different message versions
    * Shared network: tag-on terminal applications
    * Future requirements: multiple hosts & applications; different channels
    * Cost: return on investment
  • GHL’s Interception-based approach: introduction to the Key Features slides
  • Does chip effectively prevent counterfeit fraud? The fraud statistics (Figure 1) for Malaysia clearly show the strong inverse relationship between increasing chip maturity and declining counterfeit fraud.
  • First & foremost, let us establish some of the facts before us… Collection began in 2002 – contrast numbers: 20,733.5
  • NetMATRIX TLE – Terminal:
    * NetMATRIX TLE comes with an SDK for the terminal
    * Secure key storage for the terminal
    * Guards against terminal-to-terminal copy
    * Local & remote key injection capability
  • NetMATRIX TLE – Host-side:
    * Plug N Play – minimal change to infrastructure, no host changes
    * 3-in-1 functionality – Digital SNAC, CNAC, TLE
    * Form factors – boxed solution
    * Key storage – HSM-based or software-based (option)
    * Selected-Field-Encryption (SFE), Full-Message-Encryption (FME)
    * Multiple encryption algorithms: DES, 3DES, AES, TEA
    * Multiple MACing algorithms: SHA-1+AES, SHA-1+RMAC
    * Multiple key usage methodologies – unique-per-terminal, unique-per-transaction
    * Multiple hosts support
    * Multiple key groups – different apps/vendors can have different keys
    * Multiple channels – dial-up, lease line, GPRS, GSM, broadband, etc.
    * Supports upstream & downstream encryption & MACing
    * High-performance, high-availability, horizontal scalability (120 tps, 200 tps)
    * ISO 8583 compliant – will support any compliant NAC
    * Utilities – local & remote key injection utility
    * Extensible – can be used for other applications
  • The NAC sends transactions to the NetMATRIX farm. The farm uses a load-balancing service across its machines, so that all of them share the same virtual IP address. The NAC tries to establish a connection with this virtual IP address; one of the NetMATRIX boxes accepts the connection request, and thereafter the NAC has a persistent connection with that one box. Transactions from the NAC are subsequently funnelled through this connection and reach this primary NetMATRIX machine, which then distributes the transaction messages to the other boxes in the farm for processing. Transaction load: > 120 tps = 7,200 tpm = 432,000 tphr = 10.3 million tpd = 311 million tpmonth

    Agenda
    PAYMENT & SECURITY TRENDS
    Payments: The story so far… “… Globally, the drive to increase (card) payments efficiency and security is relentless…” “… Globalisation is increasingly emphasising the need for widely accessible, seamless, & secure ways of effecting non-cash payments to facilitate consumer spending, and to reduce fraud and money laundering.…” “… More efficient, effective systems could also help lessen systemic risk & potentially provide a source of additional retail revenue for banks.…”
    Vietnam embraces the electronic era “… Vietnam is regarded by the global banking industry as one of the most fertile growth hotspots in the world, particularly for cards and electronic payments….” VRL Financial News, October 2009
    Security: The story so far… “… increased incidences of ATM and card skimming.…” “… the need to reassure cardholders about the safety and security of card transactions.…” “Statistics from 2007 show the level of payment card fraud in Vietnam stood at 0.15 percent of total card payments, a much higher level than the global average of 0.06 percent.”
    E2EE: What is it? Computer Desktop Encyclopedia: “… is defined as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination.…”
    E2EE: The story so far… Smart Card Alliance, Sept 2009
    KEY CONCEPTS OF TLE
    Encryption (en·cryp·tion): In cryptography, encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. (Wikipedia)
    Message Authentication Code: MAC-ing is the process of “fingerprinting” data to allow any tampering to be detected, where the fingerprint is encrypted so that only the sender/receiver can form a real MAC, thus allowing the receiver to authenticate & verify the message.
    THE MALAYSIAN EXPERIENCE
    Real Tapping Threats
    Wire tapping threats
    A brief look at history…
    The Line Encryption Working Group
    Design Parameters
    Key Considerations
    Minimum Data Encryption Requirements
      • Highest Score: 2-2-4-2-3-4
      • Lowest Score: 1-1-1-1-1-1
      • Encrypted Data Elements
        * CVV
        * CVV and PAN / Track2
      • Terminal Key Storage
        * Outside secure module
        * Within tamper reactive module
      • Key Usage Methodology
        * Unique-key-per-terminal
        * Unique-key-per-session-per-terminal
        * Unique-key-per-transaction
        * Derived Unique Key Per Txn (DUKPT)
      • Key Differentiation
        * Same key for ENC & MAC
        * Different key for ENC & MAC
      • Encryption Algorithm
        * TEA – Tiny Encryption Algorithm
        * DES – Data Encryption Standard
        * 3DES/AES
      • MAC Algorithm
        * No MAC
        * CRC32 + MAC
        * CRC32 + RMAC
        * SHA-1 + RMAC, or SHA-1 + AES MAC
    (Chart on the slide: axes ENC Data elements, Key Storage, Key Usage, Key Differentiation, ENC algorithm, MAC algorithm; values shown 2 2 4 2 4 3.)
    General Approaches (diagram of three options, Host-based, NAC-based and Interception-based, with boxes labelled Host, HSM, NAC, SNAC)
    TLE: Typical Transaction Flow (diagram; actors: Terminal, NAC, Data Center Host)
      1. Terminal: encrypt selected fields in transaction
      2. Decrypt & validate transaction
      3. Reform to original message
      4. Send to Host
      5. Response from Host
      6. Encrypt & MAC response
      7. Decrypt & validate response message
    THE RESULTS
    The Results… (chart slides; source: Visa VPSS Payment Security Bulletin, 2006)
    Payments: The story today… Source: BNM, 2009 Financial Stability and Payment Systems Report 2008
    Payments: The story today “… (card fraud) losses continued to be insignificant, accounting for less than 0.04% of total card transactions during the year.”
    PAYMENT SECURITY MYTHS
    Encryption Myths
    Summary: Considerations for TLE
      • Addresses all threats
      • Addresses implementation issues
      • Addresses deployment issues
      • Addresses administration issues
      • Multi-channel & multi-device support
      • Remote key injection
      • Vendor independence
      • Performance
      • Cost-effective
    Additional References
      • The Smart Card Alliance (http://www.smartcardalliance.org/)
      • PCI Security Standards Council (https://www.pcisecuritystandards.org/)
      • Visa Best Practices, Data Field Encryption Version 1.0 (http://corporate.visa.com/_media/best-practices.pdf)
      • Secure POS Vendors Association (http://www.spva.org/index.aspx)
      • GHL Systems (http://www.ghl.com/netMATRIX)
    WHAT IS NETMATRIX TLE?
    NetMATRIX TLE (Terminal Line Encryption) is a plug-and-play solution for banks who wish to introduce terminal line encryption into their POS network infrastructure.
    NetMATRIX TLE: Approach (diagram of the three approaches, Host-based, NAC-based and Interception-based, with boxes labelled Host, HSM, NAC, SNAC)
    Key Considerations
    Key Features
    Key Features (continued)
    NETMATRIX ARCHITECTURE
    “Typical” Transaction Flow (diagram labels: Credit Card Host NII: 160, Issuing Bank Host, Acquiring Bank, EDC Terminals, Switching NAC, Remote NAC, NetMATRIX, Acquiring Host, 160 Message)
    Encrypted Transaction Flow (diagram labels: Credit Card Host NII: 160, NetMATRIX TLE NII: 161, Issuing Bank Host, NetMATRIX, Acquiring Bank, Acquiring Host, EDC Terminals, Switching NAC, Remote NAC, 161 Enc Message, 160 Enc Message)
    Encrypted Transaction Flow II (diagram labels: Credit Card Host NII: 160, NetMATRIX TLE NII: 161, NetMATRIX, Acquiring Bank, Acquiring Host, Issuing Bank Host, EDC Terminals, Switching NAC, Remote NAC, 161 Enc Message, 160 Enc Message)
    NetMATRIX: How it Works (diagram; actors: Terminal, NAC, Data Center Host)
      1. Terminal: encrypt selected fields in transaction
      2. Decrypt & validate transaction
      3. Reform to original message
      4. Send to Host
      5. Response from Host
      6. Encrypt & MAC response
      7. Decrypt & validate response message
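    The seven-step flow above, worked through as an added example (not GHL's NetMATRIX code and not taken from this deck): the selected fields are encrypted with TEA, one of the algorithms on the deck's list, the whole message carries a MAC under a separate key (the slide's "Different key for ENC & MAC"), and the receiving side verifies the MAC before it decrypts anything; the same block also illustrates the earlier "TLE: Typical Transaction Flow" slide and the MAC-ing definition. TEA in CBC mode with a per-field IV, HMAC-SHA1 standing in for the deck's X9.9/X9.19-style MACs, the ISO 8583-style field names and the demo keys are all assumptions.

```python
import hashlib, hmac, os, struct
DELTA, M32 = 0x9E3779B9, 0xFFFFFFFF  # TEA constants: golden-ratio delta and 32-bit mask

def tea_encrypt_block(v0, v1, k):
    # TEA: 32 rounds over a 64-bit block (two 32-bit words) with a 128-bit key k (four words)
    s = 0
    for _ in range(32):
        s = (s + DELTA) & M32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M32
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    s = (DELTA * 32) & M32
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & M32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & M32
        s = (s - DELTA) & M32
    return v0, v1

def tea_cbc_encrypt(key, data):
    n = 8 - len(data) % 8                                # PKCS#7-style padding to the 8-byte block size
    data, iv = data + bytes([n]) * n, os.urandom(8)      # fresh IV per call, sent in front of the ciphertext
    k, prev, out = struct.unpack(">4I", key), struct.unpack(">2I", iv), b""
    for i in range(0, len(data), 8):
        b0, b1 = struct.unpack(">2I", data[i:i + 8])
        prev = tea_encrypt_block(b0 ^ prev[0], b1 ^ prev[1], k)
        out += struct.pack(">2I", *prev)
    return iv + out

def tea_cbc_decrypt(key, blob):
    k, prev, out = struct.unpack(">4I", key), struct.unpack(">2I", blob[:8]), b""
    for i in range(8, len(blob), 8):
        blk = struct.unpack(">2I", blob[i:i + 8])
        p0, p1 = tea_decrypt_block(blk[0], blk[1], k)
        out += struct.pack(">2I", p0 ^ prev[0], p1 ^ prev[1])
        prev = blk
    return out[:-out[-1]]                                # strip the padding

def mac_of(msg, mac_key):
    # HMAC-SHA1 over a canonical serialisation: a stand-in for the deck's X9.9/X9.19-style MACs
    body = "|".join(f"{k}={msg[k]}" for k in sorted(msg) if k != "MAC").encode()
    return hmac.new(mac_key, body, hashlib.sha1).hexdigest()

def protect(msg, enc_key, mac_key, fields):
    # Terminal step 1 / TLE step 6: encrypt only the selected fields, then MAC the whole message
    out = {k: tea_cbc_encrypt(enc_key, v.encode()).hex() if k in fields else v for k, v in msg.items()}
    out["MAC"] = mac_of(out, mac_key)
    return out

def unprotect(msg, enc_key, mac_key, fields):
    # TLE steps 2-3 / terminal step 7: verify the MAC before touching ciphertext, then reform the clear message
    if not hmac.compare_digest(msg.get("MAC", ""), mac_of(msg, mac_key)):
        raise ValueError("MAC mismatch: message rejected before decryption")
    return {k: tea_cbc_decrypt(enc_key, bytes.fromhex(v)).decode() if k in fields else v
            for k, v in msg.items() if k != "MAC"}

ENC_KEY, MAC_KEY = bytes(range(16)), bytes(range(16, 32))  # constructed demo keys; ENC and MAC keys differ
ENC_FIELDS = ("35", "CVV")                                  # Track2 and CVV: the slide's minimum encrypted elements

def tle_round_trip(request):
    wire = protect(request, ENC_KEY, MAC_KEY, ENC_FIELDS)            # 1: terminal encrypts & MACs
    at_host = unprotect(wire, ENC_KEY, MAC_KEY, ENC_FIELDS)          # 2-4: TLE verifies, decrypts, forwards clear
    response = {"MTI": "0210", "39": "00", "4": at_host["4"]}        # 5: host answers in the clear
    wire_rsp = protect(response, ENC_KEY, MAC_KEY, ())               # 6: TLE MACs the response
    return wire, at_host, unprotect(wire_rsp, ENC_KEY, MAC_KEY, ())  # 7: terminal verifies it
```

    Field 4 (amount) and the MTI stay in the clear on the wire, which is what "selected field encryption" means in practice, while the MAC still covers them so a change to the amount is rejected.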
    Efficiency: Clustering & Load-Balancing (diagram labels: Host, NAC, TCP/IP, Load Balancing, Cluster)
    Business Continuity: Auto-Failover (diagram labels: Host, NAC, TCP/IP, Failover, Cluster)
    GHL SYSTEMS
    Our Mission: To be the leading end-to-end payment services enabler in the Asia-Pacific region, deploying world-class payment infrastructure, technology and services
    Products & Services offerings. World-class payment infrastructure, services and technology:
      • Transaction routers & concentrators
      • Terminal Line Encryption technologies
      • Loyalty & Online Payment solutions
      • Smartcard technologies
      • 24x7 Managed Network Services
      • Consulting Services
      • Terminal Management Solutions
      • Contactless Payments
    Complete Payment Network Integration
    Addressing Strategic Needs
    GHL Systems Regional Presence
      • Country Offices: Bangkok, Beijing, Hong Kong, Kuala Lumpur, Manila, Singapore, Hanoi, Ho Chi Minh City, Wuhan
      • Products Deployed: Australia, Bangladesh, Bhutan, Brazil, Brunei, Cambodia, China, Guam, Hong Kong, KSA, India, Indonesia, New Zealand, Pakistan, Philippines, Qatar, Romania, Sri Lanka, Seychelles, Taiwan, Thailand, Vietnam, United Kingdom
      • Future Expansion: Australia/NZ, Brazil, India, Qatar, Romania, UAE, United Kingdom, USA
    Accolades & Accomplishments
      • MSC APICTA Asia/Pacific ICT Awards 2009: Security & Communications
      • MSC APICTA Asia/Pacific ICT Awards 2008: Financial Applications & Communications
      • MasterCard Worldwide PayPass Best Product Solutions Partner 2008
      • Largest Third-Party Debit Acquirer in Malaysia 2008 - CardPay
      • VeriFone’s VIP (distributor) in Malaysia since 1999
      • VeriFone President’s Club Award 2000, 2002, 2003, 2004, 2005 (award for outstanding performance in Asia-Pacific)
      • VeriFone Innovation Award 2001, 2002, 2003 & 2007
      • Ingenico / Sagem-Monetel OEM Partner 2006, 2007, 2008 & 2009
      • Sagem-Monetel Partner Value Added Reseller for Malaysia/South East Asia 2006-2007
      • Sagem Defense Securite SHARK Club Member 2006
      • D’ucoty Awards Market Leadership Malaysia 2005
      • D’ucoty Awards Banking – Product Innovation Southeast Asia Gold Award 2006
      • Frost & Sullivan Industrial Technologies Award - Vertical Market Penetration Leadership: Smart Cards Financial Application Market (Malaysia) 2006
      • VISA VPSS-Certified POS Equipment Vendor 2006
    Customer References: Malaysia, Singapore, Indonesia, Vietnam, Brunei
    Customer References: Philippines, China / Hong Kong, Middle East, Romania, Asia/Pacific, Australia / New Zealand, Thailand
    Thank you. Jason Phua, VP, Product Marketing & Strategic Alliances [email_address]; Lau Weng Tat, AGM, Device & Security Management [email_address]
