Slide 1: Encryption vs Tokenisation
Witham Laboratories, Building Confidence in Payment Systems
1/842 High Street, East Kew 3102, Melbourne, Australia. Ph: +61 3 9846 2751, Fax: +61 3 9857 0350
Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain. Ph: +34 93 184 27 88
Email: lab@withamlabs.com
PCI PTS, PCI PIN, PCI DSS, PA-DSS
Slide 2: Agenda
Protecting Cardholder Data
Cryptography and Tokenisation 101
What's the difference?
Format Preserving Encryption
P2PE and TRSM Standards 101
Australian P2PE Implementations
PCI SSC P2PE Activity
Auditing Encryption and Tokenisation
Slide 3: Protecting Cardholder Data
PCI DSS scope = all systems which store, process or transmit card data
Render sensitive elements inaccessible: PAN, track data, online PIN block, CVV2
Req. 3.4 (storage), Req. 4.1 (transmission)
Note that sensitive authentication data (full track data, CVV2, PIN block) must not be stored at all after authorisation (Req. 3.2), so for storage the element to render unreadable is the PAN
Prevents exposure of card data: comms and storage do not reveal card data
Prevents line tapping and memory attacks
Both encryption and tokenisation are referenced as methods
Slide 4: Cryptography 101
Encryption is a keyed reversible function
Output 'looks' different to the input data
Generally encrypts data in 'blocks'
Use standardised encryption algorithms: AES, TDES, ECC, RSA
Security is dependent on the 'key'; the key is just a 'big' number
Good key management is vital
'Attack surface' = the key and the use of the key
Slide 5: Tokenisation 101
Replace the PAN with a 'reference number' of the same format that 'looks' like card data
The PAN is not necessary after the transaction; the token can be used instead
Minimises access to card data
The tokenisation system can 'restore' the PAN, so tokenisation is a reversible process
How is this done?
Slide 6: Tokenisation 101 (continued)
Lots of different tokenisation methods: cryptography, look-up, proprietary
What are the pros and cons of each?
Beware systems based on global secrets: exploit one system, expose many
'Attack surface' depends on the method of tokenisation used and the systems involved in that method
Tokenisation and encryption share some similarities …
Slides 7 to 10: Encryption, visualisation
[Diagram: an input domain of 0 to 2^(block size) is mapped by the encryption algorithm, under a key, onto an output domain of 0 to 2^(block size)]
Encryption maps a value from the input domain to a value in the output domain
Different input values have different output values, based on the value and the key
Changing the key (Key 2 in the diagram) changes the output values for the same input values
The key, and the use of the key, define the attack surface; the algorithm is public
Slides 11 and 12: Tokenisation, visualisation
[Diagram: an input domain from the lowest to the highest PAN value is mapped by the tokenisation system onto an output domain over the same range; the secret is shown as '??' and may be a key, a DB or a server]
Tokenisation is similar: input values are mapped to output values based on secret(s)
Here the attack surface is not as well defined; it may be a key, a DB, a server, or other
Slide 13: What's the difference?
Similarities: a 1:1 reversible mapping of input ↔ output; security dependent on secret(s)
Differences, for encryption: lots of study, security standards and products; well known attack methods and mitigations; may not 'play nice' with existing systems
Tokenisation: no standards, little study, but compatible …
Compromise?
Slide 14: Format Preserving Encryption
'Normal' encryption treats all data as unformatted binary data, so any formatting is 'lost' during encryption
A problem for format-dependent systems, e.g. databases, existing protocols, data capture devices (e.g. PINpads)
Format preserving encryption (FPE) = encryption without loss of formatting
Combines properties of encryption and tokenisation
Slide 15: FPE Common Features
Feistel cipher construction; round function = AES or Triple DES
Systems may modify the inputs for each round
Round function output truncated to the FPE block size; input and round function output remapped as required
Encrypt with multiple Feistel rounds; the number of rounds and the re-mapping depend on the cipher
These details can be important: over a domain as small as a few digits the round count and the remapping are what the security argument rests on …
May only encrypt the middle digits of a PAN, so the card type and Luhn check remain valid
Slide 16: Feistel Cipher
[Diagram of a Feistel round: for any round 'n'; repeat as necessary …]
Slide 17: FPE Algorithm Example
Example: encrypt PAN 4123456789012349
Discard the Luhn check digit
Mod 10 addition (of the round function output to the digit block)
Recalculate the Luhn check digit
Output PAN = 4748232137547657
(The leading 4 is preserved, and both the input and the output pass the Luhn check.)
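The recipe from slides 15 to 17 carried through in code, as an added example that is not Witham Laboratories' code and not the algorithm behind the slide's output PAN: the round function is HMAC-SHA256 rather than AES or TDES so that the example runs on the Python standard library alone, and the round count, the split of the digit block into two halves and the use of the kept prefix as a tweak are illustrative choices, not NIST FF1 or any vendor's scheme. The slide's PAN 4123456789012349 is used as input; because the round function differs, the output is a different Luhn-valid PAN, not the slide's 4748232137547657.

```python
"""Toy format-preserving encryption of a PAN's middle digits (added example).

Feistel network over decimal digits, digit-wise mod-10 addition, leading
digits kept, Luhn check digit recomputed. HMAC-SHA256 stands in for the
AES/TDES round function; ROUNDS and the tweak are illustrative assumptions.
"""
import hmac
import hashlib

ROUNDS = 10  # assumption for the demo; real FPE standards fix this number


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def _round_fn(key: bytes, rnd: int, tweak: str, half: str, out_len: int) -> str:
    """Keyed PRF in place of AES/TDES; output truncated to out_len decimal digits."""
    msg = f"{rnd}|{tweak}|{half}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest, "big") % 10 ** out_len).zfill(out_len)


def _add_mod10(a: str, b: str, sign: int = 1) -> str:
    """Digit-wise (a + sign*b) mod 10; sign=-1 undoes sign=+1, so rounds invert."""
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))


def _feistel(key: bytes, digits: str, tweak: str, decrypt: bool) -> str:
    """Alternating Feistel network; unbalanced halves when the length is odd."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1
    for rnd in order:
        if rnd % 2 == 0:
            a = _add_mod10(a, _round_fn(key, rnd, tweak, b, len(a)), sign)
        else:
            b = _add_mod10(b, _round_fn(key, rnd, tweak, a, len(b)), sign)
    return a + b


def encrypt_pan(key: bytes, pan: str, keep_prefix: int = 6) -> str:
    """Keep the first keep_prefix digits, encrypt the rest bar the Luhn digit, re-Luhn."""
    if not luhn_valid(pan):
        raise ValueError("input PAN fails Luhn check")
    prefix, body = pan[:keep_prefix], pan[keep_prefix:-1]
    if len(body) < 2:
        raise ValueError("too few digits left to encrypt")
    enc = prefix + _feistel(key, body, prefix, decrypt=False)
    return enc + luhn_check_digit(enc)


def decrypt_pan(key: bytes, token: str, keep_prefix: int = 6) -> str:
    if not luhn_valid(token):
        raise ValueError("token fails Luhn check")
    prefix, body = token[:keep_prefix], token[keep_prefix:-1]
    dec = prefix + _feistel(key, body, prefix, decrypt=True)
    return dec + luhn_check_digit(dec)


if __name__ == "__main__":
    key = b"demo-key-not-for-production"          # constructed key
    pan = "4123456789012349"                      # the slide's example PAN
    tok = encrypt_pan(key, pan, keep_prefix=1)    # keep only the card-type digit, as on the slide
    print(pan, "->", tok, "luhn ok:", luhn_valid(tok))
    assert decrypt_pan(key, tok, keep_prefix=1) == pan
```

Two points the code makes concrete. Mod-10 addition is a bijection on one half once the other half is fixed, so every round is invertible whatever the round function outputs; decryption simply runs the rounds backwards and subtracts. And keeping a six-digit BIN on a 16-digit PAN leaves only nine digits to encrypt, a domain of 10^9 values, which is why the slide's "these details can be important" applies to the round count and the remapping rather than to the strength of the underlying AES or TDES.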
Slide 18: Encryption Implementations
FPE is most often used in (DB) servers: provides 'transparent' encryption and is used for tokenisation
FPE is increasingly a feature in PINpad software, and also in encrypting MSRs and credit terminals: encrypt data without 'breaking' the POS software
Encryption of comms for PCI DSS is called 'Point to Point Encryption' (P2PE); FPE is not always used or required
What standards exist?
Slide 19: P2PE Standards 101
ISO 10894* 'Procedures for Message Encipherment'
ANSI X9.119* 'Protection of Sensitive Data between Device and Acquiring System'
PCI SSC: PTS v3 'SRED' and P2PE requirements*
Localised / industry associations and SIGs: SPVA, ATMIA, PCI SIGs, Visa and MC, AS2805.9
Secure hardware (TRSM) is often required
Slide 20: TRSM Standards 101
FIPS 140-2: four approval levels (1 to 4)
Level 1 generally for software only, no hardware security
Level 2 some tamper evident hardware security
Level 3 provides some tamper response
Level 4 full security envelope (hardest level)
PCI PTS (previously PCI PED): v1 and v2 = PIN security only, v3 adds SRED
APCA PED covers PIN security; from 2010 it requires AS2805.9 keys
Slide 21: Australian EFTPOS Standard(s)
AS2805 = Australian Standard for EFTPOS: key management, encryption, message formats, payment processing
Each bank has its own 'interpretation'
AS2805.9 defines message encryption
AS2805.6.x defines key management: unique key per transaction (AS2805.6.2); unique key each day / every 256 transactions (AS2805.6.4); AS2805.6.5.3 for RSA key loading
Watch your key lengths!
Slide 22: AS2805.9
Encryption of each EFTPOS message: extract the non-sensitive elements, encrypt the whole message with TDES in OFB mode, replace the non-sensitive elements and send
OFB is a stream mode of TDES: the keystream is XORed with the data (not FPE)
Things to be aware of:
OFB: same key (and same IV) = same keystream
The same keystream on different transactions allows recovery of transmitted data, since the XOR of two ciphertexts is the XOR of the two plaintexts
AS2805.6.4 keeps the same key for many transactions
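The keystream-reuse point on slide 22 worked through, as an added example that is not from the slides or from AS2805: OFB mode is built on an HMAC-SHA256 block function in place of TDES (OFB only ever runs the block cipher forward, so any keyed function shows the same property), the message layout is constructed rather than real ISO 8583 or AS2805 formatting, and the fixed IV is an assumption here, since the slide only says the key is kept across transactions. The per-transaction key derivation used to show the AS2805.6.2 remedy is likewise illustrative, not the standard's algorithm.

```python
"""Why a reused OFB keystream gives up card data (added example).

Attacker model: run one transaction with a card you own (so that plaintext
is known), capture the victim's ciphertext from the same line, XOR.
HMAC-SHA256 stands in for TDES; message layout and keys are constructed.
"""
import hmac
import hashlib

BLOCK = 8  # TDES block size in bytes: OFB emits keystream 8 bytes at a time


def _block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for TDES encryption of one block (assumption: a keyed PRF is
    enough to show the property, because OFB never runs the cipher backwards)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB: O_0 = IV, O_i = E_K(O_{i-1}). Depends on (key, IV) only, never on the data."""
    out, feedback = bytearray(), iv
    while len(out) < length:
        feedback = _block_fn(key, feedback)
        out += feedback
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR in OFB."""
    return xor(data, ofb_keystream(key, iv, len(data)))


def build_message(pan: str, amount_cents: int) -> bytes:
    """Constructed fixed-layout message, not real ISO 8583 / AS2805:
    4-byte message type, 16-digit PAN at bytes 4..20, 12-digit amount."""
    return b"0200" + pan.encode() + f"{amount_cents:012d}".encode()


def recover_from_reuse(c_known: bytes, p_known: bytes, c_victim: bytes) -> str:
    """Same keystream on both messages => c_known ^ c_victim = p_known ^ p_victim,
    hence p_victim = c_known ^ c_victim ^ p_known. No key material is needed."""
    p_victim = xor(xor(c_known, c_victim), p_known)
    return p_victim[4:20].decode("latin-1")   # latin-1 so that garbage still decodes


def attacker_view(unique_key_per_transaction: bool) -> str:
    """What the attacker reads out of the victim's PAN field."""
    day_key = b"terminal-key-kept-for-256-transactions"   # constructed, AS2805.6.4 style
    iv = bytes(BLOCK)                                      # assumption: fixed IV on the line
    p_attacker = build_message("4000000000000002", 100)    # attacker's own constructed card
    p_victim = build_message("4123456789012349", 4995)     # the slide's example PAN
    c_attacker = ofb_crypt(day_key, iv, p_attacker)
    if unique_key_per_transaction:
        # AS2805.6.2 remedy: a fresh key per transaction. Illustrative derivation only,
        # not the standard's algorithm; 24 bytes matches a TDES key length.
        victim_key = hmac.new(day_key, b"txn-0002", hashlib.sha256).digest()[:24]
    else:
        victim_key = day_key
    c_victim = ofb_crypt(victim_key, iv, p_victim)
    return recover_from_reuse(c_attacker, p_attacker, c_victim)


if __name__ == "__main__":
    print("reused key :", attacker_view(False))   # victim PAN falls straight out
    print("unique key :", attacker_view(True))    # unrelated bytes
```

The attack needs no key recovery and no weakness in TDES itself; it follows from OFB producing a keystream that depends only on the key and IV. A unique key per transaction (AS2805.6.2) or a unique IV per message both break it, which is why the audit checklist on slide 26 asks about IVs for stream cipher modes alongside key uniqueness.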
Slide 23: PCI SSC P2PE Activity
Released 'Initial Roadmap: P2PE Technology and PCI DSS Compliance'
Referenced the SRED standard for devices
Discussed release of audit requirements in 2011
Development is ongoing (under NDA); what can I talk about?
SRED is designed for securing card data
PCI PIN requirements cover key management
2011 will be an interesting year …
Slide 24: What is SRED?
SRED stands for 'Secure Reading and Exchange of Data'; 'Data' refers to cardholder data
A module of the PCI PTS v3.0 standard (PTS = PIN Transaction Security)
Applies to devices that provide 'account data protection' functionality: encryption at the Point Of Interaction (POI)
Expect to hear more about SRED soon
Slide 25: SRED Device Block Diagram
[Block diagram of an SRED device]
Slide 26: Audit of Encryption Solutions
What encryption algorithm and modes? Beware anything not AES, TDES, ECC, RSA
Key management: who and how? Dual control and split knowledge; unique keys per device / use; key sizes and IVs for stream cipher modes
Encryption in a TRSM? What standard? Are you sure? Hardware, firmware, application, context
Where is plaintext card data accessible? All possible inputs / outputs? Whitelists?

More Related Content

Similar to Encryption vs tokenisation (for share)

Securing embedded systems (for share)
Securing embedded systems (for share)Securing embedded systems (for share)
Securing embedded systems (for share)AndrewRJamieson
 
Encryptionvstokenisationforshare
EncryptionvstokenisationforshareEncryptionvstokenisationforshare
EncryptionvstokenisationforshareAndrewRJamieson
 
Hellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper ProductsHellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper Products
Thorne & Derrick International
 
Wearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 PandemicWearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 Pandemic
Saibal Bishnu
 
Portable pH Meter for Process Measurement
Portable pH Meter for Process MeasurementPortable pH Meter for Process Measurement
Portable pH Meter for Process Measurement
Alliance Technical Sales, Inc.
 
2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog Siwali2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog Siwali
PT. Siwali Swantika
 
AMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data SheetAMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data SheetPaul Harrison J.P.
 
Cryptography&Security
Cryptography&SecurityCryptography&Security
Cryptography&Security
Sanjeev Kumar Jaiswal
 
Ccd spectroradiometer-integrating-sphere-compact-system-for-led-7000vis
Ccd spectroradiometer-integrating-sphere-compact-system-for-led-7000visCcd spectroradiometer-integrating-sphere-compact-system-for-led-7000vis
Ccd spectroradiometer-integrating-sphere-compact-system-for-led-7000vis
世满 江
 
Data Centre Optimization
Data Centre OptimizationData Centre Optimization
Data Centre Optimization
6PM Solutions
 
PINsafe by SWIVEL
PINsafe by SWIVELPINsafe by SWIVEL
PINsafe by SWIVELajldr
 
Helix Nebula: Ajudant al desenvolupament científic europeu
Helix Nebula: Ajudant al desenvolupament científic europeuHelix Nebula: Ajudant al desenvolupament científic europeu
Helix Nebula: Ajudant al desenvolupament científic europeu
CSUC - Consorci de Serveis Universitaris de Catalunya
 
30052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_130052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_1Nguyen Hien
 
Catalogo general unitronics 2010
Catalogo general unitronics 2010Catalogo general unitronics 2010
Catalogo general unitronics 2010
INTRAVE IndustrialAutomation
 
China Telecom - China Data Centers
China Telecom - China Data CentersChina Telecom - China Data Centers
China Telecom - China Data Centers
Brian Trentacost
 
0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application Notes0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application NotesTristan King
 
Facility monitoring system; ATU3
Facility monitoring system; ATU3Facility monitoring system; ATU3
Facility monitoring system; ATU3
Linkwise Technology
 

Similar to Encryption vs tokenisation (for share) (20)

Securing embedded systems (for share)
Securing embedded systems (for share)Securing embedded systems (for share)
Securing embedded systems (for share)
 
Encryptionvstokenisationforshare
EncryptionvstokenisationforshareEncryptionvstokenisationforshare
Encryptionvstokenisationforshare
 
Mobile payments v1 1
Mobile payments v1 1Mobile payments v1 1
Mobile payments v1 1
 
Hellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper ProductsHellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper Products
 
Wearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 PandemicWearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 Pandemic
 
Portable pH Meter for Process Measurement
Portable pH Meter for Process MeasurementPortable pH Meter for Process Measurement
Portable pH Meter for Process Measurement
 
Mk9500
Mk9500Mk9500
Mk9500
 
Atel Value Proposition
Atel Value PropositionAtel Value Proposition
Atel Value Proposition
 
2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog Siwali2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog Siwali
 
AMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data SheetAMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data Sheet
 
Cryptography&Security
Cryptography&SecurityCryptography&Security
Cryptography&Security
 
Ccd spectroradiometer-integrating-sphere-compact-system-for-led-7000vis
Ccd spectroradiometer-integrating-sphere-compact-system-for-led-7000visCcd spectroradiometer-integrating-sphere-compact-system-for-led-7000vis
Ccd spectroradiometer-integrating-sphere-compact-system-for-led-7000vis
 
Data Centre Optimization
Data Centre OptimizationData Centre Optimization
Data Centre Optimization
 
PINsafe by SWIVEL
PINsafe by SWIVELPINsafe by SWIVEL
PINsafe by SWIVEL
 
Helix Nebula: Ajudant al desenvolupament científic europeu
Helix Nebula: Ajudant al desenvolupament científic europeuHelix Nebula: Ajudant al desenvolupament científic europeu
Helix Nebula: Ajudant al desenvolupament científic europeu
 
30052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_130052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_1
 
Catalogo general unitronics 2010
Catalogo general unitronics 2010Catalogo general unitronics 2010
Catalogo general unitronics 2010
 
China Telecom - China Data Centers
China Telecom - China Data CentersChina Telecom - China Data Centers
China Telecom - China Data Centers
 
0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application Notes0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application Notes
 
Facility monitoring system; ATU3
Facility monitoring system; ATU3Facility monitoring system; ATU3
Facility monitoring system; ATU3
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Encryption vs tokenisation (for share)

  • 1. Encryption vs Tokenisation
    Witham Laboratories, 1/842 High Street, East Kew 3102, Melbourne, Australia. Ph: +61 3 9846 2751. Fax: +61 3 9857 0350. Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain. Ph: +34 93 184 27 88. Email: lab@withamlabs.com. PCI PTS, PCI PIN, PCI DSS, PA-DSS. Witham Laboratories: Building Confidence in Payment Systems. Slide No. 1
  • 2. Agenda
    - Protecting Cardholder Data
    - Cryptography and Tokenisation 101
    - What’s the difference?
    - Format Preserving Encryption
    - P2PE and TRSM Standards 101
    - Australian P2PE Implementations
    - PCI SSC P2PE Activity
    - Auditing Encryption and Tokenisation
  • 3. Protecting Cardholder Data
    - PCI DSS scope = all systems which store/process/transmit card data
    - Render sensitive elements inaccessible: PAN, track data, online PIN block, CVV2
    - Req. 3.4 (storage), 4.1 (transmission)
    - Prevents exposure of card data: comms / storage does not reveal card data
    - Prevents line tapping / memory attacks
    - Encryption & tokenisation referenced
  • 4. Cryptography 101
    - Encryption is a keyed reversible function
    - Output ‘looks’ different to input data
    - Generally encrypts data in ‘blocks’
    - Use standardised encryption algos: AES, TDES, ECC, RSA
    - Security is dependent on the ‘key’
    - The key is just a ‘big’ number
    - Good key management is vital
    - ‘Attack surface’ = key and use of key
  • 5. Tokenisation 101
    - Replace PAN with a ‘reference number’
    - Same format, ‘looks’ like card data
    - PAN not necessary after the transaction; token can be used instead
    - Minimises access to card data
    - Tokenisation system can ‘restore’ PAN
    - Tokenisation is a reversible process
    - How is this done?
  • 6. Tokenisation 101
    - Lots of different tokenisation methods: cryptography, look-up, proprietary
    - What are the pros / cons of each?
    - Beware systems based on global secrets: exploit one system, expose many
    - ‘Attack surface’ depends on: method of tokenisation used; systems involved in tokenisation method
    - Tokenisation and encryption share some similarities …
  • 7. Encryption - Visualisation
    - Encryption maps a value from the input domain to a value in the output domain
    (diagram: Input domain [0 … 2^(block size)] → Encryption Algo, parameterised by Key → Output domain [0 … 2^(block size)])
  • 8. Encryption - Visualisation
    - Different input values have different output values, based on the value and the key
    (diagram: same mapping as slide 7)
  • 9. Encryption - Visualisation
    - Changing the key changes the output values for the same input values
    (diagram: same mapping as slide 7, now parameterised by Key 2)
  • 10. Encryption - Visualisation
    - The key, and the use of the key, define the attack surface – the algorithm is public
    (diagram: same mapping as slide 7, parameterised by Key 2)
  • 11. Tokenisation - Visualisation
    - Tokenisation is similar – input values mapped to output values based on secret(s)
    (diagram: Input domain [Lowest PAN value … Highest PAN value] → Tokenisation System (??Key, DB, Server) → Output domain [Lowest PAN value … Highest PAN value])
  • 12. Tokenisation - Visualisation
    - Here the attack surface is not as well defined – it may be a key, DB, server, or other
    (diagram: same as slide 11)
  • 13. What’s the difference?
    - Similarities? 1:1 reversible mapping of input ↔ output; security dependent on secret(s)
    - Differences? For encryption: lots of study, security standards/products; well known attack methods & mitigations; may not ‘play nice’ with existing systems
    - Tokenisation: no standards, little study, but compatible …
    - Compromise?
  • 14. Format Preserving Encryption
    - ‘Normal’ encryption assumes all data is unformatted binary data
    - Any formatting is ‘lost’ during encryption
    - Problem for format-dependent systems, e.g. databases, existing protocols, data capture devices (e.g. PINPads)
    - Format preserving encryption (FPE) = encryption without loss of formatting
    - Combines encryption & tokenisation
  • 15. FPE Common Features
    - Feistel cipher construction
    - Round function = AES, Triple DES
    - Systems may modify inputs for each round
    - Round fn. output truncated to FPE block size
    - Remap input/round fn. output as required
    - Encrypt with multiple Feistel rounds
    - # rounds, re-mapping – depends on cipher
    - These details can be important …
    - May only encrypt middle digits of a PAN
    - Ensures card type and Luhn check still valid
  • 16. Feistel Cipher
    - For any round ‘n’ … Repeat as necessary …
    (diagram: Feistel round structure; the round equations were not extracted)
  • 19. (diagram: Recalculate Luhn check)
  • 20. Encryption Implementations
    - FPE most often used in (DB) servers
    - Provides ‘transparent’ encryption and used for tokenisation
    - FPE increasingly a feature in PINPad SW
    - Also in encrypting MSRs, credit terminals
    - Encrypt data without ‘breaking’ POS SW
    - Encryption of comms for PCI DSS: called ‘Point to Point Encryption’ (P2PE)
    - FPE not always used / required
    - What standards exist?
  • 21. P2PE Standards 101
    - ISO 10894* “Procedures for Message Encipherment”
    - ANSI X9.119* “Protection of Sensitive Data between Device and Acquiring System”
    - PCI SSC: PTS v3 ‘SRED’ & P2PE reqs*
    - Localised/industry associations and SIGs: SPVA, ATMIA, PCI SIGs, Visa & MC, AS2805.9
    - Secure HW (TRSM) is often required
  • 22. TRSM Standards 101
    - FIPS 140-2: four approval levels (1 – 4)
    - L1 generally for SW only – no HW security
    - L2 some tamper evident HW security
    - L3 provides some tamper response
    - L4 full security envelope (hardest level)
    - PCI PTS (previously PCI PED): v1 & v2 = PIN security only, v3 has SRED
    - APCA PED covers PIN security; from 2010 requires AS2805.9 keys
  • 23. Australian EFTPOS Standard(s)
    - AS2805 = Aus. Standard for EFTPOS: key management, encryption, message formats, payment processing
    - Each bank has its own ‘interpretation’
    - AS2805.9 defines message encryption
    - AS2805.6.x defines key management: unique per transaction (AS2805.6.2); unique each day / 256 trans (AS2805.6.4); AS2805.6.5.3 for RSA key loading
    - Watch your key lengths!
  • 24. AS2805.9
    - Encryption of each EFTPOS message
    - Extract non-sensitive elements
    - Encrypt whole message with TDES OFB
    - Stream mode of TDES: XOR of the message with the key stream (not FPE)
    - Replace non-sensitive elements and send
    - Things to be aware of:
    - OFB: same key = same key stream
    - Same key stream on different transactions allows for recovery of transmitted data
    - AS2805.6.4 keeps same key for many trans
  • 25. PCI SSC P2PE Activity
    - Released ‘Initial Roadmap: P2PE Technology and PCI DSS Compliance’
    - Referenced SRED standard for devices
    - Discussed release of audit reqs in 2011
    - Development is ongoing (under NDA)
    - What can I talk about? SRED is designed for securing card data; PCI PIN reqs cover key management
    - 2011 will be an interesting year …
  • 26. What is SRED?
    - SRED stands for “Secure Reading and Exchange of Data”
    - “Data” refers to Cardholder Data
    - A module of the PCI PTS v3.0 standard (PTS = PIN Transaction Security)
    - Applies to devices that provide “account data protection” functionality
    - Encryption at Point Of Interaction (POI)
    - Expect to hear more about SRED soon
  • 27. SRED Device Block Diagram
    (diagram: not extracted)
  • 28. Audit of Encryption Solutions
    - What encryption algo & modes? Beware anything not AES, TDES, ECC, RSA
    - Key management – who and how? Dual control and split knowledge; unique keys per device/use; key sizes and IVs for stream cipher modes
    - Encryption in TRSM? What standard? Are you sure?? HW, FW, App, context
    - Where is plaintext card data accessible? All possible inputs / outputs? Whitelists?
  • 29. Tokenisation Auditing
    - How is the tokenisation performed? (Non) Random? Encryption? Details!
    - What is the attack surface of this method? Key, algorithm, DB, system, network, etc
    - Does one exploit result in multiple exposures?
    - Security of tokenisation system: at least as per PCI DSS reqs 1.x and 2.x
    - FPE methods used for tokenisation? Refer encryption reqs. Ask for details!
    - Ask for evidence of peer review output
  • 30. Questions?
    For further information please contact Andrew Jamieson, Technical Manager, Witham Laboratories. Email: andrew.jamieson@withamlabs.com. Phone: +61 3 9846 2751
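Slides 5 and 6 ask how a tokenisation system ‘restores’ the PAN and list look-up as one of the methods. The Python below is an added example of the look-up (‘vault’) method; it is not code from the presentation or from Witham Laboratories. The token is drawn from a CSPRNG and keeps the last four digits, and the only way back to the PAN is the vault’s table. The class and method names and the keep-last-four rule are assumptions made for the demo. With no key in play, the attack surface the slide 12 diagram leaves as ‘??Key / DB / Server’ collapses to the table and whatever can query it.

```python
import secrets

# Constructed example of look-up ("vault") tokenisation: the token is random, so it has
# no mathematical relationship to the PAN; the only way back is the vault's table.
# Names and the format rule (keep the last four digits) are assumptions for this demo.


class TokenVault:
    """Maps PANs to random, format-preserving tokens and back.

    The two dictionaries stand in for the vault database. Whoever can read this
    table (or query the vault without authorisation) can recover every PAN in it,
    so the table, not a key, is the attack surface of this method.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    @staticmethod
    def _validate_pan(pan):
        # A PAN is 13 to 19 decimal digits; anything else is rejected before it is stored.
        if not (isinstance(pan, str) and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 decimal digits")

    def tokenise(self, pan):
        """Return the token for a PAN, creating one on first sight.

        Same PAN -> same token, so repeat transactions can be matched on the token;
        that stable mapping is why a table is needed rather than a fresh random value.
        """
        self._validate_pan(pan)
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random leading digits from a CSPRNG; the last four digits are kept so
            # receipts and POS screens can still show them. No key is involved.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a collision with an existing token or a stored PAN, and token == PAN.
            if token != pan and token not in self._token_to_pan and token not in self._pan_to_token:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token):
        """Restore the PAN; only the vault can do this, there is nothing to 'decrypt'."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None

    def __len__(self):
        return len(self._pan_to_token)


def demo():
    """Round-trip two constructed test PANs; True if every expected property holds."""
    vault = TokenVault()
    pan_a, pan_b = "4111111111111111", "5555555555554444"  # widely published test card numbers
    tok_a, tok_b = vault.tokenise(pan_a), vault.tokenise(pan_b)
    try:
        vault.tokenise("4111-1111-1111-1111")  # malformed input must be refused
        return False
    except ValueError:
        pass
    return (
        vault.detokenise(tok_a) == pan_a
        and vault.detokenise(tok_b) == pan_b
        and vault.tokenise(pan_a) == tok_a          # stable mapping
        and tok_a != tok_b and tok_a != pan_a
        and len(tok_a) == 16 and tok_a[-4:] == pan_a[-4:]
        and len(vault) == 2
    )


if __name__ == "__main__":
    print("vault demo ok" if demo() else "vault demo FAILED")
```

When auditing this method (slide 29), the questions to put to the vendor follow directly from the code: what protects the table, who can call detokenise, and whether one vault serves many merchants, since one compromise of a shared table exposes every PAN in it.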
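Slides 15, 16 and 19 describe the FPE construction: a Feistel network whose round function output is truncated to the FPE block size, applied only to the middle digits of the PAN, with the Luhn check digit recalculated afterwards. The Python below is an added worked example of that construction; it is not code from the presentation or from any FPE product, and it is not NIST FF1/FF3. HMAC-SHA256 stands in for the AES/TDES round function named on slide 15 (the standard library has no AES), and the ten rounds, the six-digit kept prefix and the function names are assumptions for the demo. Decryption runs the rounds backwards without ever inverting the round function, which is the point of the Feistel structure.

```python
import hashlib
import hmac

# Constructed teaching model of an FPE-style Feistel network over decimal digits.
# Not the presentation's code and not NIST FF1/FF3: HMAC-SHA256 replaces the AES/TDES
# round function, and the round count and kept prefix are assumptions for the demo.


def luhn_check_digit(payload):
    """Luhn check digit for `payload` (a PAN without its final digit)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan):
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def _round_fn(key, rnd, half, ndigits):
    """Keyed round function. The MAC output is 'truncated to the FPE block size'
    (slide 15) by reducing it modulo 10**ndigits, i.e. remapped into the digit domain."""
    mac = hmac.new(key, f"{rnd}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** ndigits)


def _halves(n):
    # Unbalanced split for odd lengths; the half being rewritten alternates each round.
    u = n // 2
    return u, n - u


def feistel_encrypt_digits(key, digits, rounds=10):
    """Encrypt a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    u, v = _halves(len(digits))
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v               # length of the half being replaced
        c = (int(a) + _round_fn(key, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)                # swap halves; zfill keeps leading zeros
    return a + b


def feistel_decrypt_digits(key, digits, rounds=10):
    """Run the rounds backwards; the round function itself is never inverted."""
    u, v = _halves(len(digits))
    la = u if rounds % 2 == 0 else v            # left-half length after `rounds` swaps
    a, b = digits[:la], digits[la:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def fpe_encrypt_pan(key, pan, keep_prefix=6):
    """Keep the first `keep_prefix` digits (issuer / card type), encrypt the middle
    digits, then recalculate the Luhn check digit so the result still passes a PAN check."""
    if not luhn_valid(pan) or len(pan) < keep_prefix + 3:
        raise ValueError("input must be a Luhn-valid PAN with digits left to encrypt")
    body = pan[:keep_prefix] + feistel_encrypt_digits(key, pan[keep_prefix:-1])
    return body + luhn_check_digit(body)


def fpe_decrypt_pan(key, enc_pan, keep_prefix=6):
    body = enc_pan[:keep_prefix] + feistel_decrypt_digits(key, enc_pan[keep_prefix:-1])
    return body + luhn_check_digit(body)   # the original check digit is a function of the body


if __name__ == "__main__":
    key = b"constructed demo key"
    pan = "4111111111111111"                   # widely published test card number
    enc = fpe_encrypt_pan(key, pan)
    print(pan, "->", enc, "prefix kept:", enc[:6] == pan[:6], "Luhn ok:", luhn_valid(enc))
    print("round trip ok:", fpe_decrypt_pan(key, enc) == pan)
```

The round trip is what an auditor can ask a vendor to demonstrate (slide 28): the same key and input give the same output, the issuer prefix and Luhn check survive, and a different key gives a different output (slides 8 to 10). The model also shows why slide 15 says the details matter: the number of rounds and the remapping of the round output into the digit domain are where a real FPE design is either sound or not, and that is what peer review (slide 29) has to cover.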
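The AS2805.9 slide above warns that in OFB the same key gives the same key stream and that reusing a key stream across transactions exposes transmitted data. The Python below is an added example, not from the presentation or from the standard: an HMAC-SHA256 output-feedback chain stands in for TDES OFB (there is no Triple DES in the standard library), and the messages, key ids, audit records and the counter-based per-transaction key derivation are constructed for the demo (the real AS2805.6.2 derivation is not reproduced). It shows the relationship an auditor should look for, XOR(ct1, ct2) == XOR(msg1, msg2) whenever two messages share a key stream, and a small log check that flags (key, IV) pairs used more than once, which, with a fixed IV, is what the slide’s ‘same key for many transactions’ produces.

```python
import hashlib
import hmac

# Constructed illustration of OFB key stream reuse. HMAC-SHA256 in an output-feedback
# loop stands in for TDES OFB; the property shown does not depend on which block cipher
# feeds the loop. Messages, key ids and the key derivation are made up for the demo.


def ofb_keystream(key, iv, length):
    """OFB-style key stream: each block is the keyed function of the previous output block."""
    out, block = b"", iv
    while len(out) < length:
        block = hmac.new(key, block, hashlib.sha256).digest()
        out += block
    return out[:length]


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_encrypt(key, iv, msg):
    # Stream mode: encryption is an XOR with the key stream; decryption is the same call.
    return xor_bytes(msg, ofb_keystream(key, iv, len(msg)))


def derive_transaction_key(base_key, txn_counter):
    """Stand-in for a unique-per-transaction key (slide 23, AS2805.6.2): a KDF over a
    counter. Assumption for the demo only; the standard's own derivation is not shown."""
    return hmac.new(base_key, txn_counter.to_bytes(4, "big"), hashlib.sha256).digest()


# Two constructed EFTPOS-like messages of equal length (PANs are published test numbers).
MSG_1 = b"PAN=4111111111111111;AMT=000000001000;TRACE=000001"
MSG_2 = b"PAN=5555555555554444;AMT=000000025000;TRACE=000002"
BASE_KEY = b"constructed base key"
IV = bytes(8)   # fixed IV, so whether the key stream repeats depends on the key alone


def keystream_reuse_leaks(same_key):
    """True if XOR(ct1, ct2) == XOR(msg1, msg2): with one key stream the two ciphertexts
    cancel to the plaintext relationship, so a known field in one message reveals the
    same position in the other; with a unique key per transaction this does not hold."""
    if same_key:
        k1 = k2 = derive_transaction_key(BASE_KEY, 1)   # one key kept across transactions
    else:
        k1, k2 = derive_transaction_key(BASE_KEY, 1), derive_transaction_key(BASE_KEY, 2)
    c1, c2 = ofb_encrypt(k1, IV, MSG_1), ofb_encrypt(k2, IV, MSG_2)
    return xor_bytes(c1, c2) == xor_bytes(MSG_1, MSG_2)


def find_keystream_reuse(records):
    """Audit helper: given transaction records with the key id and IV that encrypted each,
    return (first_txn, later_txn) pairs that shared a (key_id, iv), i.e. a key stream."""
    first_seen, reused = {}, []
    for rec in records:
        slot = (rec["key_id"], rec["iv"])
        if slot in first_seen:
            reused.append((first_seen[slot], rec["txn"]))
        else:
            first_seen[slot] = rec["txn"]
    return reused


# Constructed audit log: one key used for three transactions, then one key per transaction.
SAMPLE_RECORDS = [
    {"txn": "T001", "key_id": "K-2010-05-01", "iv": "00" * 8},
    {"txn": "T002", "key_id": "K-2010-05-01", "iv": "00" * 8},
    {"txn": "T003", "key_id": "K-2010-05-01", "iv": "00" * 8},
    {"txn": "T004", "key_id": "K-txn-0004", "iv": "00" * 8},
    {"txn": "T005", "key_id": "K-txn-0005", "iv": "00" * 8},
]


if __name__ == "__main__":
    print("same key stream leaks plaintext relationship:", keystream_reuse_leaks(True))
    print("unique key per transaction leaks it:", keystream_reuse_leaks(False))
    print("transactions sharing a key stream:", find_keystream_reuse(SAMPLE_RECORDS))
```

The audit point from slide 28 (‘key sizes and IVs for stream cipher modes’) is exactly this check: for any OFB or other stream-mode deployment, confirm that no (key, IV) pair is ever used for two messages, and treat a scheme that keeps one key for a day or 256 transactions with a fixed IV as a finding unless the IV is shown to be unique per message.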