1. Futurex: An Innovative Leader in Encryption Solutions
• For over 30 years, more than 15,000 customers worldwide
• Hardware-based solutions with integrated applications provide the highest levels of compliance and security
• Entrepreneurial culture, fostering agility and innovation in the development of hardware encryption solutions
• Results-oriented engineering team based in our U.S. Technology Campus, with significant experience delivering first-to-market customer initiatives
• Members of ANSI X9F and PCI Security Standards Council bodies; CTGA-certified Solutions Architects
2. Enterprise Security Platform
• Cardholder data encryption
• Generate PINs & CVx codes
• PCI compliance
• P2PE and tokenization
• Key management
• Full support for EMV (chip) cards
• Mobile payment solutions
Scalable, Robust, and Cost-Effective Data Security Solutions
3. The Futurex Securus
Distributed Transaction Processing Infrastructure Management
• FIPS 140-2 Level 3-validated tablet device for remote configuration of Futurex solutions
• PKI-secured remote loading of the Master File Key
• Rugged design for field usage
• Fully portable, with Wi-Fi connectivity
4. Guardian9000
Secure, Cloud-Based Management for Core Cryptographic Infrastructure
[Diagram: a Guardian9000 at the Primary Site and a second Guardian9000 at the Backup / Disaster Recovery Site, each managing a group of Excrypt SSP9000 Hardware Security Modules; the Guardian9000 also connects to the Host Server / Mainframe and to SMTP and SNMP servers.]
5. Guardian9000
[Diagram: a Guardian9000 at the Primary HSM Site and another at the Backup / Disaster Recovery HSM Site, each managing four Excrypt SSP9000 HSMs; the Host Server / Mainframe, Securus, Kryptos TLS Server, RKMS Series and Certificate Authority Server connect to the platform.]
Futurex Enterprise Security Platform - Detailed Overview
[Diagram labels: "HSM firmware updates, settings, and Master File Key" (shown once per site); SKI9000; SAS9000. Connections between the HSM and the host server are TLS/SSL encrypted.]
7. Role of HSM in EMV
Data Preparation and Card Personalization
Data Preparation
• Key/certificate management for authentication, data integrity and issuer scripting
• Offline and online PIN block generation for user authentication
• SDA / DDA / CDA signatures (for offline validation)
Personalization
• Key management for confidentiality, authentication, and data integrity
• Protection of sensitive personalization data
[Diagram: SSP9000 HSMs serve both the issuer's data preparation and personalization steps, which produce the Integrated Circuit Card (ICC) or smart card.]
8. Role of HSM in EMV
Online Card Validation During Transaction
[Diagram: Cardholder → Point-of-Interaction → Acquirer → Payment Card Brand → Card Issuer host with SSP9000 HSM.]
1. Authentication request (request cryptogram) from POI to issuer
2. Issuer validates request
3. Response (response cryptogram) from issuer to POI
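The three-step exchange on this slide, written out as an added worked example for this page (not Futurex code, and not the SSP9000's API): the card key is derived from an issuer master key at personalization (the key management step of the previous slide), the chip builds an ARQC over the transaction data under an ATC-diversified session key, the issuer host checks ATC freshness and hands verification to an HSM object that never releases the master key, and the chip authenticates the ARPC that comes back. Assumption stated plainly: EMV specifies 3DES key derivation and an 8-byte ISO 9797-1 MAC; this example substitutes HMAC-SHA256 truncated to 8 bytes so it runs on the standard library alone. The PAN, PSN, master key and transaction fields are constructed sample values.

```python
"""Added example (not Futurex code): online EMV authorization, ARQC -> ARPC.

Assumption: HMAC-SHA256 (truncated to 8 bytes) stands in for the 3DES-based
derivation and MAC that EMV Book 2 specifies; the key hierarchy, ATC-based
session keys, message flow and checks are what is being demonstrated.
"""
import hmac
import hashlib


def kdf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Sub-key derivation (stand-in for EMV's 3DES-based derivation)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def mac8(key: bytes, data: bytes) -> bytes:
    """8-byte cryptogram (stand-in for EMV's 8-byte 3DES MAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction key diversified by the Application Transaction Counter."""
    return kdf(card_key, b"SK", atc.to_bytes(2, "big"))


def arpc_input(arqc: bytes, arc: bytes) -> bytes:
    """ARPC is computed over ARQC XOR the zero-padded Authorization Response Code."""
    return bytes(a ^ b for a, b in zip(arqc, arc.ljust(8, b"\x00")))


class IssuerHSM:
    """Holds the issuer master key; only derived card keys (at personalization)
    and cryptogram results ever leave it."""

    def __init__(self, imk: bytes) -> None:
        self._imk = imk

    def derive_card_key(self, pan: str, psn: str) -> bytes:
        return kdf(self._imk, b"ICC", (pan + psn).encode())

    def verify_arqc(self, pan: str, psn: str, atc: int, txn: bytes, arqc: bytes) -> bool:
        sk = session_key(self.derive_card_key(pan, psn), atc)
        return hmac.compare_digest(mac8(sk, txn + atc.to_bytes(2, "big")), arqc)

    def generate_arpc(self, pan: str, psn: str, atc: int, arqc: bytes, arc: bytes) -> bytes:
        sk = session_key(self.derive_card_key(pan, psn), atc)
        return mac8(sk, arpc_input(arqc, arc))


class Chip:
    """Card side: card key injected at personalization, ATC increments per transaction."""

    def __init__(self, pan: str, psn: str, card_key: bytes) -> None:
        self.pan, self.psn, self._card_key, self.atc = pan, psn, card_key, 0

    def generate_arqc(self, txn: bytes):
        self.atc += 1
        sk = session_key(self._card_key, self.atc)
        return self.atc, mac8(sk, txn + self.atc.to_bytes(2, "big"))

    def verify_arpc(self, atc: int, arqc: bytes, arc: bytes, arpc: bytes) -> bool:
        sk = session_key(self._card_key, atc)
        return hmac.compare_digest(mac8(sk, arpc_input(arqc, arc)), arpc)


class IssuerHost:
    """Issuer host: enforces ATC freshness, delegates all cryptography to the HSM."""

    def __init__(self, hsm: IssuerHSM) -> None:
        self.hsm, self.last_atc = hsm, {}

    def authorize(self, pan: str, psn: str, atc: int, txn: bytes, arqc: bytes):
        if atc <= self.last_atc.get(pan, 0):                      # replayed or stale ATC
            return b"05", None
        if not self.hsm.verify_arqc(pan, psn, atc, txn, arqc):   # tampered or forged
            return b"05", None
        self.last_atc[pan] = atc
        arc = b"00"                                               # approved
        return arc, self.hsm.generate_arpc(pan, psn, atc, arqc, arc)


def run_transaction(chip: Chip, issuer: IssuerHost, txn: bytes):
    """POI -> acquirer -> brand -> issuer and back; the intermediaries only forward."""
    atc, arqc = chip.generate_arqc(txn)                                  # 1. request cryptogram
    arc, arpc = issuer.authorize(chip.pan, chip.psn, atc, txn, arqc)     # 2. issuer validates
    issuer_ok = arpc is not None and chip.verify_arpc(atc, arqc, arc, arpc)  # 3. response cryptogram
    return arc, issuer_ok, atc, arqc


def demo() -> dict:
    # Constructed sample values: a test PAN and a made-up master key.
    hsm = IssuerHSM(bytes.fromhex("0123456789abcdeffedcba9876543210"))
    pan, psn = "4111111111111111", "01"
    chip = Chip(pan, psn, hsm.derive_card_key(pan, psn))    # personalization step
    issuer = IssuerHost(hsm)
    txn = b"000000001000" + b"0840" + b"\x12\x34\x56\x78"   # amount, currency, unpredictable number
    arc, issuer_ok, atc, arqc = run_transaction(chip, issuer, txn)
    replay_arc, _ = issuer.authorize(pan, psn, atc, txn, arqc)           # same ATC presented again
    atc2, arqc2 = chip.generate_arqc(txn)
    tamper_arc, _ = issuer.authorize(pan, psn, atc2, b"000000099999" + txn[12:], arqc2)  # amount altered in transit
    return {"first": (arc, issuer_ok), "replay": replay_arc, "tamper": tamper_arc}


if __name__ == "__main__":
    print(demo())
```

The first transaction is approved (ARC "00") and the chip accepts the ARPC; replaying the same ATC and altering the amount in transit are both declined with ARC "05" and no ARPC, which is why the issuer host, not the HSM, keeps the per-card ATC high-water mark.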
9. The Role of HSMs in P2PE
Protecting Data in Transit: Device Key Management
• HSM for compliant key generation
• Key lifecycle management
• Remote or direct key injection
[Diagram: SKI Series at the Secure Injection Facility; RKMS Series in the Datacenter, reaching the Remote Device.]
Key lifecycle: Generate, Distribute, Track Usage, Backup, Revoke, Terminate, Archive
10. Role of HSM in P2PE
Encryption, Decryption, Key Management & Tokens
• Encryption and Decryption
• Key Management
• Tokens
[Diagram: Merchant (POI) → Acquirer Host → Switch Host, with SSP9000 HSMs and databases (DB); the legend distinguishes encryption/decryption points, data at rest, data in transit and tokens.]
* Case study available upon request
11. Futurex Enterprise Security Platform
• Remote Access
• Centralized Administration
• High Availability
• Redundant
• Compliant
• Secured
• Customizable
[Diagram: Primary Site and Secondary Site, each with HSM #1, HSM #2 and a Secure Management Server; direct load balancing across the sites, redundant failover, automatic synchronization* (all devices designated as Production within the group), and a Remote Access Device.]
Editor's Notes
Don’t over elaborate on any one topic, keep this broad and quick
Emphasize that a Secure Cryptographic Device as defined by PCI is an HSM with FIPS 140-2 Level 3 and PCI HSM certification. Accredited Standards Committee X9 (ASC X9) standards can be found at www.x9.org.
Dual Control with Split Knowledge: the process of utilizing two or more separate entities (usually persons) or mechanisms operating in concert to protect sensitive functions or information, such that no single entity has knowledge of, or can derive, the protected information as a whole. This information may be cryptographic keys or other information used to protect underlying cryptographic keys.
Issuer scripts can also be updated; the HSM is used to MAC (sign) these scripts and to encrypt them if they contain sensitive data.
Insert into terminal: chip and terminal perform a risk assessment, defined by EMV tags/profile set by the issuer. A dynamic cryptogram is created and passed to the issuer through the acquirer and the brands. The issuer validates it and may send a response cryptogram to the chip so the chip can authenticate the issuer (mutual authentication between chip and issuer). ARPC validation is generally not performed because the card has been removed by the time the response arrives. Changes to terminal, messaging and authorization process.
Three components on the card; the chip OS: each card vendor sells an OS to the issuer (proprietary or open; MULTOS is open). EMV is a broad set of standards with many options. Each brand has a slightly different implementation for contactless and contact: Visa payWave (VSDC for contact), MasterCard PayPass. The form of verification, online or offline, is set at the time of personalization of the chip. The terminal is like the chip: every terminal has its own OS, each vendor has implemented an EMV kernel (the baseline logic required to accept EMV cards), and each model of terminal has to be certified by EMVCo.
Tactical benefits of remote key: significantly quicker replacement of keys; decreased cost for replacement of keys; reduced cost of TR-39 audit preparation. Strategic benefits of remote key: on-demand replacement for compromised keys; easier key management; increased security during key replacement.
Cardholder data to be encrypted is the PAN, cardholder name, service code and expiration date, as defined by PCI DSS. Sensitive authentication data is the full magnetic stripe, CAV2/CVC2/CVV2/CID, PIN and encrypted PIN block.
BDK = Base Derivation Key; KSN = Key Serial Number; DIK = DUKPT Initial Key.