HITEC 2012: Hard Codes to Crack: Tokenization, Encryption-at-Swipe and Friends
•Download as PPTX, PDF•
0 likes•251 views
From the education session "Hard Codes to Crack: Tokenization, Encryption-at-Swipe and Friends" at the HITEC 2012 conference. Provides insight into what to consider when purchasing and implementing a tokenization or point-to-point encryption solution to protect payment data, with a particular focus on the hotel or lodging industry.
Recommended
More Related Content
What's hot
What's hot (10)
Viewers also liked
Viewers also liked (14)
Similar to HITEC 2012: Hard Codes to Crack: Tokenization, Encryption-at-Swipe and Friends
Similar to HITEC 2012: Hard Codes to Crack: Tokenization, Encryption-at-Swipe and Friends (20)
Recently uploaded
Recently uploaded (20)
HITEC 2012: Hard Codes to Crack: Tokenization, Encryption-at-Swipe and Friends
- 1. Geoff Krieg VP of Product Management, Merchant Link
- 2. A Flexible, Layered Approach to Security • Acquirer Neutral – Enable merchants and franchisees to process via the acquirer they prefer • Encryption Options – Leverage multiple point of interaction (POI) devices that can protect both keyed and swiped data • Tokenization Options – Support both single and multi-use tokens • Freedom to Change - Allow merchants to switch processors easily, without replacing tokenization system or encryption devices
- 3. Encryption-at-Swipe • OBJECTIVE: Data field encryption should be implemented at, or as close to card swipe or data entry as possible – ideally within the device’s read head or tamper resistant security module (TRSM) • REQUIREMENT: Merchant is removed from all key management responsibilities and has no access to decryption keys or the decryption process
- 4. Encryption Vendor Selection • Industry Standard Vendor (no licensing fees) – DUKPT 3DES encryption (AES forthcoming) – Every transaction receives a new key – Encryption occurs within read head • Proprietary Technology Vendor – Identity-based encryption eliminates need for secure injection room – Works on leading terminals, PIN pads, wedge, mobile devices – Supports browser-based page embedded encryption for secure eCommerce Both support EMV devices and encrypt manually entered cards HSMs located in Merchant Link’s data centers
- 5. Tokenization for Lodging • Folio Consolidation – Merge all guest transactions (room, dining, spa services, gift shop purchases, etc.) to one folio/card number • Guest Satisfaction – Preferences associated with the profile can flow to the • Operations reservation and tie to the – Requires less same token database storage • Loyalty / Marketing – Streamlines – Even if the guest has multiple accounting and stays (at multiple hotel audit functions locations with a chain) the token remains the same
- 6. Multi-Use Token Design • Length: 16 digits to easily replace card numbers in existing systems • Format: Last 4 digits of the token are the last 4 digits of the card number to work seamlessly with most PMS applications • Mod-10: Customizable - can be set to pass or not pass mod-10 validation • Expiration: Tokens will not expire – the token remains the same for a card that has been reissued with a new expiration date (within a particular chain/organization) • Token ≠ Valid Card #: Tokens should not be mistaken for legitimate payment card numbers • Token Boundaries: Only work within specific property/chain
- 7. Design Considerations • Bulk Tokenization/Conversion at Implementation – Automated utility converts all credit card numbers (historic, current and future) • Added Security w/Client Certificates – Helps interrogate which terminals are allowed to communicate with the vault • Tokens Used For... – Incremental and reversal authorizations – No show transactions – Refunds
- 8. Securing Payments in Lodging
- 9. Before You Buy, Consider … Scope – What Impact will my decision have on PCI Scope? Form – Single or Multi-Use Tokens? Format Preserving? What are my use cases? Function – Follow-on Transactions? Manual Entry? Offline? Logistics – Deployment and Replacement Considerations? Flexibility – Future Options? Hardware Provider? Processor?
- 10. Other Considerations Service / Support • Fast access to data and ability to troubleshoot • Responsive, redundant support centers available 24x7x365 Network Reliability / Financial Strength • Examine network uptime and throughput – Redundant data centers? – Transactions per second? • Examine stability and strength of company Flexibility • Encryption via various POI devices • Single vs. multi-use tokens • Processor choice • POS vendor/device choice
Editor's Notes
- Security experts along with the PCI Council agree, a layered approach to security is best, as there is no one technology that will make you secure or PCI compliant.Encryption and tokenization work together to protect both data in transit and data at rest.
- According to Verizon’s 2012 Data Breach Investigations Report, the most common external breach techniques utilize a combination of hacking and malware (61%). Along the same lines, Trustwave reported that hackers are having a far greater degree of success stealing data “in transit” (62.5%) versus stored data (28%) in their 2012 Global Security Report.Merchant Link’s objective, well before PCI published its P2PE solution requirements, was to completely remove merchants from key management and the decryption process.
- When looking at options to protect data in-flight, we chose not to reinvent the wheel but rather to partner with industry leading vendors.Our aim is to provide the most secureand flexible point-to-point encryption solution in the marketplace today.Our goal is to support various points of interaction POI with interfaces to different hardware vendors to offer merchants as much choice as possible.Unlike processor-based encryption, oursolution allows merchants to switch processors easily and without changing tokenization or encryption methodologies.DUKPT = Derived Unique Key Per Transaction =a key management technique in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction data are still protected since the next or prior keys cannot be determined easily.
- Hoteliersfind a great deal of value in multi-use tokens.
- Other key aspects we considered when designing into our tokenization solution:Bulk Tokenization / Conversion at Implementation: Merchant Link provides a bulk Get Token only transaction to speedily convert many card numbers to tokens during tokenization installation. Many currently operational hotels have future reservations, current guests, and X number of past historical credit cards that they want to retain and turn into tokens. Added Security w/Client Certificates: Merchant Link deploys client certificates to further secure the communication between the hotelier’s systems and our data vault. Client certificates help interrogate which terminals are allowed to communicate with the vault.Tokens Used For...Incremental and reversal authorizationsNo show transactionsRefunds
- Scope:Am I aligned with industry best practices? What will my QSA say? Have I addressed manual entry? Gift Cards? Private Label?Form:Single Use or Multi-Use? What are the use cases?Function: Does my tokenization solution support follow on transactions, especially no show charging? Do your systems have a reservationthat tokenizes for multiple hotelsand is there a need to share tokensbetween hotels PMS or a reservation system?Do I have systems that allowcustomers to post a card number to a loyalty membership? Does it make sense if a husband and wife have two loyalty memberships to have different tokens if it’s the same credit card number? Logistics:How many devices to I need to obtain? What happens if the encrypting device fails? How long is the injection/shipment/delivery process for a new device?General Have I identified all the use cases ofhow credit cards interact with mysystems?Do I have the IT personnel tosupport the technology I’m goingto deploy?EncryptionIs POI a tamper-resistantdevice? Solution should be alignedwith industry best security practices for data field encryptionHow many devices to I need to obtain? What happens if the encrypting device fails? How long is the injection/shipment/delivery process for a new device?How does the encrypting device handle non-payment cards? (gift cards, membership cards, employee sign in cards, etc…) Should I buy encrypting devices that are EMV and contactless-capable?Do I need a solution that supports multiple hardware vendors?TokenizationHow much historical data do I really need to keep? (We recommend you purge as much unneeded data as possible.)Do my systems and applications that consume credit cards require mod 10 passable cards or not?Do I have systems that would benefit from having a consistent token to perform customer tracking and purchase behavior/history?Do I have systems that allowcustomers to post a card number toa loyalty membership?Do your systems have a reservationthat tokenizes for multiple hotelsand is there a need to share tokensbetween hotels PMS or a reservation system?Does my tokenization solution support follow on transactions, including no show charges?
- A few other things to keep in mind...Implementing these technologies will further distance you from the actual credit card numbers – which is a good thing for security and compliance – but it means is that having high-touch service and support is more important. Make sure your provider has support that is responsive, available 24x7x365, that can help you track down and immediately resolve problems. Second, take a look at the company’s network reliability and financial strength.And finally, in today’s payments landscape where security threats and payment methods are constantly evolving, I would encourage you to invest in solutions that offer multiple options and flexibility in terms of the devices, points of interaction (POI) and processors supported.