NetMatrix TLE Terminal Line Encryption. SPVA certified, DUKPT, 3DES, DES, AES... (Alex Tan)
NetMATRIX (Multi-Application Transaction Routing and Identification eXchange) Terminal Line Encryption is the complete solution for banks wishing to introduce terminal line encryption into their existing POS network infrastructure.
1. Multi-box, high-performance, high-availability, load-balancing architecture
2. Multi-host links: Performs smart routing to multiple hosts
3. Multiple channels: dial-ups, lease lines, GPRS, broadband
4. End-to-end encryption (E2EE) featuring multiple encryption algorithms: TEA, DES, 3DES, AES
5. Upstream/Downstream encryption
6. Multiple MACing algorithms: X9.9, X9.19, SHA-1 + X9.9, SHA-1 + X9.19
7. Multiple key management schemes: Unique key per terminal, unique key per transaction
8. Supports different messaging formats (full message encryption, selected field encryption)
9. Local and remote secure key injection capabilities
10. Supports leading terminal brands and models
11. PCI compliance
With NetMATRIX TLE, we addressed network security and fraud threats with a plug-and-play solution that requires no host changes. In providing critical capabilities such as remote key injection and management, NetMATRIX also addresses other administration and deployment issues such as mixed terminal environments, phased deployments, and key changeovers.
Despite its holistic approach to security and encryption, it is also scalable and highly available to meet the demands of mission-critical, high-volume transaction processing environments, providing 3-in-1 functionality: a combination of Switching NAC, Concentrator NAC and TLE.
This presentation is about SET: how it was launched, the problems it faced after launch, and what came after it as a solution to those problems, as identified by security experts.
Security, Availability and Integrity are top concerns around DNS. Infoblox Secure DNS
* provides a secure platform to host DNS services
* provides resilient DNS services even under attack (such as DNS DDoS and exploits)
* prevents data theft by malware/APT that uses DNS
* maintains DNS integrity that can otherwise be compromised by DNS hijacking
PCI PIN Security Requirements provide guidelines on protecting PINs during offline and online transactions in ATMs and POS terminals. This standard has serious overlaps with PCI DSS, POS management and HSM utilization in a secure card environment.
Abusing Microsoft Kerberos - Sorry you guys don't get it (Benjamin Delpy)
Talk by Skip Duckwall and me at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* features, like overpass-the-hash and the Golden Ticket
Hardware Security Modules (HSMs) are widely used for cryptographic key management in many areas such as PKI, card payment, trusted platform modules, etc. However, they are rarely used in in-house software development.
This presentation will explain why we need key management and its fundamentals, give an overview of HSMs and how they take part in key management, cover HSM selection criteria, and finally present an idea for a web service wrapper that is easier to adopt by developers who lack knowledge of cryptographic programming.
After an overview presentation, we will demonstrate live how HPE's multi-vendor Intelligent Management Center (IMC) software can be used to manage day-to-day operations for the datacenter. Introduction to HPE IMC focused on management for data center switching. Topics include REST API, virtualization integration and data center fabric management.
In this presentation, ControlCase discusses the following:
- About the cloud
- About PCI DSS
- PCI DSS in the cloud
- How to keep sensitive data secure as you move to the cloud
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001 (ControlCase)
- What is Log Management and FIM?
- PCI DSS, EI3PA, ISO 27001 requirements
- Log Management and regulation requirements/ mapping
- File Integrity Monitoring and regulation requirements/ mapping
- Challenges
Protecting your business transactions from fraud is of paramount importance to your company's financial success. EMV and Point-to-Point Encryption (P2PE) are the keys to combating fraud in card-present/face-to-face transactions. Element's session provides a comprehensive overview of EMV chip technology, why you need both EMV and P2PE, and how Element's innovative triPOS technology delivers an all-in-one solution to help you face the retailer liability shift.
Point to Point Encryption (P2PE) and Your Bottom Line (Creditcall)
CreditCall CTO Jeremy Gumbley explains at the International Parking Institute Conference & Expo (IPI) in Fort Lauderdale, May 2013, how the scope of PCI DSS and PA-DSS for merchants and parking equipment manufacturers can be reduced through Point-to-Point Encryption.
Point-to-point encryption technology evolved in response to the emergence of new types of credit card fraud. Although SSL protection is always there at the communication level, point-to-point encryption provides an additional protection layer for cardholder data. Find more information at #UniPayGateway unipaygateway.com
Vormetric Data Security: Complying with PCI DSS Encryption Rules (Vormetric Inc)
Download the whitepaper 'Vormetric Data Security: Complying with PCI DSS Encryption Rules' from http://www.vormetric.com/pci82
This whitepaper outlines how Vormetric addresses PCI DSS compliance; it addresses Vormetric's position relative to the Payment Card Industry Security Standards Council's (PCI SSC) guidance on point-to-point encryption solutions. The whitepaper also features case studies of PCI DSS regulated companies leveraging Vormetric for PCI DSS compliance and maps PCI DSS requirements to Vormetric Data Security capabilities.
Vormetric Data Security helps organizations meet PCI DSS compliance demands with a transparent data security approach for diverse IT environments that requires minimal administrative support and helps companies to meet diverse data protection needs through an easy to manage solution.
- Requirements for PCI DSS, EI3PA, HIPAA, Business Associates, FFIEC and Banking Service Providers
- What is Vendor Management
- Why is Continual Compliance a challenge in Vendor Management
- How to mix technology and manual processes for effective Vendor Management
ControlCase has an agentless Data Discovery tool, which allows you to scan for different types of data, produces scalable results and eliminates false positives.
Making PCI V3.0 Business as Usual (BAU) (ControlCase)
ControlCase GRC (CC-GRC) is a flexible platform that provides an integrated solution to managing all aspects related to Governance, Risk Management and Compliance Management in any sized organization. The platform consists of several integrated modules that enable various aspects of GRC management such as Compliance Management, Vendor Management, Audit Management, Policy Management, Asset Management and Vulnerability Management.
CC-GRC allows organizations to implement one or all modules at their own pace.
PCI version 3.0 mandates organizations to make compliance a business as usual activity instead of an annual audit. Contact ControlCase for more information on our GRC Platform which automates evidence collection and provides a configurable audit trail to track all record modifications and remediation workflows.
ControlCase discusses the following:
- What is Data Discovery
- Why Data Discovery
- PCI DSS requirements
- Need for Data Discovery in the context of PCI DSS
- Challenges in the Data Discovery space
ControlCase Data Discovery (CDD) addresses the risk of having encrypted, unknown, or otherwise prohibited cardholder data in your operational environment. It is one of the first comprehensive scanners to not only search for credit card data in file systems, but also in leading commercial and open source databases.
AGENDA:
- About PCI DSS, ISO 27001, NERC, HIPAA, FISMA and EI3PA
- Best Practices and Cloud Implications for Integrated Compliance within IT Standards/Regulations
- Challenges in the Integrated Compliance Space
- Q&A
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA... (Denim Group)
There are a number of reasons to use source code to assist in web application penetration testing, such as making better use of penetration testers' time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections of code so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.
This presentation covers the “ABCs” of source code assisted web application penetration testing: covering issues of attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.
Provides an introduction to the Futurex SKI9000 Secure Key Injection solution as well as an overview of DUKPT, the most widely used type of key in retail point of sale devices. this s
In this 45 minute webinar ControlCase will discuss the following in the context of PCI DSS and PA DSS
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A
As of January 2015, organizations are now required to comply with PCI DSS AND PA DSS Version 3.0.
Contact us at contact@controlcase.com for information on how we can help you achieve and maintain compliance with the new standard.
Point-to-Point Encryption: Best Practices and PCI Compliance Update (Merchant Link)
Point-to-point encryption (P2PE) is gaining momentum as one of the most effective ways to secure payment data as it moves through and from the merchant environment. Recently, the technology got the official nod from the PCI Council with the release of their final requirements to safely deploy P2PE solutions.
In this webinar, recorded on 9-26-12, attendees were able to:
* Find out what was discussed at the PCI Community Meeting and where the Council is headed as it relates to P2PE and PCI compliance
* Learn best practices for P2PE implementation and encryption key management
* Identify different types of P2PE solutions and evaluate which one is right for you
* Understand how the upcoming move to EMV will impact and integrate with P2PE
The HPE SecureData Payments solution is intended to increase the security of card-present payments without impacting the buyer experience. Solutions based on HPE SecureData Payments reduce merchant risk of losing credit card data and potentially reduce the number of PCI DSS controls applicable to the retail payment environment substantially.
HPE SecureData Payments implements encryption of sensitive credit card data in point-of-interaction (POI) devices' firmware, immediately on swipe, insertion, tap, or manual entry. Sensitive card information can only be decrypted by the solution provider, typically a payment service. Even a compromise of the point-of-sale (POS) system does not expose customers' sensitive data.
Merchants can also realize a reduction in DSS compliance scope by implementing their own HPE SecureData Payments solution.
AUDIENCE
This assessment white paper has three target audiences:
1. Merchants using HPE SecureData Payments to create proprietary encryption solutions for card-present payments
2. Service providers, like processors, and payment services that are developing card-present encryption services that utilize HPE SecureData Payments
3. The QSA and internal audit community that is evaluating solutions in both merchant and service provider environments using the HPE SecureData Payments solution
ASSESSMENT SCOPE
HPE contracted with Coalfire to provide an independent compliance impact review of the HPE SecureData Payments solution. The intent of this assessment was to analyze the impact on the PCI DSS scope of applicable controls for merchants that implement an HPE SecureData Payments solution for their card-present sales.
While data breaches are not exactly news, since the Target breach of 2014 they have gone from being something that was little considered outside a fairly rarified group of people to something that quickly became top of mind for consumers, merchants and card issuers everywhere.
ControlCase covers the following based on PCI SSC FAQs, blogs, and PCI SSC presentations from Community Meetings and other PCI SSC public events:
• Current status of PCI DSS (including information publicly available on PCI DSS ver. 4.0)
• PA DSS and upcoming Software Security Framework overview
• P2PE updates and new concepts
• PCI PIN, PCI 3DS and Card Production overview
• Chronological time-frame for various standards
Mobile acceptance and guidance for merchants, service providers and end users. Securing account data in mobile acceptance is very important.
Mobile payment acceptance security risks are inherent to the application and underlying infrastructure, and are increased by removable components like SIM and memory cards. Vendor and manufacturer debugging and logging configuration can add to them. Not all mobile applications can be PA DSS validated (only category 1 and 2 can go for PA DSS listing).
“Understanding PCI DSS and PA DSS is crucial to the role of a penetration tester. Quoting the relevant PCI-DSS or PA-DSS control reference for your findings would help demonstrate the proper risk arising from common security findings such as support of older SSL versions, weak encryption when storing cardholder data, lack of proper logs from the application, and of course the entire gamut of web application security bugs”.
Data protection on premises, and in public and private clouds (Ulf Mattsson)
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced identity and data protection solutions has become even more critical.
Learn how Identity and Data Protection solutions for enterprise security let organizations take a data-centric approach to their security posture.
Learn about the new trends in Data Masking, Tokenization and Encryption.
Learn about the guidance and standards from FFIEC, PCI DSS, ISO and NIST.
Learn about the new API Economy and eCommerce trends and how to control sensitive data — both on-premises, and in public and private clouds.
This session is for worldwide directors and managers in financial services, healthcare, energy, government and more.
Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking. However, with the right approach it can be substantially less burdensome. In this webcast, we will provide background and recommendations to help you make the best possible decisions regarding PCI for your PaaS-based application. If you currently accept, or are contemplating accepting a payment card on your web application, this webcast is for you.
In this presentation you will learn about:
- An overview of PCI
- How to scope your environment for PCI compliance
- Ways to make compliance more manageable, and
- Things to consider when approaching PCI compliance on a PaaS provider.
To view the full webcast on-demand: http://pages.engineyard.com/an-introduction-to-pci-compliance-on-a-paas.html
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate... (apidays)
apidays LIVE Hong Kong 2021 - API Ecosystem & Data Interchange
August 25 & 26, 2021
Digital Identity Centric Approach to Accelerate HKMA OpenAPI Phase3/4 Compliance
Ajay Biyani, Regional Vice President, ASEAN at ForgeRock
Introduction to Token Service Provider (TSP) Certification (Kimberly Simon MBA)
ControlCase will cover the following:
• Description of "Token Service Provider" (TSP)
• Eligibility and steps to become a TSP
• Scope and implementation
• Review of TSP Standard.
What problems exist between IT Security and Cyber Insurance?
Correlation between Cyber Maturity and Cyber Insurance
Why is this urgent?
What can you do today to reduce risk?
2022 Webinar - ISO 27001 Certification.pdf (ControlCase)
ControlCase Introduction
What is ISO 27001?
What is ISO 27002?
What is ISO 27701, ISO 27017, & ISO 27018?
What is an ISMS?
What is ISO 27001 Certification?
Who Needs ISO 27001?
What is Covered in ISO 27001?
How Many Controls in ISO 27001?
What is the ISO 27001 Certification Process?
How Often Do You Need ISO 27001 Certification?
What are the Challenges to ISO 27001 Compliance?
Why ControlCase?
Hosted by ControlCase and the PCI Security Standards Council, this 45-minute webinar will cover:
History of PCI DSS (including current version 3.2)
PCI DSS v4.0 High-Level Changes
PCI DSS v4.0 Timeline
Deep Dive into notable changes:
Promote Security as a Continuous Process
Increased Flexibility and Customized Approach
Increased Alignment between PCI ROC and PCI SAQ
Keep up with the security needs of the Payment Industry and landscape (such as MFA/phishing, etc.)
ControlCase Methodology for v4.0
Q&A
In this deck ControlCase will discuss the following:
What is CMMC 2.0?
Who does CMMC 2.0 apply to?
What is the accreditation body (CMMC-AB)?
What is a CMMC Third Party Organization (C3PAO)?
What does CMMC mean for Cybersecurity?
What are the CMMC certification levels?
How often is CMMC needed?
CMMC and NIST
What is the CMMC Assessment process?
ControlCase CSO, Kishor Vaswani, and HITRUST VP of Adoption, Mike Parisi take a deep dive into HITRUST.
This webinar covers the basics of HITRUST and introduces the new updates including; HITRUST Basic Assessment, HITRUST i1 Validated Assessment and HITRUST R2 Validated Assessment.
The webinar agenda includes the following:
- What is HITRUST
- What is HITRUST CSF?
- What are the HITRUST Implementation levels?
- What are the HITRUST Domains?
- What is a HITRUST Report?
- What is the HITRUST bC Assessment
- What is the HITRUST I1 Assessment?
- What is the HITRUST r2 Assessment?
- What can go wrong with a HITRUST Assessment?
- ControlCase methodology for HITRUST Compliance
ControlCase covers the following:
- What is CMMC?
- Who does CMMC apply to?
- What is the accreditation body (CMMC-AB)?
- What is a CMMC Third Party Organization (C3PAO)?
- What does CMMC mean for Cybersecurity?
- What are the CMMC certification levels?
- How often is CMMC needed?
- CMMC and NIST
- What is the CMMC Assessment process?
Click Here to visit the FedRAMP blog - https://www.controlcase.com/what-is-fedramp/?utm_source=webinar&utm_campaign=webinar
Click Here for FedRAMP Compliance Checklist - https://www.controlcase.com/fedramp-checklist-lp/?utm_source=webinar&utm_campaign=webinar
ControlCase covers the following:
- What is FedRAMP?
- What is FedRAMP Marketplace?
- Who does FedRAMP apply to?
- How hard is it to get FedRAMP certified?
- How long does the FedRAMP process take?
- How to get FedRAMP certified?
- ControlCase methodology for FedRAMP compliance
ControlCase covers the following:
- What does SOC stand for?
- What is SOC 2 compliance?
- What is SOC 2 certification?
- What is a SOC 2 report?
- Who can perform a SOC 2 audit?
- How do managed service providers comply with SOC 2?
- How to lower cost of SOC 2 audit?
- ControlCase methodology for SOC 2 compliance
ControlCase covers the following:
•What is PCI DSS?
•What does PCI DSS stand for?
•What is the purpose of PCI DSS?
•Who does PCI DSS apply to?
•What are the 12 requirements of PCI DSS?
•What are the 6 Principles of PCI DSS?
•What are the potential liabilities for not complying with PCI DSS?
•How can we achieve compliance in a cost effective manner?
OneAudit™ - Assess Once, Certify to Many (ControlCase)
ControlCase covers the following:
•About PCI DSS, ISO 27001, NERC, HIPAA, and FISMA
•Best Practices and Cloud Implications for Comprehensive Compliance within IT Standards/Regulations
•Challenges in the Comprehensive Compliance Space
7. Industry groups represented by percent of breaches
[Chart: industry groups by percent of breaches. Source: 2012 Data Breach Investigations Report by Verizon]
8. Top 10 Threat Action Types by number of breaches and records
[Chart: top 10 threat action types by number of breaches and records. Source: 2012 Data Breach Investigations Report by Verizon]
9. Where should mitigation efforts be focused?
[Chart. Source: 2012 Data Breach Investigations Report by Verizon]
10. Addition of a member to the PCI family
- PCI PTS (PIN Entry Devices): PIN entry device manufacturers
- PCI PA-DSS (Payment Application): payment application software developers and vendors
- PCI P2PE standard (new member): acquirers, payment gateways, software developers, KIFs
- PCI DSS (Data Security Standard): merchants and processors
11. What is PCI P2PE?
It is either a solution or an application.
P2PE Solution: A point-to-point encryption solution consists of point-to-point encryption and decryption environments, the configuration and design thereof, and the P2PE Components that are incorporated into, a part of, or interact with such environments.
P2PE Application: A software application that is included in a P2PE Solution and assessed per P2PE Domain 2 Requirements, and is intended for use on a PCI-approved point-of-interaction (POI) device or otherwise by a merchant.
P2PE Components: Any application or device that stores, processes, or transmits account data as part of payment authorization or settlement, or that performs cryptographic key management functions, and is incorporated into or a part of any P2PE Solution.
12. P2PE Concept
[Diagram: POI -> encrypted at POI -> HSM at P2PE Solution Provider -> Acquirer / PG]
The POI encrypts data immediately after reading it; the data stays encrypted in transit and is decrypted only by the HSM at the P2PE Solution Provider before being passed to the acquirer / payment gateway.
13. P2PE Concept cont.
[Diagram: the same flow, annotated with the device requirements below]
POI: PTS devices with SRED (secure reading and exchange of data) listed as a "function provided".
HSM: FIPS 140-2 Level 3 (or higher) certified, or PCI-approved.
14. Benefits
Stakeholders in the payments value chain benefit from these requirements in a variety of ways, including but not limited to the following:
- Customers may choose to implement Validated P2PE Solutions in order to reduce the scope of their PCI DSS assessments.
- Listed P2PE Solutions have been validated as compliant with the P2PE Standard by P2PE Assessors.
- Recognized by all Participating Payment Brands.
15. Characteristics for Merchants Eligible for Reduced Scope for PCI DSS via P2PE Solutions
- Use a validated P2PE solution.
- Never store, process, or transmit clear-text account data within their P2PE environment outside of a PCI-approved POI device.
- Physical environment controls for POI terminals, third-party agreements, and relevant merchant policies and procedures are in place.
- Followed the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
- Adequately segmented (isolated) the P2PE environment from any non-P2PE payment channels, or confirmed that no other channels exist.
- Removed or isolated any legacy cardholder data, or systems that stored, processed, or transmitted cardholder data, from the P2PE environment.
16. P2PE – Key Points
- It is OPTIONAL.
- P2PE scenarios (e.g. hardware-hardware).
- Requires the use of SCDs for encryption and decryption of account data and management of cryptographic keys.
- POI devices must be PCI SSC approved PTS devices with SRED (secure reading and exchange of data) listed as a "function provided."
- HSMs must be either FIPS 140-2 Level 3 (or higher) certified or PCI-approved (listed on the PCI SSC website, with a valid SSC listing number, as Approved PCI PTS Devices under the approval class "HSM").
- Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements.
17. Relationship between P2PE and other PCI standards (PCI DSS, PA-DSS, PTS, and PIN)
- POI devices must meet PIN Transaction Security (PTS) requirements validation.
- Cryptographic-key operations for both encryption and decryption environments use key-management practices derived from the PTS PIN Security Standard.
- Applications on POI devices meet requirements derived from the Payment Application Data Security Standard (PA-DSS).
- The decryption environment is PCI DSS compliant.
- The P2PE standard does not supersede or replace any requirements in the PCI PIN Security Requirements.
18. PA-DSS Applicability to P2PE
- Applications used within P2PE Solutions may or may not be eligible for PA-DSS validation.
- Both are distinct PCI SSC standards with different requirements.
- Validation against one of these standards does not guarantee or provide automatic validation against the other standard.
19. P2PE Domains
- Domain 1, Encryption Device Management: use approved devices and protect devices from tampering.
- Domain 2, Application Security: secure applications in the P2PE environment.
- Domain 3, Encryption Environment: secure environments where POI devices are present.
- Domain 4, Transmission between Encryption and Decryption Environments: secure operations between encryption and decryption environments.
- Domain 5, Decryption Environment and Device Management: secure decryption environments and decryption devices.
- Domain 6, P2PE Cryptographic Key Operations: use strong cryptographic keys and secure key-management functions.
20. Domain 1
Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices
Domain 1: Encryption Device Management. Use secure encryption devices and protect devices from tampering.
Characteristics:
- POI is a PCI-approved POI device.
- POI device managed by solution provider.
- Hardware encryption performed by device.
P2PE validation requirements:
- 1A Build PCI-approved POI devices.
- 1B Securely manage equipment used to encrypt account data.
P2PE validation responsibility: P2PE Solution Provider
21. Domain 2
Domain 2: Application Security. Secure applications in the P2PE environment.
Characteristics:
- Application on a PCI-approved POI device.
- All applications are assessed as part of the validated P2PE solution.
P2PE validation requirements:
- 2A Protect PAN and SAD.
- 2B Develop and maintain secure applications.
- 2C Implement secure application management processes.
P2PE validation responsibility: Application Vendor; P2PE Solution Provider
22. Domain 3
Domain 3: Encryption Environment. Secure applications in the P2PE environment.
Characteristics:
- No storage of CHD after transaction processes are complete.
- Within the segmented P2PE environment, no CHD stored, processed, or transmitted through channels or methods external from an approved SCD.
- All device-administration and cryptographic operations are managed by solution provider.
- The P2PE Instruction Manual (PIM) for merchants, with instructions on how to implement and
P2PE validation requirements:
- 3A Secure POI devices throughout the device lifecycle.
- 3B Implement secure device management processes.
- 3C Maintain P2PE Instruction Manual for merchants.
P2PE validation responsibility: P2PE Solution Provider
23. Domain 4
Domain 4: Segmentation between Encryption and Decryption Environments. Segregate duties and functions between encryption and decryption environments.
Characteristics:
- All decryption operations managed by solution provider.
- Merchant has no access to the encryption environment (within POI device) or decryption environment.
- Merchant has no involvement in encryption or decryption operations.
P2PE validation requirements and responsibility: Domain 4 has no applicable requirements for this hardware/hardware scenario.
24. Domain 5
Domain 5: Decryption Environment and Device Management. Secure decryption environments and decryption devices.
Characteristics:
- Decryption environment implemented at and managed by solution provider.
- Merchant has no access to the decryption environment.
- Decryption environment must be PCI DSS compliant.
P2PE validation requirements:
- 5A Use approved decryption devices.
- 5B Secure all decryption systems and devices.
- 5C Implement secure device management processes.
- 5D Maintain secure decryption environment.
P2PE validation responsibility: P2PE Solution Provider
25. Domain 6
Domain 6: P2PE Cryptographic Key Operations. Use strong cryptographic keys and secure key-management functions.
Characteristics:
- All key-management functions implemented and managed by solution provider.
- Merchant has no involvement in key management operations.
P2PE validation requirements:
- 6A Use secure encryption methodologies.
- 6B Use secure key generation methodologies.
- 6C Distribute cryptographic keys in a secure manner.
- 6D Load cryptographic keys in a secure manner.
- 6E Ensure secure usage of cryptographic keys.
- 6F Ensure secure administration of cryptographic keys.
P2PE validation responsibility: P2PE Solution Provider
26. At a Glance – Illustration of a typical P2PE Implementation and Associated Requirements
[Diagram]
27. Developing and Validating a P2PE Solution
[Diagram]
Note: Domain 4 is greyed out in the diagram as there are no applicable requirements in this Domain for the current phase of P2PE.
28. Overview of P2PE Solution Validation Processes
1. The P2PE Solution Provider selects a P2PE Assessor.
2. The P2PE Solution Provider then provides the P2PE Assessor with access to the P2PE Solution.
3. The P2PE Assessor determines the scope and assesses key-injection facilities, Certification Authorities and others, devices, and applications.
4. Preparation of the P-ROV and Application P-ROV (if applicable) and submission to PCI SSC for review.
5. Review of the P-ROV and Application P-ROV (if applicable) by PCI SSC.
29. How to Prepare for P2PE Assessment
Prepare the following:
1. Be ready with approved POI devices and HSM
2. List of applications used
3. Detailed cryptographic key matrix
4. P2PE Instruction Manual
5. Implementation Guides for applications assessed against Domain 2
6. Key-management procedures
7. Change control documentation
30. Revalidation of P2PE
- Yearly interim assessment (health check)
- Full re-assessment after 2 years
31. ControlCase P2PE offerings
- Guidance on designing P2PE Solutions
- Review of P2PE Solution design
- Guidance on preparing the P2PE Instruction Manual
- Pre-assessment ("gap" analysis) services
- Guidance for bringing the P2PE Solution into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment
- Certifying P2PE solutions and applications