This document summarizes a live webinar about point-to-point encryption best practices and PCI compliance updates. The webinar covered current security threats to payment card data, industry responses like EMV and PCI P2PE requirements, and examples of point-to-point encryption solutions and their implementation best practices. It also discussed internal threats, botnet attacks, combating threats with PCI and EMV standards, misconceptions about EMV, PCI domains and requirements for P2PE, types of P2PE solutions, considerations for P2PE solutions, and Merchant Link's P2PE product.
3. Agenda
• Current Threats
• Industry Response
– PCI Council
– EMV
• Point-to-Point Encryption
– PCI P2PE-HW requirements
– Solution types
– Implementation best practices
• Q&A
4. Hackers’ Preferred Method
[Charts: leveraging malware/hacking to steal data in transit. Shares are shown by attack vector (malware, hacking) and by target (data in transit, stored data, hybrid, data redirection). Sources: The Verizon 2012 Data Breach Investigations Report; The Trustwave 2012 Global Security Report.]
5. Internal Threats
[Bar chart: Types of malicious attacks (The Ponemon 2011 Cost of a Data Breach Study). Viruses, Malware, Worms, Trojans: 50%; the remaining categories (Criminal Insider, Theft of Data-Bearing Devices, SQL Injection, Phishing, Web-Based Attacks, Social Engineering, Other) fall between 33% and 11%.]
Data-stealing malware
6. The Attack of the Bots
In this diagram we have a typical network. The
enterprise has two perimeter points of entry
connecting to the Internet.
7. The Attack of the Bots
In this diagram, the Red Icon represents the BOT
Master who will be controlling and receiving
information through infected systems within the
larger Internet macrostructure.
8. The Attack of the Bots
The BOT Master has established two command
and control centers (C&Cs) here for his "army" to
check into to receive instructions. The BOT Master
generally will interface to these C&Cs via open
tools such as IRC.
9. The Attack of the Bots
In this final picture, through various means (social,
malware, etc.), BOTs have infiltrated the perimeter
of an enterprise. These BOTs may appear totally
harmless, using standard ports to transmit data to
Command & Control Centers. Often, the only way
to find them is to search from the perimeter for
common destinations.
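The perimeter search the last slide describes, as an added example that is not part of the webinar: a Go sweep over constructed egress log lines that counts, per external destination, the internal hosts checking in with it on a steady rhythm, which is how a bot's regular C&C contact over a standard port stands out from ordinary browsing. The log format (epoch seconds, source, destination, port) is an assumption for the example.

```go
package main

import "fmt"
import "strings"

// Constructed egress firewall log for this example (not from the webinar), in
// time order: epoch seconds, internal source, external destination, dest port.
const sampleLog = `1700000000 10.1.1.5 203.0.113.7 443
1700000300 10.1.1.5 203.0.113.7 443
1700000305 10.1.2.9 203.0.113.7 443
1700000600 10.1.1.5 203.0.113.7 443
1700000605 10.1.2.9 203.0.113.7 443
1700000900 10.1.2.9 203.0.113.7 443
1700000950 10.1.3.4 198.51.100.2 80`
// regular reports whether time-ordered connection times form a steady check-in
// rhythm: at least three hits, with every gap within 10% of the first gap.
func regular(ts []int64) bool {
	if len(ts) < 3 {
		return false
	}
	base := ts[1] - ts[0]
	for i := 2; i < len(ts); i++ {
		if gap := ts[i] - ts[i-1]; gap < base*9/10 || gap > base*11/10 {
			return false
		}
	}
	return true
}

// Beaconing maps each external destination to the number of internal hosts that
// check in with it on a steady rhythm; two or more is a "common destination".
func Beaconing(log string) map[string]int {
	times := map[[2]string][]int64{} // {destination, source} -> hit times
	for _, line := range strings.Split(log, "\n") {
		var t int64
		var src, dst, port string
		if _, err := fmt.Sscan(line, &t, &src, &dst, &port); err != nil {
			continue // skip a malformed line rather than abort the sweep
		}
		k := [2]string{dst, src}
		times[k] = append(times[k], t)
	}
	count := map[string]int{}
	for k, ts := range times {
		if regular(ts) {
			count[k[0]]++
		}
	}
	return count
}
```

Run against real logs, the rhythm tolerance and the host threshold are the two knobs to tune; legitimate services such as update servers will also show up and need an allow-list.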
10. How to Combat the Threat?
• PCI Council Embraces P2PE
– Recent releases from the Council with recommendations and
requirements for implementing and providing P2PE solutions
– QSA Certification, Training, and Validated P2PE solution publishing
for solutions and providers
– Requirements for Hybrid (Hardware to Hardware/Software) P2PE
systems
• Card Associations Adopt EMV Standard
– Addressing the root of the problem by moving to a more secure
payment vehicle
– Extending the umbrella of security to authenticate the payment
card to the cardholder and adding a measure of track data security
to the POI
12. PCI Domains and Requirements for P2PE (validated and listed solution)
• DOMAIN 1: Encryption Device Management
– Assessed by: PTS Lab and Device Vendor (PTS / SRED approval); QSA (P2PE) and Integrator/Solution Provider
– 1. Device is current and on PTS list.
– 2. Device is managed appropriately from key injection to pre-use, including key management per Domain 6.
• DOMAIN 2: Application Security
– Assessed by: PA-QSA (P2PE) and Application Vendor; QSA (P2PE) and Solution Provider
– Application is current on P2PE list or assessed as part of this P2PE solution.
– 1. Application developed per device vendor guidance, etc.
– 2. Application is assessed as part of P2PE solution.
• DOMAIN 3: Encryption Environment
– Assessed by: QSA (P2PE) and Solution Provider; Merchant
– Merchant: 1. Follows solution provider PIM for device inventory, tamper-checking, physical security. 2. Annual SAQ if required.
– Solution provider: 1. Solution provider’s PIM is complete. 2. Device/solution provider manages remote access, logical access, etc.
• DOMAIN 4: Transmissions Between Encryption and Decryption Environments
– Assessed by: Merchant; QSA (P2PE) and Solution Provider
– N/A – Device manages segregation between encryption and decryption zones (per Domain 1).
• DOMAIN 5: Decryption Environment / Device Management
– Assessed by: QSA (P2PE) and Solution Provider
– 1. Secure device management 2. Devices monitored for anomalous behavior 3. HSM use 4. Key Management per Domain 6 5. PCI DSS compliance
• DOMAIN 6: P2PE Cryptographic Key Operations
– Assessed by: QSA (P2PE) and Solution Provider
– Domain 6 requirements for key operations are applicable anywhere that cryptographic keys are handled, including the encryption device environment.
14. For a merchant to qualify for PCI scope reduction for P2PE, the solution provider must be external to the enterprise.
15. On the PCI Horizon...
• The next version (v3.0) of the PCI Data
Security Standards (PCI DSS and PA-DSS)
will be released in October 2013
– No details yet
• Recent focus on more specialized education
for integrators, POS and device providers,
individuals/professionals... (beyond QSAs)
– P2PE Internal Security Assessor (ISA) program
– Qualified Integrators and Resellers (QIR) program
– Payment Card Industry Professional (PCIP) certification
16. Evaluate:
• Encryption
– industry-recognized standards and methods vs. proprietary
– The POI must be a PTS-certified hardware device
• Decryption
– hardware security modules (HSMs)
– how is key data transport handled?
• Devices, Applications
– The POI device must be SRED 2.x (or higher) enabled and active
– PA-DSS validated application
• Key Operations
– who holds the keys?
– who has access?
– key injection process?
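To make the Domain 1 / Domain 5 / Domain 6 split and the "who holds the keys?" questions above concrete, here is an added Go sketch (not Merchant Link's, PCI's or any vendor's code) of the key boundary in a hardware P2PE solution: the POI encrypts with an injected device key, the merchant forwards an opaque envelope it cannot read, and only the decryption environment holding the base key recovers the data. The HMAC-based derivation is an assumed, simplified stand-in for a DUKPT-style scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Envelope is all that crosses the merchant network: an opaque AES-GCM blob plus key-derivation metadata.
type Envelope struct {
	DeviceID    string
	Counter     uint32
	Nonce, Blob []byte
}

// derive: assumed simplified stand-in for DUKPT-style per-device/per-transaction key derivation, not any vendor's design.
func derive(key []byte, label string, counter uint32) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	binary.Write(m, binary.BigEndian, counter)
	return m.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

func gcm(key []byte) cipher.AEAD { // keys are always 32 bytes, so no error path
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func aad(id string, c uint32) []byte { // binds a blob to its device and counter
	return append([]byte(id), byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
}
// POIEncrypt runs inside the SRED device, which holds only its injected device
// key; the merchant POS that forwards the Envelope holds no key at all.
func POIEncrypt(deviceKey []byte, id string, counter uint32, track []byte) Envelope {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	blob := gcm(derive(deviceKey, "tx", counter)).Seal(nil, nonce, track, aad(id, counter))
	return Envelope{id, counter, nonce, blob}
}

// HSMDecrypt runs in the solution provider's decryption environment (Domain 5),
// the only place the base key exists; a tampered or re-labelled Envelope fails.
func HSMDecrypt(baseKey []byte, e Envelope) ([]byte, error) {
	deviceKey := derive(baseKey, e.DeviceID, 0) // what key injection gave the device
	txKey := derive(deviceKey, "tx", e.Counter)
	return gcm(txKey).Open(nil, e.Nonce, e.Blob, aad(e.DeviceID, e.Counter))
}
```

In a real solution the base key never leaves an HSM and key injection happens in a controlled facility (Domain 6); the point of the sketch is that nothing in the merchant zone can turn an Envelope back into track data.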
17. Consider:
• Service / Support
– Fast access to data and ability to troubleshoot?
– Responsive, redundant support centers, 24x7x365?
• Network Uptime and Throughput
– Redundant data centers?
– Transactions per second?
• Stability
– Financial strength of company? Number of years experience?
• Flexibility
– Encryption via various POI devices? Single vs. multi-use tokens? Processor choice? POS vendor/device choice?
18. TransactionShield®: Our P2PE Solution
• A flexible solution for the market today
– Ability to support many points of interaction
• card present, key-entered, e-commerce, virtual terminal
– Designed to integrate with most major encrypting devices
– Connectivity to all major processors
• No processor lock-in: ability to easily change acquirers without equipment changes, reprogramming or PIN re-injection
• Option to connect to multiple processors simultaneously (AMEX, private label, gift cards, etc.)
• Protects data as it travels through the merchant IT environment
– Encrypts cardholder data using industry-recognized standards and methods
– Utilizes cloud-based decryption
• C (QSA) validated
19. Conclusions
• Data in-transit is under attack.
– Hackers using a combination of techniques
• To protect data, merchants must also use a
combination of techniques (layers of security).
– EMV is a good layer, but it’s not the answer
• PCI has endorsed P2PE as an effective way to
enhance security and reduce PCI scope.
– Esp. hardware-based, third-party solutions
• Requirements and threats continue to expand
and change. Seek out a flexible, secure
solution that can meet your needs now and into
the future.
20. Contact us by email: sales@merchantlink.com
Engage: www.merchantlink.com/blog