Handling of card data in conformance with PCI DSS
|
|
- Noreen Collins
- 8 years ago
- Views:
Transcription
1 Handling of card data in conformance with PCI DSS Version 2 June 2010 Objective MasterCard, Visa, American Express, Diners and JCB have together created the framework PCI DSS (Payment Card Industry Data Security Standard). The purpose of PCI DSS is to ensure that card data is handled in a proper way. The PCI DSS framework stipulates among other things, that all companies' handling card data must be annually audited. For larger companies this is a relatively burdensome and costly process. One way to reduce this cost is to reduce the number of systems that handle card data. This document describes a number of technical solutions to protect card data. These can be applied to a large number of systems that currently use card data for purposes other than payment, such as loyalty schemes and check-in/check-out. Important This document is not intended to be a specification; it is intended to display a number of possible solutions for: Minimize the work to achieve PCI certification Increasing the protection of card data when used for other purposes than payment The PCI Security Standards Council (PCI SSC) has not yet specified the requirements for encrypted card data and its impact on the PCI requirements, therefore, this document is only a best guess based on Visa's best practice for the encrypted card data ref [vbestpr]. Page 1 of 19
2 Version History Date Version Change By: New Document Martin Svenns Updated key structure based on Martin Svenns information from the terminal supplier Added handling of fuel Martin Svenns transactions as well as Clearing & Settlement Updated Local Encrypt Card Data Martin Svenns Contents 1 REFERENCES LIMIT THE SCOPE OF PCI TYPES OF CARD DATA CARDHOLDER DATA SENSITIVE AUTHENTICATION DATA THE ENCRYPTION OF CARD DATA FOR CLEARING AND SETTLEMENT MANAGEMENT OF CARD DATA IN PETROL PUMPS ENCRYPTION OF CARD DATA FOR PURPOSES OTHER THAN AUTHORISATION AND CLEARING KEY MANAGEMENT OF KEYS FOR ENCRYPTION OF CARD DATA TRANSFORMING CARD DATA INTO CARD NUMBER ALIASES CONLON CARD TOKENISATION ALGORITHM Schematic description of the Conlon Card Tokenisation Algoritm DISTRIBUTION OF KEYS FOR THE PROTECTION OF CARD DATA, (NOT PAYMENT) DISTRIBUTION TO TERMINALS DISTRIBUTION OF KEYS TO OTHER SYSTEMS LOAD GSALT LOAD UENC4CRD LOAD GENC4CRD LOCAL ENCRYPT CARD DATA RE-ENCRYPT CARD DATA FOR AUTHORISATION ENCRYPT CARD DATA GENERATE CARD NUMBER ALIAS Page 2 of 19
3 1 References [EFTPOS] [PPL] [PCI] ref [vbestpr] ref [salt] ref [sha-256] ref[bitmap] BCA Security Requirements for an EFTPOS Terminal Babs and CEKAB Program and Parameter Loading https: / / (cryptography) 2 Limit the scope of PCI Each computer that stores or processes card data will be subject to PCI DSS. The PCI DSS regulation requires that the sales company undergoes a comprehensive certification process every year. The aim of the PCI DSS certification process is to ensure that the card data is handled in a safe manner. The cost for PCI certification for a sales company can be very high, if card data is handled in many systems. One way to reduce the cost of this is to minimize the scope of PCI DSS certification by minimizing the number of systems and computers that contain or handle card data. This paper tries to describe a number of methods for removing the clear text handling of card data. For more information about PCI see ref [PCI]. 3 Types of card data PCI DSS regulations have defined two types of card data Cardholder Data Sensitive Authentication Data 3.1 Cardholder Data The following card data is defined as Cardholder Data: PAN (card number) Name of cardholder Expiry date Service Code All systems that handle Cardholder Data are subject to PCI regulations regardless of the system's task. PCI DSS certification will cover the entire system and all systems connected to it. Page 3 of 19
4 If any system on a computer handles Cardholder Data, then all systems that runs on the computer are subject to the PCI certification, regardless of whether they handle cardholder data or not. At present, there are two methods for converting Cardholder Data to something else and thus ensuring that the regulations' effect on the system is minimized. Encryption of card data Conversion of the card data to a card number alias, also called tokens or CNA (Card Number Alias). Proposals for solving this are described later in this document. 3.2 Sensitive Authentication Data The following card data is defined by PCI SSC as Sensitive Authentication Data: Full magnetic stripe Encrypted PIN-block CVV (card verification value) Sensitive Authentication Data must never be stored in any form and should not be used in any system for any purpose other than payments. 4 The encryption of card data for clearing and settlement Swedbank has updated the clearing interface to accept encrypted card data for clearing and settlement, see ref [bitmap] for technical info, this to enhance security and minimize the scope of PCI. To ensure that no one modifies the sensitive data in the clearing transaction and minimize the possibility of sabotage a digital signature is also included in the encrypted field. Note that the encryption operation must be conducted in a secure unit, to protect the cryptographic key. The field is structured as follows: Stripe 2 through and including the Service code Signed Amount Check Sum Encrypt ( ) Page 4 of 19
5 If the final amount of the purchase is known at the moment of authorization it must be entered as the signed amount. If the final amount is not known when the item is created the field must be set to 0. For more information on how encryption is implemented see ref [bitmap]. The checksum field is created as follows: ( Check sum (SHA-1) (SHA-1) ) Stripe 2 including Service code (Not CVV) Babs no. Amount Currency Code New terminals that use single message transaction must send this field in the authorisation transaction, so that the party who creates the clearing file can minimize the handling of card data in clear text. New integrated terminals that use separate messge for authorisation and settlement (dual message) can choose to: Send the field with the encrypted card data for clearing in the authorisation message Transfer data in the cash register integration protocol Both of the above options. If the clearing token is sent in the authorisation message, the clearing message can be created in more ways than if it takes place in the cash register integration protocol. If the authorisation transaction is re-encrypted (i.e. zone changed to HISO) before it is sent to SCS the clearing data must also be reencrypted in the same manner as the authorisation. 5 Management of card data in petrol pumps In most solutions for automated fuel dispensers a refuelling is performed in accordance with the following scenario; the customer puts the card into the payment terminal and performs an authorization. When the authorization is completed the customer takes out the card from the terminal and refuels the vehicle. After the refuelling is performed the right amount for the purchase is communicated to the card issuer. The messages between the payment terminal and the host system are: 1. An authorisation message for a fixed amount is sent before the customer starts to refuel. Page 5 of 19
6 2. An advice message that informs of the actual amount for the purchase is sent to the card issuer. This message is sent after the refuelling is completed and the card is no longer present in the reader. Both messages must contain encrypted card data, and a MAC (Message Authentication Code). Encryption and calculation of the MAC is carried out with a unique sequential key for each transaction. In order to meet safety requirements a key that has been used previously may not be reused in a subsequent transaction, i.e. there must be an ascending sequence. To keep the cost of technical equipment down, petrol companies often have several pumps connected to one payment terminal. This means that there may be several transactions where the authorisation message is sent but not the advice message. Therefore the MAC for advice messages cannot be calculated using the same key that the card data was encrypted with in the authorisation message. In order to manage this safely SCS proposes the following solution. 1. The customer puts the card into the terminal 2. The authorisation message is created 3. The card number is encrypted using a session key derived from UNC4CRD The session ID and encrypted card data is stored in the open area of the terminal or in the ECR. 4. When fuelling is completed and the purchase amount known, the following should be performed: 5. The encrypted card data is sent into the secure unit together with the amount purchased and clearing data and is identified with the session ID. This is used internally in the secure unit to re-encrypt the card data for the advice and clearing messages. The above procedure is in full compliance with PCI as card data is not stored in clear text and can not be re-created in clear text in the terminal. UENC4CRD will be distributed to the terminal via the IKFS file instead of being generated locally. To: Minimize requirements on the terminal, if it must be generated locally then the random number generator in the secure unit must be certified for key generation. If a safe unit fails, the encryption key can be reproduced centrally and the data decrypted. One unique key per transaction is used to ensure that an exhaustive search cannot Page 6 of 19
7 be done. The terminal/cash register must delete the locally encrypted card data when it is no longer needed. 6 Encryption of card data for purposes other than authorisation and clearing If a central system, for example a loyalty scheme, absolutely must deal with card data in clear text, the extent of PCI certification still can be limited to the terminal and the central system if the card data is encrypted in the secure unit of terminal and only the central system has the ability to decrypt the data for further processing. Note that card number alias is a safer and better model than encrypted card data if the system can be adapted to it. For intermediate systems that only handle encrypted card data, the scope of PCI certification may be limited, as the encrypted card data is not considered to be as sensitive as clear text data. If the central system handles card data in clear text, the system is subject to PCI DSS certification regardless of the input format. For the encrypted card data not to be considered sensitive from a PCI perspective the following rules must be fulfilled: Card data in clear text must not be available at any stage other than at the end points where it is encrypted/decrypted. All key management must be under the control of the acquirer Encryption must be carried out with a key whose sole purpose is to protect card data All storage and use of the cryptographic keys must be take place in a TRSM (PED or HSM). Encryption must be carried out with the DES algorithm, to be compatible with Swedbank's key distribution. If another approved algorithm is selected, the cost of adjusting the key system increases and the risk that the project is delayed increases. This model for protecting card data complies with VISA as best practice, which is today the only document regarding how card data must be securely handled, see ref[vbestpr]. Page 7 of 19
8 6.1 Key management of keys for encryption of card data PCI DSS requires that the keys that protect storage of card data are replaced annually. To avoid having to replace the key in the terminal annually, the encrypted block from the terminal must not be stored in a central system. If the central system needs to store the data in encrypted form the data shall be encrypted with a key dedicated for storage in the central system. The key used for protection of transport between the terminal and the central loyalty system may be the same for all terminals at the same sales company. The ideal solution utilises unique keys for every terminal but this is quite demanding and is not expected at present. 7 Transforming card data into card number alias Systems that need to connect a card number to an individual cardholder or an event For outer purposes than payment may choose to work with card number aliases instead of card number. Card number alias will probably become very popular and already has several names: CNA, short for Card Number Alias Token. Hashed card data The transformation of card data to a card number alias is performed by cryptography. The calculation will always generate the same CNA for the same card if the same crypto graphical key is used. The algorithm is a one way function so there will be no possibility to translate from a CNA to a card number. The algorithm used to generate a card number alias uses a DES key in to create a unique salt value. Thereafter a hash value is calculated over the salt value concatenated with the card number, the result from this operation is the card number alias. The key for this must be unique to every sales company/store chain, which means that the card number alias will be unique to each chain of stores. See ref [salt] for more information. One sale company may use more than one key. The salt value is used to make it impossible to conduct Brute Force attacks by compiling a database of all card number aliases. If the card number alias is used instead of the card number, both in the shop and in the central system then prerequisites exist for simplification of PCI certification of these systems. Card data converted to a card number alias with the algorithms below has the Page 8 of 19
9 prerequisites to not be deemed sensitive card data at a PCI audit. 7.1 Conlon Card Tokenisation Algorithm An algorithm that meets the above requirements is the Conlon Card Tokenisation algorithm. It has several advantages for Swedish solutions as only one extra DES key is distributed to the terminal. Mechanisms for distributing DES keys to the terminals and other systems exist today and can be reused. The Conlon Card Tokenisation algorithm requires: 1. That the DES key GSALT01 must be distributed to the terminal. The Conlon Card Tokenisation algorithm is as follows: 1. An 8-byte long MAC is calculated according to ISO over the card number with the key GSALT01 IV= Padding of card numbers in accordance with ISO , (Padding with zeros at even multiples of 8 bytes. If the card number is an even multiple of 8 bytes, no padding should be carried out). 2. The eight bytes long MAC value and the card number are merged in the following order: MAC, card data. 3. A hash value is calculated with the algorithm SHA-256 over the merged data byte KCV for 2 GSALT01 and the hash value are merged in the following order KCV, hash data. 5. The combined value is exported. Requirements: The entire operation must be carried out as an atomic function in a secure unit. If the secure device is a PED it must be approved in accordance with PCI PED If the secure unit is an HSM it must be approved in accordance PCI HSM More information about this approval see ref [pci]. 1) Note that ISO9797 requires that all the 8-bytes of the MAC calculated are not published. Here an exception is made to ensure that the salt value is not so short that 'brute force' attacks can be easily implemented. As the salt value is hashed together with the card data before it is published, this also poses no security risk. 2) Note that there is some probability that two keys may have the same KCV. When a new key is created, it must be verified that it does not collide with previously generated keys for generating SALT values. Page 9 of 19
10 7.1.1 Schematic description of the Conlon Card Tokenisation Algorithm KCV(GSALT01) 3 bytes Key:GSALT01 Card data IV= ISO method 3 and padding version 1 MAC 8 bytes Card data SHA-256 Card Token Hash 8 Distribution of keys for protection of card data Distribution of cryptographic keys to the terminal Distribution of cryptographic keys to a payment terminal that will connect to Swedbank is done via the PPL system. This relates to the distribution of additional keys to a terminal in production as well as the distribution of keys to a terminal that is not yet in production. Keys for the protection of card data with another purpose than payment must be distributed to the terminal in the IKFS file according to the following structure, see ref [EFTPOS] and ref [PPL] for more info: BKLK4SA BKLK4POS BKLK4BNK Page 10 of 19 GSALT01 UENC4CRD GENC4CRD
11 When the keys are to be distributed to the terminal the following constants must be used as key variants. GSALT GENC4CRD UENC4CRD The function of how the key variants are to be used is described in Ref [EFTPOS] chapter 8.3. The IKFS file with the cryptographic keys for the respective terminals is generated in a Key Management System. Swedbank's system for this (KMF) has support for generating IKFS files with the key for CNA. 8.2 Distribution of keys to other systems Other systems that use cryptographic keys to generate a card number alias must use an HSM to protect the keys. Under certain circumstances, a PCI PED can be approved as HSM. Distribution of the key to these occurs in the same manner as for the distribution of other cryptographic keys, i.e. a transport key is exchanged between the Babs KMF system and the receiving HSM system, the operational key is thereafter distributed in an encrypted file with a control vector for use according to ref [bcasecreq]. Page 11 of 19
12 Appendix A: Extended functions in PED application 8.3 Load GSALT01 Loads the GSALT key that comes in the IKFS file Function parameters: GSALT01 encrypted with the current version of BKLK4BNK with the variant for (GSALT01) applied. KCV for GSALT01 Processing: If the KCV for the existing GSALT is the same as the KCV for the key in the IKFS file, no further processing is to be done, return OK. Apply the version for GSALT of the current BKLK4BNK Decrypt GSALT01 with BKLK4BNK according to ref[etpos] Verify KCV for GSALT01 Store the key if proper verification of GSALT01 has been completed Update the flag for GSALT to indicate that GSALT01 is stored. Response parameters: OK. Possible Errors: Incorrect input Incorrect KCV BKLK4BNK not loaded at the terminal The version constant for the GSALT key is: Page 12 of 19
13 8.4 Load UENC4CRD Loading the UENC4CRD key that comes in the IKFS file Function parameters: UENC4CRD encrypted with the current BKLK4BNK with the variant for (UENC4CRD) applied. KCV for UENC4CRD Processing: If the KCV for the existing UENC4CRD is the same KCV as for the key in the IKFS file, no further processing is to be done, return OK. Apply the version for UENC4CRD of the current BKLK4BNK Decrypt UENC4CRD with BKLK4BNK according to ref[etpos] Verify KCV for UENC4CRD Store the key if proper verification of UENC4CRD has been completed Update the flag for UENC4CRD to indicate that UENC4CRD is stored. Response parameters: OK. Possible Errors: Incorrect input Incorrect KCV BKLK4BNK not loaded in the terminal The version constant for the UENC4CRD key is: Page 13 of 19
14 8.5 Load GENC4CRD Loading the GENC4CRD key that comes in the IKFS file Function parameters: GENC4CRD encrypted with the current BKLK4BNK with the variant for (GENC4CRD) applied. KCV for GENC4CRD Processing: If the KCV for the existing GENC4CRD is the same as for the key in the IKFS file, no further processing is to be done, return OK. Apply the version for GENC4CRD of the current BKLK4BNK Decrypt GENC4CRD with BKLK4BNK according to ref[etpos] Verify KCV for GENC4CRD Store the key if proper verification of GENC4CRD has been completed Update the flag for GENC4CRD to indicate that GENC4CRD is stored. Response parameters: OK. Possible Errors: Incorrect input Incorrect KCV BKLK4BNK not loaded in the terminal The version constant for the GENC4CRD key is: Page 14 of 19
15 8.6 Local Encrypt Card Data This function is used to encrypt card data (stripe 2 until and including service code) to be re-encrypted to the current DUKPT data encryption key, for the advice, adjustment and clearing message. Function parameters: Stripe two truncated after the service code, i.e. CVV value must never be included. Length of data. Requirements: To protect the terminal from brute force attacks there must be a barrier to these attacks, e.g. through limiting the number of calculations per unit of time. CardEncCounter is a 32 bytes long counter stored in the PED, CardEncCounter must be initialised to a random value when the terminal is first run. The counter must roll over when the maximum value is reached. Processing: Increase the previous CardEncCounter with 0x1 Calculate SHA-256 over CardEncCounter Save the first 24 bytes of the previous calculation as session ID. Encrypt the first 24 bytes of the session ID with UENC4CRD to calculate the session key ECB Mode. Pad the data as follows: Append a 1 byte length indicator Thereafter pad to even multiples of eight with 0x00, (including the length indicator). If the data + length indicator is an even multiple of 8 no padding is done. Set the length indicator to the number of pad bytes (0-7). Encrypt in CBC mode with IV = Response parameters: Encrypted data KCV Session ID (24 bytes) Possible Errors: Incorrect input. UENC4CRD not available Page 15 of 19
16 8.7 Re-encrypt Card Data for Authorisation The function re-encrypts the data that was previously encrypted with the function Local Encrypt Card Data, with the current DUKPT key for data encryption. This function creates an encrypted block of card data for: Advice or Adjustment Function parameters: Card data previously encrypted with the Local Encrypt Card Data function. Session ID Requirements: The whole operation must be completed as one call to ensure that the card data does not come to the open part of the terminal in clear text. Processing: Calculate the current key by encrypting the session ID with UENC4CRD ECB-mode Decrypt card data with the current session key, IV = , CBC-mode. Encrypt card data for advice/adjustment message as per the SPDH specification. Response parameters: Card Data for advice/adjustment messages encrypted with the current data encryption key. The KSN that the crypto block was calculated with Possible Errors: Incorrect input KSN used 255 times for data encryption UENC4CRD not available Page 16 of 19
17 8.8 Re-encrypt Card Data for Clearing The function re-encrypts the data that was previously encrypted with the function Local Encrypt Card Data with the current DUKPT key for data encryption. This function creates an encrypted block of card data for: Clearing Function parameters: Card data previously encrypted with the Local Encrypt Card Data feature. Babs no. Amount Currency Code Session ID Requirements: The whole operation must be completed as one call to ensure that the card data does not come to the open part of the terminal in clear text. Processing: Calculate the hash signature for the clearing message, as specified for clearing. A functional description can be found earlier in this document. Calculate the current key by encrypting the session ID with UENC4CRD. ECB-mode Decrypt card data with the current session key, IV = , CBC-mode. Encrypt card data for the clearing message as per the SPDH specification. Create the crypto block for the clearing transaction according to the BITMAP format. Response parameters: Card data for clearing encrypted with the current data encryption key. The KSN that the crypto block was calculated with. Possible Errors: Incorrect input KSN used 255 times for data encryption UENC4CRD not available Page 17 of 19
18 8.9 Encrypt Card Data This function must be used to encrypt card data for other purposes than purchase transactions. Normally the Card Data is encrypted, but other data may also be encrypted. Function parameters: Data for encryption. Length of data. Requirements: To protect the terminal from brute force attacks, there must be a barrier to these attacks e.g. through limiting the number of calculations per unit of time. Processing: Add 8-bytes with random data before the data that is to be encrypted. Pad the data to an even multiple of eight with zeros. If the data is divisible by eight from the beginning, no padding is to be done. Encrypt in CBC mode with IV = and the key GENC4CRD Parameters in the response: encrypted data 3-byte KCV can be used by the receiving system to select the correct key. Possible Errors: Incorrect input. GENC4CRD not available Page 18 of 19
19 8.10 Generate Card Number Alias This function generates a card number alias according to the Conlon Card Tokenisation algorithm described above. Function parameters: Card number Requirements: To protect the terminal from brute force attacks, there must be a barrier to these attacks e.g. through limiting the number of calculations per unit of time. Processing: Pad the card number to an even multiple of eight with zeros. If the data is divisible by eight from the beginning, no padding is to be done. Calculate an 8-byte long MAC in accordance with ISO , CBC mode IV= Concatenate the MAC and the card number Calculate a hash with the SHA-256 algorithm of the concatenated data Develop a three-byte long KCV (0) value Generate the card number alias by concatenating the KCV with the hash value <KCV + HASH> Response parameters 35-byte long card number aliases Possible Errors: Incorrect input. GSALT01 not loaded. 1) Note that ISO9797 requires that all the 8-bytes in the MAC calculated are not published. Here an exception is made to ensure that the salt value is not so short that 'brute force' attacks can be easily implemented. As the salt value is hashed together with the card number before it is published, this also poses no security risk. Page 19 of 19
Guide to Data Field Encryption
Guide to Data Field Encryption Contents Introduction 2 Common Concepts and Glossary 3 Encryption 3 Data Field Encryption 3 Cryptography 3 Keys and Key Management 5 Secure Cryptographic Device 7 Considerations
More informationPCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
More informationAdvanced Authentication
White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is
More informationE2EE and PCI Compliancy. Martin Holloway VSP Sales Director VeriFone NEMEA
E2EE and PCI Compliancy Martin Holloway VSP Sales Director VeriFone NEMEA Security Breaches In The News 2 Security Breaches In The News 3 Security Breaches In The News 4 Security Breaches In The News 5
More informationSwedbank Payment Portal Implementation Overview
Swedbank Payment Portal Implementation Overview Product: Hosted Pages Region: Baltics September 2015 Version 1.0 Contents 1. Introduction 1 1.1. Audience 1 1.2. Hosted Page Service Features 1 1.3. Key
More informationPCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page
More informationReducing PCI DSS Scope with the TransArmor First Data TransArmor Solution
First Data First Data Market Market Insight Insight Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution SM Solution Organizations who handle payment card data are obligated to comply
More informationACQUIRER OR ACQUIRING BANK A financial institution (often a bank) where a merchant has an account to process transactions and card payments
A TO Z JARGON BUSTER A ACQUIRER OR ACQUIRING BANK A financial institution (often a bank) where a merchant has an account to process transactions and card payments ATM Automated Teller Machine. Unattended,
More informationPCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core
PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566
More informationEMV PAYMENT TERMINAL SYSTEM FUNCTIONAL DESCRIPTION 21 October 2011 / V 4.2
1(19) table of contents 1. Introduction... 2 2. Definitions... 3 3. Payment terminal system... 6 4. Agreements and accepted cards... 6 5. Identifying cards and verifying their authenticity... 7 6. Purchases
More informationPCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security
White Paper 0x8c1a3291 0x56de5791 0x450a0ad2 axd8c447ae 8820572 0x5f8a153d 0x19df c2fe97 0xd61b5228 0xf32 4856 0x3fe63453 0xa3bdff82 0x30e571cf 0x36e0045b 0xad22db6a 0x100daa87 0x48df 0x5ef8189b 0x255ba12
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationPrivacy Models in the Payments Industry*
Privacy Models in the Payments Industry* Terence Spies Voltage Security * plus some editorializing Why Real- World Crypto? If we define the Real World as enterprises. Academic Crypto Enterprise Crypto
More information2015-11-02. Electronic Payments Part 1
Electronic Payments Part Card transactions Card-Present Smart Cards Card-Not-Present SET 3D Secure Untraceable E-Cash Micropayments Payword Electronic Lottery Tickets Peppercoin Bitcoin EITN4 - Advanced
More informationComplying with PCI Data Security
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
More informationHeartland Secure. By: Michael English. A Heartland Payment Systems White Paper 2014. Executive Director, Product Development
A Heartland Payment Systems White Paper 2014 Heartland Secure. By: Michael English Executive Director, Product Development 2014 Heartland Payment Systems. All trademarks, service marks and trade names
More informationETSI TS 102 176-2 V1.2.1 (2005-07)
TS 102 176-2 V1.2.1 (2005-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms
More informationPCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00
PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)
More informationCyberSource Payment Security. with PCI DSS Tokenization Guidelines
CyberSource Payment Security Compliance The PCI Security Standards Council has published guidelines on tokenization, providing all merchants who store, process, or transmit cardholder data with guidance
More informationEMV and Small Merchants:
September 2014 EMV and Small Merchants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service
More informationEMVCo Letter of Approval - Contact Terminal Level 2
May 18, 2015 Richard Pohl Triton Systems of Delaware, LLC 21405 B Street Long Beach MS 39560 USA Re: EMV Application Kernel: Approval Number(s): EMVCo Letter of Approval - Contact Terminal Level 2 Triton
More informationAuthentication requirement Authentication function MAC Hash function Security of
UNIT 3 AUTHENTICATION Authentication requirement Authentication function MAC Hash function Security of hash function and MAC SHA HMAC CMAC Digital signature and authentication protocols DSS Slides Courtesy
More informationSteps for staying PCI DSS compliant Visa Account Information Security Guide October 2009
Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009 The guide describes how you can make sure your business does not store sensitive cardholder data Contents 1 Contents
More informationStronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement"
!!!! Stronger(Security(and( Mobile'Payments'! Dramatically*Faster!and$ Cheaper'to'Implement" Here$is$a$simple,$cost$effective$way$to$achieve$transaction$security$for$ mobile$payments$that$allows$easy$and$secure$provisioning$of$cards.$
More informationWhite Paper. EMV Key Management Explained
White Paper EMV Key Management Explained Introduction This white paper strides to provide an overview of key management related to migration from magnetic stripe to chip in the payment card industry. The
More informationRandomized Hashing for Digital Signatures
NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department
More informationREGULATIONS FOR SALES PAID BY CARD SALES IN SHOP (Card Present) (May 2015)
REGULATIONS FOR SALES PAID BY CARD SALES IN SHOP (Card Present) (May 2015) These regulations, the "Shop Regulations", apply to sales paid by Card through the use of a Terminal. The Shop Regulations comprise
More informationRegistry of Service Providers
Registry of Service Providers Program Guide Contents 1 2 1.1 What is the Registry of Service Providers? 2 1.2 Who can register? 3 1.3 Why register with Visa? 3 1.4 Implications for Visa Clients 4 2 5 2.1
More informationUnderstanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective
Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective Futurex. An Innovative Leader in Encryption Solutions. For over 30 years, more than 15,000 customers worldwide
More informationCredit Card Security
Credit Card Security Created 16 Apr 2014 Revised 16 Apr 2014 Reviewed 16 Apr 2014 Purpose This policy is intended to ensure customer personal information, particularly credit card information and primary
More informationMOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES
MOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES Marko Schuba and Konrad Wrona Ericsson Research, Germany ABSTRACT This paper describes the Mobile Chip Electronic Commerce
More informationHow To Understand And Understand The Ssl Protocol (Www.Slapl) And Its Security Features (Protocol)
WEB Security: Secure Socket Layer Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - COMP581 - L22 1 Outline of this Lecture Brief Information on SSL and TLS Secure Socket Layer (SSL) Transport Layer Security
More informationFinance Office. Card Handling Policy
Finance Office Card Handling Policy Prepared by: Lyndsay Brown Issued: November 2012 1 Contents Page 1 Introduction 3 2 Responsibility 3 3 The PCI Data Security Standard 3 4 PCI DSS Requirements 4 5 Receiving/
More informationMiGS Virtual Payment Client Integration Guide. July 2011 Software version: MR 27
MiGS Virtual Payment Client Integration Guide July 2011 Software version: MR 27 Copyright MasterCard and its vendors own the intellectual property in this Manual exclusively. You acknowledge that you must
More informationSecurity standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11
Security standards PCI-DSS, HIPAA, FISMA, ISO 27001 End Point Corporation, Jon Jensen, 2014-07-11 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this
More informationThe Relationship Between PCI, Encryption and Tokenization: What you need to know
October 2014 The Relationship Between PCI, Encryption and Tokenization: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems,
More informationNeed to be PCI DSS compliant and reduce the risk of fraud?
Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction
More informationJCB Terminal Requirements
Version 1.0 April, 2008 2008 JCB International Co., Ltd. All rights reserved. All rights regarding this documentation are reserved by JCB Co., Ltd. ( JCB ). This documentation contains confidential and
More informationPCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES
PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES CUTTING THROUGH THE COMPLEXITY AND CONFUSION Over the years, South African retailers have come under increased pressure to gain PCI DSS (Payment Card Industry
More informationThird Party Agent Registration and PCI DSS Compliance Validation Guide
Visa Europe Third Party Agent Registration and PCI DSS Compliance Validation Guide May 2016 Version 1.3 Visa Europe 2015 Contents 1 Introduction... 4 1.1 Definitions of Agents... 4 2 Registration Process...
More informationCryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs
Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a
More informationWhat are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
More informationGLOSSARY OF MOST COMMONLY USED TERMS IN THE MERCHANT SERVICES INDUSTRY
GLOSSARY OF MOST COMMONLY USED TERMS IN THE MERCHANT SERVICES INDUSTRY Acquiring Bank The bank or financial institution that accepts credit and/or debit card payments for products or services on behalf
More informationPCI DSS and SSC what are these?
PCI DSS and SSC what are these? What does PCI DSS mean? PCI DSS is the English acronym for Payment Card Industry Data Security Standard. What is the PCI DSS programme? The bank card data, which are the
More informationIT Networks & Security CERT Luncheon Series: Cryptography
IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI
More informationRegistration and PCI DSS compliance validation
Visa Europe A Guide for Third Party Agents Registration and PCI DSS compliance validation October 2015 Version 1.1 Visa Europe 2015 Contents 1 Introduction... 4 1.1 Definitions of Agents... 4 2 Registration
More informationMPOS: RISK AND SECURITY
MPOS: RISK AND SECURITY 2 Evolution of Payment Acceptance Consumers want to get the best deal with the minimum pain Sellers want to ensure they never turn down a sale and maximise consumer loyalty 3 Evolution
More informationCredit Card Processing Overview
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new
More informationChapter 17. Transport-Level Security
Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics
More informationSmart Cards for Payment Systems
White Paper Smart Cards for Payment Systems An Introductory Paper describing how Thales e-security can help banks migrate to Smart Card Technology Background In this paper: Background 1 The Solution 2
More informationVirtual Payment Client Integration Reference. April 2009 Software version: 3.1.21.1
Virtual Payment Client Integration Reference April 2009 Software version: 3.1.21.1 Copyright MasterCard and its vendors own the intellectual property in this Manual exclusively. You acknowledge that you
More informationipayment Gateway API (IPG API)
ipayment Gateway API (IPG API) Accepting e-commerce payments for merchants Version 3.2 Intercard Finance AD 2007 2015 Table of Contents Version control... 4 Introduction... 5 Security and availability...
More informationPayment Card Industry (PCI) Policy Manual. Network and Computer Services
Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 3.0 to 3.1
Payment Card Industry (PCI) Data Security Standard Summary of Changes from PCI DSS Version 3.0 to 3.1 April 2015 Introduction This document provides a summary of changes from PCI DSS v3.0 to PCI DSS v3.1.
More informationDigital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University
Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate
More informationDetailed Specifications
1 of 6 Appendix Detailed Specifications 1. Standards The following standards are used in the document under the following abbreviations: - BASE32, BASE64, BASE64-URL: Network Working Group: Request for
More informationHow To Protect A Smart Card From Being Hacked
Chip Terms Explained A Guide to Smart Card Terminology Contents 1 AAC Application Authentication Cryptogram AID Application Identifier Applet ARQC Authorization Request Cryptogram ARPC Authorization Response
More informationRealex Payments Integration Guide - Ecommerce Remote Integration. Version: v1.1
Realex Payments Integration Guide - Ecommerce Remote Integration Version: v1.1 Document Information Document Name: Realex Payments Integration Guide Ecommerce Remote Integration Document Version: 1.1 Release
More informationElectronic Payments. EITN40 - Advanced Web Security
Electronic Payments EITN40 - Advanced Web Security 1 Card transactions Card-Present Smart Cards Card-Not-Present SET 3D Secure Untraceable E-Cash Micropayments Payword Electronic Lottery Tickets Peppercoin
More informationInformation Sheet. PCI DSS Overview
The payment card industry (PCI) protects cardholder data through technical and operations standard set by its Council. Compliance with PCI standards is mandatory. It is enforced by the major payment card
More informationHow to complete the Secure Internet Site Declaration (SISD) form
1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,
More informationMessage authentication and. digital signatures
Message authentication and " Message authentication digital signatures verify that the message is from the right sender, and not modified (incl message sequence) " Digital signatures in addition, non!repudiation
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationPayment Processing for Retail Petroleum/Convenience
Payment Processing for Retail Petroleum/Convenience December 31, 2014 Version 1.1 Abstract This white paper describes some of the unique challenges and requirements for payment card processing in a retail
More informationAmerican Express. Merchant Services. Grow your business With POS terminals from American Express
American Express Merchant Services Grow your business With POS terminals from American Express POS Terminals Electronic Devices for fast, efficient and reliable card transaction processing to suit all
More informationTHE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP
THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP WHERE IS THE U.S. PAYMENT CARD INDUSTRY NOW? WHERE IS IT GOING? Today, payment and identification cards of all types (credit
More informationPCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson
PCI Compliance Security Awareness Program For Marine Corps Community Services Contacts: Paul Watson Overview What is PCI? MCCS Compliance PCI DSS Technical Requirements MCCS Information Security Policies
More informationWhite Paper On. PCI DSS Compliance And Voice Recording Implications
White Paper On PCI DSS Compliance And Voice Recording Implications PCI DSS within the UK is becoming a hot topic of conversation, with many contradictions and confusions being issued by suppliers and professionals
More informationCardControl. Credit Card Processing 101. Overview. Contents
CardControl Credit Card Processing 101 Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new and old
More informationPCI Policies 2011. Appalachian State University
PCI Policies 2011 Appalachian State University Table of Contents Section 1: State and Contractual Requirements Governing Campus Credit Cards A. Cash Collection Point Approval for Departments B. State Requirements
More informationHow To Comply With The New Credit Card Chip And Pin Card Standards
My main responsibility as a Regional Account Manager for IMD is obtain the absolute lowest possible merchant fees for you as a business. Why? The more customers we can save money, the more volume of business
More informationpaypoint implementation guide
paypoint implementation guide PCI PA-DSS Implementation guide 1. Introduction This PA-DSS Implementation Guide contains information for proper use of the paypoint application. Point Transaction Systems
More informationCryptography and Network Security Chapter 15
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 15 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North
More informationSecurity Policy for Oracle Advanced Security Option Cryptographic Module
Security Policy for Oracle Advanced Security Option Cryptographic Module Version 1.0 September 1999 Prepared by Oracle Corporation A. Scope of Document This document describes the security policy for the
More informationEMV mobile Point of Sale (mpos) Initial Considerations
EMV mobile Point of Sale EMV mobile Point of Sale (mpos) Initial Considerations Version 1.1 June 2014 2014 EMVCo, LLC ( EMVCo ). All rights reserved. Any and all uses of the EMV Specifications ( Materials
More informationSecureDoc Disk Encryption Cryptographic Engine
SecureDoc Disk Encryption Cryptographic Engine FIPS 140-2 Non-Proprietary Security Policy Abstract: This document specifies Security Policy enforced by SecureDoc Cryptographic Engine compliant with the
More informationWhen checking the status of the Cardholder's Card (card status check) a so-called "zero value authorisation" shall always be used.
REGULATIONS FOR SALES PAID BY CARD REMOTE TRADING (Card Not Present) (May 2015) These regulations, the "Remote Trading Regulations", apply to sales paid by Card in Remote Trading. "Remote Trading" refers
More informationEMV and Restaurants: What you need to know. Mike English. October 2014. Executive Director, Product Development Heartland Payment Systems
October 2014 EMV and Restaurants: What you need to know Mike English Executive Director, Product Development Heartland Payment Systems 2014 Heartland Payment Systems, Inc. All trademarks, service marks
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationSecurity Analysis. Hashing Credit Card Numbers: Unsafe Application Practices
February 27, 2007 Security Analysis Hashing Credit Card Numbers: Unsafe Application Practices OVERVIEW Cryptographic hash functions seem to be an ideal method for protecting and securely storing credit
More informationOXY GEN GROUP. pay. payment solutions
OXY GEN GROUP pay payment solutions hello. As UK CEO, I m delighted to welcome you to Oxygen8. We ve been at the forefront of multi-channel solutions since 2000. Headquartered in Birmingham, UK, we have
More informationStrategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008
Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Matthew T. Davis SecureState, LLC mdavis@securestate.com SecureState Founded in 2001, Based on Cleveland Specialized
More informationAheevaCCS and the Payment Card Industry Data Security Standard
Account Data PCI DSS White Paper by Aheeva, January 2012 AheevaCCS and the Payment Card Industry Data Security Standard Introduction In 2006, the major payment brands including American Express, MasterCard
More informationInformation about this New Guide
Information about this New Guide New Guide This PayPass POS Host/Payment Software Implementation Guide, dated September 2007, is an entirely new guide. Contents This guide helps point-of-sale (POS) host/payment
More informationElectronic Payment Systems
Electronic Payment Systems In any commercial transaction payment is an integral part for goods supplied. Four types of payments may be made in e-commerce they are Credit card payments Electronic cheque
More informationSmart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
More informationEMV 96 Integrated Circuit Card Terminal Specification for Payment Systems
EMV 96 Integrated Circuit Card Terminal Specification for Payment Systems Version 3.0 June 30, 1996 1996 Europay International S.A., MasterCard International Incorporated, and Visa International Service
More informationRF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards
RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards January 2007 Developed by: Smart Card Alliance Identity Council RF-Enabled Applications and Technology:
More informationUniversity Policy Accepting and Handling Payment Cards to Conduct University Business
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
More informationCorbin Del Carlo Director, National Leader PCI Services. October 5, 2015
PCI compliance: v3.1 Key Considerations Corbin Del Carlo Director, National Leader PCI Services October 5, 2015 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice
More informationJosiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
More informationGlobal Iris Integration Guide ecommerce Remote Integration
Global Iris Integration Guide ecommerce Remote Integration February 2013 Table Of Contents 1 About This Guide... 3 1.1 Purpose... 3 1.2 Audience... 3 1.3 Prerequisites... 3 1.4 Related Documents... 3 2
More informationHow Secure are Contactless Payment Systems?
SESSION ID: HT-W01 How Secure are Contactless Payment Systems? Matthew Ngu Engineering Manager RSA, The Security Division of EMC Chris Scott Senior Software Engineer RSA, The Security Division of EMC 2
More informationPLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01
PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 Information updated: 21 October 2012 SAFEGUARDING CARDHOLDER
More informationRules. Procedure for the Security Certification of POI devices. Version 2.01 7 April 2015 proc.cert.poi devices
Procedure for the Security Certification of POI devices Version 2.01 7 April 2015 proc.cert.poi devices Contents 1. General 4 1.1 Certification entity 4 1.2 Scope 5 1.3 Certification of non-ped POI devices
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationA MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)
A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application
More informationElavon Payment Gateway Integration Guide- Remote
Elavon Payment Gateway Integration Guide- Remote Version: v1.1 Table of Contents 1 About This Guide 3 1.1 Purpose 3 1.2 Audience 3 1.3 Prerequisites 3 1.4 Related Documents 3 2 Elavon Payment Gateway Remote
More information