Vantiv eProtect iframe Technical Assessment Paper
October 13, 2015

Contents
Executive Summary
  Overview
  About Vantiv eProtect
  Operational Flow
Technical Assessment
  Audience
  Assessment Scope
  Merchant PCI DSS Compliance Applicability
  Technical Security Assessment
Recommended Best Practices
Summary Findings and Conclusions

United States | Canada | LAC | United Kingdom | Europe | 303.554.6333 | www.coalfire.com | Coalfire v. 09-14
EXECUTIVE SUMMARY

Overview

As of July 2015, all eligible merchants and service providers are required to be compliant with PCI DSS v3.1, which defines new scoping guidelines for outsourced web payment capture solutions that are now considered part of the Cardholder Data Environment (CDE). As a result, merchants and service providers must define their responsibilities in alignment with PCI DSS 3.1 when outsourcing their payment processing responsibilities to validated third parties. Merchants who outsource their payment processing responsibilities to PCI DSS-compliant third parties may still have to validate applicable security controls of their ecommerce environment, depending on their specific implementation approach.

Payment brands allow Level 2 [1], Level 3, and Level 4 merchants who do not electronically store, process, or transmit cardholder data on any of their systems or premises to validate their compliance using SAQ A or SAQ A-EP. Level 1 merchants who outsource their payment processing must discuss the validation requirements with their QSAs, acquirers, or payment brands to confirm which applicable controls remain.

Vantiv engaged Coalfire Systems Inc., a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) company, to conduct an independent technical review of Vantiv's eProtect solution (formerly known as Vantiv PayPage). Vantiv eProtect provides card-not-present data security for merchants needing to reduce their risk by completely eliminating the presence of cardholder data from their systems. Vantiv eProtect offers multiple integration approaches, and this technical assessment specifically addresses the Vantiv eProtect iframe integration methodology. Coalfire's findings describe how the use of the Vantiv eProtect iframe, implemented in alignment with the eProtect Integration Guide (v4.5/1.2), will significantly reduce the risk of account data compromise within a merchant's ecommerce environment, and how merchants can expect to receive applicable control reduction under PCI DSS v3.1.

[1] Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure staff engaged in self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire. (Source: MasterCard.com)
About Vantiv eProtect

Vantiv eProtect is a comprehensive card-not-present data security solution that helps merchants solve initial data capture and cardholder data storage challenges by eliminating cardholder data from their systems, significantly reducing the threat of account data compromise and the controls applicable under PCI DSS v3.1. To eliminate capture of cardholder data on their systems, merchants embed on their web page the iframe URL hosted by Vantiv's servers. Rich customization of the style and layout of the checkout experience allows the merchant's site to look and feel like the merchant's brand, while eliminating cardholder data from their systems. To eliminate post-authorization cardholder data storage, Vantiv's OmniToken solution replaces clear cardholder values with tokens that can be used in place of payment data throughout merchant systems, which virtually eliminates the risk of data theft. The Vantiv eProtect environment is validated against PCI DSS (Vantiv ecommerce/Litle & Co. Attestation of Compliance) until Dec. 19, 2015.

Figure 1: Vantiv eProtect iframe Data Flow
Operational Flow

1. When a customer is ready to enter their cardholder data into the merchant's web page, the merchant web server delivers a form to the customer's web browser. The browser loads the iframe hosted by the eProtect server, utilizing a third-party Content Delivery Network (CDN) provider to accelerate the content delivery.

2. The customer enters their PAN, optional security code (card verification value), and optional expiration date into the iframe fields and clicks the submit button on the merchant's page, calling the eProtect server. Within the hosted iframe, JavaScript encrypts the cardholder data with a 24-hour public-private key pair known only to Vantiv (RSA/ECB/PKCS1 Padding, 2048 bits) and sends the encrypted message to the eProtect server via HTTPS/TLS v1.2* (GeoTrust Global CA, SHA-1 with RSA 2048-bit encryption) through a third-party CDN, using an HTTPS GET request. eProtect returns a non-sensitive, low-value token called a Registration ID in place of the Primary Account Number (PAN).

3. The merchant page submits the Registration ID and non-cardholder data elements to the merchant's web server for order processing.

4. Once the authorization request arrives at Vantiv, the Registration ID is converted to a high-value token called an OmniToken and returned to the merchant with the authorization response. No cardholder data is ever transmitted to the merchant's servers, since the page never had access to the payment information submitted via the Vantiv eProtect iframe.

* eProtect supports TLS v1.0 and higher, as it utilizes field-level encryption with a public-private key pair prior to transmission, and is not limited by the TLS protocol version to meet applicable control reduction under PCI DSS v3.1.
TECHNICAL ASSESSMENT

As part of the technical assessment, Coalfire performed application and vulnerability testing, reviewed technical documentation (including the eProtect Integration Guide, v4.5/1.2), and interviewed subject matter experts to identify potential risks to cardholder data and the reduction of applicable PCI DSS controls.

Audience

This technical assessment report has two relevant audiences.

I. Merchants, Developers, and Integrators: This audience will be able to clearly understand the reduction of applicable PCI DSS controls under v3.1 they will receive from implementing this solution.

II. QSAs and the Internal Audit Community: This audience will be able to clearly identify the impact on PCI DSS v3.1 validation on behalf of their merchants.

Assessment Scope

The scope of Coalfire's assessment focused on the critical elements that validate the security and effectiveness of the Vantiv eProtect iframe solution, the impact on the merchant's PCI responsibility when implementing eProtect, and the remaining security best practices that PCI does not require. Coalfire incorporated in-depth analysis of compliance fundamentals that are essential for evaluation. Coalfire also utilized reviews and feedback obtained from members of the PCI community.

Vantiv's eProtect iframe was assessed by Coalfire between April 6-18, 2015. Coalfire performed testing on the iframe solution via the Vantiv-provided test website (https://www.testlitle.com/iframe/index-coalfire.gsp). The testing focused on packet captures, data contained in browser requests (GET and POST), and web application testing to confirm that the Vantiv iframe is not vulnerable to attacks. Coalfire conducted technical remote lab testing in Vantiv labs in Lowell, Mass., encompassing merchant web pages, integration, transaction testing, and encryption in transmission.
Merchant PCI DSS Compliance Applicability

Based on analysis and testing, Coalfire concludes that merchant ecommerce environments that do not electronically store, process, or transmit cardholder data on their systems, and provide an iframe to a PCI DSS compliant third-party processor for payment processing, will be eligible to validate compliance with an SAQ A under PCI DSS v3.1. Discussed below are two use cases in which the Vantiv iframe is deployed by merchants.

Use Case I: Level 2 [1], Level 3, and Level 4 merchants, as defined by the payment brands, that do not electronically store, process, or transmit cardholder data in their ecommerce environment and implement the eProtect iframe will be eligible for SAQ A in alignment with the PCI DSS 3.1 standard. Merchants are required to consult their acquirer(s) or payment brands about individual PCI DSS validation requirements and their eligibility for submitting an SAQ.

Use Case II: Level 1 merchants will achieve a reduction of applicable PCI controls for their ecommerce environment where cardholder data is not electronically stored, processed, or transmitted on their systems, when the eProtect iframe has been implemented to handle all cardholder data responsibilities. Eligible merchant environments with Vantiv's eProtect iframe can be validated against the controls applicable to SAQ A.

Technical Security Assessment

Coalfire evaluated and tested Vantiv's eProtect iframe solution to determine the applicable controls for PCI DSS v3.1.

- Verification of the Vantiv eProtect iframe: Coalfire simulated transactions that could occur on a merchant web page using known cardholder data and found non-sensitive plain-text data on the web pages. Encrypted cardholder data was observed through the sampled web pages.
- eProtect utilizes HTTPS TLS v1.2, as per PCI DSS 3.1, for all communications to and from the eProtect environment.
- Confirmed the Vantiv eProtect environment is PCI DSS validated (Vantiv ecommerce Attestation of Compliance (AOC) valid until Dec. 19, 2015).
- A Registration ID (a non-sensitive value as defined by the PCI DSS Tokenization Standard) was returned from the Vantiv environment in place of the account number.
- The eProtect iframe entirely removes exposure and storage of cardholder data on merchant servers by securely transmitting cardholder data directly from the customer's web browser to the Vantiv eProtect server, returning only tokenized data to the merchant environment.
- Performed a web application penetration test using the Burp Suite application scanning tool and confirmed that no vulnerabilities related to the ecommerce application exist; however, the page could be vulnerable to known susceptibilities like clickjacking if merchants do not handle their initiating web pages in a secure manner.

Figure 2: Vantiv eProtect iframe Browser Request from a Sample Transaction

The GET request to Vantiv eProtect from the merchant environment shows that the parameters containing the PAN and Sensitive Authentication Data (CVC/CVV/CVV2) are encrypted using the public-private key pair implemented by Vantiv.

Figure 3: Vantiv eProtect iframe Request Parameters with Encrypted Data

Coalfire observed and analyzed traffic via the Wireshark tool and confirmed that the transmission of data occurs over TLS v1.2.
Figure 4: Wireshark Transaction Capture

Assessment testing used transactions from Visa and Discover cards. No PAN or Sensitive Authentication Data (CVC/CVV/CVV2) was found unencrypted over public networks. Cardholder data was captured and transmitted on the Vantiv web pages, and no cardholder data was returned to the merchant test web pages. Data parameters received on merchant pages included the first six and last four digits of the initiating primary account number, the Registration ID, the transaction ID, and other data elements essential for performing operations like returns, reversals, card verifications, refunds, data analytics, and reporting.

Figure 5: POST Request Data from Vantiv eProtect iframe (No Full Credit Card Number or Sensitive Authentication Data Exist)
RECOMMENDED BEST PRACTICES

While merchants that implement the Vantiv iframe may not be required to validate applicable controls for systems that do not touch cardholder data, it is recommended they review PCI DSS requirements for elements of their ecommerce infrastructure, since compromise of the merchant's web pages could potentially result in a compromise of the iframe, and failure to implement the solution in alignment with the eProtect Integration Guide could introduce risk to the environment, after which merchants may no longer be eligible for control reduction. To help mitigate such risks within the merchant environment, Coalfire and Vantiv recommend the following additional security best practices for merchants that have implemented the Vantiv iframe solution:

- Reviewing web pages periodically: Review the Vantiv eProtect source that is called from the merchant environment to validate that the following source has not changed. (Please note the URL below is from the test environment; merchants need to ensure that the URL provided by Vantiv for the production environment is appropriately reviewed.)

  <script type="text/javascript" src="https://request-prelive.np-secureeprotect-litle.com/litleeprotect/js/payframe-client.min.js"></script>

- Initiating new websites and servers, including applicable PCI DSS requirements.
- Having written agreements with Vantiv (the third-party service provider in this case) and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS.
- Securing the web page(s) containing the iframe. iframes could be hijacked by sending customers to false payment pages where credit card data could be stolen. Coalfire recommends that merchants deploy and maintain the web pages in a secure manner.
- Ensuring transactions are received by the acquirer on a regular basis. Reconciliation of transactions can be performed frequently to confirm that the source on the merchant website has not been altered.
- Using TLS v1.2 or higher when transmitting cardholder data.
- Considering implementing a web application firewall or other intrusion-detection technologies to ensure the web servers initiating requests are protected against attacks.
- Developing applications in alignment with PCI DSS compliance.
- Regularly monitoring links (URLs, iframes, APIs) from the merchant's website to the payment processor to ensure they have not been altered to redirect to unauthorized locations.
- Performing periodic web application penetration testing for the hosted ecommerce website.
Requirements 9 and 12 of PCI DSS are covered under SAQ A. SAQ A-EP focuses on the following additional areas:

- Requirement 1: Install and maintain a firewall configuration to protect data (firewall and router configuration hardening).
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (hardening of the initiating web server configurations).
- Requirement 3: Protect stored cardholder data (ensure card verification values or Personal Identification Numbers (PINs) are not stored after authorization).
- Requirement 4: Encrypt transmission of cardholder data across open, public networks (ensure cardholder data is transmitted only through Vantiv, and that the merchant does not facilitate transmission via any other means).
- Requirement 5: Protect all systems against malware and regularly update anti-virus software programs.
- Requirement 6: Develop and maintain secure systems and applications (have processes for identifying security vulnerabilities, patching of systems, and change control; develop applications based on secure coding guidelines; and deploy a web application firewall).
- Requirement 7: Restrict access to cardholder data by business need to know (access to cardholder data environment systems should be limited).
- Requirement 8: Identify and authenticate access to system components (assign unique IDs, enable remote access only when needed, follow two-factor and password procedures).
- Requirement 10: Track and monitor all access to network resources and cardholder data (monitor the security of the server and application, ensuring that audit trails and alerts are in place, such as detecting and alerting upon unauthorized changes to the payment page).
- Requirement 11: Regularly test security systems and processes (engage an Approved Scanning Vendor [ASV] to perform quarterly external vulnerability scans, perform penetration testing, and have a change detection mechanism deployed within the cardholder data environment, especially on the initiating web server).
SUMMARY FINDINGS AND CONCLUSIONS

Based upon interviews with Vantiv personnel and review of supporting documentation, it is Coalfire's opinion that merchants who properly utilize Vantiv data security technologies will reduce their risk of account data compromise and receive PCI DSS applicable control reduction. Merchant ecommerce environments that do not touch cardholder data and implement Vantiv's eProtect iframe will be eligible for SAQ A. The remaining security responsibilities of the merchant's environment are not applicable to PCI DSS.

The following are important highlights of Coalfire's technical evaluation. A properly designed and deployed Vantiv iframe solution can:

- Reduce the risk of compromise of cardholder data for a merchant environment.
- Reduce the attack surface and threat environment for a merchant.
- Significantly reduce the number of applicable PCI DSS controls and validation requirements for merchants.
- Minimize the exposure of plain-text cardholder data for the merchant when Vantiv eProtect is used.

While achieving risk and PCI applicable control reduction, implementing Vantiv eProtect does not fully outsource the merchant's payment responsibilities. The Vantiv eProtect iframe should not lower a merchant's sensitivity to the security of their ecommerce environment, nor does it fully outsource all their PCI DSS compliance responsibilities.

Legal Disclaimer

The opinions and findings within this evaluation are solely those of Coalfire and do not represent any assessment findings, or opinions, from any other parties. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI-DSS, et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice.

While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document inclusive of the title and publication date; neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein, you should consult legal counsel, your security advisor, and/or your relevant standard authority.