Privacy Models in the Payments Industry*

Similar documents
Guide to Data Field Encryption

E2EE and PCI Compliancy. Martin Holloway VSP Sales Director VeriFone NEMEA

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS 101 FOR CTOs AND BUSINESS EXECUTIVES

Credit Card Processing Overview

Achieving PCI DSS 2.0 Compliance with Voltage Security

University Policy Accepting Credit Cards to Conduct University Business

CardControl. Credit Card Processing 101. Overview. Contents

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

End-to-end Encryption for E-Commerce Payments using Voltage SecureData Web

EMV and Small Merchants:

Corbin Del Carlo Director, National Leader PCI Services. October 5, 2015

EMV in Hotels Observations and Considerations

ACQUIRER OR ACQUIRING BANK A financial institution (often a bank) where a merchant has an account to process transactions and card payments

HP SecureData Payments Solution - Processor Edition

Payment Card Industry (PCI) Data Security Standard

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Tokenization: FAQs & General Information. BACKGROUND. GENERAL INFORMATION What is Tokenization?

Target Security Breach

Handling of card data in conformance with PCI DSS

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Dates VISA MasterCard Discover American Express. support EMV. International ATM liability shift 2

The Comprehensive, Yet Concise Guide to Credit Card Processing

EMV and Encryption + Tokenization: A Layered Approach to Security

Heartland Secure. By: Michael English. A Heartland Payment Systems White Paper Executive Director, Product Development

Steps for staying PCI DSS compliant Visa Account Information Security Guide October 2009

The Payments Ecosystem: Security Challenges in the 21st Century

Frequently Asked Questions

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

Complying with PCI Data Security

Implementation Guide

Payment Gateways: Value and Security

A CLOUD SECURITY APPROACH FOR DATA AT REST USING FPE

Payment Card Industry (PCI) Data Security Standard

Josiah Wilkinson Internal Security Assessor. Nationwide

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Prevention Is Better Than Cure EMV and PCI

Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) Frequently Asked Questions

A Brand New Checkout Experience

A Brand New Checkout Experience

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

Evaluating End-to-End Encryption: Decrypting Retail Card Data Security

GLOSSARY OF MOST COMMONLY USED TERMS IN THE MERCHANT SERVICES INDUSTRY

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Payment Methods. The cost of doing business. Michelle Powell - BASYS Processing, Inc.

Flexible and secure. acceo tender retail. payment solution. tender-retail.acceo.com

The Relationship Between PCI, Encryption and Tokenization: What you need to know

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Information about this New Guide

Policies and Procedures. Merchant Card Services Office of Treasury Operations

PCI Data Security Standards

PayLeap Guide. One Stop

EMV EMV TABLE OF CONTENTS

CREDIT CARD PROCESSING GLOSSARY OF TERMS

EMV and Restaurants What you need to know! November 19, 2014

NCR Secure Pay FAQ Updated June 12, 2014

Understanding the Value of Tokens

Optimizing the Payment Process in SAP

Glossary ACH Acquirer Assessments: AVS Authorization Back End: Backbilling Basis Point Batch

PCI General Policy. Effective Date: August Approval: December 17, Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:

Payment Security Solution Processor Edition

University of Sunderland Business Assurance PCI Security Policy

Payment Card Industry (PCI) Data Security Standard

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

What Merchants Need to Know About EMV

Apple Pay. Frequently Asked Questions UK Launch

Fighting Today s Cybercrime

MPOS: RISK AND SECURITY

Becoming PCI Compliant

PCI Compliance Overview

UNLV Payment Card Merchant Policy Credit Card Handling Responsibilities and Procedures

Guideline on Debit or Credit Cards Usage

Agent Registration. Program Guide. (For use in Asia Pacific, Central Europe, Middle East, Africa)

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

Coalfire Systems Inc.

EMV FAQs for developers

How To Comply With The New Credit Card Chip And Pin Card Standards

University Policy Accepting and Handling Payment Cards to Conduct University Business

Information Technology

Payment Card Industry (PCI) Data Security Standard

Payments simplified. 1

U.S. Smart Card Migration: Stripe to EMV Claudia Swendseid, Federal Reserve Bank of Minneapolis Terry Dooley, SHAZAM Kristine Oberg, Elavon

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

Payment Card Industry (PCI) PIN Security. Requirements and Testing Procedures. Version 2.0. December 2014

Accelerating PCI Compliance

Saint Louis University Merchant Card Processing Policy & Procedures

EMV : Frequently Asked Questions for Merchants

EMV Frequently Asked Questions for Merchants May, 2014

PaymentCardXpress - Executive Overview

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Payment Card Industry (PCI) Data Security Standard

The Value of a Payment Gateway. White Paper

PCI DSS Compliance Services January 2016

We believe First Data is well positioned to take advantage of all of these trends given the breadth of our solutions and our global operating

Transcription:

Privacy Models in the Payments Industry* Terence Spies Voltage Security * plus some editorializing

Why Real- World Crypto? If we define the Real World as enterprises. Academic Crypto Enterprise Crypto Security Methodology Define a model, show security in that model. Does this reduce risk, regulatory or audit cost? Credibility Peer- reviewed publicajon Standards (ie. NIST) acceptance Success Criteria Novelty, PublicaJon Cost- effecjve implementajon Real- world security models typically involve cost, legacy, and business process concerns that can be more complex than the underlying crypto model.

Why the disparity? Three factors: 1. Parsing crypto papers is extremely difficult 2. Crypto demos neglect the salient property 3. Cryptographers keep changing their minds A distributed system is a system where I can t get my work done because a computer has failed that I ve never even heard of. Leslie Lamport A real- world cryptographic system is a system where I can t secure my data because a computer has succeeded that I ve never even heard of. Every security customer ever

A Real- World Example: Payments What happens when a credit card is swiped at a retail terminal.surely that s encrypted, right? How payment systems work Cryptographic solujons in payments Future problems / models

DefiniJons PIN Personal IdenJficaJon Number, used to authenjcate ATM and Debit transacjons PAN Primary Account Number. The number printed on the front of a credit or debit card. Track Data Data read from the two magnejc stripes on the back of a credit card. POS Point- of- Sale. The terminal reading a payment card.

PIN Security PIN Entry Devices (PEDs) are provisioned with individual keys. Session or transacjon keys are created (X9.24) The PIN is encrypted with the session key and PAN as randomizer MulJple standards for DES and 3DES pinblock creajon- (ISO 9564) Key management standards require PINs do not appear outside HSMs.

Payment Standards Payment standards evolve very slowly 3DES is the default standard Some PIN blocks are sjll DES encrypted US and ISO AES pinblock standards in progress Why? Cost of physical upgrade No single party in charge Millions of retailers Hundreds of intermediaries Extremely complex business processes Recurrence, chargeback, preauth

Solving the PAN problem Payment systems were built with the assumpjon that PINs are private. But no assumpjon of PAN privacy Receipt prinjng uses last 4 PAN digits Card roujng uses first 2-6 digits Fuel cards use arbitrary digits PANs have value to ahackers Web transacjons PrinJng fraudulent cards Merchant PAN databases == breach risk Storage at processors, lodging, etc.

Ahempt #1: SET / STT The STT and SET protocols ahempted to solve PAN privacy via public key encrypjon & signature. SET was cryptographically feature rich It was also extremely complex Programmer s Guide: 619 pages Protocol SpecificaJon: 250+ pages

Why SET Failed the Real- World Test SET had lots of interesjng features (dual signature, etc.), but.. Academic Crypto Enterprise Crypto Security Methodology Define a model, show security in that model. Does this reduce risk, regulatory or audit cost? Credibility Peer- reviewed publicajon Standards (ie. NIST) acceptance Success Criteria Novelty, PublicaJon Cost- effecjve implementajon þ ý þ?

PCI In 2004, the major card brands join to form the Payment Card Industry Data Security Standard (PCIDSS) Imposes a set of requirements, and sets up a Qualified Security Assessor (QSA) audit framework. Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data

PAN EncrypJon Goal: Encrypt at POS Does TLS or other protocols solve this problem? No. ExisJng payment system intermediaries Security for stored PANs

The Simple Case: Small Merchant Card swipe Processor / acquirer Card Brand Visa, MC, etc. Issuer Bank, Inc. (C) Voltage Security, Inc. All Rights Reserved 13

PIN Privacy Model Card swipe Processor / acquirer Card Brand PIN is private from entry unjl it is checked at the issuer. HSM based reencrypjon is done at the processor. Issuer (C) Voltage Security, Inc. All Rights Reserved 14

Simple PAN Privacy Model Card swipe Processor / acquirer In this case, link encrypjon actually would seem to do the job. Card Brand Issuer (C) Voltage Security, Inc. All Rights Reserved 15

More Complex Case Card swipe Switch / Gateway POS terminal Processor / acquirer Controller Card Brand Issuer (C) Voltage Security, Inc. All Rights Reserved 16

Payments Industry Authorization Transaction Flow Card Present Card Not Present e-commerce Consumers Countertop Terminals Integrated Terminals Mobile Terminals Mobile Wallets Call Center Order Processing Bill Pay Shopping Carts Point-of-Sale Systems Payment Applications Merchants MSRs Store Controllers Transaction Switches ERP Systems Recurring Payments Self-Hosted Webstore Gateways Card Processors Virtual Terminals Hosted Pay Pages Payments Services Version 1.1 Payment Networks Card Brands

Deployable PAN EncrypJon A realisjc solujon must: Be secure Not break every exisjng payment protocol Why not create a new protocol? Every processor has it s own message standard ISO 8583 defines a framework, but all processors modify it Only baseline is the PAN and track data itself

Format Preserving EncrypJon Build a cipher so ciphertext looks like plain Maintain length and alphabet Use a tweakable cipher to allow plain digits 4321 0001 0002 1234 Tweak 4321 00 1234 FPE Cipher K 4321 0098 3409 1234

History of FPE The first DES FIPS document (FIPS 74, in 1981) contains a secjon on character set preservajon! An example of a user asking the crypto community for a primijve. Smith and Brightwell, Using datatype- preserving encrypjon to enhance data warehouse security, 1997 NIST conference Defined the pracjcal need and use, but proposed no secure solujon Best alternajve was storing plaintext in a database, returning a random index in the right format.

Format Preserving EncrypJon n ` ` n ` B 0 n, T, 0 B 1 n, T, 1 F K C 0 F K ` A 0 B 0 C 0 = B 1 B 0 = A 1 n, T, 1 F K F K n, T, 0 Cryptographic challenge is to build a small domain cipher. Rogaway and Black in 2002 show the first provably secure techniques, using a PRP model. B 2 n, T, 2 B 3 C 1 F K C 2 A 2 = B 1 F K B 2 = C 1 n, T, 2 C 2 = B 3 B 2 = A 3 Work by Bellare, Ristenpart, Rogaway, Stegers shows improved results for construcjng FPE ciphers using Feistel networks. n, T, 3 F K n, T, 3 F K C 3 A 4 = B 3 B 4 = C 3 ration of FFX encryption when method =1 (left) and method =2 (right). The are shown. The divided boxes on the left are used to illustrate the re-partitioning of a e, string B 0 C 0 is exactly the string A 1 B 1, where C 0 = A 1 = l and B 0 = B 1 = n l. ioning occurs on the right, but strings get two names instead. All boxed strings are over radix 1}, while T is a byte string, n 2isanumber, and 1 l n 1 is the imbalance.

What about the intermediates? Card swipe Switch / Gateway POS terminal Processor / acquirer Now just have random PAN encrypjons Controller Card Brand Issuer TBTF Bank, Inc. (C) Voltage Security, Inc. All Rights Reserved 22

TokenizaJon Generically, the replacement of a PAN with a random subsjtute. TokenizaJon creates a 1:1 replacement, enabling protecjon of permanently stored PAN data. Enables limited computajon (idenjty) Encrypted PANs Tokenized PANs Processor / acquirer

Tokenized PAN Privacy Card swipe Switch / Gateway POS terminal Controller Processor / acquirer Card Brand Pass encrypted PAN. Use returned token equivalence and plain digits for computajon Issuer (C) Voltage Security, Inc. All Rights Reserved 24

Future Work MulJple standardizajon efforts (PCI and X9) are now working on security definijons for tokenizajon and encrypjon of card data. Database vs encrypjon vs hashing Are there real differences? How do we explain and build requirements? Next generajon PIN block and key management standards AES pinblock AES DUKPT

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information