OVERCOMING CRITICAL SECURITY ISSUES: A GUIDE TO PROPER ENCRYPTION KEY MANAGEMENT FOR RETAIL ISVs
IS THIS EBOOK RIGHT FOR ME?

Not sure if this is the right ebook for you? Check the following qualifications to make sure this ebook will get you the right information:

- You are a retail ISV, and you are worried that your encryption key management doesn't adequately protect credit card data and wouldn't protect you in the event of a data breach.
- You are a retail ISV starting an encryption key management project, and you want to do it right the first time around.
- You are a retail ISV, and you want to learn how to comply with PA-DSS, meet key management best practices, and prepare your business for the next generation of security regulations.
- You would like to learn how a Townsend Security partnership can help you provide your customers with FIPS 140-2 certified key management with an easy, cost-effective, OEM hardware security module (HSM).
CONTENTS

INTRODUCTION / 5
KEY MANAGEMENT FOR PCI COMPLIANCE / 9
ENCRYPTION & KEY MANAGEMENT BEST PRACTICES / 11
WHY PARTNER WITH TOWNSEND SECURITY? / 14
ABOUT TOWNSEND SECURITY / 18
INTRODUCTION

A few years ago the security of payment applications took a big leap forward when the PCI Security Standards Council released the Payment Application Data Security Standard (PA-DSS), which requires encryption and encryption key management for applications that process credit card data. Today, all retail ISVs providing retail management software must certify their payment applications with PA-DSS, and merchants expect this level of certification in the payment applications they use. Although most retail ISVs have passed these certifications, many vendors skate by with poor encryption and encryption key management that does not use best practices, has been thrown together to meet the bare minimum requirements, and would not protect their customers in the event of a data breach.
ARE YOU FEELING EXPOSED WITH YOUR ENCRYPTION KEY MANAGEMENT STRATEGY?

In the rush to meet PA-DSS requirements for credit card encryption, many payment applications incorporate just enough technology to pass the certification requirements around encryption of sensitive data, but not enough to meet encryption key management best practices. As a result, many payment applications are missing critical components of encryption key management, including:

- Inadequate, untested, and uncertified encryption key generation techniques
- Inadequate physical and logical protection of data encryption keys (DEKs)
- Inadequate or non-existent protection of data encryption keys by key encryption keys (KEKs)
- Poor management of the life cycle of encryption keys
- No certification of key management solutions to international standards such as NIST FIPS 140-2 and KMIP
DO CERTIFICATIONS ALWAYS EQUAL GOOD SECURITY?

Many current payment applications carry the required PCI certifications, but don't meet basic security best practices for key management. When payment applications don't adequately protect encryption keys or use encryption key management best practices to secure cardholder data, POS vendors leave their customers vulnerable to data breaches. Many vendors see upgrading their key management as fixing something that isn't broken. All businesses have many priority projects and not enough budget. However, encryption key management in today's security world is broken. As we see time and time again in the news, retailers still experience data breaches through their payment application software, despite the fact that these applications have a PA-DSS certification. This tells us that certifications don't always equal good security.
YOUR CUSTOMERS ARE CONCERNED. YOU NEED DATA SECURITY THAT DOES MORE THAN LOOK GOOD ON PAPER

Merchants are very worried about data breaches and the potential effect of a breach on their business. The average data breach costs a company $5.5 million, which includes the cost of fines as well as the costs associated with lost business, litigation, and brand damage. A successful exploit of poor data security can destroy years of work building brand reputation. Smaller businesses may never fully recover from a well-publicized data breach. Payment application vendors with poor encryption and key management are subjecting not only their customers to these risks, but themselves as well. Good encryption and key management for credit card numbers will also give retail ISVs an advantage over their competitors. PCI standards are not set in stone; data security is constantly evolving to meet new challenges and threats. CEOs and product managers in the retail ISV industry should be having a high-level discussion about data security. Now is the time to move to a second-generation data security strategy for protecting customer credit card information. You need a solution that doesn't just look good on paper, but will protect you and your customers in the event of a breach.
ENCRYPTION KEY MANAGEMENT FOR PCI COMPLIANCE
HOW TO MEET THE CHALLENGE OF EVOLVING COMPLIANCE REGULATIONS

Over the years the Payment Card Industry Security Standards Council (PCI-SSC) has set data security standards for businesses that need to protect customer credit and debit card data. Threats to data security continue to grow for retail businesses, and as attacks by hackers, dishonest employees, and employee mistakes continue to hurt businesses, PCI continues to tighten these regulations. It has become increasingly apparent that controls such as network security, firewalls, and strong passwords are not enough to deter intruders. That's why PCI-DSS section 3 now requires the use of strong encryption and encryption key management to protect data in transit and data at rest.

What does PCI-DSS v2.0 say about encryption and key management? Will your key management protect you in the event of a data breach? Use this PCI DSS v2.0 Compliance Matrix to discuss your key management strategy in your company.
ENCRYPTION KEY MANAGEMENT FOR PCI COMPLIANCE

Today, many payment application vendors rush their encryption and key management projects to save time and money, and they end up with a data security solution that meets PA-DSS but might not protect their customers in the event of a breach. We see this time and again in the news when retail businesses experience data breaches due to poor encryption and key management in their payment applications. In order to truly protect the data and keep customers safe, payment applications must use strong encryption and key management best practices.

WHY IS UNPROTECTED DATA A BUSINESS PROBLEM?

Video: Patrick Townsend, CEO of Townsend Security, explains why unprotected data represents a huge business risk.
ENCRYPTION & KEY MANAGEMENT BEST PRACTICES
SECURING CARDHOLDER DATA WITH ENCRYPTION & KEY MANAGEMENT

All retail ISVs must offer certified data security for their payment applications, but not every retail ISV does the job right. In these cases, a retailer using a certified payment application may pass a PCI audit but still be vulnerable to a data breach. ISVs selling payment application software also need to know that although they have certified their solutions with PA-DSS, these standards, like all PCI standards, are not set in stone. Data security is constantly evolving to meet the challenges of new threats that are always surfacing. Retail ISVs need to be aware that just because their solution has been certified, their encryption and key management practices might not be protecting customer data and might not suffice during their next certification. In order to protect customers from data breaches and prepare for evolving compliance requirements, retail ISVs should follow the guidelines of PA-DSS, assume a stricter interpretation of these regulations, and strive to meet these encryption and key management best practices:

1. Use Strong Encryption

Always use strong, industry-standard encryption. The Advanced Encryption Standard (AES) is the standard when it comes to data encryption. AES has been adopted as a standard by the US government and many state and local agencies. AES is the recommended encryption method for PCI, HIPAA/HITECH, GLBA, and individual state privacy regulations. AES encryption uses an encryption key to encrypt the data, and that key must be protected.
2. Use Key Management Best Practices

Your encryption is only as good as how well you protect the encryption keys. Encryption keys should be secured away from the encrypted data using an external piece of hardware such as a hardware security module (HSM). This secure device should implement controls including:

- Dual Control means that no one person should be able to manage your encryption keys. Creating, distributing, and defining access controls should require at least two individuals working together to accomplish the task.
- Separation of Duties means that different people should control different aspects of your key management strategy. This is the old adage "don't put all your eggs in one basket." The person who creates and manages the keys should not have access to the data they protect, and the person with access to protected data should not be able to manage encryption keys.
- Split Knowledge applies to the manual generation of encryption keys, or to any point where encryption keys are available in the clear. More than one person should be required to constitute or re-constitute a key in this situation.
- Key Lifecycle Documentation and Rotation: your key manager should be able to automatically or manually rotate encryption keys with complete documentation of key rollover and history.
3. Use Certified Solutions

Always use NIST-validated AES encryption and NIST FIPS 140-2 compliant encryption key management. These certifications ensure that your key management has been tested by a third party against government standards and will stand up to scrutiny in the event of a breach.

- NIST Validated Encryption: Established by the National Institute of Standards and Technology (NIST) as the highest standard for encryption, the Advanced Encryption Standard (AES) is the most widely accepted cryptographic standard. AES supports nine modes of encryption, and NIST defines three key sizes for encryption: 128-bit, 192-bit, and 256-bit keys. Any encryption that you use should be AES standard encryption.
- FIPS 140-2 Compliant Key Management: The highest standard for encryption key management is the Federal Information Processing Standard (FIPS) 140-2 issued by NIST. A key management hardware security module (HSM) with NIST FIPS 140-2 compliance will offer the highest level of security for your company.

WHERE ARE YOUR KEYS?
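The Go program below is an added example and is not code from this ebook or from Townsend Security; it ties together the points made in the best-practices section and in the list of missing components earlier (DEKs protected by a KEK, split knowledge, key rotation with documented history). The in-memory KeyManager is a hypothetical stand-in for the HSM, and every type and function name in it is an assumption of the example. Data encryption keys (DEKs) are generated per record and stored only in wrapped form under the key encryption key (KEK) using AES-256-GCM; the KEK is assembled from two custodians' components so that neither custodian alone knows it; rotating the KEK re-wraps the DEK without touching the encrypted data and appends to a rollover log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// KeyManager is a hypothetical stand-in for the HSM/key manager; it keeps every KEK version and a rollover log.
type KeyManager struct {
	keks    map[int]cipher.AEAD // KEK version -> AES-GCM instance (the key bytes would live inside the HSM)
	History []string            // key rollover documentation
}

// WrappedDEK is what the application stores beside its data: the DEK only ever exists there encrypted under a named KEK version.
type WrappedDEK struct {
	KEKVersion int
	Blob       []byte
}

// CombineComponents models split knowledge: two custodians each enter one component and the
// KEK is their XOR, so neither component alone reveals anything about the key.
func CombineComponents(a, b []byte) ([]byte, error) {
	if len(a) == 0 || len(a) != len(b) {
		return nil, errors.New("components must be non-empty and of equal length")
	}
	key := make([]byte, len(a))
	subtle.XORBytes(key, a, b)
	return key, nil
}

// newAEAD builds AES-GCM from a 16-, 24- or 32-byte key (the three NIST sizes); other lengths are rejected.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; the output layout is nonce||ciphertext||tag.
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24 (it crashes instead)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// unseal reverses seal and fails if the ciphertext, tag or aad was altered.
func unseal(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// NewKeyManager installs the given key as KEK version 1.
func NewKeyManager(kek []byte) (*KeyManager, error) {
	gcm, err := newAEAD(kek)
	if err != nil {
		return nil, err
	}
	return &KeyManager{keks: map[int]cipher.AEAD{1: gcm}, History: []string{"KEK v1 created"}}, nil
}

// kekLabel binds each wrap to its KEK version through GCM's additional authenticated data.
func kekLabel(id int) []byte { return []byte(fmt.Sprintf("kek-v%d", id)) }

// WrapNewDEK generates a random AES-256 DEK and wraps it under the current KEK; the caller uses the clear DEK briefly and persists only the wrap.
func (km *KeyManager) WrapNewDEK() ([]byte, WrappedDEK) {
	dek := make([]byte, 32)
	rand.Read(dek)
	cur := len(km.keks) // versions are numbered 1..n, so the newest is n
	return dek, WrappedDEK{KEKVersion: cur, Blob: seal(km.keks[cur], dek, kekLabel(cur))}
}

// UnwrapDEK recovers a DEK with whichever KEK version wrapped it.
func (km *KeyManager) UnwrapDEK(w WrappedDEK) ([]byte, error) {
	if gcm, ok := km.keks[w.KEKVersion]; ok {
		return unseal(gcm, w.Blob, kekLabel(w.KEKVersion))
	}
	return nil, errors.New("unknown KEK version")
}

// RotateKEK installs newKEK as the next version and re-wraps the DEK under it; the bulk data encrypted with the DEK is untouched.
func (km *KeyManager) RotateKEK(newKEK []byte, w WrappedDEK) (WrappedDEK, error) {
	gcm, err := newAEAD(newKEK)
	dek, uerr := km.UnwrapDEK(w)
	if err != nil || uerr != nil {
		return WrappedDEK{}, errors.New("rotation refused: bad new KEK or unreadable wrap")
	}
	next := len(km.keks) + 1
	km.keks[next] = gcm
	km.History = append(km.History, fmt.Sprintf("KEK v%d retired, KEK v%d created", next-1, next))
	return WrappedDEK{KEKVersion: next, Blob: seal(gcm, dek, kekLabel(next))}, nil
}
```

Two things the code deliberately does not model are dual control and separation of duties: in a real deployment, calling RotateKEK is an operation the HSM gates behind two operators' credentials, and the application that holds WrappedDEK records never has access to the KEK bytes at all, which is why the KeyManager only ever hands back DEKs and never a KEK.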
WHY PARTNER WITH TOWNSEND SECURITY

Do you want to offer your customers industry-standard encryption and encryption key management in your payment applications to secure credit card information, prevent data loss, avoid data breach notification, and possibly save your customers millions of dollars in data breach costs? Doing encryption and encryption key management the right way will not only improve your security posture and industry leadership, but will provide you with a competitive advantage and prepare you for your next PCI certification. In this chapter, learn how Townsend Security has redefined what it means to be a technology partner.
Townsend Security is committed to both our end users and our partner channel. We provide our partners with enterprise-ready appliances for all legacy platforms with simplified distribution models that make it easy for OEMs, ISVs, and system integrators to be successful. Our team is dedicated to providing training, back-end support, and marketing materials to your technical and sales staff, and remains accessible long after the training is complete.

Reduced Cost & Complexity

Key management's reputation for being both costly and difficult often results in projects that are rushed through certifications using the bare minimum requirements. That reputation was accurate ten years ago, but today certified key management using best practices can be achieved quickly, easily, and at an affordable price. We help our partners achieve this by offering encryption key management that is competitively priced, easy and fast to deploy, and has an easy and cost-effective licensing model.
OEM Integration

We don't believe branding should get in the way of good security. Townsend Security will OEM or white-label our key manager in order to make implementation easy for our partners.

Specialized Solutions

Townsend Security delivers powerful, highly specialized encryption key management solutions for every legacy platform including SQL Server, Windows, Oracle, IBM i, and the cloud. We provide sample code, binary libraries, applications, key retrieval, and other tools you need to implement encryption and encryption key management easily, at no additional cost.
The Partner You Wish You Had

Townsend Security has redefined what it means to partner with a security company. With our NIST- and FIPS-certified encryption and encryption key management solutions, retail ISVs can offer their customers easy, affordable, and powerful data security. Our dedicated team provides our partners with extensive training, back-end support, marketing materials, and a cost-effective licensing model. You focus on what you do best, and we'll help you turn encryption and encryption key management into a revenue-generating option to help build your business and protect your valued customers.

Data breaches are no longer a matter of if, but when. Are you ready to improve your encryption key management to protect your customers, prepare yourself for a data breach, generate new revenue, and become your company's hero? Contact Townsend Security now.
ABOUT TOWNSEND SECURITY

Deploying encryption and key management across the enterprise involves work on the part of application developers on each enterprise computing platform. This work can be easier or harder depending on the key management vendor's dedication to appropriate implementations on each platform, the ease of use of the key retrieval interface, and the availability of sample source code. Townsend Security has more than 20 years of experience supplying encryption and key management solutions to over 3,000 companies worldwide. With NIST-certified AES encryption and FIPS 140-2 certified key management, we help our customers achieve data privacy compliance at an affordable price and with a personalized touch.

Web: www.townsendsecurity.com/partners
Email: info@townsendsecurity.com
Phone: (800) 357-1019 or (360) 359-4400
Twitter: @townsendsecure