PCI P2PE 2.0. What Does it Mean for Merchants and Processors? September 10, 2015


Agenda: Housekeeping; Presenters; About Conexxus; Presentation; Q&A

2015 Conexxus Webinar Schedule (updated September 9, 2015)
July: Mobile Commerce. Speakers: Wesley Burress (ExxonMobil), Don Friedman (P97)
September: Point-to-Point Encryption (P2PE). Speaker: Ruston Miles (Bluefin Payment Systems)
September: Asset Tracking in PCI 3.0. Speaker: Olivia Rose Jenkins (ControlScan)
October: NACS Show in Las Vegas, no webinar
November: Open, TBD
December: Conexxus year-end review, TBD
If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at cbayer@conexxus.org.

Presenters
Carl Bayer (cbayer@conexxus.org), Program Manager, Conexxus
Mark Carl (mcarl@echosat.com), CEO, EchoSat Communications Group, Inc.
Ruston Miles (rmiles@bluefin.com), Chief Innovation Officer and SVP, PCI Professional (PCIP), Bluefin Payment Systems

Future Events
The NACS Show, October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada
2016 Conexxus Annual Conference, May 1-5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona

About Conexxus
We are an independent, non-profit, member-driven technology organization.
We set standards: data exchange, security, mobile commerce.
We provide vision: we identify emerging technology and trends.
We advocate for our industry: technology is policy.


Webinar Overview
Introduction
PCI P2PE Overview
What's New with PCI P2PE 2.0
Implications for Merchants
Implications for Processors
Integration Model Overview
PCI & P2PE: The Road Ahead

Ruston Miles Bio
Ruston Miles serves as Chief Innovation Officer of Bluefin Payment Systems. He has over 16 years of experience in payment processing, specializing in developing secure payment gateway technologies. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), and Certified Internet Business Strategist (CIBS), and an active participant in the PCI Security Standards Council Participating Organization (PO) Program.

Bluefin Introduction
Founded in 2002; payment and security technology expertise
Inc. 500/5000 honoree since 2011
First P2PE solution provider to be PCI validated in North America (March 2014)
Participating Organization (PO) of the PCI Security Standards Council (SSC)
Bluefin P2PE won the Silver Award for Best POS Innovation in the PYMNTS.com Innovation Awards
Level 1 PCI Service Provider, with fully redundant, fault-tolerant data centers in Atlanta and Tulsa

Part 1: PCI P2PE Overview

The State of Payment Security: What Lies Beneath

Layered Approach to Security
P2PE protects data in motion (transmission)
Tokenization protects data at rest (storage)
EMV prevents counterfeit-card fraud (protects the plastic)

What is the Problem? What is the Solution? US-CERT says the problem is malware. The PCI Security Standards Council says the solution is point-to-point encryption.

PCI Malware Infographic
The PCI Security Standards Council released a malware infographic in November 2014 addressing POS malware. To protect against malware, the infographic recommends considering:
A PCI-approved point of interaction (POI) device with SRED (Secure Reading and Exchange of Data) functionality
A PCI-approved point-to-point encryption (P2PE) solution

Won't EMV Fix This? The Short Answer: No
After EMV (chip and PIN) implementation in the UK, card-not-present fraud spiked 79% and continues at an alarming rate five years later.
The complete 16-digit card number and 4-digit expiration date are transmitted in the clear in the EMV payload (the EMV cryptogram authenticates the card and transaction; it does not encrypt the account data).
Malware continues to steal the clear-text data in the UK even with EMV.
Fraudsters use this stolen data for online fraud and purchases.
Sources: Aite Group and Financial Fraud Action UK

PCI P2PE Minimizes Scope, Safeguards Cardholder Data and Protects the Brand
PCI scope and cost reduction: [bar chart] 326 self-assessment questions for non-P2PE merchants versus 26 questions for P2PE merchants.
No business can afford to lose cardholder data in a breach: $201 per lost credit card record, times millions of records. Some breaches have cost major retailers more than $170 million.

Why Choose a PCI-Validated P2PE Solution? See PCI SSC FAQ 1162.

PCI-Validated P2PE Solution
When you select a non-validated P2PE solution, you get:
No chain of custody or dual control
No assurance of hardware key management
No assurance of device audit (PTS 3.x/4.x) or tamper resistance
No assurance that hardware encryption is used (SRED)
No assurance that the application/firmware has been PCI audited for encryption
No assurance that all components of the solution have been integrated and configured properly
No objective confidence: you must rely on vendor claims.

P2PE Requirements: Chain of Custody
Chain of custody and dual control prevent substitution, theft and compromise of POI devices.
A report on device custody is required for the annual PCI compliance assessment.
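The custody report the slide refers to is easier to trust when it is checked mechanically. The following is an example added for this page, not code from the deck, Bluefin or the PCI SSC: it runs over a constructed device custody log and a constructed key-injection-facility shipping manifest (field names, event types and serials are all assumptions) and flags the failures the two controls exist to catch: a hand-off attested by one person (dual control), a device whose "from" does not match its last recorded holder (chain of custody), a serial the KIF never shipped (possible substitution), and a history with missing steps.

```python
from collections import defaultdict

# Constructed manifest: serials the key-injection facility (KIF) reported shipping.
KIF_MANIFEST = {"POI-0001", "POI-0002", "POI-0004"}

# Constructed custody log (assumed field names). One record per hand-off.
CUSTODY_LOG = [
    {"ts": "2015-08-01T09:00", "serial": "POI-0001", "event": "injected",
     "from": "KIF-A", "to": "Carrier-1", "attested_by": ["k.lee", "m.ross"]},
    {"ts": "2015-08-04T14:10", "serial": "POI-0001", "event": "received",
     "from": "Carrier-1", "to": "Store-12", "attested_by": ["j.ng", "p.diaz"]},
    {"ts": "2015-08-04T15:00", "serial": "POI-0001", "event": "deployed",
     "from": "Store-12", "to": "Lane-3", "attested_by": ["j.ng", "p.diaz"]},
    # single attester on the injection hand-off
    {"ts": "2015-08-01T09:05", "serial": "POI-0002", "event": "injected",
     "from": "KIF-A", "to": "Carrier-1", "attested_by": ["k.lee"]},
    {"ts": "2015-08-04T14:12", "serial": "POI-0002", "event": "received",
     "from": "Carrier-1", "to": "Store-12", "attested_by": ["j.ng", "p.diaz"]},
    # serial the KIF never shipped, deployed straight onto a lane
    {"ts": "2015-08-05T10:00", "serial": "POI-0003", "event": "deployed",
     "from": "Store-12", "to": "Lane-4", "attested_by": ["j.ng", "p.diaz"]},
    # 'from' does not match the previous holder; same person listed twice
    {"ts": "2015-08-01T09:10", "serial": "POI-0004", "event": "injected",
     "from": "KIF-A", "to": "Carrier-1", "attested_by": ["k.lee", "m.ross"]},
    {"ts": "2015-08-06T11:00", "serial": "POI-0004", "event": "received",
     "from": "Carrier-9", "to": "Store-12", "attested_by": ["j.ng", "j.ng"]},
]

EXPECTED_SEQUENCE = ("injected", "received", "deployed")


def audit_custody(log, manifest):
    """Return (serial, event, code, detail) findings.
    Codes: DUAL_CONTROL, CHAIN_BREAK, NOT_IN_MANIFEST, SEQUENCE."""
    findings = []
    by_serial = defaultdict(list)
    for rec in sorted(log, key=lambda r: r["ts"]):
        by_serial[rec["serial"]].append(rec)

    for serial, events in by_serial.items():
        if serial not in manifest:
            findings.append((serial, events[0]["event"], "NOT_IN_MANIFEST",
                             "serial never shipped by the KIF; possible substituted device"))
        last_holder = None
        for rec in events:
            # dual control: two distinct people must attest every hand-off
            if len(set(rec["attested_by"])) < 2:
                findings.append((serial, rec["event"], "DUAL_CONTROL",
                                 "hand-off attested by fewer than two distinct people"))
            # chain of custody: the giver must be the last recorded holder
            if last_holder is not None and rec["from"] != last_holder:
                findings.append((serial, rec["event"], "CHAIN_BREAK",
                                 f"taken from {rec['from']} but last holder was {last_holder}"))
            last_holder = rec["to"]
        seq = tuple(r["event"] for r in events)
        if seq != EXPECTED_SEQUENCE[:len(seq)]:
            findings.append((serial, seq[-1], "SEQUENCE",
                             f"events {seq} do not follow {EXPECTED_SEQUENCE}"))
    return findings


def clean_serials(log, manifest):
    """Serials whose history raised no finding: the only ones the report should sign off."""
    flagged = {f[0] for f in audit_custody(log, manifest)}
    return sorted(s for s in {r["serial"] for r in log} if s not in flagged)


if __name__ == "__main__":
    for serial, event, code, detail in audit_custody(CUSTODY_LOG, KIF_MANIFEST):
        print(f"{serial} {event:9} {code:16} {detail}")
    print("clean:", clean_serials(CUSTODY_LOG, KIF_MANIFEST))
```

The checks are deliberately simple so they can run against whatever inventory export a merchant or provider already keeps; the substitution check in particular depends on the KIF's manifest being an independent record, which is why the slide pairs chain of custody with dual control rather than relying on either alone.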

PCI P2PE Case Study Available Now

Part 2: What's New with PCI P2PE 2.0?

What's New with PCI P2PE 2.0?
In a word: simplification of the P2PE standard. P2PE's founding purpose was to simplify PCI programs through cardholder data environment (CDE) scope reduction. Many major processors found the P2PE standard rigid and inflexible and could not get their in-market encryption solutions through the P2PE audit. P2PE 2.0 does not lower the requirement bar; rather, it modularizes the standard so that providers can outsource or partner for certain solution components.
In a sentence: simplification of the PCI program for providers, and now also for merchants directly, by modularizing the requirements into components and templatizing the PIM (P2PE Instruction Manual).
Gamechanger: the PCI P2PE program is now open to merchant-managed solutions.

What's New with PCI P2PE 2.0? Modularization
Providers and merchants choose from a list of certified P2PE components to create their P2PE solutions.
Component types: Solution Provider; Application Vendor; Decryption Service Provider; POI Device Management Service Provider; KIF/CA/RA Service Provider
Domains: Domain 1, Encryption; Domain 2, Applications; Domain 3, Solution Management; Domain 4, Merchant Managed; Domain 5, Decryption; Domain 6, Key Management
Now available!

What's New with PCI P2PE 2.0?
Clears up gray areas and potentially confusing overlaps.
Removes illogical logistical requirements that have been fleshed out through implementation.
Templatizing the PIM (P2PE Instruction Manual) simplifies and standardizes PIM creation, so merchants know what to expect from providers.
Check out "P2PE Summary of Changes v1.1 to v2.0" in the PCI Documents Library online for a requirement-by-requirement comparison.

What's New with P2PE 2.0? You can do it!
Perhaps the most groundbreaking change is that merchant-managed solutions are now allowed. Domain 4: Merchant-managed Solutions is no longer a placeholder in the standard; this section has been completed and is ready for prime time.
The P2PE 2.0 Program Guide and component listing are to be made available from PCI before the PCI Community Meeting in Vancouver at the end of September 2015. Ruston is speaking at the PCI Community Meeting in Vancouver. Bluefin is a sponsor and will have a booth. See you there.

Part 3: Implications for Merchants

Implications for Merchants
More PCI-validated P2PE solution providers will be listed due to simplification and modularization of the standard.
Merchants have more leverage to push their providers to become PCI P2PE validated; E2EE is no longer good enough.
PCI standards and validations give merchants a common standard to rely on instead of vendor claims and sales gymnastics.
The threat of merchants creating and managing their own P2PE solutions will entice providers to validate.
The templatized PIM means merchants know what to expect from solution providers' PIMs.
Only provider solutions and components will be listed on PCI's website; merchant-managed solutions will not be listed.

Implications for Merchants
No processor lock-in: many merchants want to manage their own P2PE solution rather than tying themselves to their processor's solution.
Build vs. buy: modularization means merchants can outsource components of their P2PE solution to P2PE-listed component vendors instead of building them.

Part 4: Implications for Processors

Implications for Processors
Providers can P2PE-enable their in-market encryption solutions by selecting solution components from listed vendors.
Faster time to market.
Lower cost of entry, in dollars and in technical resources that may currently be committed to EMV projects.
Processors and gateways can still own the FEP (front-end processing) and back-end settlement but use decryption, key injection, chain of custody, and key management services from a listed component vendor.
Templatization simplifies and accelerates creation of the PIM.
P2PE-listed KIFs (key injection facilities) and clarity on RKI (remote key injection) will simplify fulfillment and rollout logistics.
PCI P2PE 2.0 is built for adoption.

Part 5: Integration Model Overview

Integration Model Overview
Processor P2PE: for merchants who connect to their processor for all payment and security services.
Telecom Gateway P2PE: for merchants who want minimal impact to existing operations. No POS changes and no terminal application/software changes; a network gateway sits between the device and the processor, decrypting the format-preserving-encrypted (FPE) card data on its way to the processor.
P2PE as a Service: for merchants who manage their own central office or switch. The merchant uses a virtual HSM to route card data in real time for decryption over high-speed, private connectivity from the central office.
Merchant-Managed P2PE: for merchants who want to manage everything internally. The merchant builds out the P2PE system and is audited by a PCI P2PE QSA; certain components can be provided by approved vendors.

Part 6: PCI & P2PE: Then and Now

PCI & P2PE: Then and Now
Are there any petro customers with Bluefin today? Validated P2PE was rolled out to Tier 2, 3, and 4 customers throughout 2014 and 2015 to scale systems. Bluefin joined Conexxus to work with the Data Security Committee and the P2PE Working Group on P2PE standards for POS and AFD (automated fuel dispensers).
EMV projects are taking much of the focus in 2015 for C-stores; P2PE is the focus for 2016 and beyond. Petro customers want to implement EMV and P2PE together before October 2017.
PCI P2PE v1.0/1.1: the gold standard. P2PE 2.0 is built for adoption. P2PE eliminates the pain points.
Visa's commitment to PCI-validated P2PE: Visa TIP, Visa DSP, Visa SAIP.
Let's discuss. www.