PCI P2PE 2.0 What Does it Mean for Merchants and Processors? September 10, 2015
Agenda: Housekeeping; Presenters; About Conexxus; Presentation; Q&A
2015 Conexxus Webinar Schedule* (*Update: September 9, 2015)
Month/Date | Webinar Title                    | Speaker                      | Company
July       | Mobile Commerce                  | Wesley Burress, Don Friedman | ExxonMobil, P97
September  | Point-to-Point Encryption (P2PE) | Ruston Miles                 | Bluefin Payment Systems
September  | Asset Tracking in PCI 3.0        | Olivia Rose Jenkins          | Control Scan
October    | NACS Show in Las Vegas           | No Webinar                   | No Webinar
November   | Open                             | TBD                          |
December   | Conexxus Year-end Review         | TBD                          |
If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at cbayer@conexxus.org.
Presenters
- Carl Bayer (cbayer@conexxus.org), Program Manager, Conexxus
- Mark Carl (mcarl@echosat.com), CEO, EchoSat Communications Group, Inc.
- Ruston Miles (rmiles@bluefin.com), Chief Information Officer, SVP, PCI Professional (PCIP), Bluefin Payment Systems
Future Events
- The NACS Show, October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada
- 2016 Conexxus Annual Conference, May 1-5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona
About Conexxus
- We are an independent, non-profit, member-driven technology organization
- We set standards: data exchange, security, mobile commerce
- We provide vision: identify emerging tech/trends
- We advocate for our industry: technology is policy
Webinar Overview
- Introduction
- PCI P2PE Overview
- What's New with PCI P2PE 2.0
- Implications for Merchants
- Implications for Processors
- Integration Model Overview
- PCI & P2PE: The Road Ahead
Ruston Miles Bio
Ruston Miles serves as Chief Innovation Officer of Bluefin Payment Systems. He has over 16 years of experience in payment processing, specializing in developing secure payment gateway technologies. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant in the PCI Security Standards Council Participating Organization (PO) Program.
Bluefin Introduction
- Founded in 2002; payment and security technology expertise
- Inc. 500/5000 honoree since 2011
- First P2PE Solution provider to be PCI validated in North America (March 2014)
- Participating Organization (PO) of the PCI Security Standards Council (SSC)
- Bluefin P2PE Silver Award for Best POS Innovation in the PYMNTS.com Innovation Awards
- Level 1 PCI Service Provider; fully redundant, fault-tolerant data centers in Atlanta and Tulsa
Part 1: PCI P2PE Overview
The State of Payment Security: What Lies Beneath
Layered Approach to Security
- P2PE: protects data in motion (P2PE protects transmission)
- Tokenization: protects data at rest (tokenization protects storage)
- EMV: counterfeit card fraud prevention (EMV protects plastic)
What is the Problem? What is the Solution?
US-CERT says the problem is malware. The PCI Security Standards Council says the solution is Point-to-Point Encryption.
PCI Malware Infographic
The PCI Security Standards Council released a malware infographic in November 2014 addressing POS malware. To protect against malware, the infographic recommends considering implementing:
- a PCI-approved point of interaction (POI) device with SRED functionality
- a PCI-approved point-to-point encryption (P2PE) solution
Won't EMV Fix This? The Short Answer: No
- After EMV (chip & PIN) implementation in the UK, card-not-present fraud spiked 79% and continues at an alarming rate 5 years later.
- The complete 16-digit card number and 4-digit expiration date are transmitted in the clear in the EMV payload.
- Malware continues to steal the clear-text data in the UK even with EMV.
- Fraudsters use this stolen data for online fraud and purchases.
Sources: Aite Group and Financial Fraud Action UK
PCI P2PE Minimizes Scope, Safeguards Cardholder Data and Protects the Brand
- PCI Scope and Cost Reduction: [chart: self-assessment questions, non-P2PE merchants vs. P2PE merchants] 326 questions reduced to 26 questions for P2PE merchants.
- No business can afford to lose cardholder data in a breach: $201 per lost credit card record times millions of credit card records. Some breaches have cost major retailers more than $170 million.
Why Choose a PCI Validated P2PE Solution? (FAQ 1162)
PCI Validated P2PE Solution
When you select a non-validated P2PE solution:
- No chain of custody or dual control
- No assurance of hardware key management
- No assurance of device audit (PTS 3.x/4.x) or tamper resistance
- No assurance that hardware encryption is used (SRED)
- No assurance that the application/firmware has been PCI audited for encryption
- No assurance that all components of the solution have been integrated and configured properly
- No objective confidence: you must rely on vendor claims.
P2PE Requirements: Chain of Custody
- Chain of custody and dual control prevent substitution, theft and compromise
- Report on device custody required for annual PCI compliance assessment
PCI P2PE Case Study Available Now
Part 2: What's New with PCI P2PE 2.0?
What's New with PCI P2PE 2.0?
In a word: simplification of the P2PE Standard. P2PE's founding purpose was to simplify PCI programs through Cardholder Data Environment (CDE) scope reduction. Many major processors found the P2PE Standard to be rigid and inflexible and could not get their in-market encryption solutions through the P2PE audit. P2PE 2.0 does not lower the requirement bar, but rather modularizes the standard so that providers can outsource/partner for certain solution components.
In a sentence: simplification of the PCI program for providers, and now also for merchants directly, by modularizing the requirements into components and templatizing the PIM (P2PE Instruction Manual).
Gamechanger: the PCI P2PE Program is now open to merchant-managed solutions.
What's New with PCI P2PE 2.0?
Modularization: providers and merchants choose from a list of certified P2PE Components to create their P2PE Solutions.
Component roles: Solution Provider; Application Vendor; Decryption Service Provider; POI Device Management Service Provider; KIF/CA/RA Service Provider
Domains:
- Domain 1: Encryption
- Domain 2: Applications
- Domain 3: Solution Management
- Domain 4: Merchant Managed
- Domain 5: Decryption
- Domain 6: Key Management
Now Available!
What's New with PCI P2PE 2.0?
- Clears up gray areas and potentially confusing overlaps
- Removes illogical logistical requirements that have been fleshed out through implementation
- Templatizing the PIM (P2PE Instruction Manual) simplifies and standardizes PIM creation so merchants know what to expect from providers
- Check out "P2PE Summary of Changes v1.1 to v2.0" in the PCI Documents Library online for a requirement-by-requirement comparison
What's New with P2PE 2.0? You can do it!
- Perhaps the most groundbreaking change is that merchant-managed solutions are now allowed.
- Domain 4: Merchant-managed Solutions is no longer a placeholder in the standard. This section has been completed and is ready for prime time.
- The P2PE 2.0 Program Guide and component listing are to be made available from PCI before the PCI Community Meeting in Vancouver at the end of September 2015.
- Ruston is speaking at the PCI Community Meeting in Vancouver. Bluefin is a sponsor and will have a booth. See you there.
Part 3: Implications for Merchants
Implications for Merchants
- More PCI validated P2PE Solution providers will be listed due to simplification and modularization of the standard.
- Merchants have more leverage to push their providers to become PCI P2PE validated. E2EE is no longer good enough.
- PCI standards and validations give merchants a common standard to rely on instead of relying on vendor claims and sales gymnastics.
- The threat of merchants creating/managing their own P2PE Solutions will entice providers to validate.
- A templatized PIM means merchants know what to expect from solution provider PIMs.
- Only Provider Solutions and Components will be listed at PCI's website. Merchant-managed Solutions will not be listed on the website.
Implications for Merchants
- No processor lock-in: many merchants want to manage their own P2PE Solution rather than tying themselves into their processor's solution.
- Build vs. buy: modularization means that merchants can outsource components of their P2PE Solution to P2PE-listed component vendors instead of building them themselves.
Part 4: Implications for Processors
Implications for Processors
- Providers can P2PE-enable their in-market encryption solutions by selecting solution components from listed vendors.
- Faster time to market.
- Lower cost of entry in terms of dollars and technical resources, which may currently be committed to EMV projects.
- Processors and gateways can still own the FEP (front-end processing) and back-end settlement but use decryption, key injection, chain of custody, and key management services from a listed component vendor.
- Templatization simplifies and accelerates the creation of the PIM.
- P2PE-listed KIFs and clarity on RKI (remote key injection) will simplify fulfillment and rollout logistics.
- PCI P2PE 2.0 is built for adoption.
Part 5: Integration Model Overview
Integration Model Overview
- Processor P2PE: for merchants who connect to their processor for all payment and security services.
- Telcom Gateway P2PE: for merchants who want minimal impact to existing operations. No POS changes; no terminal application/software changes. The network gateway sits in the middle, between the processor and the device, decrypting FPE card data on its way to the processor.
- P2PE as a Service: for merchants who manage their own central office or switch. Merchants use a virtual HSM to route card data in real time for decryption over high-speed, private connectivity from the central office.
- Merchant Managed P2PE: for merchants who want to manage everything internally. The merchant builds out the P2PE system and is audited by a PCI P2PE QSA. Certain components can be provided by approved vendors.
Part 6: PCI & P2PE: Then and Now
PCI & P2PE: Then and Now
Are there any petro customers with Bluefin today?
- Rolled out validated P2PE to Tier 2, 3, and 4 customers throughout 2014 and 2015 to scale systems.
- Joined Conexxus to work with the Data Security Committee and the P2PE Working Group on P2PE standards for POS and AFD.
- EMV projects are taking much of the focus in 2015 for C-store. P2PE is the focus for 2016 and beyond.
- Petro customers want to implement EMV and P2PE together before October 2017.
- PCI P2PE v1.0/1.1: gold standard. P2PE 2.0 is built for adoption. P2PE eliminates the pain points.
- Visa's commitment to PCI validated P2PE: Visa TIP, Visa DSP, Visa SAIP
Let's discuss
www.