White Paper PCI-Validated Point-to-Point Encryption




By Christopher Kronenthal, Chief Technology Officer

Executive Summary

Merchants are navigating a payments landscape that continues to evolve, as new technologies and new threats emerge with increasing regularity. Therefore, the Payment Card Industry (PCI) council has established a set of standards that seek to make payments more secure and easier for merchants to manage. Specifically, PCI's Point-to-Point Encryption (P2PE) standard meticulously defines the procedures that a payment solution provider must adhere to, and in doing so, enables merchants to process payments securely while keeping their network environment completely out of scope for PCI security audits.

FreedomPay's P2PE solution, fully audited and validated by PCI, supports traditional and emerging payment technologies such as EMV, and offers integrations into multiple Point of Sale systems and payment processors. With the coveted PCI validation, merchants employing the FreedomPay P2PE solution may reduce their scope for PCI compliance, and can conduct their business with the confidence that no unencrypted cardholder data flows through their systems.

This white paper will explore the merchant benefits of PCI-Validated P2PE, the process by which FreedomPay earned validation, and the value-added benefits of the FreedomPay Commerce Platform.

Why P2PE

Merchants today face an increasing number of challenges related to payments: ensuring security, maintaining compliance, managing costs, and keeping pace with an ever-changing payments technology landscape, to name just a few. Emerging standards, like the 2015 switch to EMV, and digital wallet products from Apple, Google, PayPal and even Starbucks have disrupted the payment landscape and sent merchants scrambling for solutions.

$225,000+ Average cost of a PCI audit
$5MM+ Average cost of a data breach
Source: Ponemon Institute

The stakes are high. For large merchants, a growing threat of cyber crime and malware has placed security at the top of the priority list. In today's retail environment, the threat of a data breach cannot be ignored, and keeping customer data secure is essential. By declaring and publishing a standard against which to validate solutions, the PCI council has created a technology standard that can completely secure a merchant's payment infrastructure. With P2PE, transactions are entirely encrypted before they even enter the merchant's location, essentially removing cardholder data from the merchant's POS and network. FreedomPay's P2PE solution, which earned PCI validation in August 2014, offers merchants this unparalleled payments security and functionality, while also protecting that investment with EMV support, setting the pace for the entire payments industry. Better still, merchants who utilize this solution benefit from a reduced annual audit report: just 19 controls versus the normal 284.

Buyer Beware

Any P2PE solution that does not adhere to the stated PCI requirements and has not been listed by the PCI Security Council as validated P2PE will not take the merchant's POS and supporting network infrastructure out of scope of compliance. It is incumbent on merchants to work with their QSA to separate fact from fiction. Only PCI-Validated P2PE solutions have been thoroughly audited and evaluated, and can deliver the merchant benefits of security assurance and true scope reduction.

PCI P2PE Standards

In 2012 and 2013, the PCI Security Standards Council released the PCI P2PE Standard: a set of controls that aimed to provide some clarity and definition around point-to-point encryption. There are three core principles underlying PCI-Validated solutions:

- Hardware-to-hardware encryption and decryption, with a POI (point-of-interaction) device that has SRED (Secure Reading and Exchange of Data) listed as a function and enabled.
- Certification of a validated secure distribution channel. This means that the entire chain of custody of the POI devices follows strict controls regarding shipping, receiving, tamper-evident packaging and installation.
- A P2PE Instruction Manual (PIM) that guides the merchant on POI device use, storage, return for repairs and regular PCI reporting.

Any solution provider can claim to offer point-to-point encryption, but not all P2PE solutions are the same. Only solutions that have been audited and validated to conform to the rigorous scrutiny of the PCI standards can offer merchants the peace of mind and transparency that customer data is truly secured. Merchants that implement PCI-Validated P2PE solutions gain another important benefit: a reduction in the scope of their PCI assessments. Only PCI-Validated P2PE solutions are recognized to have met the requirements that enable merchants to exclude their POS and network from the scope of their cardholder data environment.

Maintaining compliance with the PCI Data Security Standard (PCI DSS) is a requirement for all merchants who accept credit cards, and failure may result in an array of non-compliance penalties. The PCI Data Security Standard includes requirements and protective measures that are designed to maintain a secure network, safeguard cardholder data, and ensure the maintenance of information security policies.

As stated on the PCI Security Standards Council's listing of Validated Point-to-Point Encryption (P2PE) Solutions: "When correctly implemented, these P2PE solutions may simplify merchants' PCI compliance programs by eliminating clear-text cardholder data from their environment and reducing the scope of PCI DSS requirements." The PCI P2PE standard contains detailed security requirements and testing procedures for application vendors and providers of P2PE solutions to ensure that their solutions can meet the necessary requirements for the protection of payment card data.

PCI Validation Process

P2PE solutions listed on the PCI Security Standards Council website are compliant with a single, standardized set of security requirements, security assessment procedures and processes that have been validated by P2PE assessors. The P2PE standards define a common security assessment framework that is currently recognized by all participating PCI payment brands. To earn validation, P2PE solution providers have the responsibility for ensuring that their P2PE solutions satisfy all requirements of the P2PE standard. As a requirement for the P2PE solution assessment, the P2PE solution provider must provide the P2PE assessor with all required documentation, software, access to facilities and access to third-party service providers used in connection with the P2PE solution.

The PCI P2PE standard encompasses close to a thousand individual controls governing encryption and decryption methodologies, software applications, device management and operations related to distribution and cryptographic key injection facilities. To summarize the onerous P2PE Assessment process, solutions must be able to account for:

- Encryption Device Management: Secure cryptographic devices (SCDs) provide tamper-resistance, detection, and response features to help prevent successful attacks involving penetration, monitoring, manipulation, modification, or substitution of the devices to recover protected data.
- Application Security: The application does not transmit or store clear-text PAN or SAD outside of the device, and only uses communications methods included in the scope of the PCI-approved POI device evaluation.
- Encryption Environment: The solution provider maintains inventory-control and monitoring procedures to accurately track POI devices in their possession, and provides related instructions to merchants (P2PE Instruction Manual).
- Decryption Environment Device Management: Documented procedures exist and are demonstrably in use to ensure the security and integrity of decryption devices placed into service, initialized, deployed, used, and decommissioned.
- P2PE Cryptographic Key Operations: Key management, cryptographic algorithms and cryptographic key lengths must be consistent with international and/or regional standards. Key components must be protected at all times during transmission, conveyance, or movement between locations.

As the P2PE solution provider, FreedomPay has initially partnered with Ingenico Group and ScanSource to deliver all facets of the P2PE solution. Ingenico Group's best-in-class hardware and ScanSource's secure distribution and key injection capabilities have been fully vetted as part of the PCI P2PE assessment process.

PCI DSS Scope Reduction

Employing a PCI-Validated P2PE solution offers merchants significant reductions in scope for PCI DSS compliance. Because all clear-text cardholder data is removed from the merchant's POS and network environment, that infrastructure is no longer subject to the PCI compliance documentation. The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with PCI DSS. With 284 individual controls to document and maintain, and all of the associated costs, PCI DSS compliance requires that merchants make a significant investment in time and resources each year.

"Official PCI Validation for a P2PE solution means that merchants can significantly reduce their scope for PCI DSS validation and obtain third-party assurance that no cardholder data passes through their network environment in an unencrypted state."
Matt Getzelman, National PCI Practice Director, Coalfire Systems, Inc.

For merchants employing a PCI-Validated P2PE solution, there is relief for the documentation required, as well as the underlying costs of maintaining a compliant environment. SAQ P2PE-HW is a substantially shorter compliance document, available only to merchants who process cardholder data only via approved payment terminals as part of a Council-listed P2PE solution. To be eligible for the SAQ P2PE-HW, merchants must confirm that they:

- Are using a PCI P2PE solution that is listed on the PCI SSC's List of Validated P2PE Solutions.
- Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the Council-listed P2PE solution.
- Do not store any cardholder data in electronic format. This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems.
- Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.

With just 19 sections to complete, largely related to the proper maintenance and implementation of the P2PE payment terminal, the SAQ P2PE-HW removes the core elements of the merchant environment from scope: the POS, operating system and network. As an additional benefit, penetration tests and vulnerability scans are no longer required. This enables POS devices and operating systems that would otherwise fall out of compliance to remain in use, because the P2PE payment terminal circumvents that infrastructure and no cardholder data flows through legacy systems.
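The SAQ P2PE-HW eligibility conditions above rest on the merchant being able to show that no clear-text cardholder data sits anywhere outside the P2PE terminal, including legacy storage. The following PAN discovery check is an added example, not code from the white paper or from FreedomPay's platform: it scans merchant-side artefacts for Luhn-valid card numbers and reports them masked. The file names and log lines in it are constructed for the example.

```python
"""Clear-text PAN discovery check for SAQ P2PE-HW eligibility.

Added example, not from the white paper or FreedomPay: before attesting that no
cardholder data is stored, processed or transmitted outside the P2PE terminal and
that no legacy storage remains, scan merchant-side artefacts (POS logs, database
exports, captured payloads) for anything that looks like a primary account number.
"""
import re
from dataclasses import dataclass

# A PAN is 13-19 digits, possibly written with single spaces or dashes between
# groups. The trailing \b makes the engine back off from an adjacent number
# (a timestamp, an order id) rather than swallowing it into the candidate.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that are not card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six / last four, so the findings report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    source: str      # artefact the PAN was found in
    line_no: int     # 1-based line within that artefact
    masked_pan: str  # masked PAN, never the full number


def scan_text(source: str, text: str) -> list[Finding]:
    """Return every Luhn-valid PAN candidate in text, masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scope_check(artefacts: dict[str, str]) -> tuple[bool, list[Finding]]:
    """True only when no artefact holds clear-text PAN (the SAQ P2PE-HW precondition)."""
    findings = [f for name, text in artefacts.items() for f in scan_text(name, text)]
    return (len(findings) == 0, findings)


# Constructed sample: the P2PE sale leaves only an opaque blob on the POS, but a
# forgotten export from a pre-P2PE system still holds a card number (Visa test PAN).
SAMPLE_ARTEFACTS = {
    "pos.log": (
        "2015-09-10 12:01:44 sale txn=000318 amount=23.50 tender=P2PE blob=9f3ac1...\n"
        "2015-09-10 12:02:11 order 1234567890123 shipped\n"
    ),
    "legacy_export.csv": "jane.doe,4111 1111 1111 1111,09/17\n",
}

if __name__ == "__main__":
    clean, findings = scope_check(SAMPLE_ARTEFACTS)
    print("eligible for SAQ P2PE-HW on this evidence:", clean)
    for f in findings:
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
```

The order number in pos.log is 13 digits long but fails the Luhn check, so only the legacy export is reported; a real sweep would feed the check every file system, database and packet capture the merchant's POS and network can reach.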

P2PE Payment Terminals

Core to the PCI-Validated P2PE solution is the Secure Reading and Exchange of Data (SRED) module, designed to encrypt data at the Point-of-Interaction. The SRED module applies the security and cryptographic protection of PIN data to the reading of card data presented by magnetic stripe, EMV, contactless/NFC, and manual entry. For P2PE to be implemented in the SRED module, the encryption key management and encryption of the cardholder data must be done in the device's security processor. This and other P2PE program aspects must be in firmware, as opposed to being in the application. The firmware is reviewed and certified as meeting the SRED requirements by a PCI-approved laboratory.

FreedomPay's P2PE solution leverages SRED-enabled terminals from Ingenico Group that offer merchants in any industry the flexibility to roll out a variety of compliant devices. All of the Ingenico Group devices that FreedomPay provides support traditional magnetic stripe payments, and also alternative and emerging payment methodologies such as EMV and NFC.

FreedomPay Payment Gateway

The FreedomPay Commerce Platform functions as a secure switch that routes payment data from the point of sale system to the payment processor seamlessly with its validated P2PE solution. FreedomPay is broadly integrated with both POS systems and processors, ensuring merchants the flexibility and coverage to make changes to their POS platform and/or processing partner at any time. While already the most connected, lowest cost routing network in North America, FreedomPay is continually expanding its integration list with the goal of complete industry interconnectivity. In addition to these, the FreedomPay Commerce Platform can support gift cards, vouchers and stored value (closed-loop cashless) models that execute a declining balance from a prepaid card.

Incentives Engine

As a value-added platform provider, FreedomPay offers merchants a robust incentive engine that powers discounts, promotions and loyalty programs. The FreedomPay Commerce Platform evaluates each purchase in real-time and applies discounts or points based on particular SKUs, time of day, overall spend, location, product category and more. As an example, a foodservice provider might consider offering a point for each dollar spent in the café, and triple points for higher margin items or perishable items. In a business-to-business setting, FreedomPay can also help merchants, manufacturers and banks deliver financial terms incentives on large corporate purchases.

FreedomPay's Incentive Manager allows a merchant to configure any number of promotions or loyalty point programs. Customers can view offers and loyalty point accruals through a web interface and/or mobile app, and redeem incentives in real time at the POS. The platform is designed to provide marketers with the tools to validate their promotional activity at a SKU level, gaining valuable insight into what offers, discounts and loyalty rewards are most effective, and for which customer segments.

Microsoft Partnership and Global Scalability

As a platform for future growth and innovation, FreedomPay was named Microsoft's global payments partner. The FreedomPay Commerce Platform was chosen to support Enterprise Retail and Banking divisions globally. FreedomPay is working across multiple continents with Microsoft's banking team to deliver added value commerce products and services to key bank customers. FreedomPay's platform integrates seamlessly with bank infrastructure and is fully supported in the Azure Microsoft cloud for global scalability.

Conclusion

FreedomPay has reinvented its business according to the strict standard required by PCI for point-to-point encryption. The exacting process of achieving PCI validation for P2PE has resulted in FreedomPay building an industry-leading platform that delivers merchants immediate benefits around payment security and scope reduction, as well as ongoing opportunities to innovate and add value. As the payment landscape shifts to include EMV and NFC transactions, FreedomPay is helping merchants stay ahead of the game. As North America's first fully-functional PCI-Validated P2PE platform with EMV and NFC-ready terminals, FreedomPay is setting the standard for merchants to deliver a customer experience based on security, functionality and intelligence. It is here, at the intersection of payments and data, that FreedomPay is able to deliver on its promise to merchants: We make payments smarter, simpler and more secure.

About the Author

Christopher R. Kronenthal, Chief Technology Officer and Alliance Executive

Chris Kronenthal is the payment industry's preeminent security expert, bringing world-class experience to the software development processes and compliance solutions of FreedomPay. He led FreedomPay's effort to build the market's first PCI-validated, fully-functional point-to-point encryption (P2PE) payment technology as part of its cloud-based FreedomPay Commerce Platform. Leveraging more than a decade of international experience in diverse industries with a strong focus on compliance and infrastructure enables Chris to advance a security-focused perspective for any company's scalable needs.

Chris joined FreedomPay in 2008 and is responsible for the company's technology solutions, as well as key alliances with strategic technology partners. Chris manages security compliance; production network infrastructure; development of new and existing software products; change and quality control initiatives; and technology partner strategy. Prior to joining FreedomPay, Chris held various technology management positions at the Coriell Institute for Medical Research, the world's oldest and largest bio-repository. There he led the development of Coriell's highly specialized and security-driven bio-repository system. Chris received his Bachelor's and Master's of Science degrees in Information Technology at the Rochester Institute of Technology.

About FreedomPay

FreedomPay is the engine inside the world's expanding and interconnected ecosystem of commerce. We make payments smarter, simpler and more secure. The FreedomPay Commerce Platform is a multi-patented solution portfolio designed to enable companies to embrace current trends and accelerate innovation. The platform seamlessly bridges the gap across in-store, web and mobile by interconnecting POS systems, transaction processors, incentive engines and other disparate systems to a cutting edge payment gateway. The FreedomPay Commerce Platform P2PE solution provides merchants complete payment data security, including EMV and NFC compliance, in accordance with the coveted certification from the PCI Security Standards Council.

www.freedompay.com