EMV Security / A Key Component to a Multi-layered Security Approach

Beyond EMV / Why You Need Multi-Layered Security JULY 29, 2015

Transcript of EMV Security / A Key Component to a Multi-layered Security Approach

Page 1: EMV Security / A Key Component to a Multi-layered Security Approach

Beyond EMV / Why You Need Multi-Layered Security

JULY 29, 2015

Page 2: EMV Security / A Key Component to a Multi-layered Security Approach

EMV Security / A Key Component to a Multi-layered Security Approach

JULY 29, 2015

Page 3: EMV Security / A Key Component to a Multi-layered Security Approach

EMV security / enhanced functionality in 3 key areas

Beyond Security – Why You Need Multi-Layered Security / EMV Security - 07/29/2015

EMV secures the payment transaction with enhanced functionality in 3 key areas:

1. Card Authentication / protecting against counterfeit cards
2. Cardholder Verification / authenticating the cardholder and protecting against lost and stolen cards
3. Transaction authorization / using issuer-defined rules to authorize transactions

Page 4: EMV Security / A Key Component to a Multi-layered Security Approach

EMV security / enhanced functionality in 3 key areas

Card Authentication

• The card is authenticated during the payment transaction, protecting against counterfeit cards
• Online transactions contain a unique chip-generated cryptogram, validated by the issuer
• Offline transactions are validated with the terminal using PKI data authentication

Cardholder Verification

• EMV supports four issuer-defined and prioritized cardholder verification methods (CVMs):

1. Offline PIN
2. Online PIN
3. Signature
4. No CVM*

*typically unattended kiosks or small ticket transactions

Transaction Authorization

• Online, transaction info is sent to the issuer, along with a unique cryptogram
• Offline, the card and terminal communicate and use issuer-defined risk parameters in the chip to make the authorization decision
• Offline transactions may be used when there is no online connectivity
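As an added illustration (not from the slides), a simplified model of how a terminal walks the issuer's prioritized CVM list described above. The rule names, condition names and the constructed issuer list are assumptions for illustration, not the EMV Book 3 CVM List encoding.

```python
from dataclasses import dataclass

# Simplified model (an assumption for illustration, not the EMV Book 3 CVM List
# encoding): the issuer writes a prioritized list of methods onto the chip, each
# with a condition; the terminal walks the list and applies the first method whose
# condition holds and which it can perform.

@dataclass(frozen=True)
class CvmRule:
    method: str      # "offline_pin", "online_pin", "signature" or "no_cvm"
    condition: str   # "always", "if_supported" or "if_under_limit"
    limit: int = 0   # amount in minor units, used by "if_under_limit"

@dataclass(frozen=True)
class Terminal:
    supports: frozenset  # methods this terminal can perform
    online: bool         # connectivity available (online PIN needs it)

def condition_holds(rule: CvmRule, amount: int, terminal: Terminal) -> bool:
    if rule.condition == "always":
        return True
    if rule.condition == "if_supported":
        return rule.method in terminal.supports
    if rule.condition == "if_under_limit":
        return amount < rule.limit
    return False

def select_cvm(cvm_list, amount: int, terminal: Terminal) -> str:
    """Return the method the terminal applies, or 'fail' when no rule applies;
    with 'fail' the terminal cannot verify the cardholder."""
    for rule in cvm_list:
        if not condition_holds(rule, amount, terminal):
            continue
        if rule.method not in terminal.supports:
            continue
        if rule.method == "online_pin" and not terminal.online:
            continue  # online PIN is verified by the issuer, so needs connectivity
        return rule.method
    return "fail"

# Constructed issuer list in the slide's priority order; No CVM is allowed only
# for small-ticket transactions (the limit, 25.00 in minor units, is an assumed value).
ISSUER_CVM_LIST = (
    CvmRule("offline_pin", "if_supported"),
    CvmRule("online_pin", "if_supported"),
    CvmRule("signature", "if_supported"),
    CvmRule("no_cvm", "if_under_limit", limit=2500),
)
```

An unattended kiosk that supports no CVM at all therefore accepts only small-ticket amounts, which is the case the slide footnote describes.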

Page 5: EMV Security / A Key Component to a Multi-layered Security Approach

EMV security / increased protection against fraud

• EMV cards store payment information in a secure chip rather than on a magnetic stripe
• The personalization of EMV cards is done using issuer-specific keys
• Unlike a magnetic stripe card, it is virtually impossible to successfully create a usable counterfeit EMV card

Page 6: EMV Security / A Key Component to a Multi-layered Security Approach

Multi-layered security / why EMV alone is not enough

EMV authenticates the validity of the card

EMV authenticates the validity of the cardholder

EMV DOES NOT secure the data

Page 7: EMV Security / A Key Component to a Multi-layered Security Approach

Multi-layered security / why encryption and tokenization alone are not enough

• Encryption and tokenization are mechanisms to protect sensitive cardholder data, but those methods do not authenticate the data
• Without EMV, it is likely that you would be protecting fraudulent data
• Without EMV, merchants bear the liability for fraudulent transactions
  o The extent of the liability varies, depending on card brand

Page 8: EMV Security / A Key Component to a Multi-layered Security Approach

Multi-layered security / complete data protection

EMV offers a good start to enhancing data security, with:

• Card authentication
• Cardholder verification
• Transaction authorization

But a multi-layered security approach that includes encryption and tokenization provides complete data protection, safeguarding both merchants and their customers.

Page 9: EMV Security / A Key Component to a Multi-layered Security Approach

Thank You

ALLEN FRIEDMAN, DIRECTOR OF PAYMENTS / INGENICO GROUP, NA

WWW.INGENICO.US

Page 10: EMV Security / A Key Component to a Multi-layered Security Approach

Beyond EMV / Why P2PE is a Key Component to Multi-layered Security

JULY 29, 2015

Page 11: EMV Security / A Key Component to a Multi-layered Security Approach

Multi-layered security / the solution to criminal attacks

Merchants’ payments systems continue to be under attack by criminals

• Malware – mainly memory scrapers – installed on merchants’ point of sale (POS) systems
• Roughly 100 Million cards captured from December 2013 through 2014
• Monetized through the selling of dumps on the dark web
• Track data dumps are worth more than PAN/Expiry
• PAN/Expiry still has value in the CNP environment

The purpose of multi-layered security is to stop attacks

• Removes the monetization potential and encourages the criminals to move on
• Reduces the value of captured data to zero

Beyond Security – Why You Need Multi-Layered Security / P2PE - 07/29/2015

Page 12: EMV Security / A Key Component to a Multi-layered Security Approach

Point-to-point-encryption (P2PE) / attack points – points to protect

Source: Hacking the Point of Sale, Slava Gomzin, 2014

EMV still sends card data in the clear

To protect the POS: Merchant must be successful 100% of the time

To attack the POS: Criminals only need to be successful one time

The odds do not favor the merchant

Page 13: EMV Security / A Key Component to a Multi-layered Security Approach

Multi-layered security / the way to protect

Multi-layered security ensures card data protection

• EMV for card authentication – protect against fraudulent cards
• Point-to-point encryption (P2PE) – no clear card data outside the secure POI
• Tokenization – Protect card data at rest

Now a successful attack on the POS will yield data that cannot be monetized

“I think the bigger [merchants] could maybe put a fence around this, such that it gets harder and harder. But the little guys are looking to just plug in the malware once, and it doesn’t matter if you have to get the big guys once to get 50 million cards, or you have to get 1,000 cards from 50,000 compromised merchants.”

-Rich Stuppy, COO at Kount

http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-malware

Page 14: EMV Security / A Key Component to a Multi-layered Security Approach

P2PE / the process

How P2PE works

• Encrypt data at point of acceptance
• Encryption done in a secure terminal
• Decryption done in a gateway or at the processor
• No systems in between will see monetizable card data

Available in multiple flavors

• DUKPT – just like PIN encryption
• Public / Private key
• Format preserving encryption

ENCRYPT – Devices are provisioned for P2PE
PASS-THRU – POS system “sees” only encrypted transactions, passing them to the back end
DECRYPT – Centralized decryption and tokenization service
PROCESS – Transactions are managed normally

Page 15: EMV Security / A Key Component to a Multi-layered Security Approach

PCI P2PE program / gold standard for P2PE

PCI P2PE program validates full solutions to meet top level security standards

Merchants using validated P2PE solutions de-scope their POS and other merchant systems

Move from SAQ-D (Merchant) to SAQ-P2PE

Reduces 300 questions to roughly 30

PCI P2PE requirements cover full solutions in six domains

Terminal and terminal application
Supply chain/custody controls before and after key injection
Key injection and key management
Decryption environment

Only 12 solutions worldwide (4 in US), validated in 3 years of P2PE v1.x

Modularity for solutions added in version 2, released on June 30, 2015

Page 16: EMV Security / A Key Component to a Multi-layered Security Approach

Beyond EMV / Major Retailer Takes a Multi-Layered Approach to Boost Security

Case Study

Page 17: EMV Security / A Key Component to a Multi-layered Security Approach

Major Retailer / multi-layered security success story

• One of America’s leading neighborhood / community apparel retailers
• 850+ specialty stores in small and mid-sized communities
• 10 – 50K employees

Beyond EMV – Why You Need Multi-Layered Security / Major Retailer Success Story – 8/7/2015

Page 18: EMV Security / A Key Component to a Multi-layered Security Approach

Major Retailer / multi-layered security success story

Challenge / Opportunity

• In 2014, several large retailers were victims of massive network breaches, resulting in credit card exposures for millions of customers
• This major retailer wanted to get all of its improved defenses in place before the 2014 holiday shopping season, which kicks off around Thanksgiving
• History has shown that criminal data breaches peak during the holidays

Solution

The company’s IT leadership devised a strategy to upgrade and fortify the retailer’s infrastructure:

• Implemented point-to-point encryption (P2PE) - Ingenico Group’s On-Guard solution
• Upgraded malware and virus defenses
• Strengthened network defenses
• Ethical hacking exercise to identify potential weaknesses
• Employee education on social engineering

Results

• Eliminated the tens of millions of customer payment card numbers that they had been encrypting and decrypting in their POS systems each year
• P2PE provides them with short-circuits, fully removing the payment card data – which helps eliminate criminal breaches
• Phishing was reduced from a 70 percent fail rate to a less-than 2 percent fail rate

Page 19: EMV Security / A Key Component to a Multi-layered Security Approach

Beyond EMV / HoneyBaked Ham uses PCI & P2PE Validated Solutions

Case Study

Page 20: EMV Security / A Key Component to a Multi-layered Security Approach

HoneyBaked Ham / PCI-validated P2PE success story

“Protecting your customers and your corporate brand continue to be the biggest challenges faced by IT executives. To meet that challenge, we've worked with a P2PE solution provider to adopt a PCI-validated P2PE payment solution across all our stores in a simplified and cost-effective way.”

Bill Bolton, VP, Information Technology, HoneyBaked Ham

• HoneyBaked Ham is a privately held retailer that sells ham, turkey breast and other pre-cooked entrées, side dishes and desserts
• 200+ franchise locations and several corporate outlets
• 1001-5000 employees

Beyond Security – Why You Need Multi-Layered Security / HoneyBaked Ham Success Story – 8/7/2015

Page 21: EMV Security / A Key Component to a Multi-layered Security Approach

HoneyBaked Ham / PCI-validated P2PE success story

Challenge / Opportunity

• HoneyBaked Ham realized a need for a solution that encrypts all credit card data and reduces PCI compliance scope
• In late 2014, HoneyBaked Ham began investigating PCI-validated P2PE solutions for their corporate outlets as well as for all 200+ franchise locations

Solution

The retailer upgraded their security and chose to use:

• PCI-validated P2PE solution provided by Bluefin
• Ingenico Group’s iPP350 smart terminal

Store rollout of the Bluefin solution and the iPP350 device began March 2015 and went live in April

Results

HoneyBaked Ham anticipates the following results:

• Reduced PCI compliance scope from implementing a validated solution from the 332-question SAQ D to the 35-question SAQ P2PE-HW
• Significant annual assessment savings

Page 22: EMV Security / A Key Component to a Multi-layered Security Approach

Beyond EMV / Agilysys Improves Hospitality Merchants’ Security With a Validated P2PE Solution

Case Study

Page 23: EMV Security / A Key Component to a Multi-layered Security Approach

Agilysys / hospitality vertical included multi-layered security with a validated P2PE solution

• Agilysys is a leading hospitality provider
• They incorporated the FreedomPay PCI-validated P2PE solution in their rGuest Pay hospitality payments solution
• Solution uses multi-layer security through a validated P2PE solution and tokenization
• Cardholder data is removed from the hospitality environment
• Because the solution is validated, their merchants’ compliance cost is significantly reduced

Page 24: EMV Security / A Key Component to a Multi-layered Security Approach

Thank You

ROB MARTIN, VP OF SECURITY SOLUTIONS / INGENICO GROUP, NA

WWW.INGENICO.US

Page 25: EMV Security / A Key Component to a Multi-layered Security Approach

Information contained in this document is private and confidential. This document contains information sensitive to the strategic positioning of Double Diamond Group, LLC and is considered a trade secret of Double Diamond Group, LLC.

Tokenization

Page 26: EMV Security / A Key Component to a Multi-layered Security Approach

Agenda

1. What it is

2. Who/how it helps

3. What to do

Page 27: EMV Security / A Key Component to a Multi-layered Security Approach

Tokenization: What it Is

• What it is: Tokenization is the replacement of static card numbers with randomized numbers that cannot be used to complete payment transactions.
• How it’s different from encryption:
  o Encryption uses an algorithm to mask payment data.
  o Tokenization randomizes the data (requires a lookup table).
  o Tokenization is therefore applied at different stages of payment processing.

Page 28: EMV Security / A Key Component to a Multi-layered Security Approach

Tokenization: Who/How it Helps

Merchant Services Providers (MSPs) offer tokenization to reduce data security risks and costs for merchants.

1. The device encrypts card data at the point of entry (hardware-based encryption)
2. The gateway or processor decrypts the data for the network’s use (off of merchant servers),
3. and stores the data in tokenized form for downstream use.

[Diagram labels: Issuer, Static number, P2PE enabled device, Encrypted number, Gateway / processor, Storage, Accounting, Back-office]
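An added end-to-end sketch, not from the slides and not any vendor's solution, of the three steps above together with the ENCRYPT / PASS-THRU / DECRYPT / PROCESS flow from the P2PE process slide: the terminal encrypts under a per-transaction key, the POS only passes ciphertext through, and the gateway decrypts and hands back a random token stored in a lookup table. It stands in for DUKPT with an HMAC-derived per-transaction key and a toy HMAC keystream instead of 3DES/AES; the BDK, the KSN layout and the token format are constructed.

```python
import hashlib, hmac, secrets

# Constructed base derivation key (BDK) shared by terminal and gateway; a real
# deployment injects it under the PCI P2PE key-injection/key-management domains.
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")

def transaction_key(bdk: bytes, ksn: bytes) -> bytes:
    """DUKPT-style: a unique key per transaction, derived from the BDK and the
    key serial number (KSN), whose tail is a transaction counter."""
    return hmac.new(bdk, ksn, hashlib.sha256).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream in counter mode) standing in
    for the 3DES/AES of real DUKPT; one call both encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def terminal_encrypt(pan: str, ksn: bytes) -> dict:
    """ENCRYPT: runs inside the secure terminal at the point of acceptance."""
    ct = keystream_xor(transaction_key(BDK, ksn), pan.encode())
    return {"ksn": ksn.hex(), "ciphertext": ct.hex(), "last4": pan[-4:]}

def pos_pass_thru(msg: dict) -> dict:
    """PASS-THRU: the POS forwards the message unchanged, so a memory scraper
    on it sees only the KSN, the ciphertext and the last four digits."""
    assert "pan" not in msg
    return msg

class Gateway:
    """DECRYPT: centralized decryption and tokenization service."""
    def __init__(self) -> None:
        self.vault = {}  # token -> PAN: the lookup table tokenization needs

    def decrypt_and_tokenize(self, msg: dict) -> str:
        key = transaction_key(BDK, bytes.fromhex(msg["ksn"]))
        pan = keystream_xor(key, bytes.fromhex(msg["ciphertext"])).decode()
        token = "TOK" + secrets.token_hex(8)  # random; nothing derives it from the PAN
        self.vault[token] = pan               # merchant systems keep only the token
        return token

def run_transaction(gw: Gateway, pan: str, counter: int) -> tuple:
    """One purchase: terminal -> POS -> gateway. Returns the POS view and the token."""
    ksn = b"TERM0001" + counter.to_bytes(4, "big")  # constructed KSN layout
    msg = pos_pass_thru(terminal_encrypt(pan, ksn))
    return msg, gw.decrypt_and_tokenize(msg)
```

Two purchases with the same card produce different ciphertexts and different tokens, so neither the POS copy nor the stored token can be replayed as a card number.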

Page 29: EMV Security / A Key Component to a Multi-layered Security Approach

Tokenization: Who/How it Helps

The same model exists for e-commerce transactions, normally in the form of a hosted payments page.

[Diagram labels: Issuer, Static number, Encrypted number, Gateway / processor, Storage, Accounting, Back-office, Hosted payments page, Buy Now]

Page 30: EMV Security / A Key Component to a Multi-layered Security Approach

Tokenization: Who/How it Helps

Payment networks offer tokenization to reduce data security risks and costs for issuers and consumers.

• Separate the mobile device from the credit card.
• Save money on card replacement.
• Reduce/prevent issuer fraud loss.

[Diagram labels: Issuer, Tokenized number, Encrypted, tokenized number, Gateway / processor, Storage, Accounting, Back-office, Contactless enabled device]

Page 31: EMV Security / A Key Component to a Multi-layered Security Approach

End to End Security

[Diagram labels: Issuer, Gateway / processor, P2PE enabled device, Encrypted number, Storage, Accounting, Back-office, Tokenized number, EMV and Issuer tokenization, Static number, P2PE, Tokenization]

Page 32: EMV Security / A Key Component to a Multi-layered Security Approach

Recommendations

• For complete security, adopt or sell P2PE and tokenization as a package.
• EMV enhances issuer/consumer security and mitigates some chargeback risk. Evaluate based on consumer demand and cost/benefit analysis.
• Contactless also enhances issuer/consumer security but without impacting merchant chargeback exposure. Contactless adoption does provide some PCI audit relief. Evaluate based on consumer demand and cost/benefit analysis.
• Consider buying/selling in a bundle. When upgrading to P2PE and tokenization, contactless and EMV should be part of the package.