GHL Systems Net MATRIX Terminal Line Encryption 2009-2010
Transcript of GHL Systems Net MATRIX Terminal Line Encryption 2009-2010
Agenda
PAYMENT & SECURITY TRENDS
E2EE: What is it?
Computer Desktop Encyclopedia
“…is defined as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination.…”
E2EE: The story so far…
Smart Card Alliance Sept 2009
KEY CONCEPTS OF TLE
In cryptography, encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. (Wikipedia)
en·cryp·tion /-'krip-sh&n/
MAC-ing is the process of “fingerprinting” data so that any tampering can be detected. The fingerprint is encrypted under a key that only the sender and receiver hold, so only they can form a real MAC, which allows the receiver to authenticate and verify the message.
Message Authentication Code (MAC)
THE MALAYSIAN EXPERIENCE
Real Tapping Threats
Wire tapping threats
A brief look at history…
The Line Encryption Working Group
Design Parameters
Key Considerations
MAC algorithm
ENC algorithm
Key Differentiation
Key Usage
Key Storage
ENC Data elements
Scoring matrix (one score per consideration, in the order Encrypted Data Elements, Terminal Key Storage, Key Usage Methodology, Key Differentiation, Encryption Algorithm, MAC Algorithm)
Highest Score: 2-2-4-2-3-4
Lowest Score: 1-1-1-1-1-1
Minimum Data Encryption Requirements
Encrypted Data Elements
1. CVV
2. CVV and PAN / Track2
Terminal Key Storage
1. Outside secure module
2. Within tamper-reactive module
Key Usage Methodology
1. Unique-key-per-terminal
2. Unique-key-per-session-per-terminal
3. Unique-key-per-transaction
4. Derived Unique Key Per Transaction (DUKPT)
Key Differentiation
1. Same key for ENC & MAC
2. Different key for ENC & MAC
Encryption Algorithm
1. TEA – Tiny Encryption Algorithm
2. DES – Data Encryption Standard
3. 3DES/AES
MAC Algorithm
1. No MAC
2. CRC32 + MAC
3. CRC32 + RMAC
4. SHA-1 + RMAC, or SHA-1 + AES MAC
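To make the requirements table concrete, here is an added example (not netMATRIX code, and not from GHL or the working group) of a terminal message protected the way the stronger option in each row calls for: a unique key per terminal, a fresh key per transaction derived from a counter, separate ENC and MAC keys, the PAN/Track2/CVV fields encrypted, and the whole message MACed with the receiver verifying the MAC before it decrypts anything. It uses only the Python standard library, so HMAC-SHA256 run in counter mode stands in for 3DES/AES and HMAC-SHA256 is the MAC; the message layout, the derivation labels, the terminal id, counter and card values are all constructed for the example, and the per-transaction derivation is a simple counter-based scheme, not ANSI X9.24 DUKPT.

```python
"""Encrypt-then-MAC for a terminal message with per-terminal and per-transaction
keys. Added illustration, not netMATRIX or GHL code; standard library only, so
HMAC-SHA256 in counter mode stands in for 3DES/AES and HMAC-SHA256 is the MAC.
Message layout, derivation labels and all sample values are constructed."""
import hashlib
import hmac
import struct

HASH = hashlib.sha256
TERM_ID_LEN = 8            # constructed: fixed-width terminal id at the start of the message
HDR_LEN = TERM_ID_LEN + 6  # + 4-byte transaction counter + 2-byte clear-field length
TAG_LEN = 8                # truncated MAC tag appended to the message


def derive_terminal_key(base_key: bytes, terminal_id: bytes) -> bytes:
    """Unique-key-per-terminal: each terminal's key comes from the acquirer base key."""
    return hmac.new(base_key, b"TERM|" + terminal_id, HASH).digest()


def derive_txn_keys(terminal_key: bytes, counter: int) -> tuple:
    """Unique-key-per-transaction plus key differentiation: a fresh key for every
    counter value, split into separate ENC and MAC keys."""
    txn_key = hmac.new(terminal_key, b"TXN|" + struct.pack(">I", counter), HASH).digest()
    enc_key = hmac.new(txn_key, b"ENC", HASH).digest()
    mac_key = hmac.new(txn_key, b"MAC", HASH).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven in counter mode as a stdlib stand-in for a block cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">I", block), HASH).digest()
        block += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(base_key: bytes, terminal_id: bytes, counter: int,
            clear_fields: bytes, sensitive: bytes) -> bytes:
    """Terminal side: encrypt the sensitive fields (PAN / Track2 / CVV) and MAC
    the whole message, clear header included (encrypt-then-MAC)."""
    if len(terminal_id) != TERM_ID_LEN:
        raise ValueError("terminal id must be %d bytes" % TERM_ID_LEN)
    enc_key, mac_key = derive_txn_keys(derive_terminal_key(base_key, terminal_id), counter)
    header = terminal_id + struct.pack(">IH", counter, len(clear_fields)) + clear_fields
    body = header + _xor(sensitive, _keystream(enc_key, len(sensitive)))
    tag = hmac.new(mac_key, body, HASH).digest()[:TAG_LEN]
    return body + tag


def open_message(base_key: bytes, message: bytes):
    """Host side (behind the TLE decryptor): re-derive the keys from the terminal id
    and counter carried in clear, verify the MAC, then decrypt. Returns
    (counter, clear_fields, sensitive) or None when the MAC does not verify."""
    if len(message) < HDR_LEN + TAG_LEN:
        return None
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    terminal_id = body[:TERM_ID_LEN]
    counter, clear_len = struct.unpack(">IH", body[TERM_ID_LEN:HDR_LEN])
    enc_key, mac_key = derive_txn_keys(derive_terminal_key(base_key, terminal_id), counter)
    expected = hmac.new(mac_key, body, HASH).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                 # tampered, wrong key or corrupted: never decrypt
    clear_fields = body[HDR_LEN:HDR_LEN + clear_len]
    ciphertext = body[HDR_LEN + clear_len:]
    return counter, clear_fields, _xor(ciphertext, _keystream(enc_key, len(ciphertext)))


class Host:
    """Accepts messages and rejects replays by remembering the last counter per terminal."""
    def __init__(self, base_key: bytes):
        self.base_key = base_key
        self.last_counter = {}

    def accept(self, message: bytes):
        opened = open_message(self.base_key, message)
        if opened is None:
            return None
        counter, clear_fields, sensitive = opened
        terminal_id = message[:TERM_ID_LEN]
        if counter <= self.last_counter.get(terminal_id, -1):
            return None             # replayed or out-of-order transaction
        self.last_counter[terminal_id] = counter
        return clear_fields, sensitive


if __name__ == "__main__":
    base = b"\x11" * 32             # constructed acquirer base key (a real one lives in the host HSM)
    msg = protect(base, b"TERM0001", 42, b"0200|amount=1000", b"PAN=4111111111111111;CVV=123")
    print(Host(base).accept(msg))
```

The host re-derives both keys from the terminal id and counter carried in clear, so no key material travels with the message, and it checks the tag with a constant-time comparison before touching the ciphertext: a modified byte anywhere in the message, or a message built under a different base key, is rejected rather than decrypted. Because ENC and MAC keys are derived separately, a weakness in one use cannot leak the other key, which is the point of the "Different key for ENC & MAC" row; the per-terminal last-counter check turns the same counter into a replay defence.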
General Approaches (diagram slide; only the node labels survive extraction)
Host-based: Host HSM, NAC
NAC-based: NAC, Host, SNAC, NAC, NAC
Interception-based: NAC, NAC, NAC, Host
THE RESULTS
The Results… (chart slides; only the source line survives extraction)
Source: Visa VPSS Payment Security Bulletin, 2006
Payments: The story today…
Source: BNM, 2009 Financial Stability and Payment Systems Report 2008
“…(card fraud) losses continued to be insignificant, accounting for less than 0.04% of total card transactions during the year.”
PAYMENT SECURITY MYTHS
Encryption Myths
Summary: Considerations for TLE
Addresses all threats
Addresses Implementation issues
Addresses Deployment Issues
Addresses Administration Issues
Multi-channel & multi-device Support
Remote Key Injection
Vendor Independence
Performance
Cost-Effective
Additional References
1. The Smart Card Alliance (http://www.smartcardalliance.org/)
2. PCI Security Standards Council (https://www.pcisecuritystandards.org/)
3. Visa Best Practices, Data Field Encryption Version 1.0 (http://corporate.visa.com/_media/best-practices.pdf)
4. Secure POS Vendors Association (http://www.spva.org/index.aspx)
5. GHL Systems (http://www.ghl.com/netMATRIX)
Net MATRIX Terminal Line Encryption
“Typical” Transaction Flow (diagram slide; node and message labels only)
Nodes: EDC Terminals, Switching NAC, Remote NAC, Remote NAC, Acquiring Bank / Acquiring Host (Credit Card Host, NII: 160), Issuing Bank Host
Message label: 160 Message
Encrypted Transaction Flow (diagram slide; node and message labels only)
Nodes: EDC Terminals, Switching NAC, Remote NAC, Remote NAC, Net MATRIX (NetMATRIX TLE, NII: 161), Acquiring Bank / Acquiring Host (Credit Card Host, NII: 160), Issuing Bank Host
Message labels: 161 Enc Message, 160 Enc Message
Encrypted Transaction Flow II (diagram slide; same nodes and message labels as the flow above)
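The two flows differ only in which NII the terminal addresses: 160 reaches the credit card host, 161 reaches the netMATRIX TLE, whose NII sits in front of the host. As an added example (not netMATRIX or GHL code), the following Python models that routing decision at a NAC. It assumes the 5-byte TPDU header that precedes an ISO 8583 POS message (0x60, then destination and source NII as two BCD bytes each); the Nac class, its decrypt hook and the "ENC:" marker the placeholder decryptor looks for are constructed for illustration, and the real TLE step is keyed decryption plus a MAC check such as the one in the earlier example.

```python
"""Routing a POS message by the NII in its TPDU header. Added illustration, not
netMATRIX code. Assumes the 5-byte TPDU that precedes an ISO 8583 POS message
(0x60, destination NII, source NII, each NII two bytes BCD); NII 160 and 161
are the slide values; the Nac class and the placeholder decryptor are constructed."""

TPDU_ID = 0x60
HOST_NII = 160    # credit card host on the slides
TLE_NII = 161     # netMATRIX TLE on the slides


def encode_bcd(nii: int) -> bytes:
    """Two-byte BCD encoding of a four-digit NII."""
    if not 0 <= nii <= 9999:
        raise ValueError("NII must be 0000-9999")
    return bytes.fromhex("%04d" % nii)


def decode_bcd(raw: bytes) -> int:
    digits = raw.hex()
    if not digits.isdigit():       # a nibble above 9 is not valid BCD
        raise ValueError("invalid BCD NII: %s" % digits)
    return int(digits)


def build_tpdu(dest_nii: int, src_nii: int, payload: bytes) -> bytes:
    return bytes([TPDU_ID]) + encode_bcd(dest_nii) + encode_bcd(src_nii) + payload


def parse_tpdu(frame: bytes):
    """Return (destination NII, source NII, ISO 8583 payload)."""
    if len(frame) < 5 or frame[0] != TPDU_ID:
        raise ValueError("not a TPDU frame")
    return decode_bcd(frame[1:3]), decode_bcd(frame[3:5]), frame[5:]


def placeholder_decrypt(payload: bytes):
    """Stand-in for the TLE's decrypt-and-verify step (constructed): accepts a
    payload carrying a constructed "ENC:" marker and returns the rest as the clear
    message, None for anything else. The real step is keyed decryption plus MAC check."""
    return payload[4:] if payload.startswith(b"ENC:") else None


class Nac:
    """Minimal NAC: forwards by destination NII and inserts the TLE step."""
    def __init__(self, decrypt=placeholder_decrypt):
        self.decrypt = decrypt
        self.rejected = 0   # dropped frames, what a monitoring hook would export

    def route(self, frame: bytes):
        """Return ("host", frame_for_host) or ("reject", reason)."""
        try:
            dest, src, payload = parse_tpdu(frame)
        except ValueError as exc:
            self.rejected += 1
            return "reject", str(exc)
        if dest == TLE_NII:
            # Encrypted flow: the TLE opens the message, then the clear ISO 8583
            # message goes on to the credit card host under the host's own NII.
            clear = self.decrypt(payload)
            if clear is None:
                self.rejected += 1
                return "reject", "TLE decrypt/MAC failure"   # never forward to the host
            return "host", build_tpdu(HOST_NII, src, clear)
        if dest == HOST_NII:
            # "Typical" flow: clear message routed straight to the host.
            return "host", frame
        self.rejected += 1
        return "reject", "unknown NII %04d" % dest


if __name__ == "__main__":
    nac = Nac()
    print(nac.route(build_tpdu(TLE_NII, 0, b"ENC:0200 constructed sample")))
```

A frame the TLE cannot open is dropped at the NAC and counted, never forwarded to the host in its encrypted form; whether the decryption itself happens in a NAC-attached device or in the host HSM is the deployment choice the "General Approaches" slide lists as host-based, NAC-based and interception-based.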
Accolades & Accomplishments