VeriFone Bluestar PCI Trng 3-20-2010Final


PCI Essentials for
March 20, 2010

Michael Tyler
Marketing Director
Integrated Systems Division
VeriFone, Inc.


    1. The Evolution of Security standards
    2. VeriFone is the Leader in Payment Security
       • Only Manufacturer on the PCI SSC Board of Advisors
    3. VeriFone’s PCI Approved Products
    4. End to End Encryption - Where PCI is Headed
    5. VeriFone Resources that May Help You

2                        VERIFONE COMPANY CONFIDENTIAL
Countdown to July 1, 2010 (at the time of the presentation: 102 days, 14 hours, 27 minutes):
     • TDES for ALL debit transactions
     • Replace ALL pre-Visa PED devices
     • ALL applications PA-DSS certified
PCI – What’s it all About?
    Global security standards (EMV) have been very effective at curtailing fraud globally

    Prior to 2005, in North America, each card brand had its own security
    • Difficult for payment device manufacturers to engineer security
    • Difficult for merchants and retailers to support data security initiatives
    • Broad adoption of security standards in the US was thwarted

    Payment Card Industry Security Standards Council
    • Established 2005
    • Sponsored by AMEX, Discover, JCB, MasterCard
      Worldwide, and Visa Int’l
    • Open global forum for the ongoing development and
      implementation of security standards for cardholder
      account data protection
    • VeriFone is the only manufacturer on the
      Global Board of Advisors

Payment Card Industry (PCI) Security Standards Council

    • PCI PED (PIN Entry Device): covers PIN entry devices in the check-out lane and at the pump
    • PA-DSS: applies to software vendors who develop payment applications that store, process, or transmit cardholder data
    • PCI DSS: applies to any business that stores, processes, and/or transmits cardholder data

Data Breach Report: Malicious Attacks Doubled in 2009

    Cost of a Data Breach
    continues to increase

    • NOW $204.00 per record

RIS News Reports Retailers Prioritize PCI Projects at Top

    Source: RIS News
    January 2010

Payment Terminal Device Security Will Continue to Evolve

Timeline figure (2004 through 2017); labels recoverable from the slide:
    • Unapproved devices – 6/30/2010 sunset date
    • Visa PED devices – 2014 sunset date?
    • PCI PED 1.x devices
    • PCI PED 2.x devices
    • PCI PED 3.x devices
    • PCI PED 4.x
    • Liability shifts to retailer
    • July 1, 2010 marker
    • Legend: OK to purchase / OK to use

Non-Approved PIN Entry Devices

           Remove pre-Visa PED devices by June 30, 2010

    • These devices have never been tested in security laboratories

    • Manufacturers could not sell these products after Dec 31st 2003

    • Retailers must remove them from service by June 30, 2010

    • Penalty for non-compliance
       – Acquirers not covered in the event of a PIN compromise
         • Loss and card reissue costs likely to be passed to the retailer
         • Liable for penalties per association operating regulations
         • Card associations could revoke the merchant services agreement

VISA PED Approved PIN Entry Devices

           Although Visa has not officially issued a sunset date,
         expect Visa-PED devices to be replaced by year-end 2014

     • Many devices have been installed and used by retailers
     • Examples
        – Omni 3750, Omni 7000

     • Required for manufacturers to sell after January 1, 2004

     • Manufacturers could not sell after December 31, 2007

     • Visa has suggested year-end 2014 as the date to remove them from
       service, but this is NOT final yet

PCI PED 1.3 Requirements Improved Security Dramatically
     Significant Security enhancements occurred between the Visa PED
                    standards and the PCI 1.x standards
     •   Tamper Protection designed into the product line
     •   Cryptographic control of On-screen Prompting
     •   Require Privacy Shields - Prevents PIN monitoring
     •   Logical Software Security against Tampering
     •   Digitally Signed Software Applications
     •   No unnecessary storage of sensitive data
     •   Encryption and Key Management Requirements
     •   Credit Card Reader Security
     •   Increased Security around Manufacturing
     •   Increased Security around Shipping

The Difference Between PCI 1.3 and PCI 2.0

                New PCI Standards are Released every Three Years
     Facts you need to know about how equipment manufacturers submit
        their products for PCI certification

     • The Prevailing PCI standards are the ones that apply

     • PCI 1.3 devices are a VAST improvement over Visa PED devices
       –   Improved Tamper Prevention Requirements
       –   Improved Tamper Detection Requirements

     • PCI 2.0 adds incremental additional layers of security such as:
       –   Hardware -- Front and Rear Case attack prevention requirements
           •   This feature uses Case Switches to detect a tamper; thereby destroying encryption keys
       –   Software -- Three key elements:
           1. Unique, Pre-expired passwords; when the device is activated a password change is forced
           2. Authorization on Self Test – Visible indications that a self test has been conducted
           3. Duplicate Key Checking – prevents the loading of duplicate encryption keys

PCI PTS 3.0 Potential Changes
          The new PCI 3.0 specifications document is in review. Final
            published requirements are expected by April 30, 2010

     • Changes go into effect April 30th 2011
     • Magnetic stripe reader head protection level will be increased
     • Daily self test of software must now use cryptographic methods
       to validate itself, not just checksums
     • Smart card protection level will be increased
        – Potential other increased smart card requirements
     • Raising the bar on keypad security – TBD
     • Optional requirement defining security requirements and key
       management for data encryption at the PIN Entry Device
     • Device management:
        – Device security requirements during manufacturing
        – Device security requirements between manufacturer and initial key

Payment Application Compliance Timeline
Visa has implemented a series of mandates to eliminate the use of
non-secure payment applications from the Visa payment system

Timeline figure (2008 Q3 through 2011 Q2), PABP giving way to PA-DSS; applies to purchased software applications. Milestones, in order:
    1. Remove all known vulnerable applications
    2. Upgrade or remove non-compliant applications
    3. Only install PA-DSS applications for NEW sites



VeriFone is the Global Electronic Payments Leader
      VeriFone is the world-wide leader in shipping PCI and EMV
                    compliant payment terminals.
Why VeriFone
• We are in the secure payments business; it’s all we do!
• We are the ONLY equipment manufacturer to sit on the prestigious PCI
  Security Standards Council (PCI SSC) Board of Advisors
• More PCI certified products than any other terminal manufacturer
• Developed PIN Pad Security Best Practices
• Publish a weekly Payments Security Newsletter
• Host an annual Payments Security Conference
• VeriShield Protect
     – End to End Encryption

PIN Pad Security Best Practices

• Train managers and cashiers on PIN Pad
• Weekly visual terminal inspections
• Visual serial number validation
• Monitor PIN Pad payment problems
• Secure terminal storage
• Terminal asset tracking
• Do not allow unauthorized service calls
• Mount PIN Pads securely to counter
• Install cameras to monitor PIN Pad activity
• Encrypt data from the PIN Pad
• Electronic serial number validation
• Change default PIN Pad password
• Authenticate applications
• Maintain employee work schedules for
• Purchase from authorized sources
• Use authorized repair centers



VeriFone’s Portfolio of PCI Approved Devices

• MX 800 Series family of products: MX 830, MX 850, MX 860, MX 870, MX 880, MX 800 Price Checker
• Vx Series products: Vx 510, Vx 570, Vx 610, Vx 670, Vx 810, PP1000 SE
• Payment software: PAYware CRM, PAYware Gift Card, PAYware Merchant, PAYware PC,
  PAYware Connect, PAYware Link, PAYware Mobile, PAYware Transact



Beyond Compliance.
Securing Your Future.
Protecting consumer cardholder data
and preventing the impact of a breach

     Three Truths of Payment Card Security:

         1. PCI Compliance ≠ Security
         2. 24x7 PCI Compliance may NOT BE possible
         3. Attack Vectors Are Evolving

Stopping the Assault on the Payment Card System

     We have moved from ...
          Data Protection  →  Breach Prevention  →  Detection

     We need to move to ...
          Data Elimination: from the moment a card is swiped
          to a secure endpoint outside the retailer

Data Elimination Options are Getting a lot of Mindshare

• Encryption
     1. Encrypt the card data at the POS, as close to the Magnetic
        stripe head as possible
     2. Move the encrypted card data through the retail payment
        infrastructure, from Merchants to Processors to Card Networks

• Tokenization
     1. Replace the PAN with a Proxy Number for storage
     2. Mapping of the PAN to Proxy number is maintained in a
        “secure” vault either in the Merchants Data Center or at a
        third party location

       –   Most commonly deployed in E-Commerce Applications
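The tokenization option described above, as an added example that is not VeriFone's or Semtek's code: a minimal vault that replaces a PAN with a random proxy number of the same length, keeps the last four digits for receipts and lookups, and deliberately generates proxies that fail the Luhn check so a token cannot be mistaken for a real card number. The vault structure, the PAN values and the Luhn-failing design choice are this example's assumptions.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn mod-10 check used for card numbers."""
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Holds the PAN <-> proxy-number mapping.

    Only the vault sees real PANs; merchant systems keep the token.
    Constructed for illustration: a real vault would encrypt stored PANs
    and put access control around detokenize()."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        # The same PAN always maps to the same token, so back-office
        # matching (refunds, chargebacks) keeps working on tokens.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random proxy of the same length; last four digits kept for receipts/lookups.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a collision with the PAN itself or an existing token, and reject
            # Luhn-valid values: a token that fails Luhn cannot pass for a real PAN.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Vault-side lookup; raises KeyError for an unknown token."""
        return self._token_to_pan[token]


# Constructed PAN (a well-known test number that passes Luhn), not real card data
SAMPLE_PAN = "4111111111111111"

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("merchant stores:", token, "(Luhn valid:", luhn_valid(token), ")")
    print("vault resolves :", vault.detokenize(token))
```

The merchant's POS, receipts and reporting keep only the token and last four digits; the clear PAN exists solely inside the vault, which is the point of the "secure vault" in the slide.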

Why So Much Attention Around E2E and Tokenization

 • They Support a “Layered” approach for Card Data Protection
     – Essentially De-Values the Actual Payment Card Data

 • They Provide Medium and Long Term Cost Reduction to

 • They are Technically Feasible to Implement TODAY

VISA Data Field Encryption Best Practices (October 2009)

Security goal: Limit clear text availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
    1. Clear text cardholder and authentication data shall only be available at the point of encryption and decryption.
    2. All cardholder data shall be encrypted using only approved encryption algorithms (e.g. AES, TDES).
    3. All cardholder data and authentication data shall be encrypted except the first 6 and last 4 digits of the PAN.
    4. Sensitive authentication data must not be stored after authorization even if encrypted (per PCI DSS).

Security goal: Use robust key management solutions consistent with international and/or regional standards.
    5. Keys shall be managed per ANSI X9.24/ISO 11568 within Secure Cryptographic Devices such as a PED, HSM, etc.
    6. All keys and key components shall be generated using an approved random process such as NIST SP 800-22.
    7. Documentation describing the key management solution must be made available upon request for evaluation purposes.
    8a. Keys shall be conveyed in a secure manner such as the X9 TR-34 Interoperable Method for Distribution of Keys.
    8b. If remote key distribution is used, mutual authentication of the sending and receiving devices shall be performed.
    9. Keys used in the data field encryption process must be unique per device.

Security goal: Use key lengths and cryptographic algorithms consistent with international and/or regional standards.
    10. Encryption keys shall have at least 112 bits of equivalent strength.
    11. FPE (format-preserving encryption) must be evaluated by an independent security evaluation organization and subjected to peer review.

Security goal: Protect devices used to perform cryptographic operations against physical/logical compromise.
    12. Devices used to perform cryptographic operations should undergo independent assessment to ensure that the hardware and software they use are resilient to attack.
    13. Keys shall be protected against physical and logical compromise. Public keys shall be protected from substitution and their integrity and authenticity shall be ensured.

Security goal: Use an alternate account or transaction identifier for business processes that require the primary account number to be used after authorization.
    14. If any cardholder data is needed after authorization, a transaction ID or token should be used instead.

                                               VeriShield Protect Meets Visa Data Field Encryption Best Practices

Visa Europe: Industry’s first DFE Specs. March 5, 2010
• Emerging Technologies Study Group
     – Industry’s first guidance on:
        Data Field Encryption
     – Best Practice Guidelines

• Key Components:
- Cardholder data should only be available
at the points of encryption and decryption

- Encryption key management solutions should
follow international and/or regional standards

- Key lengths and cryptographic algorithms
should follow int’l and/or regional standards

- Devices used to perform cryptographic operations
should be independently assessed to
ensure they are protected against compromise

- If cardholder data is needed after authorization,
a transaction ID or token should be used instead
of the data itself

Other E2E Encryption Important Considerations

• Encrypt card data in HSM at the source
• Secure key management
• Monitor for ongoing

VeriFone’s Solution: VeriShield Protect

     VeriShield Protect is not a technology …
     It is a comprehensive cardholder data protection solution

Solution capabilities:
• Encrypts data at the swipe
• Transaction monitoring
• Compliance reporting
• PCI asset tracking
• Key management
• Remote key loading
• Annual key exchange
• Application certification
• Follows PIN debit model
• Supports international payments

Payment types covered:
• Magnetic stripe credit & debit
• Contactless
• EMV / Chip & PIN

Payment devices covered:
• Integrated terminals
• Stand-alone terminals
• iPhone reader
• Keyboard wedge
• Manual key entry device
• Unattended & fuel pumps
• Competitive payment terminals
• ATMs
• POS terminals

VeriShield Protect: Service Components

 VeriShield Hidden Encryption™ (VHE) – device level operating system module
     Integrated within the O/S, within a TRSM on the MX, Vx or Encrypting Wedge device.
     VHE removes card data from the merchant’s systems in a totally transparent way. What’s left on the merchant’s system is useless to

 Decryption Service (DS) – network hardware and applications that support the solution
     Installed (ideally) at the merchant’s processor. Can also be installed at the merchant’s host or at Semtek.
     The DS manages thousands of keys related to the VeriFone devices, decrypts messages in real time, and updates VSDMS.

 Cipher Key Management (CKM) – key management & distribution
     Implemented as part of the Decryption Service.
     CKM provides for the distribution, management, synchronization and rotation of VeriShield Protect keys.

 VeriShield Secure Device Management System (VSDMS) – network-side security service
     Managed from the Semtek data center.
     VSDMS provides a real time view of each transaction’s security status. VSDMS provides a continuous security

VeriShield Hidden Encryption: Format Preserving Encryption
The PAN and discretionary data are encrypted at the mag-stripe, RFID reader or smart
card reader using strong AES 128-bit encryption. The algorithm reformats the data
in a manner that the POS system perceives as unencrypted data.

         Standard track:                     435688 760033 1588 = 08119212884426940234
                                             BIN    PAN    Last 4  Track data resident on card

         Encrypted data with format &        435688 298101 1588 = 200117632108900331272
         routing preserved:                         ^ VHE encrypted     ^ VHE encrypted

         Magnetic-stripe, contactless and Chip & PIN transactions are all protected

     Format-preserving encryption does not require payment application or POS changes
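The format-preserving behaviour shown above, as an added example that is not VeriFone's VHE code: a Feistel cipher over the decimal-digit domain that leaves the BIN and last four digits in the clear (Visa best practice 3 in the table earlier) and uses a key derived per device (best practice 9), so the encrypted PAN keeps its length, character set and routing digits. HMAC-SHA256 is substituted for the AES-128 the slide names because the Python standard library has no AES; the construction is a teaching cipher, not NIST's FF1/FF3 and not VeriShield's algorithm, and the master key, device serials and key-derivation scheme are this example's assumptions.

```python
import hashlib
import hmac

ROUNDS = 10   # even, so the two halves finish at the widths they started with


def derive_device_key(master_key: bytes, device_serial: str) -> bytes:
    """Per-device key (best practice 9: keys unique per device).
    Illustrative HMAC derivation, an assumption of this example, not ANSI X9.24 DUKPT."""
    return hmac.new(master_key, b"device-key:" + device_serial.encode(), hashlib.sha256).digest()


def _split_pan(pan: str):
    """BIN and last four stay in the clear (best practice 3); only the middle is encrypted.
    BIN+last4 also serve as a tweak, so identical middles encrypt differently per card range."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    bin6, middle, last4 = pan[:6], pan[6:-4], pan[-4:]
    return bin6, middle, last4, (bin6 + last4).encode()


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """Keyed PRF mapping one half to an integer of `width` decimal digits.
    HMAC-SHA256 stands in for the AES-128 block cipher named on the slide."""
    digest = hmac.new(key, tweak + bytes([round_no]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt_pan(pan: str, key: bytes) -> str:
    bin6, middle, last4, tweak = _split_pan(pan)
    u = len(middle) // 2                       # left half may be one digit shorter
    a, b = middle[:u], middle[u:]
    for i in range(ROUNDS):
        width = len(a)
        c = (int(a) + _round_function(key, tweak, i, b, width)) % (10 ** width)
        a, b = b, str(c).zfill(width)          # alternating Feistel: halves swap widths
    return bin6 + a + b + last4


def fpe_decrypt_pan(pan: str, key: bytes) -> str:
    bin6, middle, last4, tweak = _split_pan(pan)
    u = len(middle) // 2
    a, b = middle[:u], middle[u:]
    for i in reversed(range(ROUNDS)):          # undo the rounds in reverse order
        width = len(b)
        c = (int(b) - _round_function(key, tweak, i, a, width)) % (10 ** width)
        a, b = str(c).zfill(width), a
    return bin6 + a + b + last4


# Constructed values: a master key and the sample PAN from the slide (not real card data)
MASTER_KEY = b"constructed-master-key-not-a-real-secret"
SAMPLE_PAN = "4356887600331588"

if __name__ == "__main__":
    k1 = derive_device_key(MASTER_KEY, "MX860-000123")
    ct = fpe_encrypt_pan(SAMPLE_PAN, k1)
    print("clear    :", SAMPLE_PAN)
    print("encrypted:", ct)      # same length, digits only, BIN and last 4 unchanged
    print("decrypted:", fpe_decrypt_pan(ct, k1))
```

Because the ciphertext is still a string of digits of the original length, a POS or back-office system that validates field length and character set accepts it unchanged, which is what lets format-preserving encryption avoid application changes; only the decryption service, holding the per-device key, can recover the middle digits.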

Decryption Appliance Architecture

Architecture figure; labels recoverable from the slide:
    • In-store LAN: Vx devices running SoftPay and Protect, store controller
    • WAN: Retail EFT Switch, Processor
    • VSDMS™ servers monitor device status
    • Decryption Service (DS) manages device keys & decrypts transactions
    • San Diego & Phoenix failover data centers

Decryption Appliance Architectures May Vary

• Retailer hosted DA
• Retailer integrated into the VeriFone DA
• Retailer network interceptor processing
• Processor hosted DA
VeriShield Secure Device Management System (VSDMS™)

ALERTS
     • New alerts available in real-time whenever the POS device status has changed:
       encryption enabled and device compromised
     • Risk mitigation – no time elapses between a compromised device and notification.
       Alert is detected and available in real-time
     • Case management – ability to view, open or close alerts with user profile tracking

Alert codes:
     A02 - POS Device Encryption Disabled
     A04 - Suspected Replay Attack
     A06 - Suspected Physical Tampering
     A07 - Unrecognized POS Device
         - POS Device Not Responding
     A10 - CDMS Functionality Compromised
     A11 - Unauthorized Command Card Attempt
     A12 - Device Suspended
     A13 - Unrecognized MID

MERCHANT COMPLIANCE
     • Real-time view of merchant compliance portfolio: encrypting vs. non-encrypting devices
     • Provides internal controls needed for regulatory compliance (Rule 404)
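The alerting described above, as an added example that is not VSDMS code: a small monitor that evaluates device status messages against an enrolment registry and raises the slide's A02, A04, A06, A07 and A13 codes. The message fields, the registry, the sequence-counter rule used for replay detection and the sample messages are all constructed for this example.

```python
# Alert codes as listed on the VSDMS slide; the rule behind each code is this
# example's assumption, not VeriFone's implementation.
A02_ENCRYPTION_DISABLED = "A02"
A04_SUSPECTED_REPLAY = "A04"
A06_PHYSICAL_TAMPER = "A06"
A07_UNRECOGNIZED_DEVICE = "A07"
A13_UNRECOGNIZED_MID = "A13"

# Constructed enrolment registry: device serial -> merchant ID (MID) it was enrolled under
KNOWN_DEVICES = {
    "MX860-000123": "MID-1001",
    "VX810-000456": "MID-1001",
}

# Constructed status messages (field names assumed): serial, MID, a per-device
# sequence counter that must only ever increase, encryption state, tamper flag.
SAMPLE_MESSAGES = [
    {"serial": "MX860-000123", "mid": "MID-1001", "seq": 1, "encryption_enabled": True,  "tamper": False},
    {"serial": "MX860-000123", "mid": "MID-1001", "seq": 2, "encryption_enabled": False, "tamper": False},
    {"serial": "MX860-000123", "mid": "MID-1001", "seq": 2, "encryption_enabled": True,  "tamper": False},
    {"serial": "MX860-000123", "mid": "MID-1001", "seq": 3, "encryption_enabled": True,  "tamper": True},
    {"serial": "UNKNOWN-9999", "mid": "MID-1001", "seq": 1, "encryption_enabled": True,  "tamper": False},
    {"serial": "VX810-000456", "mid": "MID-7777", "seq": 1, "encryption_enabled": True,  "tamper": False},
]


class DeviceMonitor:
    def __init__(self, known_devices):
        self.known_devices = dict(known_devices)
        self.known_mids = set(known_devices.values())
        self.last_seq = {}                      # serial -> highest sequence counter accepted

    def evaluate(self, msg):
        """Return the list of (code, serial, detail) alerts raised by one message."""
        serial, mid = msg["serial"], msg["mid"]
        if serial not in self.known_devices:
            # Nothing reported by an unenrolled device is trusted, so stop here.
            return [(A07_UNRECOGNIZED_DEVICE, serial, "device not in enrolment registry")]
        alerts = []
        if mid not in self.known_mids:
            alerts.append((A13_UNRECOGNIZED_MID, serial, f"merchant id {mid} not enrolled"))
        if not msg["encryption_enabled"]:
            alerts.append((A02_ENCRYPTION_DISABLED, serial, "device reports encryption off"))
        if msg["tamper"]:
            alerts.append((A06_PHYSICAL_TAMPER, serial, "tamper indicator set"))
        # Replay rule: a counter that fails to advance means an old message is being
        # presented again; only accepted (advancing) counters update the state.
        if msg["seq"] <= self.last_seq.get(serial, 0):
            alerts.append((A04_SUSPECTED_REPLAY, serial, f"sequence {msg['seq']} already seen"))
        else:
            self.last_seq[serial] = msg["seq"]
        return alerts


def run_monitor(messages, known_devices=KNOWN_DEVICES):
    """Feed messages through one monitor and collect every alert in order."""
    monitor = DeviceMonitor(known_devices)
    alerts = []
    for msg in messages:
        alerts.extend(monitor.evaluate(msg))
    return alerts


if __name__ == "__main__":
    for code, serial, detail in run_monitor(SAMPLE_MESSAGES):
        print(f"{code} {serial}: {detail}")
```

Each alert is produced at the moment the offending message is evaluated, which is the "no time elapses between a compromised device and notification" property the slide claims; the constructed stream above yields one alert of each kind in the order A02, A04, A06, A07, A13.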

VeriShield Protect: Market Validation

• Top 50 US retailer
• 1,000+ locations & 5,000+ lanes
• Implemented VeriShield Protect end-to-end encryption
• Completed a 90-day chain-wide roll out 9/5/09
• Processing ~1M transactions a day
• No impact on consumers or store personnel
• No POS changes required
• Less than 30ms impact on total transaction time
• Removed all un-encrypted cardholder data from their
• De-scoped POS and all store systems from PCI DSS
• Successfully submitted their ROC to the card associations

Impact of End-to-End Encryption on PCI Scope Reduction

     VeriShield Protect will
     reduce PCI DSS Scope

End to End Encryption Cost Savings
     Three Tier 1 Merchant Scenarios: Potential PCI Compliance Cost Savings of E2EE

Each scenario looks at the possible PCI compliance cost savings of an
E2EE deployment. Merchant scope reduction may vary.

     Scenario 1 - Low
        Annual Compliance Assessment by QSA    cost $250,000      25% savings    $62,500
        Compliance Maintenance                 cost $1,000,000    20% savings    $200,000
        Annual Savings                                                           $262,500
     Scenario 2 - Moderate
        Annual Compliance Assessment by QSA    cost $1,500,000    25% savings    $375,000
        Compliance Maintenance                 cost $3,000,000    20% savings    $600,000
        Annual Savings                                                           $975,000
     Scenario 3 - High
        Annual Compliance Assessment by QSA    cost $3,000,000    25% savings    $750,000
        Compliance Maintenance                 cost $5,000,000    20% savings    $1,000,000
        Annual Savings                                                           $1,750,000
     Source: Mercator Advisory Group 2009

Independent QSA Evaluation of VeriShield Protect
Coalfire laboratories independently evaluated VeriShield Protect and concluded:

• Meets all VISA Data Field Encryption Best Practices and standards for cryptographic algorithms and key strength.
• Significant risk mitigation of data compromise; may be one of the most effective controls available to merchants today.
• The VeriFone terminal should be the only point in a merchant environment that captures card data.
• A deployment architecture that has all card data captured in a VeriShield Protect TRSM and communicates directly to a PCI compliant processor who manages all decryption services for the merchant provides the greatest security and compliance risk mitigation.
• Integrates securely with PC based POS or cash registers without exposing card data.
• The format preserving VeriShield Hidden Encryption provided successful integration with all payment application, POS and back-office servers tested.
• The integration with tested payment applications and POS systems was quick, required very little customization and worked effectively with all post authorization, sales audit and refund transactions tested.

    REDUCES PCI SCOPE
    • Clear and dramatic reduction of PCI compliance scope
    • Can reduce the cost of PCI compliance assessment and
    • A payment application or POS that is not PABP/PA-DSS validated can be taken out of PCI scope
    • A merchant can remove PCI compliance scope for the majority of their retail environment if all electronic card data is captured in a VeriShield Protect TRSM and no decryption appliances or decryption keys exist in their

    SECURE KEY MANAGEMENT
    • The VeriShield Protect key management solution removes most of the challenges of key management for the merchant that are found in many previous end point encryption solutions
    • A merchant should have ownership rights to the decryption keys but not have access to or possession of the keys, to achieve the greatest PCI scope reduction.

    REAL TIME MONITORING
    • The VSDMS provides effective compliance and security auditing for the merchant and QSA. Store validation sampling of compliance is simplified with this tool set. Compliance reporting over time is easily evidenced for auditors using the VSDMS.

Processor / Network Support for VSP

 TNS and Semtek Partnership Provides Managed
 End-to-End Encryption for Merchants and Acquirers
 - Apr. 20, 2009
                      First Merchant Live 11/09

 VeriFone Extends End-to-End Encryption
 Across Product Lines
 – Apr. 21, 2009
                 Multiple Merchants Live Q1 ’10

 RBS WorldPay and VeriFone Announce
 End-to-End Card Encryption Solution
 - Aug. 11, 2009
          Contracting Merchants for 2010 installs
 Chase Paymentech, VeriFone and Semtek
 Join Forces to Offer End-to-End Encryption
 Solution – Oct. 27, 2009
               Major Promotion to base Q1 2010



VeriFone: Industry Leader in Payment Security Education

• Online Resource for News:

• Weekly Security Newsletter
     – Sign-up, receive alerts

• Annual Retail Payments
     – Security Conference

• VeriFone Partner Portal
     – NEW – Industry Resource

• VeriShield Protect Boot Camp & Webinars

Summary & Follow-up
• Key Take-Aways
     1. VeriFone is leading the charge on payment security
     2. PCI Standards have deadlines and consequences
         •   PCI Website:
         •   3DES Deadline (Fines that may be assessed)
     3. VeriShield Protect is a Game Changer
         •   End-to-End Encryption reduces PCI Scope
     4. VeriFone Gateway Service benefits POS software providers and their merchants.

• Follow-up Activities:
     –   Visit Secure Retail Payments website (
     –   Register for email alerts
     –   Register for VeriFone Partner website – Retail Connection
     –   Attend Technical VeriShield Protect Boot Camps or Webinars

• IDEAs?
     –   Joint Hosting of training webinars for Bluestar clients
     –   Industry Specific PCI Solution sets?
