09.26.2012
LIVE WEBINAR
Point-to-Point Encryption:
Best Practices & PCI Compliance Update
Introductions
Ben Smyth
Product Manager
Merchant Link
Beth Farris
Manager, Marketing
Merchant Link
Misael Henriquez
Director – Enterprise Security
Merchant Link
Agenda
• Current Threats
• Industry Response
– PCI Council
– EMV
• Point-to-Point Encryption
– PCI P2PE-HW requirements
– Solution types
– Implementation best practices
• Q&A
Hackers' Preferred Method
[Chart. Left panel, from the Verizon 2012 Data Breach Investigations Report, threat actions seen in breaches: hacking 81%, malware 69%, physical 10%, social 7%, misuse 5%, error 1%, environmental 0%. Right panel, from the Trustwave 2012 Global Security Report, how the data was harvested: data in transit 62.5%, stored data 28.0%, hybrid 5.2%, redirection 4.3%.]
Leveraging malware/hacking... to steal data in transit
Internal Threats
Types of malicious attacks (The Ponemon 2011 Cost of a Data Breach Study):
  Viruses, Malware, Worms, Trojans: 50%
  Criminal Insider: 33%
  Theft of Data-Bearing Devices: 28%
  SQL Injection: 28%
  Phishing: 22%
  Web-Based Attacks: 17%
  Social Engineering: 17%
  Other: 11%
Data-stealing malware: The Attack of the Bots
In this diagram we have a typical network. The enterprise has two perimeter points of entry connecting to the Internet.
The red icon represents the bot master, who controls and receives information through infected systems across the wider Internet.
The bot master has established two command-and-control centers (C&Cs) for his "army" to check into and receive instructions. The bot master generally interfaces with these C&Cs via open tools such as IRC.
In the final picture, through various means (social engineering, malware, etc.), bots have infiltrated the enterprise perimeter. These bots may appear totally harmless, using standard ports such as 80 and 443 to transmit data to the command-and-control centers, so port-based filtering alone does not stop them. Often the only way to find them is to look outward from the perimeter: search the egress logs for external destinations that many internal hosts have in common.
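The perimeter search described above, as an added example that is not part of the webinar or of Merchant Link's material: it parses a constructed, simplified firewall egress log (timestamp, source, destination, port; real firewall formats differ and need their own parser) and flags external destinations that many internal hosts share, or that any single host contacts on a fixed cadence, which is the check-in pattern a bot produces. The internal address ranges, the thresholds and the log format are assumptions made for the example.

```python
"""Egress-log triage for bot command-and-control (C&C) check-ins.

Added example, not from the original webinar. Log format, internal
address ranges and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the enterprise's internal address space (adjust per site).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample log: "ISO-timestamp src dst dport". Three internal
# hosts check in to 203.0.113.7:443 every 60 s (bot-like); 10.1.1.50
# browses two sites at irregular intervals (normal user traffic).
SAMPLE_LOG = """\
2012-09-26T10:00:00 10.1.1.20 203.0.113.7 443
2012-09-26T10:00:05 10.1.1.21 203.0.113.7 443
2012-09-26T10:00:09 10.1.1.22 203.0.113.7 443
2012-09-26T10:00:31 10.1.1.50 198.51.100.10 80
2012-09-26T10:01:00 10.1.1.20 203.0.113.7 443
2012-09-26T10:01:05 10.1.1.21 203.0.113.7 443
2012-09-26T10:01:09 10.1.1.22 203.0.113.7 443
2012-09-26T10:01:44 10.1.1.50 198.51.100.10 80
2012-09-26T10:02:00 10.1.1.20 203.0.113.7 443
2012-09-26T10:02:05 10.1.1.21 203.0.113.7 443
2012-09-26T10:02:09 10.1.1.22 203.0.113.7 443
2012-09-26T10:03:00 10.1.1.20 203.0.113.7 443
2012-09-26T10:03:05 10.1.1.21 203.0.113.7 443
2012-09-26T10:03:09 10.1.1.22 203.0.113.7 443
2012-09-26T10:05:12 10.1.1.50 198.51.100.10 80
2012-09-26T10:05:40 10.1.1.50 198.51.100.22 443
"""


def is_internal(addr):
    """True when the address falls inside one of the internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the simplified log into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def _periodic(timestamps, min_conns, max_jitter):
    """True when the gaps between connections are regular (machine-driven)."""
    if len(timestamps) < min_conns:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return False
    avg = mean(gaps)
    # Coefficient of variation: 0 means perfectly regular check-ins.
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def find_suspicious_destinations(records, min_hosts=3, min_conns=3,
                                 max_jitter=0.2):
    """Flag external destinations shared by many hosts or beaconed to on a schedule."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in records:
        # Only internal -> external traffic matters for this check.
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    hosts, periodic = defaultdict(set), defaultdict(list)
    for (src, dst), stamps in by_pair.items():
        hosts[dst].add(src)
        if _periodic(stamps, min_conns, max_jitter):
            periodic[dst].append(src)
    findings = {}
    for dst, srcs in hosts.items():
        reasons = []
        if len(srcs) >= min_hosts:
            reasons.append(f"{len(srcs)} internal hosts share this destination")
        if periodic[dst]:
            reasons.append("fixed-cadence check-ins from "
                           + ", ".join(sorted(periodic[dst])))
        if reasons:
            findings[dst] = {"host_count": len(srcs),
                             "periodic_sources": sorted(periodic[dst]),
                             "reasons": reasons}
    return findings


if __name__ == "__main__":
    for dst, info in find_suspicious_destinations(parse_log(SAMPLE_LOG)).items():
        print(dst, "->", "; ".join(info["reasons"]))
```

The output is a triage list, not a verdict: update servers and SaaS endpoints also show high fan-in, so tune min_hosts and max_jitter to the site and maintain an allowlist of known-good destinations before acting on a hit.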
How to Combat the Threat?
• PCI Council Embraces P2PE
  – Recent releases from the Council with recommendations and requirements for implementing and providing P2PE solutions
  – QSA certification and training, and publication of validated P2PE solutions and providers
  – Requirements for hybrid (hardware-to-hardware/software) P2PE systems
• Card Associations Adopt EMV Standard
  – Addressing the root of the problem by moving to a more secure payment vehicle
  – Extending the umbrella of security: the chip authenticates the card itself (and, with PIN, the cardholder) and adds a measure of track-data protection at the POI
Misconceptions About EMV
[Table comparing EMV and P2PE on three criteria: Protects Card-Present, Protects Card-Not-Present, Reduces PCI Scope. The check marks in the cells did not survive extraction.]
PCI Domains and Requirements for P2PE
(The six domains together are assessed as one validated and listed solution.)

DOMAIN 1: Encryption Device Management
  PTS Lab and Device Vendor: PTS / SRED approval.
  QSA (P2PE) and Integrator/Solution Provider:
    1. Device is current and on the PTS list.
    2. Device is managed appropriately from key injection to pre-use, including key management per Domain 6.

DOMAIN 2: Application Security
  PA-QSA (P2PE) and Application Vendor:
    1. Application developed per device vendor guidance, etc.
    2. Application is assessed as part of the P2PE solution.
  QSA (P2PE) and Solution Provider: Application is current on the P2PE list or assessed as part of this P2PE solution.

DOMAIN 3: Encryption Environment
  QSA (P2PE) and Solution Provider:
    1. Solution provider's PIM (P2PE Instruction Manual) is complete.
    2. Device/solution provider manages remote access, logical access, etc.
  Merchant:
    1. Follows the solution provider's PIM for device inventory, tamper-checking and physical security.
    2. Annual SAQ if required.

DOMAIN 4: Transmissions Between Encryption and Decryption Environments
  Merchant: N/A – the device manages segregation between the encryption and decryption zones.
  QSA (P2PE) and Solution Provider: N/A – the device manages segregation between the encryption and decryption zones per Domain 1.

DOMAIN 5: Decryption Environment / Device Management
  QSA (P2PE) and Solution Provider:
    1. Secure device management
    2. Devices monitored for anomalous behavior
    3. HSM use
    4. Key management per Domain 6
    5. PCI DSS compliance

DOMAIN 6: P2PE Cryptographic Key Operations
  QSA (P2PE) and Solution Provider: Domain 6 requirements for key operations apply anywhere cryptographic keys are handled, including the encryption device environment.
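The merchant's Domain 3 duties (device inventory, tamper-checking and physical security per the solution provider's PIM), as an added example that is not from the webinar or from any PCI document: a reconciliation of the merchant's POI inventory against a store walk-through, flagging the events the PIM would have staff act on. The record formats, issue codes and seven-day inspection interval are assumptions made for the example; a real solution provider's PIM dictates the actual checks and cadence.

```python
"""Reconcile a merchant's POI device inventory against a store walk-through.

Added example, not part of the original webinar. Record formats, issue
codes and the inspection interval are assumptions; the solution
provider's PIM (P2PE Instruction Manual) defines the real checks.
"""
from datetime import date

TODAY = date(2012, 9, 26)  # assumed date of the walk-through

# Constructed inventory: what the merchant believes is deployed.
INVENTORY = {
    "SN-1001": {"model": "PTS-POI-X", "location": "Lane 1",
                "last_inspected": date(2012, 9, 1)},
    "SN-1002": {"model": "PTS-POI-X", "location": "Lane 2",
                "last_inspected": date(2012, 9, 25)},
    "SN-1003": {"model": "PTS-POI-X", "location": "Lane 3",
                "last_inspected": date(2012, 9, 25)},
}

# Constructed walk-through results: what staff actually found on the lanes.
# SN-1002 is gone and an unknown serial sits where it was (the classic
# device-swap attack); SN-1003 has moved and its tamper seal is broken.
OBSERVED = [
    {"serial": "SN-1001", "location": "Lane 1", "seal_intact": True},
    {"serial": "SN-1003", "location": "Lane 4", "seal_intact": False},
    {"serial": "SN-9999", "location": "Lane 2", "seal_intact": True},
]


def reconcile_devices(inventory, observed, today, max_inspection_days=7):
    """Return sorted (serial, issue_code, detail) tuples for every discrepancy.

    A missing or unknown device is a potential substitution, a broken seal
    is potential tampering, and an overdue inspection is a process gap.
    """
    findings = []
    seen = set()
    for dev in observed:
        serial = dev["serial"]
        seen.add(serial)
        expected = inventory.get(serial)
        if expected is None:
            findings.append((serial, "UNKNOWN_DEVICE",
                             f"not in inventory, found at {dev['location']}"))
            continue
        if dev["location"] != expected["location"]:
            findings.append((serial, "LOCATION_MISMATCH",
                             f"expected {expected['location']}, "
                             f"found at {dev['location']}"))
        if not dev["seal_intact"]:
            findings.append((serial, "TAMPER_SEAL_BROKEN",
                             f"seal broken at {dev['location']}"))
    for serial, expected in inventory.items():
        if serial not in seen:
            findings.append((serial, "MISSING",
                             f"not found; last known at {expected['location']}"))
        age = (today - expected["last_inspected"]).days
        if age > max_inspection_days:
            # The walk-through records presence and seal state only; the formal
            # inspection date is updated when the PIM checklist is signed off.
            findings.append((serial, "INSPECTION_OVERDUE",
                             f"last formal inspection {age} days ago"))
    return sorted(findings)


def run_sample():
    """Reconcile the constructed inventory and walk-through."""
    return reconcile_devices(INVENTORY, OBSERVED, TODAY)


if __name__ == "__main__":
    for serial, code, detail in run_sample():
        print(f"{serial:8} {code:20} {detail}")
```

Run daily per store; an UNKNOWN_DEVICE at the spot where a MISSING one was expected is the pattern to escalate first, since a substituted terminal defeats P2PE entirely until it is pulled from service.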
P2PE Solution Types
• Hardware/Hardware
• Hybrid (hardware/hardware-software)
• Hybrid (hardware/software)
For a merchant to qualify for PCI scope reduction for P2PE, the solution provider must be external to the enterprise.
On the PCI Horizon...
• The next version (v3.0) of the PCI Data
Security Standards (PCI DSS and PA-DSS)
will be released in October 2013
– No details yet
• Recent focus on more specialized education
for integrators, POS and device providers,
individuals/professionals... (beyond QSAs)
– P2PE Internal Security Assessor (ISA) program
– Qualified Integrators and Resellers (QIR) program
– Payment Card Industry Professional (PCIP) certification
Evaluate:
• Encryption
  – Industry-recognized standards and methods vs. proprietary
  – The POI must be a PTS-certified hardware device
• Decryption
  – Hardware security modules (HSMs)
  – How is key data transport handled?
• Devices, Applications
  – The POI device must be SRED (Secure Reading and Exchange of Data) 2.x (or higher) enabled and active
  – PA-DSS validated application
• Key Operations
  – Who holds the keys?
  – Who has access?
  – Key injection process?

Consider:
• Service / Support
  – Fast access to data and ability to troubleshoot?
  – Responsive, redundant support centers, 24x7x365?
• Network Uptime and Throughput
  – Redundant data centers?
  – Transactions per second?
• Stability
  – Financial strength of company? Number of years' experience?
• Flexibility
  – Encryption via various POI devices? Single vs. multi-use tokens? Processor choice? POS vendor/device choice?
TransactionShield®: Our P2PE Solution
• A flexible solution for the market today
  – Ability to support many points of interaction
    • card present, key-entered, e-commerce, virtual terminal
  – Designed to integrate with most major encrypting devices
  – Connectivity to all major processors
    • No processor lock-in: ability to easily change acquirers without equipment changes, reprogramming or PIN re-injection
    • Option to connect to multiple processors simultaneously (AMEX, private label, gift cards, etc.)
• Protects data as it travels through the merchant IT environment
  – Encrypts cardholder data using industry-recognized standards and methods
  – Utilizes cloud-based decryption
• QSA validated
Conclusions
• Data in transit is under attack.
  – Hackers use a combination of techniques.
• To protect data, merchants must also use a combination of techniques (layers of security).
  – EMV is a good layer, but it's not the answer.
• PCI has endorsed P2PE as an effective way to enhance security and reduce PCI scope.
  – Especially hardware-based, third-party solutions.
• Requirements and threats continue to expand and change. Seek out a flexible, secure solution that can meet your needs now and into the future.
Contact us by email: sales@merchantlink.com
Engage: www.merchantlink.com/blog
How to convert PDF to text with Nanonets
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Point-to-Point Encryption Best Practices & PCI Compliance

10. How to Combat the Threat?
• PCI Council Embraces P2PE
– Recent releases from the Council with recommendations and requirements for implementing and providing P2PE solutions
– QSA certification, training, and publishing of validated P2PE solutions and providers
– Requirements for hybrid (hardware to hardware/software) P2PE systems
• Card Associations Adopt EMV Standard
– Addressing the root of the problem by moving to a more secure payment vehicle
– Extending the umbrella of security to authenticate the payment card to the cardholder and adding a measure of track data security at the POI
12. PCI Domains and Requirements for P2PE (Validated and Listed Solution)

DOMAIN 1: Encryption Device Management
• PTS Lab and Device Vendor – PTS / SRED approval
• QSA (P2PE) and Integrator/Solution Provider
  1. Device is current and on PTS list.
  2. Device is managed appropriately from key injection to pre-use, including key management per Domain 6.

DOMAIN 2: Application Security
• PA-QSA (P2PE) and Application Vendor
  1. Application developed per device vendor guidance, etc.
  2. Application is assessed as part of P2PE solution.
• QSA (P2PE) and Solution Provider – Application is current on P2PE list or assessed as part of this P2PE solution.

DOMAIN 3: Encryption Environment
• QSA (P2PE) and Solution Provider
  1. Solution provider’s PIM is complete.
  2. Device/solution provider manages remote access, logical access, etc.
• Merchant
  1. Follows solution provider PIM for device inventory, tamper-checking, physical security.
  2. Annual SAQ if required.

DOMAIN 4: Transmissions Between Encryption and Decryption Environments
• Merchant – N/A; device manages segregation between encryption and decryption zones
• QSA (P2PE) and Solution Provider – N/A; device manages segregation between encryption and decryption zones per Domain 1

DOMAIN 5: Decryption Environment / Device Management
• QSA (P2PE) and Solution Provider
  1. Secure device management
  2. Devices monitored for anomalous behavior
  3. HSM use
  4. Key management per Domain 6
  5. PCI DSS compliance

DOMAIN 6: P2PE Cryptographic Key Operations
• QSA (P2PE) and Solution Provider – Domain 6 requirements for key operations are applicable anywhere that cryptographic keys are handled, including the encryption device environment.
14. For a merchant to qualify for PCI scope reduction for P2PE, the solution provider must be external to the enterprise.
15. On the PCI Horizon...
• The next version (v3.0) of the PCI Data Security Standards (PCI DSS and PA-DSS) will be released in October 2013
– No details yet
• Recent focus on more specialized education for integrators, POS and device providers, individuals/professionals... (beyond QSAs)
– P2PE Internal Security Assessor (ISA) program
– Qualified Integrators and Resellers (QIR) program
– Payment Card Industry Professional (PCIP) certification
16. Evaluate:
• Encryption – industry-recognized standards and methods vs. proprietary; the POI must be a PTS-certified hardware device
• Decryption – hardware security modules (HSMs); how is key data transport handled?
• Devices, Applications – the POI device must be SRED 2.x (or higher) enabled and active; PA-DSS validated application
• Key Operations – who holds the keys? who has access? key injection process?
17. Consider:
• Service / Support – Fast access to data and ability to troubleshoot? Responsive, redundant support centers, 24x7x365?
• Network Uptime and Throughput – Redundant data centers? Transactions per second?
• Stability – Financial strength of company? Number of years experience?
• Flexibility – Encryption via various POI devices? Single vs. multi-use tokens? Processor choice? POS vendor/device choice?
18. TransactionShield®: Our P2PE Solution
• A flexible solution for the market today
– Ability to support many points of interaction
  • card present, key-entered, e-commerce, virtual terminal
– Designed to integrate with most major encrypting devices
– Connectivity to all major processors
  • No processor lock-in: ability to easily change acquirers without equipment changes, reprogramming or PIN re-injection
  • Option to connect to multiple processors simultaneously (AMEX, private label, gift cards, etc.)
• Protects data as it travels through the merchant IT environment
– Encrypts cardholder data using industry-recognized standards and methods
– Utilizes cloud-based decryption
• C (QSA) validated
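To make the zones in the slide 12 domain table and the slide 18 claim that data is protected while it travels through the merchant IT environment concrete, here is an added Python simulation (not Merchant Link's code and not from any PCI-listed solution): the POI encrypts the PAN under a key held only by the device and the decryption environment, the merchant network relays opaque bytes, and a Luhn-based scan confirms that no PAN transits the merchant segment. The cipher is an HMAC-SHA256 counter-mode stand-in so the example runs on the standard library alone; DEMO_KEY and the PAN used are constructed values.

```python
import hmac
import hashlib
import os
import re

# Constructed demo key. In a real P2PE solution the key is injected into the
# PTS/SRED device (Domain 1) and held in the provider's HSM (Domain 5); the
# merchant never possesses it, which is what keeps the merchant out of scope.
DEMO_KEY = b"constructed-demo-key-not-for-use!"

def luhn_ok(digits: str) -> bool:
    """Luhn check: distinguishes a real-looking PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(blob: bytes) -> list:
    """Scope check: scan a byte stream for 13-19 digit runs that pass Luhn."""
    text = blob.decode("latin-1")
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", text) if luhn_ok(m)]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in PRF (HMAC-SHA256 in counter mode); a real POI uses the
    device's approved cipher, this only keeps the example dependency-free."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def poi_encrypt(key: bytes, pan: str) -> bytes:
    """Encryption environment (Domain 3): the PAN is encrypted inside the POI
    before it leaves the device. Output layout: nonce | ciphertext | tag."""
    nonce = os.urandom(12)
    data = pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decryption_env_decrypt(key: bytes, blob: bytes) -> str:
    """Decryption environment (Domain 5): the merchant (Domain 4) only relayed
    opaque bytes; here the tag is verified and the PAN recovered."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
```

Running find_pans over what the merchant segment carries is the kind of evidence a QSA looks for when confirming that cardholder data never appears in the clear between the POI and the decryption environment.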
19. Conclusions
• Data in transit is under attack.
– Hackers are using a combination of techniques
• To protect data, merchants must also use a combination of techniques (layers of security).
– EMV is a good layer, but it’s not the answer
• PCI has endorsed P2PE as an effective way to enhance security and reduce PCI scope.
– Esp. hardware-based, third-party solutions
• Requirements and threats continue to expand and change. Seek out a flexible, secure solution that can meet your needs now and into the future.
20. Contact us
• Email: sales@merchantlink.com
• Engage: www.merchantlink.com/blog
• Connect with us online: