Token Service Provider (TSP)
An Introduction to Certification
Biju John, PCI QSA, PA-QSA, PCI P2PE, PCI PA-QSA(P2PE), P2PE, 3DS
VP ControlCase
Agenda
• What is Tokenization?
• What is a Token Service Provider or TSP?
• Who can become a TSP?
• Benefits of being a TSP
• Business Flow for Payment Tokens
• Scope – Token Data Environment
• TSP Requirements
• Assessment and Certification
What is Tokenization?
The process of replacing sensitive data (Card Data) with surrogate values that remove risk but preserve value to the business.
• Tokenization is an added layer of protection in the payment processing ecosystem
• Minimizes the fraud exposure from a data compromise
• No changes to the existing payment ecosystem
Different Types of Tokens
• Acquiring Tokens
Acquiring tokens are created by the acquirer, merchant, or a merchant's service provider after the cardholder presents their PAN and/or other payment credentials. They are not based on an industry standard and cannot be used for new authorizations.
• Issuer Tokens
Issuer tokens, also known as virtual card numbers, are created by issuers and provide the means to reduce risk in specific use cases, including commercial card applications as well as consumer-oriented services.
• Payment Tokens
Payment tokens are created by TSPs that are registered with EMVCo. Payment Tokens are issued to a cardholder in lieu of a PAN, and the cardholder presents the Payment Token to the merchant when making a purchase. During a Payment Token transaction, the merchant and acquirer do not receive or have access to the corresponding PAN.
Sample Payment Token
6203011150123456789
• 620301 - BIN
• 11 - Card identifier
• 5 - Token identifier (0 - production physical card identifier; 99 - test physical card identifier)
• 012345678 - random numbers
• 9 - Luhn digit
Complies with the PAN format, supporting interoperability within the existing payment processes:
• 13 – 19 digits
• Supports the ISO 8583 message format
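As an added worked example (not from the slides), the token layout above in Python: it assembles a token from the slide's field values, derives the Luhn digit from the leading 18 digits rather than taking it as given, splits a token back into its fields, checks the 13–19 digit PAN-format condition, and produces the masked display form PCI DSS Requirement 3.3 allows. The class and function names are my own.

```python
# Added example (not from the slides): a Payment Token laid out as on the
# "Sample Payment Token" slide, built and checked in Python.
# Layout, 19 digits: BIN (6) | card identifier (2) | token identifier (1)
#                    | random digits (9) | Luhn check digit (1)
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass(frozen=True)
class PaymentTokenFields:
    bin: str        # 6-digit token BIN (slide example: 620301)
    card_id: str    # 2-digit card identifier
    token_id: str   # 1-digit token identifier
    random: str     # 9 random digits
    luhn: str       # check digit computed over the 18 digits before it


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit that makes payload + digit pass the Luhn test."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit, then every second one, is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the Luhn check digit of the preceding digits."""
    return (len(number) > 1 and number.isdigit()
            and luhn_check_digit(number[:-1]) == number[-1])


def pan_format_ok(number: str) -> bool:
    """The slide's interoperability condition: 13-19 digits with a valid Luhn digit."""
    return number.isdigit() and 13 <= len(number) <= 19 and luhn_valid(number)


def build_payment_token(bin_: str, card_id: str, token_id: str,
                        random_part: Optional[str] = None) -> str:
    """Assemble a 19-digit Payment Token; random digits come from `secrets` if omitted."""
    for name, value, width in (("bin", bin_, 6), ("card_id", card_id, 2),
                               ("token_id", token_id, 1)):
        if not (value.isdigit() and len(value) == width):
            raise ValueError(f"{name} must be {width} decimal digits")
    if random_part is None:
        # A real token vault would also guarantee uniqueness against issued tokens.
        random_part = "".join(str(secrets.randbelow(10)) for _ in range(9))
    if not (random_part.isdigit() and len(random_part) == 9):
        raise ValueError("random_part must be 9 decimal digits")
    payload = bin_ + card_id + token_id + random_part
    return payload + luhn_check_digit(payload)


def parse_payment_token(token: str) -> PaymentTokenFields:
    """Split a 19-digit token into the fields named on the slide (no Luhn check here)."""
    if not (token.isdigit() and len(token) == 19):
        raise ValueError("expected a 19-digit token")
    return PaymentTokenFields(token[:6], token[6:8], token[8], token[9:18], token[18])


def mask_token(token: str) -> str:
    """Display form permitted by PCI DSS Requirement 3.3: at most first six and last four."""
    if len(token) < 10:
        raise ValueError("token too short to mask")
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


if __name__ == "__main__":
    # Constructed input: the slide's field values, with the check digit recomputed.
    token = build_payment_token("620301", "11", "5", "012345678")
    print(token, parse_payment_token(token), mask_token(token), pan_format_ok(token))
```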
What is a Token Service Provider or TSP?
Any service provider within the payments ecosystem that is able to provide token requestors with 'surrogate' PAN values in place of 'Card Data'.
• Generates and manages Payment Tokens
• A wholly independent party from the payment network or payment processor.
• Can be integrated with a payment network or payment processor.
Token Payment Flow – High-level
Sample Steps - Registration
Who can become a TSP?
Any service provider within the payments ecosystem, such as Issuers, Acquirers and Merchants, that wishes to offer mobile and/or digital payments to customers can become a TSP.
• Generates and issues EMV 'Payment Tokens'
• Must be a valid PCI DSS certified entity
• Must be registered with EMVCo as a Token Service Provider
Benefits of being a TSP – Self Assist
Enables them to reduce long-term costs, maintain independence and increase flexibility to establish an edge over their competitors.
• Provides full control over the tokenization process: creation, storage, issuance and management
• Full control of digital payments by issuing tokens directly without third-party intervention.
• Reduced long-term costs: no additional TSP fees from the payment schemes.
• Savings on transaction fees for on-us transactions when you are the issuing as well as the acquiring bank.
• Banks retain their privacy because data and roadmaps do not have to be shared with the schemes.
• Keep track of customer payment behavior to gain valuable insight and be able to offer personalized services.
How to become a TSP
Comply with a set of controls defined on the basis of the EMVCo Payment Tokenization Specification – Technical Framework; these are additional to those in PCI DSS.
• Defined as physical and logical security requirements and assessment procedures
• Requirements developed by PCI SSC and managed by the Payment Brands
• Any queries about validating compliance should be directed to the appropriate Payment Brand(s)
• Not listed by PCI SSC
Scope: Token Data Environment (TDE)
The TDE is a dedicated, secure area within the TSP where one or more of the following services are performed:
• Token generation, issuing, and mapping processes (e.g. token vault)
• Assignment of token usage parameters (e.g. APIs)
• Token lifecycle management (e.g. token vault)
• Processes to map or re-map tokens, or perform de-tokenization (e.g. token vault)
• Cryptographic processes to support tokenization functions (e.g. HSM)
• Maintenance of underlying token security and related processing controls, such as domain restrictions during transaction processing.
Token Data Environment (TDE)
Example of TDE Implementation
• TDE as a subnet of the CDE
• Combined CDE and TDE
TSP Requirements
• 8 Requirements spread across the 12 PCI DSS Requirements
• These are in addition to the PCI DSS Requirements
TSP 1 – Document and validate PCI DSS scope
TSP 2 – Secure TDE Systems and Network
TSP 3 – Protect and manage cryptographic keys
TSP 4 – Restrict access to TDE by business need to know
TSP 5 – Identify and authenticate all access to TDE systems
TSP 6 – Restrict physical access to the TDE
TSP 7 – Monitor all access to TDE
TSP 8 – Maintain an Information Security Policy
TSP – PCI Mapping
For each PCI DSS Requirement, the additional applicability for TSPs:

1. Install and maintain a firewall configuration to protect cardholder data
   • Firewall controls in PCI DSS Requirement 1 also apply to internal firewalls used to separate the TDE from non-TDE networks.
   • The current network and data-flow diagrams (PCI DSS Requirements 11.2 and 1.1.3) must also include all connections between the TDE and other networks, and all flows of Payment Tokens across systems and networks in the TDE.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
   • PCI DSS Requirement 2 applies to all system components in the TDE.
   • Wireless environments are not permitted to be connected to the TDE.
3. Protect stored cardholder data
   • Data retention and disposal policies, procedures and processes (PCI DSS Requirement 3.1) also apply to Payment Token Data.
   • Payment Tokens must also be masked when displayed such that only personnel with a legitimate business need can see the full Payment Token (PCI DSS Requirement 3.3), and rendered unreadable wherever they are stored (PCI DSS Requirement 3.4) in the TDE.
   • The key-management requirements in this document are in addition to those in PCI DSS Requirements 3.5 – 3.6.
4. Encrypt transmission of cardholder data across open, public networks
   • Wireless environments are not permitted to be connected to the TDE.
5. Protect all systems against malware and regularly update anti-virus software or programs
   • PCI DSS Requirement 5 applies to all system components in the TDE.
6. Develop and maintain secure systems and applications
   • PCI DSS Requirement 6 applies to all system components in the TDE.
   • All changes made to system components in the TDE must be in accordance with PCI DSS Requirement 6.4.5.
7. Restrict access to cardholder data by business need to know
   • Access to Payment Token Data in the TDE must also be restricted according to the principles of need-to-know and least privilege.
8. Identify and authenticate access to system components
   • Strong authentication controls are required for all accounts used to access Payment Tokens or to access systems in the TDE.
9. Restrict physical access to cardholder data
   • Physical security controls also apply to secure access to Payment Token Data in the TDE.
10. Track and monitor all access to network resources and cardholder data
   • Audit log requirements include all individual user access to Payment Token Data in the TDE (PCI DSS Requirement 10.2.1).
11. Regularly test security systems and processes
   • Internal vulnerability scans, penetration tests (for example, to verify segmentation controls), intrusion detection, and change detection apply to the TDE.
12. Maintain a policy that addresses information security for all personnel
   • PCI DSS Requirement 12 also applies to personnel with access to the TDE.

TSP requirement – corresponding PCI DSS requirement(s)
TSP1 – Scope
TSP2 – 1, 2
TSP3 – 3
TSP4 – 7
TSP5 – 8
TSP6 – 9
TSP7 – 10
TSP8 – 12
TSP – Encryption
• All key-management processes must be conducted within an HSM that is FIPS 140-2 Level 3 certified or PCI PTS HSM approved
• Approved algorithms
Assessment and Certification
• Assessment must be performed by a P2PE QSA
• The TDE must be PCI DSS certified
• PCI DSS requirements not already applied may be assessed along with the TSP engagement, and a partial ROC issued
• All applicable TSP controls must be applied to the TDE
• Compensating controls can be considered if necessary
• The TSP ROC, or T-ROC, must be completed as per the Reporting Template for PCI DSS v3
• Submit the T-ROC and T-AOC to the brands
• The client may do this directly with the applicable payment brand
Why ControlCase?
• Global Reach
  • Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
  • PCI DSS Qualified Security Assessor (QSA)
  • PA DSS (PA-QSA)
  • QSA for Point-to-Point Encryption (QSA P2PE)
  • QSA for TSP
  • QSA for 3DS
  • Certified ASV vendor
www.controlcase.com
+1.703.483.6383 (US)
+91.9820293399 (India)
sales@controlcase.com
To Learn More About PCI TSP Compliance
Discussion forum
Q&A
Thank You for Your Time

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Introduction to Token Service Provider (TSP) Certification

  • 6. What is a Token Service Provider or TSP?
    Any service provider within the payments ecosystem that is able to supply token requestors with 'surrogate' PAN values in place of 'Card Data'.
     Generates and manages Payment Tokens
     May be a party wholly independent of the payment network or payment processor, or may be integrated with a payment network or payment processor
  • 7. Token Payment Flow – High-level
  • 8. Sample Steps – Registration
  • 9. Who can become a TSP?
    Any service provider within the payments ecosystem, such as Issuers, Acquirers and Merchants, that wishes to offer mobile and/or digital payments to customers can become a TSP. It must:
     Generate and issue EMV 'Payment Tokens'
     Be a valid PCI DSS certified entity
     Be registered with EMVCo as a Token Service Provider
  • 10. Benefits of being a TSP – Self Assist
    Running its own TSP lets an organization reduce long-term costs, maintain independence and gain the flexibility to establish an edge over its competitors.
     Full control over the tokenization process: creation, storage, issuance and management
     Full control of digital payments by issuing tokens directly, without third-party intervention
     Reduced long-term costs: no additional TSP fees from the payment schemes
     Savings on transaction fees for on-us transactions, when you are both the issuing and the acquiring bank
     Banks retain their privacy, because data and roadmaps do not have to be shared with the schemes
     Tracking of customer payment behaviour to gain valuable insight and offer personalized services
  • 11. How to become a TSP
    Comply with a set of controls that are defined on the basis of the EMVCo Payment Tokenization Specification – Technical Framework and are additional to those in PCI DSS.
     Defined as physical and logical security requirements, with assessment procedures
     Requirements developed by PCI SSC and managed by the payment brands
     Any queries about validating compliance should be directed to the appropriate payment brand(s)
     Validated TSPs are not listed by PCI SSC
  • 12. Scope: Token Data Environment (TDE)
    The TDE is a dedicated, secure area within the TSP where one or more of the following services are performed:
     Token generation, issuing and mapping processes (e.g. token vault)
     Assignment of token usage parameters (e.g. APIs)
     Token lifecycle management (e.g. token vault)
     Processes to map or re-map tokens, or to perform de-tokenization (e.g. token vault)
     Cryptographic processes to support tokenization functions (e.g. HSM)
     Maintenance of underlying token security and related processing controls, such as domain restrictions during transaction processing
  • 13. Token Data Environment (TDE) – Example of TDE Implementation
     TDE as a subnet of the CDE
     Combined CDE and TDE
  • 14. TSP Requirements
     8 requirements, spread across the 12 PCI DSS requirements
     These are in addition to the PCI DSS requirements
    TSP 1 – Document and validate PCI DSS scope
    TSP 2 – Secure TDE systems and network
    TSP 3 – Protect and manage cryptographic keys
    TSP 4 – Restrict access to the TDE by business need to know
    TSP 5 – Identify and authenticate all access to TDE systems
    TSP 6 – Restrict physical access to the TDE
    TSP 7 – Monitor all access to the TDE
    TSP 8 – Maintain an information security policy
  • 15. TSP – PCI Mapping
    PCI DSS Requirement / Additional applicability for TSPs
    1. Install and maintain a firewall configuration to protect cardholder data
        Firewall controls in PCI DSS Requirement 1 also apply to internal firewalls used to separate the TDE from non-TDE networks.
        The current network and data-flow diagrams (PCI DSS Requirements 1.1.2 and 1.1.3) must also include all connections between the TDE and other networks, and all flows of Payment Tokens across systems and networks in the TDE.
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
        PCI DSS Requirement 2 applies to all system components in the TDE.
        Wireless environments are not permitted to be connected to the TDE.
    3. Protect stored cardholder data
        Data retention and disposal policies, procedures and processes (PCI DSS Requirement 3.1) also apply to Payment Token Data.
        Payment Tokens must also be masked when displayed, such that only personnel with a legitimate business need can see the full Payment Token (PCI DSS Requirement 3.3), and rendered unreadable wherever they are stored in the TDE (PCI DSS Requirement 3.4).
        The key-management requirements in the TSP standard are in addition to those in PCI DSS Requirements 3.5 – 3.6.
  • 16. TSP – PCI Mapping (continued)
    4. Encrypt transmission of cardholder data across open, public networks
        Wireless environments are not permitted to be connected to the TDE.
    5. Protect all systems against malware and regularly update anti-virus software or programs
        PCI DSS Requirement 5 applies to all system components in the TDE.
    6. Develop and maintain secure systems and applications
        PCI DSS Requirement 6 applies to all system components in the TDE.
        All changes made to system components in the TDE must be in accordance with PCI DSS Requirement 6.4.5.
    7. Restrict access to cardholder data by business need to know
        Access to Payment Token Data in the TDE must also be restricted according to the principles of need-to-know and least privilege.
    8. Identify and authenticate access to system components
        Strong authentication controls are required for all accounts used to access Payment Tokens or to access systems in the TDE.
    9. Restrict physical access to cardholder data
        Physical security controls also apply to secure access to Payment Token Data in the TDE.
    10. Track and monitor all access to network resources and cardholder data
        Audit log requirements include all individual user access to Payment Token Data in the TDE (PCI DSS Requirement 10.2.1).
    11. Regularly test security systems and processes
        Internal vulnerability scans, penetration tests (for example, to verify segmentation controls), intrusion detection and change detection apply to the TDE.
    12. Maintain a policy that addresses information security for all personnel
        PCI DSS Requirement 12 also applies to personnel with access to the TDE.
    Mapping of TSP requirements to PCI DSS requirements:
    TSP 1 – Scope
    TSP 2 – Requirements 1, 2
    TSP 3 – Requirement 3
    TSP 4 – Requirement 7
    TSP 5 – Requirement 8
    TSP 6 – Requirement 9
    TSP 7 – Requirement 10
    TSP 8 – Requirement 12
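As an added example (not code from the ControlCase deck), the Python below builds, validates, parses and masks a Payment Token in the PAN-compatible layout the deck illustrates earlier (BIN, card identifier, token identifier, random digits and a trailing Luhn digit, 13 to 19 digits in total), and applies the Requirement 3.3-style display masking called for in the mapping above. The field widths (6/2/1), the use of the OS CSPRNG for the random digits and the first-six/last-four mask are assumptions made for illustration; a real TSP's layout is fixed by its token BIN ranges. One caveat worth knowing: the deck's 19-digit sample ends in 9, but the Luhn check digit for its first 18 digits is 6, so that sample is illustrative rather than Luhn-valid.

```python
"""Payment Token layout helpers (added example, not from the deck).

Assumed layout, following the deck's 19-digit illustration:
    BIN (6) | card identifier (2) | token identifier (1) | random (n) | Luhn (1)
"""
import secrets

TOKEN_MIN_LEN, TOKEN_MAX_LEN = 13, 19   # PAN-compatible lengths the deck cites


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Luhn validation of a full token, check digit included."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def generate_token(token_bin: str, card_id: str, token_id: str = "0", rand_len: int = 9) -> str:
    """Assemble BIN | card identifier | token identifier | random digits | Luhn digit.

    token_id "0" marks a production token and "99" a test token, as in the deck.
    The random digits come from the OS CSPRNG (assumption), so the token carries
    no information about the PAN it stands in for; that mapping lives in the vault.
    """
    if not (token_bin.isdigit() and card_id.isdigit() and token_id.isdigit()):
        raise ValueError("all fixed fields must be numeric")
    random_part = "".join(str(secrets.randbelow(10)) for _ in range(rand_len))
    body = token_bin + card_id + token_id + random_part
    token = body + luhn_check_digit(body)
    if not TOKEN_MIN_LEN <= len(token) <= TOKEN_MAX_LEN:
        raise ValueError(f"token length {len(token)} outside {TOKEN_MIN_LEN}-{TOKEN_MAX_LEN}")
    return token


def parse_token(token: str, bin_len: int = 6, card_id_len: int = 2, token_id_len: int = 1) -> dict:
    """Split a token back into its layout fields; widths are the assumed defaults above."""
    if not (TOKEN_MIN_LEN <= len(token) <= TOKEN_MAX_LEN and luhn_valid(token)):
        raise ValueError("not a well-formed payment token")
    fixed = bin_len + card_id_len + token_id_len
    if len(token) <= fixed + 1:
        raise ValueError("token too short for the assumed field widths")
    return {
        "bin": token[:bin_len],
        "card_id": token[bin_len:bin_len + card_id_len],
        "token_id": token[bin_len + card_id_len:fixed],
        "random": token[fixed:-1],
        "check": token[-1],
    }


def mask_token(token: str) -> str:
    """Display masking in the PCI DSS Requirement 3.3 style: at most first six and last four shown."""
    if len(token) < TOKEN_MIN_LEN:
        raise ValueError("too short to mask")
    return token[:6] + "*" * (len(token) - 10) + token[-4:]


if __name__ == "__main__":
    prod = generate_token("620301", "11")                  # 19-digit production token
    test = generate_token("620301", "11", "99", rand_len=8)  # 19-digit test token
    for t in (prod, test):
        print(t, parse_token(t, token_id_len=len(t) - 18 + 1 if t[8:10] == "99" else 1), mask_token(t))
```

Because the random digits are drawn from the CSPRNG rather than derived from the PAN, a token that leaks outside the TDE tells an attacker nothing about the card; the only place the PAN can be recovered is the vault's mapping, which is why the TDE scope on slide 12 centres on the token vault and the HSM. The masking function is what a call-centre or back-office screen in the TDE should apply before rendering, with the full token reserved for roles with a documented need.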
  • 17. TSP – Encryption
     All key-management processes must be conducted within an HSM that is FIPS 140-2 Level 3 certified or PCI PTS HSM approved
     Only approved algorithms may be used
  • 18. Assessment and Certification
     The assessment must be performed by a P2PE QSA
     The TDE must be PCI DSS certified
     PCI DSS requirements not already assessed may be assessed along with the TSP engagement, with a partial ROC issued for them
     All applicable TSP controls must be applied to the TDE
     Compensating controls can be considered if necessary
     The TSP ROC, or T-ROC, must be completed using the Reporting Template for PCI DSS v3
     The T-ROC and T-AOC are submitted to the payment brands; the client may do this directly with the applicable payment brand
  • 19. Why ControlCase?
     Global reach: serving more than 400 clients in 40 countries and rapidly growing
     Certified resources:
       PCI DSS Qualified Security Assessor (QSA)
       PA-DSS Qualified Security Assessor (PA-QSA)
       QSA for Point-to-Point Encryption (QSA P2PE)
       QSA for TSP
       QSA for 3DS
       Certified ASV vendor
  • 20. To Learn More About PCI TSP Compliance
    www.controlcase.com
    +1.703.483.6383 (US)
    +91.9820293399 (India)
    sales@controlcase.com
  • 22. Thank You for Your Time

Editor's Notes

  1. Many banks and service providers are choosing to take control by becoming their own TSP.