Beyond EMV / Why You Need Multi-Layered Security
JULY 29, 2015
EMV Security / A Key Component to a Multi-layered Security Approach
JULY 29, 2015
EMV security / enhanced functionality in 3 key areas
Beyond Security – Why You Need Multi-Layered Security / EMV Security - 07/29/2015
EMV secures the payment transaction with enhanced functionality in 3 key areas:
1. Card Authentication / protecting against counterfeit cards
2. Cardholder Verification / authenticating the cardholder and protecting against lost and stolen cards
3. Transaction Authorization / using issuer-defined rules to authorize transactions
Card Authentication
• The card is authenticated during the payment transaction, protecting against counterfeit cards
• Online transactions contain a unique chip-generated cryptogram, validated by the user
• Offline transactions are validated with the terminal using PKI data authentication
Cardholder Verification
• EMV supports four issuer-defined and prioritized cardholder verification methods (CVMs):
1. Offline PIN
2. Online PIN
3. Signature
4. No CVM*
*typically unattended kiosks or small-ticket transactions
Transaction Authorization
• Online, transaction info is sent to the issuer, along with a unique cryptogram
• Offline, the card and terminal communicate and use issuer-defined risk parameters in the chip to make the authorization decision
• Offline transactions may be used when there is no online connectivity
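An added Go model (not code from the slides or from Ingenico) of the online card authentication described above: the issuer derives a per-card key at personalization, the chip computes a cryptogram over the transaction, and the issuer recomputes it when the authorization request arrives with the PAN. The issuer master key, the HMAC-based derivation and MAC, and the Txn fields are assumptions standing in for the EMV 3DES/AES algorithms and CDOL data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Constructed placeholder issuer master key: at personalization the issuer
// derives each card's own key from it; that key never leaves the chip, so a
// counterfeit card cannot produce a valid cryptogram.
var issuerMasterKey = []byte("placeholder-issuer-master-key")

// kdf is a simplified HMAC-SHA256 derivation standing in for the EMV 3DES/AES
// key derivation and MAC (an assumption of this example, not the real algorithms).
func kdf(key []byte, label string, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	m.Write(data)
	return m.Sum(nil)
}

// CardKey is the issuer-specific key that personalization loads into the chip for one PAN.
func CardKey(pan string) []byte { return kdf(issuerMasterKey, "card", []byte(pan))[:16] }
// Txn is the transaction data both the chip and the issuer see.
type Txn struct {
	Amount        uint64
	ATC           uint16 // chip's transaction counter: no two cryptograms repeat
	Unpredictable uint32 // terminal's random challenge: a replayed cryptogram fails
}

func (t Txn) bytes() []byte {
	b := make([]byte, 14)
	binary.BigEndian.PutUint64(b, t.Amount)
	binary.BigEndian.PutUint16(b[8:], t.ATC)
	binary.BigEndian.PutUint32(b[10:], t.Unpredictable)
	return b
}

// Cryptogram (simplified ARQC): the chip MACs the transaction with a session
// key derived from its card key and the ATC, and sends it online with the PAN.
func Cryptogram(cardKey []byte, t Txn) []byte {
	session := kdf(cardKey, "session", t.bytes()[8:10])
	return kdf(session, "arqc", t.bytes())[:8]
}

// IssuerValidate re-derives the card key from the PAN and checks the cryptogram.
func IssuerValidate(pan string, t Txn, arqc []byte) bool {
	return hmac.Equal(arqc, Cryptogram(CardKey(pan), t))
}
```

The PAN itself still travels in the clear beside the cryptogram: this check proves the card is genuine and nothing more, which is the gap the later slides on P2PE and tokenization address.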
EMV security / increased protection against fraud
• EMV cards store payment information in a secure chip rather than on a magnetic stripe
• The personalization of EMV cards is done using issuer-specific keys
• Unlike a magnetic stripe card, it is virtually impossible to successfully create a usable counterfeit EMV card
Multi-layered security / why EMV alone is not enough
EMV authenticates the validity of the card
EMV authenticates the validity of the cardholder
EMV DOES NOT secure the data
Multi-layered security / why encryption and tokenization alone are not enough
• Encryption and tokenization are mechanisms to protect sensitive cardholder data, but those methods do not authenticate the data
• Without EMV, it is likely that you would be protecting fraudulent data
• Without EMV, merchants bear the liability for fraudulent transactions
  o The extent of the liability varies, depending on card brand
Multi-layered security / complete data protection
EMV offers a good start to enhancing data security, with:
• Card authentication
• Cardholder verification
• Transaction authorization
But a multi-layered security approach that includes encryption and tokenization provides complete data protection, safeguarding both merchants and their customers.
Thank You
ALLEN FRIEDMAN, DIRECTOR OF PAYMENTS / INGENICO GROUP, NA
WWW.INGENICO.US
Beyond EMV / Why P2PE is a Key Component to Multi-layered Security
JULY 29, 2015
Multi-layered security / the solution to criminal attacks
Merchants’ payments systems continue to be under attack by criminals
• Malware – mainly memory scrapers – installed on merchants’ point of sale (POS) systems
• Roughly 100 million cards captured from December 2013 through 2014
• Monetized through the selling of dumps on the dark web
• Track data dumps are worth more than PAN/Expiry
• PAN/Expiry still has value in the CNP (card-not-present) environment
The purpose of multi-layered security is to stop attacks
• Removes the monetization potential and encourages the criminals to move on
• Reduces the value of captured data to zero
Beyond Security – Why You Need Multi-Layered Security / P2PE - 07/29/2015
Point-to-point encryption (P2PE) / attack points – points to protect
Source: Hacking the Point of Sale, Slava Gomzin, 2014
EMV still sends card data in the clear
To protect the POS: the merchant must be successful 100% of the time
To attack the POS: criminals only need to be successful one time
The odds do not favor the merchant
Multi-layered security / the way to protect
Multi-layered security ensures card data protection
• EMV for card authentication – protect against fraudulent cards
• Point-to-point encryption (P2PE) – no clear card data outside the secure POI
• Tokenization – protect card data at rest
Now a successful attack on the POS will yield data that cannot be monetized
“I think the bigger [merchants] could maybe put a fence around this, such that it gets harder and harder. But the little guys are looking to just plug in the malware once, and it doesn’t matter if you have to get the big guys once to get 50 million cards, or you have to get 1,000 cards from 50,000 compromised merchants.”
– Rich Stuppy, COO at Kount
http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-malware
P2PE / the process
How P2PE works
• Encrypt data at the point of acceptance
• Encryption done in a secure terminal
• Decryption done in a gateway or at the processor
• No systems in between will see monetizable card data
Available in multiple flavors
• DUKPT – just like PIN encryption
• Public / private key
• Format-preserving encryption
Process flow: ENCRYPT (devices are provisioned for P2PE) → PASS-THRU (the POS system “sees” only encrypted transactions, passing them to the back end) → DECRYPT (centralized decryption and tokenization service) → PROCESS (transactions are managed normally)
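An added Go model of the ENCRYPT / PASS-THRU / DECRYPT flow above; it is not code from the slides or from any Ingenico or PCI-listed solution. The placeholder BDK, the KSN string and the HMAC-SHA256 per-transaction key derivation are assumptions standing in for ANSI X9.24 DUKPT, and AES-GCM stands in for the terminal's cipher.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// Constructed placeholder BDK: injected into the terminal and held by the decryption service only; the POS never has it.
var bdk = []byte("placeholder-bdk!")

// txnAEAD derives a unique AES-128-GCM key for one transaction from the BDK and the
// KSN (device id + counter, sent in the clear); HMAC-SHA256 is an assumed stand-in for X9.24 DUKPT.
func txnAEAD(ksn string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, bdk)
	mac.Write([]byte(ksn))
	block, err := aes.NewCipher(mac.Sum(nil)[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalEncrypt runs inside the secure terminal and emits nonce||ciphertext with the KSN bound as associated data.
func TerminalEncrypt(pan, ksn string) ([]byte, error) {
	aead, err := txnAEAD(ksn)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), []byte(ksn)), nil
}

// GatewayDecrypt runs at the gateway/processor; the POS and store network in between only forward the blob.
func GatewayDecrypt(blob []byte, ksn string) (string, error) {
	aead, err := txnAEAD(ksn)
	if err != nil {
		return "", err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		pt, err := aead.Open(nil, blob[:n], blob[n:], []byte(ksn))
		return string(pt), err
	}
	return "", io.ErrUnexpectedEOF
}
```

Everything between the terminal and the gateway, the POS included, handles only the blob and the KSN, so a memory scraper on the POS captures nothing that can be monetized.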
PCI P2PE program / gold standard for P2PE
• The PCI P2PE program validates full solutions to meet top-level security standards
• Merchants using validated P2PE solutions de-scope their POS and other merchant systems
  o Move from SAQ D (Merchant) to SAQ P2PE
  o Reduces 300 questions to roughly 30
• PCI P2PE requirements cover full solutions in six domains, including:
  o Terminal and terminal application
  o Supply chain/custody controls before and after key injection
  o Key injection and key management
  o Decryption environment
• Only 12 solutions worldwide (4 in the US) validated in 3 years of P2PE v1.x
• Modularity for solutions added in version 2, released on June 30, 2015
Beyond EMV / Major Retailer Takes a Multi-Layered Approach to Boost Security
Case Study
Major Retailer / multi-layered security success story
• One of America’s leading neighborhood / community apparel retailers
• 850+ specialty stores in small and mid-sized communities
• 10–50K employees
Beyond EMV – Why You Need Multi-Layered Security / Major Retailer Success Story – 8/7/2015
Major Retailer / multi-layered security success story
Challenge / Opportunity
• In 2014, several large retailers were victims of massive network breaches, resulting in credit card exposures for millions of customers
• This major retailer wanted to get all of its improved defenses in place before the 2014 holiday shopping season, which kicks off around Thanksgiving
• History has shown that criminal data breaches peak during the holidays
Solution
The company’s IT leadership devised a strategy to upgrade and fortify the retailer’s infrastructure:
• Implemented point-to-point encryption (P2PE) – Ingenico Group’s On-Guard solution
• Upgraded malware and virus defenses
• Strengthened network defenses
• Ethical hacking exercise to identify potential weaknesses
• Employee education on social engineering
Results
• Eliminated the tens of millions of customer payment card numbers that they had been encrypting and decrypting in their POS systems each year
• P2PE provides them with short-circuits, fully removing the payment card data – which helps eliminate criminal breaches
• Phishing was reduced from a 70 percent fail rate to a less-than-2-percent fail rate
Beyond EMV / HoneyBaked Ham uses PCI & P2PE Validated Solutions
Case Study
HoneyBaked Ham / PCI-validated P2PE success story
“Protecting your customers and your corporate brand continue to be the biggest challenges faced by IT executives. To meet that challenge, we've worked with a P2PE solution provider to adopt a PCI-validated P2PE payment solution across all our stores in a simplified and cost-effective way.”
– Bill Bolton, VP, Information Technology, HoneyBaked Ham
• HoneyBaked Ham is a privately held retailer that sells ham, turkey breast and other pre-cooked entrées, side dishes and desserts
• 200+ franchise locations and several corporate outlets
• 1001–5000 employees
Beyond Security – Why You Need Multi-Layered Security / HoneyBaked Ham Success Story – 8/7/2015
HoneyBaked Ham / PCI-validated P2PE success story
Challenge / Opportunity
• HoneyBaked Ham realized a need for a solution that encrypts all credit card data and reduces PCI compliance scope
• In late 2014, HoneyBaked Ham began investigating PCI-validated P2PE solutions for their corporate outlets as well as for all 200+ franchise locations
Solution
The retailer upgraded their security and chose to use:
• PCI-validated P2PE solution provided by Bluefin
• Ingenico Group’s iPP350 smart terminal
Store rollout of the Bluefin solution and the iPP350 device began March 2015 and went live in April
Results
HoneyBaked Ham anticipates the following results:
• Reduced PCI compliance scope from implementing a validated solution: from the 332-question SAQ D to the 35-question SAQ P2PE-HW
• Significant annual assessment savings
Beyond EMV / Agilysys Improves Hospitality Merchants’ Security With a Validated P2PE Solution
Case Study
Agilysys / hospitality vertical included multi-layered security with a validated P2PE solution
• Agilysys is a leading hospitality provider
• They incorporated the FreedomPay PCI-validated P2PE solution in their rGuest Pay hospitality payments solution
• The solution uses multi-layer security through a validated P2PE solution and tokenization
• Cardholder data is removed from the hospitality environment
• Because the solution is validated, their merchants’ compliance cost is significantly reduced
Thank You
ROB MARTIN, VP OF SECURITY SOLUTIONS / INGENICO GROUP, NA
WWW.INGENICO.US
Information contained in this document is private and confidential. This document contains information sensitive to the strategic positioning of Double Diamond Group, LLC and is considered a trade secret of Double Diamond Group, LLC.
Tokenization
Agenda
1. What it is
2. Who/how it helps
3. What to do
Tokenization: What it Is
• What it is: Tokenization is the replacement of static card numbers with randomized numbers that cannot be used to complete payment transactions.
• How it’s different than encryption:
  • Encryption uses an algorithm to mask payment data.
  • Tokenization randomizes the data (requires a lookup table).
  • Tokenization is therefore applied at different stages of payment processing.
Tokenization: Who/How it Helps
Merchant Services Providers (MSPs) offer tokenization to reduce data security risks and costs for merchants.
1. The device encrypts card data at the point of entry (hardware-based encryption)
2. The gateway or processor decrypts the data for the network’s use (off of merchant servers),
3. and stores the data in tokenized form for downstream use.
Diagram labels: Issuer (static number) → P2PE-enabled device (encrypted number) → Gateway / processor → Storage, Accounting, Back-office
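An added Go example (not from the slides) of the tokenization defined on the "What it Is" slide and of the tokenized storage in step 3 above: a vault that issues random tokens backed by a lookup table, so a token is worthless without the vault and, because it fails the Luhn check, can never pass as a card number. The Vault type, the keep-the-last-four convention and the PAN length bounds are assumptions.

```go
package main
import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// luhnValid is the check real PANs pass; tokens are issued to fail it, so no token can be submitted as a card number.
func luhnValid(s string) bool {
	sum := 0
	for i := 0; i < len(s); i++ {
		d := int(s[len(s)-1-i] - '0')
		if d > 9 {
			return false // non-digit
		}
		if i%2 == 1 {
			d = d*2 - 9*(d/5) // double every second digit from the right, folding results above 9
		}
		sum += d
	}
	return sum%10 == 0
}
// Vault is the lookup table the definition refers to: the only place a token maps back to a PAN.
// It lives at the gateway/processor, never on merchant systems.
type Vault map[string]string
// Tokenize stores pan and returns a random, non-Luhn-valid token keeping the last four digits for receipts and back-office matching.
func (v Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a valid PAN")
	}
	width := len(pan) - 4
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(width)), nil)
	for {
		n, err := rand.Int(rand.Reader, limit) // uniform, from the OS CSPRNG
		if err != nil {
			return "", err
		}
		tok := fmt.Sprintf("%0*d", width, n.Int64()) + pan[width:]
		if _, taken := v[tok]; !taken && !luhnValid(tok) {
			v[tok] = pan
			return tok, nil
		}
	}
}
// Detokenize is the only way back to the PAN and needs the vault itself.
func (v Vault) Detokenize(tok string) (string, bool) {
	pan, ok := v[tok]
	return pan, ok
}
```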
Tokenization: Who/How it Helps
The same model exists for e-commerce transactions, normally in the form of a hosted payments page.
Diagram labels: Issuer (static number) → Hosted payments page (“Buy Now”; encrypted number) → Gateway / processor → Storage, Accounting, Back-office
Tokenization: Who/How it Helps
Payment networks offer tokenization to reduce data security risks and costs for issuers and consumers.
Diagram labels: Issuer (tokenized number) → Contactless-enabled device (encrypted, tokenized number) → Gateway / processor → Storage, Accounting, Back-office
• Separate the mobile device from the credit card.
• Save money on card replacement.
• Reduce/prevent issuer fraud loss.
End to End Security
Diagram labels: Issuer (static number; EMV and issuer tokenization) → P2PE-enabled device (encrypted number; P2PE) → Gateway / processor (tokenized number; Tokenization) → Storage, Accounting, Back-office
Recommendations
• For complete security, adopt or sell P2PE and tokenization as a package.
• EMV enhances issuer/consumer security and mitigates some chargeback risk. Evaluate based on consumer demand and cost/benefit analysis.
• Contactless also enhances issuer/consumer security, but without impacting merchant chargeback exposure. Contactless adoption does provide some PCI audit relief. Evaluate based on consumer demand and cost/benefit analysis.
• Consider buying/selling in a bundle. When upgrading to P2PE and tokenization, contactless and EMV should be part of the package.