TRANSCRIPT
PCI P2PE 2.0
What Does it Mean for Merchants and Processors?
September 10, 2015
Agenda
• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A
2015 Conexxus Webinar Schedule*

Month/Date   Webinar Title                       Speaker               Company
July         Mobile Commerce                     Wesley Burress        ExxonMobil
                                                 Don Friedman          P97
September    Point 2 Point Encryption – P2PE     Rustin Miles          Bluefin Payment Systems
September    Asset Tracking in PCI 3.0           Olivia Rose Jenkins   Control Scan
October      NACS Show in Las Vegas              No Webinar            No Webinar
November     Open                                TBD
December     Conexxus – Year end review          TBD
If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at [email protected].
* Update: September 9, 2015
Presenters
• Carl Bayer ([email protected]), Program Manager, Conexxus
• Mark Carl ([email protected]), CEO, EchoSat Communications Group, Inc.
• Rustin Miles ([email protected]), Chief Information Officer, SVP, PCI Professional (PCIP), Bluefin Payment Systems
Future Events
• 2016 Conexxus Annual Conference, May 1 – 5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona
• The NACS Show, October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada
About Conexxus
• We are an independent, non-profit, member-driven technology organization
• We set standards…
  – Data exchange
  – Security
  – Mobile commerce
• We provide vision
  – Identify emerging tech/trends
• We advocate for our industry
  – Technology is policy
bluefin.com Confidential and Proprietary
Webinar Overview
• Introduction
• PCI P2PE Overview
• What’s New with PCI P2PE 2.0
• Implications for Merchants
• Implications for Processors
• Integration Model Overview
• PCI & P2PE: The Road Ahead
Ruston Miles ‐ Bio
• Ruston Miles serves as Chief Innovation Officer of Bluefin Payment Systems. He has over 16 years of experience in payment processing, specializing in developing secure payment gateway technologies. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council Participating Organization (PO) Program.
Bluefin Introduction
• Founded in 2002, payment and security technology expertise
• Inc. 500/5000 honoree since 2011
• First P2PE Solution provider to be PCI‐validated in North America (March 2014)
• Participating Organization (PO) of the PCI Security Standards Council (SSC)
• Bluefin P2PE – Silver Award for Best POS Innovation in the PYMNTS.com Innovation Awards
• Level 1 PCI Service Provider, fully redundant fault-tolerant data centers in Atlanta and Tulsa
Part 1: PCI P2PE Overview
The State of Payment Security – What Lies Beneath
Layered Approach to Security
• P2PE – Protect Data in Motion (“P2PE Protects Transmission”)
• Tokenization – Protect Data at Rest (“Tokenization Protects Storage”)
• EMV – Counterfeit Card Fraud Prevention (“EMV Protects Plastic”)
What is the Problem? What is the Solution?
• US‐CERT says the problem is Malware
• PCI Security Standards Council says the solution is Point‐to‐Point Encryption
PCI Malware Infographic
The PCI Security Standards Council released a Malware infographic in November 2014 addressing POS Malware.
To protect against malware, the infographic recommends considering the implementation of:
• a PCI‐approved point‐of‐interaction (POI) device with SRED functionality
• a PCI‐approved point‐to‐point encryption (P2PE) solution
Won’t EMV Fix This?
The Short Answer: No
After EMV (chip & PIN) implementation in the UK, card‐not‐present fraud spiked 79% and continues at an alarming rate 5 years later.
The complete 16 digit card number and 4 digit expiration date are transmitted in the clear in the EMV payload. Malware continues to steal the clear‐text data in the UK even with EMV. Fraudsters use this stolen data for online fraud and purchases.
Sources: Aite Group and Financial Fraud Action UK
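As an added illustration (not part of the webinar deck), the Python below models the two points made above: the clear EMV Track 2 Equivalent Data payload gives up the full PAN and expiry to any process that handles it, whereas a P2PE POI hands the POS only ciphertext that a PAN scanner cannot read. The sample payload, device key and KSN are constructed values, and the HMAC-based keystream is a stand-in for the POI's real SRED/DUKPT hardware encryption, not Bluefin's or any vendor's implementation.

```python
import hashlib
import hmac

# Constructed EMV tag 57 (Track 2 Equivalent Data) as a chip read returns it: PAN,
# 'D' separator, YYMM expiry, service code, discretionary data, 'F' pad.
# 4111... is a well-known test number, not a real account.
SAMPLE_TAG57 = bytes.fromhex("4111111111111111D25121010000000000000F")
DEVICE_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")  # hypothetical key
KSN = bytes.fromhex("FFFF9876543210E00001")  # hypothetical key serial number


def parse_track2_equivalent(data: bytes) -> dict:
    """What any process holding the clear EMV payload can read out of it."""
    pan, rest = data.hex().upper().split("D", 1)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("no PAN at the start of this payload")
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, as a PAN scanner would apply it."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2])
    return total % 10 == 0


def poi_encrypt(data: bytes, key: bytes, ksn: bytes) -> bytes:
    """Stand-in for SRED encryption inside the POI. A real P2PE POI uses a
    DUKPT-derived key in tamper-resistant hardware; an HMAC-SHA256 keystream
    (counter mode, XOR) models it here. The same call decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, ksn + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pan_exposed(data: bytes) -> bool:
    """True if a Luhn-valid PAN can be lifted from the bytes the POS handles."""
    try:
        return luhn_ok(parse_track2_equivalent(data)["pan"])
    except ValueError:  # no separator, non-digit PAN or bad length
        return False


def demo() -> tuple:
    """Clear EMV payload vs. the P2PE ciphertext the POS sees instead."""
    cipher = poi_encrypt(SAMPLE_TAG57, DEVICE_KEY, KSN)
    recovered = poi_encrypt(cipher, DEVICE_KEY, KSN)  # decryption environment, not the POS
    return pan_exposed(SAMPLE_TAG57), pan_exposed(cipher), recovered == SAMPLE_TAG57
```

With P2PE the only place the clear payload reappears is the decryption environment, which is what takes the POS and store network out of CDE scope.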
PCI P2PE Minimizes Scope, Safeguards Cardholder Data and Protects the Brand
PCI Scope and Cost Reduction
[Chart: Non P2PE Merchants vs. P2PE Merchants – 326 questions reduced to 26 questions for P2PE merchants]
No Business can Afford to Lose Cardholder Data in a Breach
• $201 per lost credit card record, times millions of credit card records
• Some breaches have cost major retailers more than $170 Million
Why Choose a PCI‐Validated P2PE Solution?
• FAQ 1162
PCI‐validated P2PE Solution
When you select a non‐validated P2PE solution:
• No chain of custody or dual control
• No assurance of hardware key management
• No assurance of device audit (PTS 3.x/4.x) or tamper resistance
• No assurance that hardware encryption is used (SRED)
• No assurance that the application/firmware has been PCI‐audited for encryption
• No assurance that all components of the solution have been integrated and configured properly
• No Objective Confidence. You must rely on vendor claims.
P2PE Requirements – Chain of Custody
• Chain of Custody and Dual Control prevent substitution, theft and compromise
• Report on device custody required for annual PCI compliance assessment
PCI P2PE Case Study ‐ Available Now
Part 2: What’s New with PCI P2PE 2.0?
What’s New with PCI P2PE 2.0?
• In a word: Simplification of P2PE Standard
  – P2PE’s founding purpose was to simplify PCI Programs through Cardholder Data Environment (CDE) scope reduction.
  – Many major processors found the P2PE Standard to be rigid and inflexible and could not get their “in‐market” encryption solutions through the P2PE audit.
  – P2PE 2.0 does not lower the requirement bar, but rather modularizes the standard so that providers can outsource/partner for certain solution components.
• In a sentence: Simplification of PCI Program for providers and now also for merchants directly by modularizing the requirements into components and templatizing the PIM (P2PE Instruction Manual)
• Gamechanger: The PCI P2PE Program is now open to merchant‐managed solutions
What’s New with PCI P2PE 2.0?
Modularization: providers and merchants choose from a list of certified P2PE Components to create their P2PE Solutions
P2PE domains:
• Domain 1: Encryption
• Domain 2: Applications
• Domain 3: Solution Management
• Domain 4: Merchant‐Managed (Now Available!)
• Domain 5: Decryption
• Domain 6: Key Management
Component providers: Solution Provider, Application Vendor, Decryption Service Provider, POI Device Management Service Provider, KIFs/CA/RA Service Provider
What’s New with PCI P2PE 2.0?
• Clears up gray areas and potentially confusing overlaps
• Removes illogical logistical requirements that have been fleshed out through implementation
• Templatizing the PIM (P2PE Instruction Manual) simplifies and standardizes PIM creation so merchants know what to expect from providers.
• Check out “P2PE Summary of Changes v1.1 to v2.0” in PCI Documents Library online for a req‐by‐req comparison
What’s New with P2PE 2.0?
• “You can do it!” ‐‐ Perhaps the most groundbreaking change is that “Merchant‐managed Solutions” are now allowed
• “Domain 4: Merchant‐managed Solutions” is no longer a placeholder in the standard. This section has been completed and is ready for prime‐time.
• The P2PE 2.0 Program Guide and component listing to be made available from PCI before the PCI Community Meeting in Vancouver at the end of September, 2015.
• Ruston is speaking at the PCI Community Meeting in Vancouver. Bluefin is a sponsor and will have a booth. See you there.
Part 3: Implications for Merchants
Implications for Merchants
• More PCI‐validated P2PE Solution providers will be listed due to simplification and modularization of the standard
• Merchants have more leverage to push their providers to become PCI P2PE validated.
  – E2EE is no longer “good enough”
  – PCI standards and validations give merchants a common standard to rely on instead of relying on vendor claims and sales gymnastics
  – Threat of merchants creating/managing their own P2PE Solutions will entice providers to validate
• Templatized PIM means merchants know what to expect from solution provider PIMs
• Only Provider Solutions and Components will be listed at PCI’s website. Merchant‐managed Solutions will not be listed on the website.
Implications for Merchants
• No processor lock‐in: many merchants want to manage their own P2PE Solution rather than tying themselves into their processor’s solution.
• Build vs. Buy: modularization means that merchants can outsource components of their P2PE Solution to P2PE‐listed component vendors instead of building it themselves.
Part 4: Implications for Processors
Implications for Processors
• Providers can P2PE‐enable their in‐market encryption solutions by selecting solution components from listed vendors.
• Faster time to market. Lower cost of entry in terms of dollars and technical resources which may currently be committed to EMV projects.
• Processors and gateways can still own the FEP (front‐end processing) and back‐end settlement but use decryption, key injection, chain of custody, and key management services from a listed component vendor.
• Templatization simplifies and accelerates the creation of the PIM.
• P2PE‐listed KIFs and clarity on RKI (remote key injection) will simplify fulfillment and rollout logistics
• PCI P2PE 2.0 is built for adoption
Part 5: Integration Model Overview
Integration Model Overview
• Processor P2PE: for merchants who connect to their processor for all payment and security services
• Telcom Gateway P2PE: for merchants who want minimal impact to existing operations
  – No POS changes
  – No Terminal Application/software changes
  – Network Gateway sits in the middle between the processor and the device, decrypting FPE card data on its way to the processor
• P2PE as a Service: for merchants who manage their own central office or switch
  – Merchants use a virtual HSM to route card data in real time for decryption over high‐speed, private connectivity from the central office.
• Merchant‐Managed P2PE: for merchants who want to manage everything internally
  – Merchant builds out P2PE system and is audited by a PCI P2PE QSA. Certain components can be provided by approved vendors
Part 6: PCI & P2PE: Then and Now
PCI & P2PE: Then and Now
• Are there any petro customers with Bluefin today?
  – Rolled out validated P2PE to Tier 2, 3, and 4 customers throughout 2014 and 2015 to scale systems.
  – Joined Conexxus to work with the Data Security Committee and the P2PE Working Group in P2PE standards for POS and AFD.
• EMV projects are taking much of the focus in 2015 for C‐store. P2PE is the focus for 2016 and beyond. Petro customers want to implement EMV and P2PE together before October 2017.
• PCI P2PE v1.0/1.1 gold standard – P2PE 2.0 is built for adoption
• P2PE Eliminates the pain points
• Visa’s commitment to PCI‐validated P2PE: Visa TIP, Visa DSP, Visa SAIP
• Let’s discuss
• www.bluefin.com