
ControlCase Annual Conference – Orlando, Florida USA 2015

PCI Point To Point Encryption (P2PE)

An Overview

Moderator Name: Erik Winkler

Panelists Names: Sonjay Shepherd – HiTouch Business Services, Adam Sommer – MasterCard

Definition of Account Data

Account Data consists of cardholder data and/or sensitive authentication data.

Cardholder Data includes:

• Primary Account Number (PAN)
• Cardholder Name
• Expiration Date
• Service Code

Sensitive Authentication Data includes:

• Full Magnetic Stripe Data or Equivalent on a Chip
• CAV2/CVC2/CVV2/CID
• PINs/PIN block

What is P2PE?

• A point-to-point encryption (P2PE) solution cryptographically protects account data from the point where a merchant accepts the payment card to the secure point of decryption.

Typical Payment Method

Diagram: account data (with an encrypted PIN) travels from the merchant POS to the acquirer/authorization host and is encrypted only at the communication layer on each hop. The PCI scope marker spans the merchant, the POS and the path to authorization.

Payment Method in P2PE

Diagram: the POI encrypts account data immediately after reading, using its SRED function. The encrypted account data passes through the merchant POS and network unchanged and is decrypted only by the HSM (or hybrid) in the decryption environment at the P2PE solution provider, before authorization. The PCI scope marker at the merchant sits on the POS only.

Who should consider P2PE?

This is intended for Merchants:

• Better Security
• Easier Compliance
• More options

P2PE Solution overview

Typical data-flow (diagram): Merchant Environment (PTS approved POS with SRED) → encrypted account data → P2PE Solution Provider (Decryption Environment) → Authorization.
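The "Payment Method in P2PE" and "P2PE Solution overview" slides describe the same flow: the POI encrypts at card read (SRED), the merchant POS and network only relay ciphertext, and only the solution provider's decryption environment holds the key. The following toy model is an added illustration, not code from the ControlCase deck. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) so the script runs offline; the `POI`, `merchant_pos_forward` and `decryption_environment` names, the sample track data and the all-zero key are constructed for the example. A real solution uses a PTS-approved POI and a PTS-approved HSM with HSM-managed keys.

```python
# Toy model of the P2PE data flow on the slides. Added illustration, not ControlCase code.
# ASSUMPTION: HMAC-SHA256 keystream + HMAC tag stands in for the POI/HSM cipher.
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

PAN_PATTERN = re.compile(rb"\b\d{13,19}\b")   # crude cleartext-PAN detector for the scope check

# Constructed sample values: a well-known test PAN in track-2 style, and a dummy key.
SAMPLE_TRACK2 = b"4111111111111111=2512101"
P2PE_KEY = bytes(32)   # constructed; real keys are generated and held inside the HSM


def _derive(key: bytes, label: bytes) -> bytes:
    """Split separate encryption and MAC keys off the shared P2PE key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real block cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_account_data(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_account_data(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting so tampered data is rejected, not decrypted."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("account data failed integrity check")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class POI:
    """PTS-approved point of interaction with SRED: account data is encrypted at read."""
    key: bytes

    def read_card(self, track_data: bytes) -> dict:
        # SRED behaviour: cleartext never leaves the secure reader.
        return {"device_id": "POI-0001",
                "encrypted_account_data": encrypt_account_data(self.key, track_data)}


def merchant_pos_forward(message: dict) -> bytes:
    """Merchant POS and network only relay the message; they hold no decryption key."""
    return message["device_id"].encode() + b"|" + message["encrypted_account_data"]


def merchant_handles_cleartext_pan(wire_bytes: bytes) -> bool:
    """Scoping check: does anything the merchant touches contain a cleartext PAN?"""
    return PAN_PATTERN.search(wire_bytes) is not None


def decryption_environment(key: bytes, wire_bytes: bytes) -> dict:
    """Solution provider's decryption environment: HSM decrypts, then authorization proceeds."""
    device_id, blob = wire_bytes.split(b"|", 1)
    track = decrypt_account_data(key, blob)
    pan = track.split(b"=", 1)[0]
    return {"device_id": device_id.decode(), "pan": pan.decode()}


def run_transaction(key: bytes, track_data: bytes) -> dict:
    """End-to-end flow; reports what the merchant saw and what authorization received."""
    wire = merchant_pos_forward(POI(key).read_card(track_data))
    return {"merchant_saw_pan": merchant_handles_cleartext_pan(wire),
            "authorization": decryption_environment(key, wire)}


if __name__ == "__main__":
    print(run_transaction(P2PE_KEY, SAMPLE_TRACK2))
```

Running the script shows `merchant_saw_pan` as `False` while the decryption environment still recovers the PAN, which is the scope-reduction argument the slides make; the same detector returns `True` on the raw track data, i.e. on what a non-P2PE POS would be handling.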

PCI Security & Compliance

PCI Family of Standards (diagram):

• PCI PTS – PIN Entry Devices (Manufacturers)
• PCI PA-DSS – Payment Application Vendors (Software Developers)
• PCI DSS – Data Security Standard (Merchants & Processors)
• P2PE – spans the above: an ecosystem of payment devices, applications, infrastructure and users

Benefits of P2PE

• Offers a powerful, flexible solution for all stakeholders
• Makes account data unreadable by unauthorized parties
• Reduces fraud and theft
• Protects customer data and client reputation
• Simplifies compliance with PCI DSS
• Recognized by all Participating Payment Brands

Description of P2PE

• It is either a Solution or an Application.

• P2PE Solution

A point-to-point encryption solution consists of point-to-point encryption and decryption environments, the configuration and design thereof, and the P2PE Components that are incorporated into, a part of, or interact with such environment.

• P2PE Application

A software application that is included in a P2PE Solution and assessed per P2PE Domain 2 Requirements, and is intended for use on a PCI-approved point-of-interaction (POI) device or otherwise by a merchant.

• P2PE Components

Any application or device that stores, processes, or transmits account data as part of payment authorization or settlement, or that performs cryptographic key management functions, and is incorporated into or a part of any P2PE Solution.

Component of P2PE

• POI approved by PCI PIN Transaction Security (PTS) POI
• HSM for decryption approved by PCI PTS HSM
• Key Operation derived from PCI PTS PIN standard
• POI Application aligns with PA-DSS
• Decryption environment conforms with PCI DSS

ControlCase P2PE offerings

• Guidance on designing P2PE Solutions
• Review of P2PE Solution design
• Guidance on preparing the P2PE Instruction Manual
• Pre-assessment (“gap” analysis) services
• Guidance for bringing the P2PE Solution into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment
• Certifying P2PE Solutions and Applications

Q & A