Data Security: PCI DSS and P2PE

PCI DSS Increases Payment Systems Security
• Common PCI DSS (Data Security Standard) program
• PCI Security Standards Council
  • Created in Sep '06
  • By five major card brands
• Data Security Standard evolutions
  • Created in Dec '04 by Visa and Mastercard
  • PCI DSS V2.0 applicable
  • PCI DSS V3.0 under definition
• Applicability
  • Required by major brands since end '07
  • Since '08, the PCI DSS mandate is being enforced on all acquirers, merchants & service providers
Certification Steps for Merchants
1. Identify your merchant level with your acquirer
   (card-brand compliance programs: CISP Program (US/APACS), AIS program (Europe), SDP Program (Site Data Protection), Data Security Program, DSOP (Data Security Operating Policy), DISC (Discover Information Security & Compliance))
2. Validate compliance to PCI DSS
   • Perform an on-site audit (QSA) (levels 1 & 2) or a Self Assessment (level 4)
   • Perform vulnerability scans (performed by an ASV)
3. Provide the compliance report/certificate to your acquirer
   • Renew annually
P2PE: A strong value for retailers
• Reduces PCI DSS certification complexity & costs
  (Chart: PCI DSS with P2PE vs. PCI DSS without P2PE)
• P2PE will become the standard way to achieve PCI DSS certification in retail
A simplified PCI DSS certification process
• Merchant validates the Cardholder Data Environment
• Merchant verifies that his P2PE solution is referenced by the PCI SSC:
  https://www.pcisecuritystandards.org/approved_companies_providers/validated_p2pe_solutions.php
• Merchant applies the "P2PE Implementation Manual"
• Merchant fills in the P2PE-HW Self Assessment Questionnaire
On-Guard Solution Overview
(Architecture diagram) PINPad (PTS, Encryption) → POS → Back-office Server → Payment Server (Decryption, Key Management) → Acquirer. Two scopes are marked on the diagram: the CardHolder Data Environment for merchants and the CardHolder Data Environment for the gateway.
Benefits of P2PE
• Components of P2PE solutions
  1. Encryption Module
  2. Decryption Module
  3. Key Management System
• Systems & networks between the encryption and decryption points do not hold sensitive data
• PCI DSS scope is reduced and certification can easily be achieved
• The solution is easy to deploy on both ends, with minimal impact on POS and back-end applications
On-Guard Certification Status
(Certification diagram, same architecture as the overview: PINPad (PTS, Encryption) → POS → Back-office Server → Payment Server (Decryption, Key Management) → Acquirer, with the CardHolder Data Environments for merchants and for the gateway marked)
• PINPad: PCI PTS V3.0, SRED module
• Payment Server: On-Guard PCI PA-DSS V2.0
• Key Management: PCI PIN
• Infrastructure: PCI DSS V2.0
• Complies with "P2PE Hardware Solution Requirements and Testing Procedures", July '13
• On-Guard P2PE solution to be certified during Q2 2014
On-Guard Features
• Supports all payment types
  • Magnetic cards
  • Chip cards
  • Contactless cards
  • Manual entry
• Flexible encryption of data
  • Sensitive data always encrypted: full track data, PAN, CVV, …
  • Cardholder data optionally encrypted: with the extensive encryption option, "Cardholder Name", "Service Code" and "Expiry Date" can also be protected
  • Last 4 digits and BIN digits optionally in the clear: partial encryption of PAN digits
  • Selectable activation, through "white lists": encryption is not activated for cards with BINs registered in "white list" files
• Non-intrusive encryption
  • Encrypted data has the same format as clear-text data
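The partial, format-preserving PAN encryption and BIN white-list activation described above, as an added illustration that is not On-Guard's code: the BIN and last four digits stay in the clear, the middle digits are replaced by digits, and encryption is skipped for white-listed BINs. A per-transaction key derived from a base key and a counter stands in for DUKPT-style key management; the digit-stream construction is an assumption for illustration, not the FF1/FF3 mode a validated P2PE solution would use.

```python
import hmac
import hashlib
import re

BIN_LEN = 6        # leading digits left in the clear (BIN)
LAST_CLEAR = 4     # trailing digits left in the clear

def derive_txn_key(base_key: bytes, txn_counter: int) -> bytes:
    """Per-transaction key; the counter travels in the clear like a DUKPT KSN (simplified stand-in)."""
    return hmac.new(base_key, b"txn" + txn_counter.to_bytes(8, "big"), hashlib.sha256).digest()

def _digit_stream(txn_key: bytes, n: int) -> list:
    """n uniform keystream digits from HMAC-SHA256 in counter mode; bytes >= 250 are rejected to avoid bias."""
    digits, counter = [], 0
    while len(digits) < n:
        block = hmac.new(txn_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in block:
            if b < 250 and len(digits) < n:
                digits.append(b % 10)
        counter += 1
    return digits

def encrypt_pan(pan: str, base_key: bytes, txn_counter: int, bin_whitelist: set):
    """Returns (output_pan, encrypted). Output keeps PAN length and digit format."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    if pan[:BIN_LEN] in bin_whitelist:
        return pan, False          # white-listed BIN: encryption not activated
    middle = pan[BIN_LEN:-LAST_CLEAR]
    ks = _digit_stream(derive_txn_key(base_key, txn_counter), len(middle))
    enc = "".join(str((int(d) + k) % 10) for d, k in zip(middle, ks))
    return pan[:BIN_LEN] + enc + pan[-LAST_CLEAR:], True

def decrypt_pan(out: str, base_key: bytes, txn_counter: int, encrypted: bool) -> str:
    """Decryption-module side: reverses the digit-wise addition for the middle digits only."""
    if not encrypted:
        return out
    middle = out[BIN_LEN:-LAST_CLEAR]
    ks = _digit_stream(derive_txn_key(base_key, txn_counter), len(middle))
    dec = "".join(str((int(c) - k) % 10) for c, k in zip(middle, ks))
    return out[:BIN_LEN] + dec + out[-LAST_CLEAR:]

if __name__ == "__main__":
    key = b"constructed-base-key-for-demo-only"   # constructed sample, not a real key
    out, flag = encrypt_pan("4111111111111111", key, 7, {"400000"})
    print(out, flag, decrypt_pan(out, key, 7, flag))
```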