GHL Systems NetMATRIX Terminal Line Encryption 2009 2010

Post on 05-Dec-2014


DESCRIPTION

NetMATRIX (Multi-Application Transaction Routing and Identification eXchange) Terminal Line Encryption is the complete solution for banks wishing to introduce terminal line encryption into their existing POS network infrastructure.

TRANSCRIPT

Agenda

PAYMENT & SECURITY TRENDS

E2EE: What is it?

Computer Desktop Encyclopedia

“… is defined as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination …”

E2EE: The story so far…

Smart Card Alliance Sept 2009

KEY CONCEPTS OF TLE

In cryptography, encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. (Wikipedia)

en·cryp·tion /-'krip-sh&n/

MAC-ing is the process of “fingerprinting” data so that any tampering can be detected. The fingerprint is computed under a key that only the sender and receiver hold, so only they can form a valid MAC; the receiver can therefore authenticate the message and verify its integrity.

Message Authentication Code

THE MALAYSIAN EXPERIENCE

Real Tapping Threats

Wire tapping threats

A brief look at history…

The Line Encryption Working Group

Design Parameters

Key Considerations

MAC algorithm

ENC algorithm

Key Differentiation

Key Usage

Key Storage

ENC Data elements

Design parameter scoring (figure): each of the six parameters is scored by the option number chosen; the parameters offer 2, 2, 4, 2, 3 and 4 options respectively.

Highest Score: 2-2-4-2-3-4

Lowest Score: 1-1-1-1-1-1

Minimum Data Encryption Requirements

Encrypted Data Elements

1. CVV

2. CVV and PAN / Track2

Terminal Key Storage

1. Outside secure module

2. Within tamper reactive module

Key Usage Methodology

1. Unique-key-per-terminal

2. Unique-key-per-session-per-terminal

3. Unique-key-per-transaction

4. Derived Unique Key Per Transaction (DUKPT)

Key Differentiation

1. Same key for ENC & MAC

2. Different key for ENC & MAC

Encryption Algorithm

1. TEA – Tiny Encryption Algorithm

2. DES – Data Encryption Standard

3. 3DES/AES

MAC Algorithm

1. No MAC

2. CRC32 + MAC

3. CRC32 + RMAC

4. SHA-1 + RMAC, or SHA-1 + AES MAC

General Approaches (diagram)

Host-based: Host, HSM, NAC

NAC-based: NAC, Host, SNAC

Interception-based: NAC, Host

THE RESULTS

The Results…

Source: Visa VPSS Payment Security Bulletin, 2006


Payments: The story today…

Source: BNM, 2009 Financial Stability and Payment Systems Report 2008

Payments: The story today

“…(card fraud) losses continued to be insignificant, accounting for less than 0.04% of total card transactions during the year.”

PAYMENT SECURITY MYTHS

Encryption Myths

Summary: Considerations for TLE

Addresses all threats

Addresses Implementation issues

Addresses Deployment Issues

Addresses Administration Issues

Multi-channel & multi-device Support

Remote Key Injection

Vendor Independence

Performance

Cost-Effective

Additional References

1. The Smart Card Alliance (http://www.smartcardalliance.org/)

2. PCI Security Standards Council (https://www.pcisecuritystandards.org/)

3. Visa Best Practices, Data Field Encryption Version 1.0 (http://corporate.visa.com/_media/best-practices.pdf)

4. Secure POS Vendors Association (http://www.spva.org/index.aspx)

5. GHL Systems (http://www.ghl.com/netMATRIX)

Net MATRIX Terminal Line Encryption

“Typical” Transaction Flow (figure): EDC Terminals, Remote NAC, Switching NAC, Acquiring Bank / Acquiring Host (Credit Card Host NII: 160), Issuing Bank Host. Message label: 160 Message.

Encrypted Transaction Flow (figure): EDC Terminals, Remote NAC, Switching NAC, Net MATRIX at the Acquiring Bank (NetMATRIX TLE NII: 161), Acquiring Host (Credit Card Host NII: 160), Issuing Bank Host. Message labels: 161 Enc Message, 160 Enc Message.

Encrypted Transaction Flow II (figure): same components and message labels as the Encrypted Transaction Flow.
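The flow above routes a terminal's message to the TLE by NII (161) and, after the TLE has checked it, on to the card host by NII (160). The following is an added example, not GHL's or NetMATRIX's code, showing the MAC-ing and re-addressing half of that flow with the slides' key considerations applied: a unique key per terminal, different keys for ENC and MAC, and a MAC that covers the routing header. It assumes HMAC-SHA256 for key derivation and for the MAC, and treats the encrypted body as an opaque, already-encrypted field; the decryption step itself is not shown.

```python
import hmac
import hashlib
from typing import Optional

TLE_NII = "161"   # NetMATRIX TLE (from the slides)
HOST_NII = "160"  # Credit Card Host (from the slides)


def derive_terminal_keys(base_key: bytes, terminal_id: str) -> tuple:
    """Unique-key-per-terminal with key differentiation: ENC and MAC keys are
    derived separately (labelled HMAC-SHA256; an assumption of this example),
    so the MAC key never doubles as the ENC key."""
    enc_key = hmac.new(base_key, b"ENC|" + terminal_id.encode(), hashlib.sha256).digest()
    mac_key = hmac.new(base_key, b"MAC|" + terminal_id.encode(), hashlib.sha256).digest()
    return enc_key, mac_key


def compute_mac(mac_key: bytes, nii: str, terminal_id: str, body: bytes) -> bytes:
    """Fingerprint over routing header and body, so a changed NII or terminal
    id is detected just like a changed body. Truncated to 8 bytes (assumption)."""
    data = nii.encode() + b"|" + terminal_id.encode() + b"|" + body
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:8]


def terminal_build(mac_key: bytes, terminal_id: str, enc_body: bytes) -> dict:
    """Terminal side: address the encrypted message to the TLE (NII 161) and MAC it."""
    return {"nii": TLE_NII, "tid": terminal_id, "body": enc_body,
            "mac": compute_mac(mac_key, TLE_NII, terminal_id, enc_body)}


def tle_gateway(base_key: bytes, msg: dict) -> Optional[dict]:
    """Gateway side: verify the MAC with this terminal's own MAC key before any
    other processing; reject (None) on mismatch, otherwise re-address to the
    host (NII 160). The ENC key would be used here to decrypt the body."""
    _enc_key, mac_key = derive_terminal_keys(base_key, msg["tid"])
    expected = compute_mac(mac_key, msg["nii"], msg["tid"], msg["body"])
    if not hmac.compare_digest(expected, msg["mac"]):   # constant-time compare
        return None
    return {"nii": HOST_NII, "tid": msg["tid"], "body": msg["body"]}


def demo() -> dict:
    """Constructed run: a genuine message is forwarded, tampered ones are rejected."""
    base_key = b"constructed-base-derivation-key"          # constructed sample
    _enc, mac_key = derive_terminal_keys(base_key, "T0001")
    msg = terminal_build(mac_key, "T0001", b"\x9a\x1c\x77\x20")  # constructed ciphertext
    return {"forwarded": tle_gateway(base_key, msg),
            "body_tampered": tle_gateway(base_key, dict(msg, body=b"\x9a\x1c\x77\x21")),
            "nii_rewritten": tle_gateway(base_key, dict(msg, nii=HOST_NII)),
            "wrong_terminal": tle_gateway(base_key, dict(msg, tid="T0002"))}
```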

Accolades & Accomplishments
