netmatrix tle terminal line encryption. spva certified, dukpt, 3des, des, aes, end-to-end encryption...

Post on 07-Dec-2014


DESCRIPTION

NetMATRIX (Multi-Application Transaction Routing and Identification eXchange) Terminal Line Encryption is the complete solution for banks wishing to introduce terminal line encryption into their existing POS network infrastructure.

1. Multi-box, high-performance, high-availability, load-balancing architecture
2. Multi-host links: performs smart routing to multiple hosts
3. Multiple channels: dial-up, leased lines, GPRS, broadband
4. End-to-end encryption (E2EE) featuring multiple encryption algorithms: TEA, DES, 3DES, AES
5. Upstream/downstream encryption
6. Multiple MACing algorithms: X9.9, X9.19, SHA-1 + X9.9, SHA-1 + X9.19
7. Multiple key management schemes: unique key per terminal, unique key per transaction
8. Supports different messaging formats (full message encryption, selected field encryption)
9. Local and remote secure key injection capabilities
10. Supports leading terminal brands and models
11. PCI compliance

With NetMATRIX TLE, we addressed network security and fraud threats with a plug-and-play solution that requires no host changes. In providing critical capabilities such as remote key injection and management, NetMATRIX also addresses other administration and deployment issues such as mixed terminal environments, phased deployments, and key changeovers. Despite its holistic approach to security and encryption, it is also scalable and highly available to meet the demands of mission-critical, high-volume transaction processing environments, providing 3-in-1 functionality: a combination of Switching NAC, Concentrator NAC and TLE.

TRANSCRIPT

Agenda

PAYMENT & SECURITY TRENDS

Payments: The story so far…

“…Globally, the drive to increase (card) payments efficiency and security is relentless…”

“…Globalisation is increasingly emphasising the need for widely accessible, seamless, & secure ways of effecting non-cash payments to facilitate consumer spending, and to reduce fraud and money laundering.…”

“…More efficient, effective systems could also help lessen systemic risk & potentially provide a source of additional retail revenue for banks.…”

Vietnam embraces the electronic era

“…Vietnam is regarded by the global banking industry as one of the most fertile growth hotspots in the world, particularly for cards and electronic payments….”

VRL Financial News, October 2009

Security: The story so far…

“…increased incidences of ATM and card skimming.…”

“…the need to reassure cardholders about the safety and security of card transactions.…”

“Statistics from 2007 show the level of payment card fraud in Vietnam stood at 0.15 percent of total card payments, a much higher level than the global average of 0.06 percent.”

E2EE: What is it?

Computer Desktop Encyclopedia

“…is defined as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination.…”

E2EE: The story so far…

Smart Card Alliance, Sept 2009

KEY CONCEPTS OF TLE

In cryptography, encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. (Wikipedia)

en·cryp·tion /-'krip-sh&n/

MAC-ing is the process of “fingerprinting” data so that any tampering can be detected, where the fingerprint is encrypted so that only the sender and receiver can form a real MAC, allowing the receiver to authenticate and verify the message.

Message Authentication Code

THE MALAYSIAN EXPERIENCE

Real Tapping Threats

Wire tapping threats

A brief look at history…

The Line Encryption Working Group

Design Parameters

Key Considerations

[Chart: six scored design parameters: MAC algorithm, ENC algorithm, Key Differentiation, Key Usage, Key Storage, ENC Data elements]

Highest Score: 2-2-4-2-3-4
Lowest Score: 1-1-1-1-1-1

Minimum Data Encryption Requirements

Encrypted Data Elements
1. CVV
2. CVV and PAN / Track2

Terminal Key Storage
1. Outside secure module
2. Within tamper reactive module

Key Usage Methodology
1. Unique-key-per-terminal
2. Unique-key-per-session-per-terminal
3. Unique-key-per-transaction
4. Derived Unique Key Per Txn (DUKPT)

Key Differentiation
1. Same key for ENC & MAC
2. Different key for ENC & MAC

Encryption Algorithm
1. TEA – Tiny Encryption Algorithm
2. DES – Data Encryption Standard
3. 3DES/AES

MAC Algorithm
1. No MAC
2. CRC32 + MAC
3. CRC32 + RMAC
4. SHA-1 + RMAC, or SHA-1 + AES MAC
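The MAC-ing concept from "Key Concepts of TLE" and the MAC Algorithm and Key Differentiation options in this list can be made concrete in code. The Go program below is an added example written for this page, not code from GHL or NetMATRIX: it implements the ANSI X9.9 CBC-MAC and the ANSI X9.19 retail MAC with Go's standard crypto/des package, verifies a tag in constant time, and shows a tampered message failing verification. The keys and the message are constructed test values; the SHA-1 pre-hash of the "SHA-1 + X9.19" option is not included.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// padZero applies ISO 9797-1 padding method 1 (zero bytes up to a multiple of the
// 8-byte DES block), the padding the X9.9 and X9.19 MACs apply to the message.
func padZero(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	if r := len(out) % des.BlockSize; r != 0 {
		out = append(out, bytes.Repeat([]byte{0}, des.BlockSize-r)...)
	}
	return out
}

// MACX99 computes the ANSI X9.9 MAC: DES-CBC with a zero IV under one 8-byte key;
// the last cipher block is the MAC (deployments commonly send its leftmost 4 bytes).
func MACX99(key, msg []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	state := make([]byte, des.BlockSize)
	data := padZero(msg)
	for i := 0; i < len(data); i += des.BlockSize {
		for j := range state {
			state[j] ^= data[i+j]
		}
		blk.Encrypt(state, state)
	}
	return state, nil
}

// MACX919 computes the ANSI X9.19 retail MAC: the X9.9 chain under K1, then the
// final block is decrypted with K2 and re-encrypted with K1. Only that last step
// costs a 3DES operation, yet an attacker who brute-forces the single-DES K1 still
// lacks K2 and cannot forge a fingerprint. K1 and K2 are both MAC keys: the
// "different key for ENC & MAC" option means neither is reused for encryption.
func MACX919(k1, k2, msg []byte) ([]byte, error) {
	inner, err := MACX99(k1, msg)
	if err != nil {
		return nil, err
	}
	c1, err := des.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	c2, err := des.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	c2.Decrypt(inner, inner)
	c1.Encrypt(inner, inner)
	return inner, nil
}

// Verify recomputes the retail MAC and compares in constant time, so a forged
// fingerprint is rejected without leaking how many bytes matched.
func Verify(k1, k2, msg, tag []byte) bool {
	want, err := MACX919(k1, k2, msg)
	return err == nil && subtle.ConstantTimeCompare(want, tag) == 1
}

func main() {
	k1, _ := hex.DecodeString("0123456789ABCDEF") // constructed keys, not from any deployment
	k2, _ := hex.DecodeString("FEDCBA9876543210")
	msg := []byte("0200|PAN=411111******1111|AMT=000000001000") // constructed message
	tag, _ := MACX919(k1, k2, msg)
	fmt.Printf("MAC=%X valid=%v\n", tag, Verify(k1, k2, msg, tag))
	msg[len(msg)-1] = '9' // a line tap changes the amount: the MAC no longer verifies
	fmt.Printf("after tamper valid=%v\n", Verify(k1, k2, msg, tag))
}
```

With K2 equal to K1 the final decrypt and encrypt cancel and the retail MAC collapses to plain X9.9, which is why the second key has to be genuinely different; the check in Verify is the receiver-side step the slide calls "authenticate & verify the message".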

General Approaches

[Diagram: three deployment topologies. Host-based: Host with HSM, NAC. NAC-based: Host, SNAC (secure NAC), NACs. Interception-based: NACs, Host.]

TLE: Typical Transaction Flow

[Diagram: Terminal on one side, Data Center Host/NAC on the other, with the numbered steps:]

1. Encrypt selected fields in transaction (Terminal)
2. Decrypt & validate transaction (Data Center Host/NAC)
3. Reform to original message
4. Send to Host
5. Response from Host
6. Encrypt & MAC response
7. Decrypt & validate response message (Terminal)
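The seven steps above, worked through in Go as an added example written for this page (not GHL's or NetMATRIX's code). It assumes the terminal message is modelled as a routing NII plus ordered name=value fields rather than real ISO 8583, assumes the NII selects the destination as the architecture slides later in the deck label it (160 = credit card host, 161 = NetMATRIX TLE), and swaps in AES-GCM for selected-field encryption and HMAC-SHA-256 for the MAC in place of the 3DES and X9.19 options the deck lists. Keys and the sample transaction are constructed. Only the selected fields (PAN, CVV) are encrypted so the routing fields stay readable, the MAC is checked before anything is decrypted, and the same Protect/Unprotect pair serves the response leg.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const NIIHost, NIITLE = "160", "161" // NIIs as labelled on the slides (assumed here to select the destination)

// Wire model constructed for this example; real terminals use ISO 8583.
type (
	Field    struct{ Name, Value string; Sensitive bool } // Sensitive marks PAN/Track2/CVV, the elements that get encrypted
	Message  struct{ NII string; Fields []Field; MAC string } // routing NII, ordered fields, hex MAC
	TermKeys struct{ Enc cipher.AEAD; Mac []byte }           // unique-key-per-terminal; different keys for ENC and MAC
)

// NewTermKeys wraps a terminal's 16/24/32-byte AES ENC key as AES-GCM and keeps the MAC key separate.
func NewTermKeys(encKey, macKey []byte) (TermKeys, error) {
	blk, err := aes.NewCipher(encKey)
	if err != nil { return TermKeys{}, err }
	g, err := cipher.NewGCM(blk)
	return TermKeys{Enc: g, Mac: macKey}, err
}

// mac is HMAC-SHA-256 over the NII and every field (ciphertexts included), standing in for SHA-1 + X9.19.
func mac(key []byte, m *Message) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(m.NII))
	for _, f := range m.Fields {
		fmt.Fprintf(h, "|%s=%s", f.Name, f.Value)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// encryptField: AES-GCM with a fresh nonce prepended, hex encoded so it fits an alphanumeric field.
func encryptField(g cipher.AEAD, s string) (string, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	return hex.EncodeToString(g.Seal(nonce, nonce, []byte(s), nil)), nil
}

func decryptField(g cipher.AEAD, s string) (string, error) {
	raw, err := hex.DecodeString(s)
	if err != nil { return "", err }
	if len(raw) < g.NonceSize() { return "", errors.New("ciphertext too short") }
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	return string(pt), err
}

// mapSensitive copies the fields, applying fn only to the sensitive ones.
func mapSensitive(in []Field, fn func(string) (string, error)) ([]Field, error) {
	out := append([]Field(nil), in...)
	for i := range out {
		if !out[i].Sensitive { continue }
		v, err := fn(out[i].Value)
		if err != nil { return nil, err }
		out[i].Value = v
	}
	return out, nil
}

// Protect is steps 1 and 6: encrypt the sensitive fields, set the destination NII, MAC the result.
func Protect(k TermKeys, in *Message, nii string) (*Message, error) {
	fields, err := mapSensitive(in.Fields, func(v string) (string, error) { return encryptField(k.Enc, v) })
	if err != nil { return nil, err }
	out := &Message{NII: nii, Fields: fields}
	out.MAC = mac(k.Mac, out)
	return out, nil
}

// Unprotect is steps 2-3 and 7: verify the MAC before touching any ciphertext, then decrypt and re-address.
func Unprotect(k TermKeys, in *Message, nii string) (*Message, error) {
	if !hmac.Equal([]byte(mac(k.Mac, in)), []byte(in.MAC)) { return nil, errors.New("MAC verification failed, message rejected") }
	fields, err := mapSensitive(in.Fields, func(v string) (string, error) { return decryptField(k.Enc, v) })
	if err != nil { return nil, err }
	return &Message{NII: nii, Fields: fields}, nil
}

// RunFlow walks the seven steps on constructed data; returns what the host sees and what the terminal gets back.
func RunFlow(k TermKeys) (host, term *Message, err error) {
	txn := &Message{Fields: []Field{{"PAN", "4111111111111111", true}, {"CVV", "123", true}, {"AMOUNT", "1000", false}}}
	wire, err := Protect(k, txn, NIITLE) // 1: terminal encrypts PAN/CVV and addresses the TLE
	if err != nil { return nil, nil, err }
	host, err = Unprotect(k, wire, NIIHost) // 2-4: TLE validates, reforms the clear message, forwards to host
	if err != nil { return nil, nil, err }
	resp := &Message{Fields: []Field{{"RESPCODE", "00", false}, {"PAN", host.Fields[0].Value, true}}} // 5: host response
	respWire, err := Protect(k, resp, NIITLE) // 6: TLE encrypts & MACs the response
	if err != nil { return nil, nil, err }
	term, err = Unprotect(k, respWire, NIITLE) // 7: terminal validates & decrypts
	return host, term, err
}

func main() {
	k, _ := NewTermKeys([]byte("0123456789abcdef0123456789abcdef"), []byte("constructed-mac-key")) // constructed keys
	host, term, err := RunFlow(k)
	fmt.Println(host.Fields[0].Value, term.Fields[0].Value, err)
}
```

Two properties of the flow are worth checking against the design parameters: the host receives the reformed clear message without any host change (step 3), and a message validated under another terminal's keys, or with any clear field altered in transit, is rejected at the MAC check before a single field is decrypted.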

THE RESULTS

The Results…

[Chart slides not included in the transcript. Source: Visa VPSS Payment Security Bulletin, 2006]

Payments: The story today…

Source: BNM, 2009 Financial Stability and Payment Systems Report 2008

Payments: The story today

“…(card fraud) losses continued to be insignificant, accounting for less than 0.04% of total card transactions during the year.”

PAYMENT SECURITY MYTHS

Encryption Myths

Summary: Considerations for TLE

Addresses all threats

Addresses Implementation issues

Addresses Deployment Issues

Addresses Administration Issues

Multi-channel & multi-device Support

Remote Key Injection

Vendor Independence

Performance

Cost-Effective

Additional References

1. The Smart Card Alliance (http://www.smartcardalliance.org/)
2. PCI Security Standards Council (https://www.pcisecuritystandards.org/)
3. Visa Best Practices, Data Field Encryption Version 1.0 (http://corporate.visa.com/_media/best-practices.pdf)
4. Secure POS Vendors Association (http://www.spva.org/index.aspx)
5. GHL Systems (http://www.ghl.com/netMATRIX)

WHAT IS NETMATRIX TLE?

NetMATRIX TLE (Terminal Line Encryption) is a plug-and-play solution for banks who wish to introduce terminal line encryption into their POS network infrastructure.

Net MATRIX Terminal Line Encryption

NetMATRIX TLE: Approach

[Diagram: the same three topologies shown under "General Approaches": Host-based (Host with HSM, NAC), NAC-based (Host, SNAC, NACs), Interception-based (NACs, Host).]

Key Considerations

Key Features

NETMATRIX ARCHITECTURE

“Typical” Transaction Flow

[Diagram: on the Acquiring Bank side, EDC Terminals, Remote NACs, a Switching NAC, Net MATRIX and the Acquiring Host (Credit Card Host, NII: 160), connected to the Issuing Bank Host. The terminal message is labelled "160 Message".]

Encrypted Transaction Flow

[Diagram: the same participants, with NetMATRIX TLE labelled NII: 161 beside the Credit Card Host at NII: 160. Message labels: "161 Enc Message" from the terminals, "160 Enc Message" towards the host.]

Encrypted Transaction Flow II

[Diagram: same participants and message labels as the previous slide.]

NetMATRIX: How it Works

[Diagram: the seven-step flow between Terminal and Data Center Host/NAC shown under "TLE: Typical Transaction Flow": encrypt selected fields in transaction, decrypt & validate transaction, reform to original message, send to Host, response from Host, encrypt & MAC response, decrypt & validate response message.]

Efficiency: Clustering & Load-Balancing

[Diagram: Host/NAC in front of a TCP/IP cluster, with load balancing across the cluster.]

Business Continuity: Auto-Failover

[Diagram: Host/NAC in front of a TCP/IP cluster, with TCP/IP failover between cluster members.]

GHL SYSTEMS

Our Mission

To be the leading end-to-end payment services enabler in the Asia-Pacific region, deploying world-class payment infrastructure, technology and services.

Products & Services offerings

World-class payment infrastructure, services and technology:

Transaction routers & concentrators

Terminal Line Encryption technologies

Loyalty & Online Payment solutions

Smartcard technologies

24x7 Managed Network Services

Consulting Services

Terminal Management Solutions

Contactless Payments

Complete Payment Network Integration

Addressing Strategic Needs

GHL Systems Regional Presence

Country Offices: Bangkok, Beijing, Hong Kong, Kuala Lumpur, Manila, Singapore, Hanoi, Ho Chi Minh City, Wuhan

Products Deployed: Australia, Bangladesh, Bhutan, Brazil, Brunei, Cambodia, China, Guam, Hong Kong, KSA, India, Indonesia, New Zealand, Pakistan, Philippines, Qatar, Romania, Sri Lanka, Seychelles, Taiwan, Thailand, Vietnam, United Kingdom

Future Expansion: Australia/NZ, Brazil, India, Qatar, Romania, UAE, United Kingdom, USA

Accolades & Accomplishments

• MSC APICTA Asia/Pacific ICT Awards 2009: Security & Communications

• MSC APICTA Asia/Pacific ICT Awards 2008: Financial Applications & Communications

• MasterCard Worldwide PayPass Best Product Solutions Partner 2008

• Largest Third-Party Debit Acquirer in Malaysia 2008 - CardPay

• VeriFone’s VIP (distributor) in Malaysia since 1999

• Verifone President’s Club Award 2000, 2002, 2003, 2004, 2005 Award for outstanding performance in Asia-Pacific

• VeriFone Innovation Award 2001, 2002, 2003 & 2007

• Ingenico / Sagem-Monetel OEM Partner 2006, 2007, 2008 & 2009

• Sagem-Monetel Partner Value Added Reseller for Malaysia/South East Asia 2006-2007

• Sagem Defense Securite SHARK Club Member 2006

• D’ucoty Awards Market Leadership Malaysia 2005

• D’ucoty Awards Banking – Product Innovation Southeast Asia Gold Award 2006

• Frost & Sullivan Industrial Technologies Award - Vertical Market Penetration Leadership: Smart Cards Financial Application Market (Malaysia) 2006

• VISA VPSS-Certified POS Equipment Vendor 2006

Customer References

Malaysia
Singapore
Indonesia
Vietnam
Brunei
Philippines
China / Hong Kong
Middle East
Romania
Asia/Pacific
Australia / New Zealand
Thailand

Thank you

Alex Tan
Vice President – International Sales
Alex.tan@ghl.com