eft transaction security april-2007
TRANSCRIPT
![Page 1: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/1.jpg)
EFT Transaction Security (EFTSec)A Secure Transaction Solution for EDC Transaction
![Page 2: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/2.jpg)
Introduction
• Recent trend in the electronic payment industry showed an increased level of credit card fraud sophistication:
– “Skimming”› Handheld readers› Embedded device in terminals
– “Wiretapping” : the illegal installation of monitoring devices on telephone lines to extract or view credit/debit card information from the terminals’ data traffic
![Page 3: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/3.jpg)
How does Skimming work ?
Skimming by Clerks at the Merchant Locations
Skimming During the Data Capture and Transmission Process
Handheld readers
Embedded device in terminals
![Page 4: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/4.jpg)
How does Wiretapping work ?
The method obtains Transaction information (e.g. Track 2, CVV) from one terminal
![Page 5: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/5.jpg)
How does Wiretapping work ?
The method obtains Transaction information (e.g. Track 2, CVV) from many terminal
![Page 6: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/6.jpg)
Payment transactions sent in the clear
Introduction
• Current payment transactions are sent in the clear, making it possible for technically-savvy criminals to easily intercept sensitive information in the middle of the transaction transport
Terminal
TelcoNetwork Service
NAC
HostProcessor
![Page 7: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/7.jpg)
Defense Against Skimming and Wiretapping
Hide the payment transaction information of terminal request transactions
Hide the payment transactions
Terminal
TelcoNetwork Service
NAC
HostProcessor
![Page 8: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/8.jpg)
Methods: Hide Transaction Data
•Scramble the data– Fix formula and key to scramble
transaction data– Easy to break and get the data
•Encrypt the data– Standard DES or Triple DES– Same logic as Debit Transaction– Encrypt specific Field or whole massage
![Page 9: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/9.jpg)
Encryption the transaction solution
Terminal
TelcoNetwork Service
NACHostProcessor
Encrypt transaction data Clear transaction data
![Page 10: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/10.jpg)
Encryption the transaction solution
Terminal
TelcoNetwork Service
NACHostProcessor
Encrypt transaction data
SecurityProcessor
Clear transaction data
![Page 11: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/11.jpg)
Hypercom Solutions:
Propose Two solutions
1. EFTSec® Network
–Encryption upto Network layer
2. EFTSec® Application
–Encryption upto Adaptive layer
![Page 12: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/12.jpg)
Hypercom EFTSec®
• A secure solution to prevent “wiretapping” fraud– Allow all or a portion of the transaction data from a terminal
request message to be encrypted
• Design to be secure and less intrusive for implementation in an existing operating environment– No Host or host application changes required
• Support mix of EFTsec and non-EFTsec transactions– DES and 3DES encryption used
![Page 13: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/13.jpg)
Hypercom EFTSec®
• Support multiple encryption keys with unique addressability for each acquirer
• Open standard solution available to other terminal vendors
![Page 14: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/14.jpg)
EFTSec® Network Solution
![Page 15: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/15.jpg)
EFTSec® Network Solution
A key index number (KIN) is used to associate mutltiple encryption keys with each acquirer
A key index number (KIN) is used to associate mutltiple encryption keys with each acquirer
Enhanced TPDU + encrypted transaction
Standard response in the ‘clear’
Standard transaction request
Standard transaction response
Dial port decryptstransaction using key
identified in theenhanced TPDU
TelcoNetwork Service
![Page 16: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/16.jpg)
EFTSec® Network Components
1. Dial access port with encryption/decryption capability
2. HypercomView EFTsec Key Management System
3. Terminal application to support data encryption– Terminal SW development required
4. Terminal key management and key load system– Hypercom terminal uses the
Hypercom Key Loading and Management (HKLM)
![Page 17: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/17.jpg)
• Proofed technology for secure dial access solution• Faster transaction processing time• No bottle-neck and Scalable• Support mix of non-EFTSec and EFTSec transaction• Open standard available for other terminal vendors
Summary: EFTSec® Network
![Page 18: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/18.jpg)
EFTSec® Application Solution
![Page 19: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/19.jpg)
EFTSec® Application
• A secure solution to prevent “wiretapping” fraud• Design to be secure and less intrusive for
implementation in an existing operating environment– No host & host application changes required– No Network changes required
• Support unique encryption key:– Unique key for each acquirer– Unique key for each terminal
• Available for terminal key management and key load• Open standard solution available for
other terminal vendors
![Page 20: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/20.jpg)
EFTSec® Application Features
• Transaction encryption– Specific field encryption– Whole message encryption
• Highly Scalable and support Load sharing– Reduce bottleneck problem– Increase reliability, not to rely on single processor
• Support all access network and media– Dial up and Leased line– IP and GPRS
• Proven high performance:– Benchmarked at 100 TPS/processor
![Page 21: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/21.jpg)
Terminal
TelcoNetwork Service
NACHostProcessor
Encrypted transaction data EFTSecSecurity
Processor
Clear transaction data
Standard transaction request
Clear transaction data
Standard transaction response
Architecture of EFTSec® Solution
![Page 22: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/22.jpg)
Bank Host
Transaction fromExisting EDC Network
Non Secure
Transaction
SwitchingNAC
EFTSec® Network Configuration
EFTSec Secure Processor
TCP/IP
HSM HSM
Encrypted
Transaction
Normal
Transaction
Bank Host
Non Secure
Transaction
SwitchingNAC
![Page 23: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/23.jpg)
EFTSec® Network Configuration
Existing EDC Network
Application 1(Credit Host)
Credit Debit Other
Secure Terminal
Application 2(Debit Host)
ExistingSwitchingNAC
EFTSec Secure Processor
Ethernet LAN TCP/IP
HSMKMSTLES
HSMKMSTLES
Concentration NAC
Encrypted
Transaction
Normal
Transaction
1
2
Application 3(e.g. Fleet, MCC, EPP)
Secure Acquire
3
4
TMKTWK
![Page 24: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/24.jpg)
EFTSec® System Applications
EFTSec System: consists of the following components:
• Key Management System• Terminal Line Encryption system• Hardware Security• POS Terminal
![Page 25: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/25.jpg)
Key Management Module
•Function of the Key Management Module – Key Generation– Encrypting Key and Store– Support Hardware Security Module (HSM) to
encrypt and store Local Master Key (LMK)– Support encryption keys export/import
operations.– POS terminal encryption key download
![Page 26: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/26.jpg)
Terminal Line Encryption Module
• Terminal Line Encryption Module– Message validation and decryption– Message regeneration and routing for Host authorization
processing– Support Multiple encryption algorithms, DES, 3DES, AES.– Support MAC message authentication
• Field encryptedo Field 2, Primary Account Number (PAN)o Field 14 , Card Expiration Dateo Field 35 , Track II data
![Page 27: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/27.jpg)
Terminal Line Encryption Module
• HSM (Hardware Security Module) Secure and store Local Master KeyG enerate all other master key and working key Support Decrypt/Encrypt message data
• POS Terminal Support Key downloading and storing keys. Support sensitive data fields encryption/decryption Support MAC generation & validation processing. - Support multiple secure and non secure acquirer function,
![Page 28: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/28.jpg)
Key Components
•Key Encryption Key (KEK)– Individual key generated by Acquire, Vender.– Use for TMK Downloading during the terminal
installation process.
•Terminal Master Key (TMK)– Protected online Terminal Working Key– Stored in the terminal
![Page 29: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/29.jpg)
Key Components
•Terminal Working Key (TWK)– TWK consists of Two working keys:
›Data Encryption Key (DEK)›MAC Authentication Key (MAK)
– Protected online transaction data
![Page 30: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/30.jpg)
KEK Key Generation
KMS
Acquirer &Vendor
Info
KEK SIM CardCard Info HSM
SIMCardSIM
CardSIMCard
SIMCardSIM
CardSIMCard
Vendor A.Vendor A.
Vendor B.Vendor B.
![Page 31: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/31.jpg)
Key Download Flow
EFTSec Secure Processor
TCP/IP
HSM HSM
Terminal Master Key (TMK) Initialization
TMK Generated Individual byIndividual terminalKEKe(TMK) response to Terminal
Terminal Working Key (TWK) Logon
TWK Generated Individual by individual terminalTMKe(TWK) response to Terminal
SIMCard
![Page 32: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/32.jpg)
Key Download
Bank Host
Switching Transaction From Existing EDC Network
HSMKMSTLES
Host Acquire 1
EFTSecBank Host
HSMKMSTLES
Host Acquire 3
EFTSecBank Host
Host Acquire 2
Secure TerminalACQ1 ACQ2 ACQ3
SIMCard
SIMCard
xxxx NOT xxxxIMPLEMENT
Line Encryption
TMKTWK
TMKTWK
1
2
4
5
3 6
![Page 33: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/33.jpg)
Encryption & MAC Algorithms support
• Encryption algorithms support– DES (single key length, 64 bits)– 3DEC (double key length, 128 bits)– AES (double key length, 128 bits)
• MAC algorithms support – ANSI X9.19 MAC using SHA-1 hashing– ANSI X9.9 MAC
• Encryption Method selection by transaction
![Page 34: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/34.jpg)
![Page 35: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/35.jpg)
System Platform & Performance
Platform Windows Platform
Hardware Dual-Intel CPU
Operating System Windows2000
Database Oracle
Peak Load > 100 TPS
Remark: Hardware specification will depend on the requirement & traffic which will be discussed.Remark: Hardware specification will depend on the requirement & traffic which will be discussed.
![Page 36: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/36.jpg)
• Highly Trusted Security Solution• High performance with Load sharing• No single point of failure• Support mix of non-EFTSec and EFTSec transaction• Open standard available for other terminal vendors• Protect investment
Summary: EFTSec® Application
![Page 37: EFT Transaction Security April-2007](https://reader035.vdocuments.us/reader035/viewer/2022081415/552194e7497959ac608b45ec/html5/thumbnails/37.jpg)
Thank you