
Vantiv eProtect iFrame Technical Assessment Paper

Prepared for:

October 13, 2015


Page | 2

United States | Canada | LAC | United Kingdom | Europe

303.554.6333 | www.coalfire.com

Coalfire v. 09-14

Contents

EXECUTIVE SUMMARY ........ 3
    Overview ........ 3
    About Vantiv eProtect ........ 4
    Operational Flow ........ 5
TECHNICAL ASSESSMENT ........ 6
    Audience ........ 6
    Assessment Scope ........ 6
    Merchant PCI DSS Compliance Applicability ........ 7
    Technical Security Assessment ........ 7
RECOMMENDED BEST PRACTICES ........ 11
SUMMARY FINDINGS AND CONCLUSIONS ........ 13


EXECUTIVE SUMMARY

Overview

As of July 2015, all eligible merchants and service providers are required to be compliant with PCI DSS v3.1, which defines new scoping guidelines for outsourced web payment capture solutions, now considered part of the Cardholder Data Environment (CDE). As a result, merchants and service providers must define their responsibilities in alignment with PCI DSS 3.1 when outsourcing their payment processing responsibilities to validated third parties.

Merchants who outsource their payment processing responsibilities to PCI DSS-compliant third parties may still have to validate applicable security controls of their ecommerce environment, depending on their specific implementation approach. Payment brands allow Level 2¹, Level 3, and Level 4 merchants who do not electronically store, process, or transmit cardholder data on any of their systems or premises to validate their compliance using SAQ A or SAQ A-EP. Level 1 merchants who outsource their payment processing must discuss the validation requirements with their QSAs, acquirers, or payment brands to confirm which applicable controls remain.

Vantiv engaged Coalfire Systems Inc., a respected Payment Card Industry (PCI) Qualified Security Assessor (QSA) company, to conduct an independent technical review of Vantiv's eProtect solution (formerly known as Vantiv PayPage). Vantiv eProtect provides card-not-present data security for merchants that need to reduce their risk by completely eliminating the presence of cardholder data from their systems. Vantiv eProtect offers multiple integration approaches; this technical assessment specifically addresses the Vantiv eProtect iFrame integration methodology.

Coalfire's findings describe how the use of Vantiv eProtect iFrame, implemented in alignment with the eProtect Integration Guide (v4.5/1.2), will significantly reduce the risk of account data compromise within a merchant's ecommerce environment, and the applicable control reduction merchants can expect to receive under PCI DSS v3.1.

¹ Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA) rather than complete an annual self-assessment questionnaire. – MasterCard.com


About Vantiv eProtect

Vantiv eProtect is a comprehensive card-not-present data security solution that helps merchants solve initial data capture and cardholder data storage challenges by eliminating cardholder data from their systems, significantly reducing the threat of account data compromise and the number of applicable PCI controls under PCI DSS v3.1. To eliminate capture of cardholder data on their systems, merchants embed on their web page an iFrame whose content is served from Vantiv's servers. Rich customization of the style and layout of the checkout experience allows the merchant's site to look and feel like the merchant's brand, while eliminating cardholder data from their systems. To eliminate post-authorization cardholder data storage, Vantiv's OmniToken solution replaces clear cardholder values with tokens that can be used in place of payment data throughout merchant systems, which virtually eliminates the risk of data theft. The Vantiv eProtect environment is validated against PCI DSS (Vantiv ecommerce/Litle & Co. Attestation of Compliance, valid until Dec. 19, 2015).

Figure 1: Vantiv eProtect iFrame Data Flow


Operational Flow

1. When a customer is ready to enter their cardholder data into the merchant's web page, the merchant web server delivers a form to the customer's web browser. The browser loads the iFrame hosted by the eProtect server, utilizing a third-party Content Delivery Network (CDN) provider to accelerate content delivery.

2. The customer enters their PAN, optional security code (card verification value), and optional expiration date into the iFrame fields and clicks the submit button on the merchant's page, which calls the eProtect server. Within the hosted iFrame, JavaScript encrypts the cardholder data with a 24-hour public-private key pair known only by Vantiv (RSA/ECB/PKCS1 padding, 2048 bits) and sends the encrypted message to the eProtect server via HTTPS/TLS v1.2* (GeoTrust Global CA, SHA-1 with RSA 2048-bit encryption) through a third-party CDN, using an HTTPS GET request. eProtect returns a non-sensitive, low-value token called a Registration ID in place of the Primary Account Number (PAN).

3. The merchant page submits the Registration ID and non-cardholder data elements to the merchant's web server for order processing.

4. Once the authorization request arrives at Vantiv, the Registration ID is converted to a high-value token called an OmniToken and returned to the merchant with the authorization response.

No cardholder data is ever transmitted to the merchant's servers, since the merchant page never had access to the payment information submitted via the Vantiv eProtect iFrame.

* eProtect supports TLS v1.0 and higher: because it applies field-level encryption with a public-private key pair prior to transmission, it is not limited by the TLS protocol version in meeting applicable control reduction under PCI DSS v3.1.


TECHNICAL ASSESSMENT

As part of the technical assessment, Coalfire performed application and vulnerability testing, reviewed technical documentation (including the eProtect Integration Guide, v4.5/1.2), and interviewed subject matter experts to identify potential risks to cardholder data and the reduction of applicable PCI DSS controls.

Audience

This technical assessment report has two relevant audiences.

I. Merchants, Developers, and Integrators: This audience will be able to clearly understand the reduction of applicable PCI DSS controls under v3.1 they will receive from implementing this solution.

II. QSAs and the Internal Audit Community: This audience will be able to clearly identify the impact on PCI DSS v3.1 validation on behalf of their merchants.

Assessment Scope

The scope of Coalfire's assessment focused on the critical elements that validate the security and effectiveness of the Vantiv eProtect iFrame solution, the impact on the merchant's PCI responsibility when implementing eProtect, and the remaining security best practices that PCI does not require. Coalfire incorporated in-depth analysis of compliance fundamentals that are essential for evaluation. Coalfire also utilized reviews and feedback obtained from members of the PCI community. Vantiv's eProtect iFrame was assessed by Coalfire between April 6 and 18, 2015.

Coalfire performed testing on the iFrame solution via the Vantiv-provided test website (https://www.testlitle.com/iframe/index-coalfire.gsp).

The testing focused on packet captures, data contained in browser requests (GET and POST), and web application testing to confirm that the Vantiv iFrame is not vulnerable to attacks. Coalfire conducted technical remote lab testing in Vantiv labs in Lowell, Mass., encompassing merchant web pages, integration, transaction testing, and encryption in transmission.


Merchant PCI DSS Compliance Applicability

Based on analysis and testing, Coalfire recommends that merchant ecommerce environments that do not electronically store, process, or transmit cardholder data on their systems, and that provide an iFrame to a PCI DSS compliant third-party processor for payment processing, be considered eligible to validate compliance with an SAQ A under PCI DSS v3.1.

Discussed below are two use cases in which the Vantiv iFrame is deployed by merchants.

Use Case I:

Level 2¹, Level 3, and Level 4 merchants, as defined by the payment brands, that do not electronically store, process, or transmit cardholder data in their ecommerce environment, and that implement eProtect iFrame, will be eligible for SAQ A in alignment with the PCI DSS 3.1 standard. Merchants are required to consult their acquirer(s) or payment brands about individual PCI DSS validation requirements and their eligibility for submitting an SAQ.

Use Case II:

Level 1 merchants will achieve a reduction of applicable PCI controls for their ecommerce environment where cardholder data is not electronically stored, processed, or transmitted on their systems, when eProtect iFrame has been implemented to handle all cardholder data responsibilities. Eligible merchant environments with Vantiv's eProtect iFrame can be validated against the controls applicable to the SAQ A.

Technical Security Assessment

Coalfire evaluated and tested Vantiv's eProtect iFrame solution to determine applicable controls for PCI DSS v3.1.

Verification of Vantiv eProtect iFrame:

o Coalfire simulated transactions that could occur on a merchant web page using known cardholder data and found only non-sensitive plain-text data on the web pages.

o Encrypted cardholder data was observed through the sampled web pages. eProtect utilizes HTTPS TLS v1.2, as per PCI DSS 3.1, for all communications to and from the eProtect environment.

o Confirmed that the Vantiv eProtect environment is PCI DSS validated (Vantiv ecommerce Attestation of Compliance (AOC) valid until Dec. 19, 2015).

o A Registration ID (a non-sensitive value as defined by the PCI DSS Tokenization Standard) was returned from the Vantiv environment in place of the account number.

o eProtect iFrame entirely removes exposure and storage of cardholder data on merchant servers by securely transmitting cardholder data directly from the customer's web browser to the Vantiv eProtect server, returning only tokenized data to the merchant environment.


o Performed a web application penetration test using the Burp Suite application scanning tool and confirmed that no vulnerabilities related to the ecommerce application exist; the merchant's initiating web pages could, however, be exposed to known weaknesses such as clickjacking if merchants do not handle them in a secure manner.

Figure 2: Vantiv eProtect iFrame Browser Request from a Sample Transaction

The GET request to Vantiv eProtect from the merchant environment shows that the parameters containing the PAN and Sensitive Authentication Data (CVC/CVV/CVV2) are encrypted using the public-private key pair implemented by Vantiv.

Figure 3: Vantiv eProtect iFrame Request Parameters with Encrypted Data

Coalfire observed and analyzed traffic via the Wireshark tool and confirmed that the transmission of data occurs over TLS v1.2.


Figure 4: Wireshark Transaction Capture

Assessment testing used transactions from Visa and Discover cards. No PAN or Sensitive Authentication Data (CVC/CVV/CVV2) was found unencrypted over public networks. Cardholder data was captured and transmitted on the Vantiv web pages, and no cardholder data was returned to the merchant test web pages. Data parameters received on merchant pages included the first six and last four digits of the initiating primary account number, the Registration ID, the transaction ID, and other data elements essential for performing operations such as returns, reversals, card verifications, refunds, data analytics, and reporting.


Figure 5: POST Request Data from Vantiv eProtect iFrame (No Full Credit Card Number or Sensitive Authentication Data Exist)


RECOMMENDED BEST PRACTICES

While merchants that implement the Vantiv iFrame may not be required to validate applicable controls for systems that do not touch cardholder data, it is recommended that they review PCI DSS requirements for elements of their ecommerce infrastructure: compromise of the merchant's web pages could result in a compromise of the iFrame, and failure to implement the solution in alignment with the eProtect Integration Guide could introduce risk to the environment, after which merchants may no longer be eligible for control reduction.

To help mitigate such risks within the merchant environment, Coalfire and Vantiv recommend the following additional security best practices for merchants that have implemented the Vantiv iFrame solution:

o Reviewing web pages periodically: Review the Vantiv eProtect source that is called from the merchant environment to validate that the following source has not changed. (Please note that the URL below is from the test environment; merchants need to ensure that the URL provided by Vantiv for the production environment is reviewed in the same way.)

    <script type="text/javascript" src=" https://request-prelive.np-secureeProtect-litle.com/LitleEProtect/js/payframe-client.min.jss"></script>

o Building any new website or servers with the applicable PCI DSS requirements in mind.

o Having written agreements with Vantiv (the third-party service provider in this case) and ensuring they protect cardholder data on behalf of the merchant, in accordance with PCI DSS.

o Securing the web page(s) containing the iFrame. iFrames could be hijacked by sending customers to false payment pages where credit card data could be stolen. Coalfire recommends that merchants deploy and maintain the web pages in a secure manner.

o Ensuring that transactions are received by the acquirer on a regular basis. Frequent reconciliation of transactions provides a way to detect that the source on the merchant website has been altered, since a diverted payment page shows up as missing transactions.

o Using TLS v1.2 or higher when transmitting cardholder data.

o Considering a web application firewall or other intrusion-detection technology to ensure that the initiating web server's requests are protected against attacks.

o Developing applications in alignment with PCI DSS compliance.

o Regularly monitoring links (URLs, iFrames, APIs) from the merchant's website to the payment processor to ensure they have not been altered to redirect to unauthorized locations.

o Performing periodic web application penetration testing for the hosted ecommerce website.


Requirements 9 and 12 of PCI DSS are covered under SAQ A. SAQ A-EP focuses on the following additional areas:

o Requirement 1: Install and maintain a firewall configuration to protect data (firewall and router configuration hardening).

o Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (initiating web server configuration hardening).

o Requirement 3: Protect stored cardholder data (ensure that card verification values or the Personal Identification Number (PIN) are not stored after authorization).

o Requirement 4: Encrypt transmission of cardholder data across open, public networks (ensure that cardholder data is transmitted only through Vantiv, and that the site does not facilitate transmission via any other means).

o Requirement 5: Protect all systems against malware and regularly update anti-virus software programs.

o Requirement 6: Develop and maintain secure systems and applications (have a process for identifying security vulnerabilities, patching of systems, and change control; develop applications based on secure coding guidelines; and deploy a web application firewall).

o Requirement 7: Restrict access to cardholder data by business need to know (access to cardholder data environment systems should be limited).

o Requirement 8: Identify and authenticate access to system components (assign unique IDs, enable remote access only when needed, follow two-factor and password procedures).

o Requirement 10: Track and monitor all access to network resources and cardholder data (monitor the security of the server and application, ensuring that audit trails and alerts are in place, such as detecting and alerting upon unauthorized changes to the payment page).

o Requirement 11: Regularly test security systems and processes (engage an Approved Scanning Vendor [ASV] to perform quarterly external vulnerability scans, perform penetration testing, and have a change detection mechanism deployed within the cardholder data environment, especially on the initiating web server).


SUMMARY FINDINGS AND CONCLUSIONS

Based upon interviews with Vantiv personnel and review of supporting documentation, it is Coalfire's opinion that merchants who properly utilize Vantiv data security technologies will reduce their risk of account data compromise and receive PCI DSS applicable control reduction. Merchant ecommerce environments that do not touch cardholder data and implement Vantiv's eProtect iFrame will be eligible for SAQ A. The remaining security responsibilities of the merchant's environment are not applicable to PCI DSS.

The following are important highlights of Coalfire's technical evaluation. A properly designed and deployed Vantiv iFrame solution can:

o Reduce the risk of compromise of cardholder data for a merchant environment.

o Reduce the attack surface and threat environment for a merchant.

o Significantly reduce the number of applicable PCI DSS controls and validation requirements for merchants.

o Minimize the exposure of plain-text cardholder data for the merchant when Vantiv eProtect is used.

o While achieving risk and PCI applicable control reduction, implementing Vantiv eProtect does not fully outsource the merchant's payment responsibilities.

o Vantiv eProtect iFrame should not lower a merchant's sensitivity to the security of their ecommerce environment, nor does it fully outsource all their PCI DSS compliance responsibilities.

Legal Disclaimer

The opinions and findings within this evaluation are solely those of Coalfire and do not represent any assessment findings, or opinions, from any other parties. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI-DSS, et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document inclusive of the title and publication date; neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein, you should consult legal counsel, your security advisor, and/or your relevant standard authority.