P2PE AND OTHER PCI DSS CHANGES
OCTOBER 19, 2012
Agenda
• PCI Standards and Typical Card data flow
• Data breaches, Threats and existing Mitigation efforts
• P2PE overview and Concept
• Benefits
• Preparing for P2PE
• ControlCase P2PE offerings
PCI Security & Compliance
PCI Family of Standards: Protection of Cardholder Payment Data
• Software Developers and Payment Application Vendors: PCI PA-DSS (Payment Application Data Security Standard)
• Merchants & Processors: PCI DSS (Data Security Standard)
• Manufacturers: PCI PTS (PIN Entry Devices)
Typical Payment Method (diagram)
CHD flows from the point of interaction through the merchant's systems to the Acquirer / PG. On each hop the CHD is encrypted at the communication layer only.
Typical Payment Method (diagram, cont.)
Within the merchant's systems and on the way to the Acquirer / PG, the CHD itself may or may not be encrypted.
Data Breaches
Industry groups represented by percent of breaches (chart)
Source: 2012 data breach investigations report by Verizon
Top 10 Threat Action Types by number of breaches and records (chart)
Source: 2012 data breach investigations report by Verizon
Where should Mitigation efforts be focused? (chart)
Source: 2012 data breach investigations report by Verizon
Addition of a member in the PCI Family
• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers and Payment Application Vendors: PCI PA-DSS (Payment Application)
• Acquirers, Payment Gateways, Software Developers, KIFs: PCI P2PE
• Merchants & Processors: PCI DSS (Data Security Standard)
What is PCI P2PE?
It is either a solution or an application.
P2PE Solution: A point-to-point encryption solution consists of point-to-point encryption and decryption environments, the configuration and design thereof, and the P2PE Components that are incorporated into, a part of, or interact with such environment.
P2PE Application: A software application that is included in a P2PE Solution and assessed per P2PE Domain 2 Requirements, and is intended for use on a PCI-approved point-of-interaction (POI) device or otherwise by a merchant.
P2PE Components: Any application or device that stores, processes, or transmits account data as part of payment authorization or settlement, or that performs cryptographic key management functions, and is incorporated into or a part of any P2PE Solution.
P2PE Concept (diagram)
The POI encrypts the CHD immediately after reading it. The CHD stays encrypted (encrypted at POI) across every hop on its way to the Acquirer / PG, and is decrypted by an HSM at the P2PE Solution Provider.
P2PE Concept cont.. (diagram)
The CHD, encrypted at the POI, stays encrypted across every hop to the Acquirer / PG.
• Decryption device: FIPS 140-2 Level 3 (or higher) certified or PCI-approved HSM.
• Encryption device: PTS devices with SRED (secure reading and exchange of data) listed as a “function provided”.
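As an added illustration, not taken from the presentation and not ControlCase's or PCI SSC's code, the Go program below models the flow on these two slides: a POI device that encrypts the PAN the moment it is read, a merchant hop that only forwards opaque bytes, and an HSM at the solution provider that decrypts. AES-GCM, the 16-byte key, the nonce||ciphertext message layout and the test PAN are all constructed for the demo; in a real solution the key would be loaded and managed under the solution provider's key-management controls rather than handed to a constructor. It goes one step beyond the slides with a small audit check a merchant could run over data captured on its own network or disks to confirm that no clear-text PAN appears outside the POI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// newAEAD wraps a 16-byte AES key in AES-GCM. The key is assumed to have been
// loaded into the device by the solution provider (demo simplification).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// POI models the point-of-interaction device: it encrypts account data
// immediately after reading it, so the merchant network only ever sees ciphertext.
type POI struct{ aead cipher.AEAD }

func NewPOI(key []byte) (*POI, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &POI{aead: a}, nil
}

// Read takes the PAN as it comes off the card and returns nonce||ciphertext.
// The clear-text PAN never leaves this function.
func (p *POI) Read(pan string) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// HSM models the decryption device at the P2PE solution provider.
type HSM struct{ aead cipher.AEAD }

func NewHSM(key []byte) (*HSM, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &HSM{aead: a}, nil
}

// Decrypt recovers the PAN; a message altered in transit fails authentication.
func (h *HSM) Decrypt(msg []byte) (string, error) {
	n := h.aead.NonceSize()
	if len(msg) < n {
		return "", errors.New("message shorter than nonce")
	}
	pt, err := h.aead.Open(nil, msg[:n], msg[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MerchantForward is everything the merchant environment does with the
// message: pass opaque bytes on towards the acquirer / payment gateway.
func MerchantForward(msg []byte) []byte {
	out := make([]byte, len(msg))
	copy(out, msg)
	return out
}

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid applies the Luhn check digit test used for card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ContainsClearTextPAN is a simple audit check over captured data: any run of
// 13-19 digits that passes Luhn is treated as a clear-text PAN.
func ContainsClearTextPAN(data []byte) bool {
	for _, run := range digitRun.FindAllString(string(data), -1) {
		if luhnValid(run) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key
	dev, _ := NewPOI(key)
	hsm, _ := NewHSM(key)
	msg, _ := dev.Read("4111111111111111") // constructed test PAN
	fwd := MerchantForward(msg)
	fmt.Println("merchant sees clear-text PAN:", ContainsClearTextPAN(fwd))
	pan, err := hsm.Decrypt(fwd)
	fmt.Println("HSM recovered:", pan, err)
}
```

The merchant-side check is the practical takeaway: the scope-reduction argument rests on the merchant never handling clear-text account data outside the POI, and a scan like this over packet captures or logs is a cheap way to confirm the assumption holds.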
Benefits
Stakeholders in the payments value chain benefit from these requirements in a variety of ways, including but not limited to the following:
• Customers may choose to implement Validated P2PE Solutions in order to reduce the scope of their PCI DSS assessments.
• Listed P2PE Solutions have been validated as compliant with the P2PE Standard by P2PE Assessors.
• Recognized by all Participating Payment Brands.
Characteristics for Merchants Eligible for Reduced Scope for PCI DSS via P2PE Solutions
• Use a validated P2PE solution.
• Never store, process, or transmit clear-text account data within their P2PE environment outside of a PCI-approved POI device.
• Physical environment controls for POI terminals, third-party agreements, and relevant merchant policies and procedures are in place.
• Followed the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
• Adequately segmented (isolated) the P2PE environment from any non-P2PE payment channels or confirmed that no other channels exist.
• Removed or isolated any legacy cardholder data, or systems that stored, processed, or transmitted cardholder data, from the P2PE environment.
P2PE – Key Points
• It is OPTIONAL.
• P2PE scenarios (e.g. hardware-hardware).
• Requires the use of SCDs for encryption and decryption of account data and management of cryptographic keys.
• POI devices must be PCI SSC approved PTS devices with SRED (secure reading and exchange of data) listed as a “function provided.”
• HSMs must be either FIPS 140-2 Level 3 (or higher) certified or PCI-approved (listed on the PCI SSC website, with a valid SSC listing number, as Approved PCI PTS Devices under the approval class “HSM”).
• Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements.
Relationship between P2PE and other PCI standards (PCI DSS, PA-DSS, PTS, and PIN)
• POI devices must meet PIN Transaction Security (PTS) requirements validation.
• Cryptographic-key operations for both encryption and decryption environments use key-management practices derived from the PTS PIN Security Standard.
• Applications on POI devices meet requirements derived from the Payment Application Data Security Standard (PA-DSS).
• The decryption environment is PCI DSS compliant.
• The P2PE standard does not supersede or replace any requirements in the PCI PIN Security Requirements.
PA-DSS Applicability to P2PE
• Applications used within P2PE Solutions may or may not be eligible for PA-DSS validation.
• Both are distinct PCI SSC standards with different requirements.
• Validation against one of these standards does not guarantee or provide automatic validation against the other standard.
P2PE Domains
• Domain 1: Encryption Device Management. Use approved devices and protect devices from tampering.
• Domain 2: Application Security. Secure applications in the P2PE environment.
• Domain 3: Encryption Environment. Secure environments where POI devices are present.
• Domain 4: Transmission between Encryption and Decryption Environments. Secure operations between encryption and decryption environments.
• Domain 5: Decryption Environment and Device Management. Secure decryption environments and decryption devices.
• Domain 6: P2PE Cryptographic Key Operations. Use strong cryptographic keys and secure key-management functions.
Domain 1
Scenario: Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices
Domain 1: Encryption Device Management. Use secure encryption devices and protect devices from tampering.
Characteristics:
• POI is a PCI-approved POI device.
• POI device managed by solution provider.
• Hardware encryption performed by device.
P2PE validation requirements:
1A Build PCI-approved POI devices.
1B Securely manage equipment used to encrypt account data.
P2PE validation responsibility: P2PE Solution Provider
Domain 2
Scenario: Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices
Domain 2: Application Security. Secure applications in the P2PE environment.
Characteristics:
• Application on a PCI-approved POI device.
• All applications are assessed as part of the validated P2PE solution.
P2PE validation requirements:
2A Protect PAN and SAD.
2B Develop and maintain secure applications.
2C Implement secure application management processes.
P2PE validation responsibility: Application Vendor; P2PE Solution Provider
Domain 3
Scenario: Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices
Domain 3: Encryption Environment. Secure environments where POI devices are present.
Characteristics:
• No storage of CHD after transaction processes are complete.
• Within the segmented P2PE environment, no CHD stored, processed, or transmitted through channels or methods external to an approved SCD.
• All device-administration and cryptographic operations are managed by solution provider.
• The P2PE Instruction Manual (PIM) for merchants, with instructions on how to implement and maintain POI devices.
P2PE validation requirements:
3A Secure POI devices throughout the device lifecycle.
3B Implement secure device management processes.
3C Maintain P2PE Instruction Manual for merchants.
P2PE validation responsibility: P2PE Solution Provider
Domain 4
Scenario: Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices
Domain 4: Segmentation between Encryption and Decryption Environments. Segregate duties and functions between encryption and decryption environments.
Characteristics:
• All decryption operations managed by solution provider.
• Merchant has no access to the encryption environment (within POI device) or decryption environment.
• Merchant has no involvement in encryption or decryption operations.
P2PE validation requirements: Domain 4 has no applicable requirements for this hardware/hardware scenario.
Domain 5
Scenario: Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices
Domain 5: Decryption Environment and Device Management. Secure decryption environments and decryption devices.
Characteristics:
• Decryption environment implemented at and managed by solution provider.
• Merchant has no access to the decryption environment.
• Decryption environment must be PCI DSS compliant.
P2PE validation requirements:
5A Use approved decryption devices.
5B Secure all decryption systems and devices.
5C Implement secure device management processes.
5D Maintain secure decryption environment.
P2PE validation responsibility: P2PE Solution Provider
Domain 6
Scenario: Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices
Domain 6: P2PE Cryptographic Key Operations. Use strong cryptographic keys and secure key-management functions.
Characteristics:
• All key-management functions implemented and managed by solution provider.
• Merchant has no involvement in key management operations.
P2PE validation requirements:
6A Use secure encryption methodologies.
6B Use secure key generation methodologies.
6C Distribute cryptographic keys in a secure manner.
6D Load cryptographic keys in a secure manner.
6E Ensure secure usage of cryptographic keys.
6F Ensure secure administration of cryptographic keys.
P2PE validation responsibility: P2PE Solution Provider
At a Glance – Illustration of a typical P2PE Implementation and Associated Requirements (diagram)
Developing and Validating a P2PE Solution (diagram)
Note: Domain 4 is greyed out in the diagram as there are no applicable requirements in this Domain for the current phase of P2PE.
Overview of P2PE Solution Validation Processes
1. The P2PE Solution Provider selects a P2PE Assessor.
2. The P2PE Solution Provider then provides the P2PE Assessor with access to the P2PE Solution.
3. The P2PE Assessor determines the scope and assesses key-injection facilities, Certification Authorities and others, devices, and applications.
4. Preparation of the P-ROV and Application P-ROV (if applicable) and submission to PCI SSC for review.
5. Review of the P-ROV and Application P-ROV (if applicable) by PCI SSC.
How to Prepare for P2PE Assessment
Prepare the following:
1. Be ready with approved POI Devices and HSM
2. List of applications used
3. Detailed cryptographic key matrix
4. P2PE Instruction Manual
5. Implementation Guides for applications assessed against Domain 2
6. Key-management procedures
7. Change control documentation
Revalidation of P2PE
• Yearly Interim Assessment (Healthcheck)
• Full Re-assessment after 2 years
ControlCase P2PE offerings
• Guidance on designing P2PE Solutions
• Review of P2PE Solution design
• Guidance on preparing the P2PE Instruction Manual
• Pre-assessment (“gap” analysis) services
• Guidance for bringing the P2PE Solution into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment
• Certifying P2PE solutions and Applications
Questions And Answers
Thank You