12/16/2014
A comprehensive card data security solution combining three powerful technologies working in tandem to
provide merchants with the highest level of security available against card-present data fraud.
Verizon 2014 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/2014/

- 285: number of security breaches that occurred in American restaurants, hotels, grocery stores, gas stations and other brick-and-mortar outlets
- The vast majority of breaches occurred against companies with fewer than 1,000 employees
- 148: POS intrusions accounted for 31 percent of the 148 retail breaches, with payment card skimmers accounting for another six percent
- 137: POS intrusions accounted for 75 percent of the 137 accommodation sector breaches
Card Data is Not Secure

Card Data in the Clear: Standard Output of a Non-Encrypting MSR Wedge

%B4012002000060016^VI TEST CREDIT^251210118039000000000396?;4012002000060016=25121011803939600000?+E?

Fields exposed in this output:
- “Clear-Text” Track 1: card number
- “Clear-Text” Track 1: cardholder name
- “Clear-Text” Track 1: expiration date
- “Clear-Text” Track 1: discretionary data
- “Clear-Text” Track 2: card number, expiration date and discretionary data
Introducing Heartland Secure: A Comprehensive Card Data Security Solution Combining Three Powerful Technologies

- EMV proves that a consumer’s card is genuine and the transaction authentic
- Heartland’s E3™ end-to-end encryption technology immediately encrypts card data at inception to prevent monetization
- Tokenization replaces card data with “tokens” used for returns and repeat purchases, unusable by criminals
Facts About EMV

There are over 15 million magnetic stripe POS devices, 609.8 million credit cards, and 520 million debit cards in circulation in the US. (1) The cost estimated by Javelin Strategy and Research to implement EMV in the US is at least $8 billion for POS systems. (2)

- Standard governing interoperability of chip cards and payment devices
- Global interoperability and improved card security are the main reasons card brands are migrating the U.S. to EMV
- EMV card acceptance is not a government or card brand mandate for merchants or card holders
- All EMV cards distributed by U.S. issuers will include a magnetic stripe

(1) The Nilson Report
(2) Ben Woolsey and Matt Schulz, “Credit Card Statistics, Industry Facts, Debt Statistics
U.S. EMV Timelines

- Oct-2012: PCI validation relief (1)
- Apr-2013: Processor support for chip processing
- Oct-2013: MC ADC relief takes effect (50%)
- April-2014: Visa unattended liability shift
- Oct-2015: POS liability shift, non-AFDs
- Oct-2015: MC ADC relief (100%)
- Oct-2016: MC ATM liability shift
- Oct-2016: Visa GCAR relief
- Oct-2017: POS liability shift, AFDs
- Oct-2017: Visa ATM liability shift

(1) Applies to Level 1 & Level 2 merchants where 75% of their transactions come from a dual interface, chip-enabled terminal
Understanding the Liability Shift

Counterfeit
  Visa, today: Issuer is liable
  Visa, after liability shift: Liability shifts to the merchant if a counterfeit chip card is used at a mag stripe terminal
  MasterCard, today: Issuer is liable
  MasterCard, after liability shift: Liability shifts to the merchant if a counterfeit chip card is used at a mag stripe terminal

Lost & Stolen
  Visa, today: Issuer is liable
  Visa, after liability shift: Liability remains with issuer
  MasterCard, today: Issuer is liable
  MasterCard, after liability shift: Liability remains with issuer if:
    - a lost or stolen mag stripe card is used at a chip terminal
    - a lost or stolen chip & signature (no PIN support) card is used at a chip & PIN supporting terminal
    - a lost or stolen chip & PIN card is used at a chip & PIN supporting merchant
EMV Card and Security

- Card authentication: the Authorization Request Cryptogram verifies that the card is authentic
- Issuer authentication: the Authorization Response Cryptogram verifies to the card that the issuer is authentic
- Validating card use: the Transaction Certificate (TC) value provides evidence to the issuer that the card was present and was used for payment
- Combating replays: the Application Transaction Counter combats replay attacks
- Validating the cardholder: offline or online PIN validates the cardholder
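The exchange on this slide, as an added toy model that is not part of the original deck and not EMV's real cryptography: HMAC-SHA256 over a fixed field layout stands in for the card's MAC algorithm, one random per-card key stands in for the issuer-derived key, and the PAN, amounts and counter values are constructed. The point it shows is the division of labour the slide lists: the card proves itself with a request cryptogram (ARQC), the issuer proves itself back with a response cryptogram (ARPC), the Application Transaction Counter (ATC) lets the issuer reject a cryptogram it has already seen, and the Transaction Certificate (TC) is the card's evidence that the payment completed.

```python
import hashlib
import hmac
import secrets

# Added toy model of the online EMV exchange. Not EMV's real cryptography:
# HMAC-SHA256 stands in for the card's MAC algorithm and one random per-card
# key stands in for the issuer-derived card key. Sample values are constructed.


def mac(key: bytes, *fields) -> bytes:
    """MAC over a labelled, '|'-separated field list (bytes fields are hex-encoded)."""
    parts = [f.hex() if isinstance(f, bytes) else str(f) for f in fields]
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()


class IssuerHost:
    """Issuer side: holds card keys and the highest ATC seen for each card."""

    def __init__(self):
        self.card_keys = {}
        self.highest_atc = {}

    def personalize(self, pan: str) -> bytes:
        key = secrets.token_bytes(16)
        self.card_keys[pan] = key
        self.highest_atc[pan] = 0
        return key

    def authorize(self, pan, atc, amount, unpredictable_number, arqc):
        key = self.card_keys.get(pan)
        if key is None:
            return "DECLINE", None
        expected = mac(key, "ARQC", pan, atc, amount, unpredictable_number)
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE", None      # wrong cryptogram: card not authentic or data altered
        if atc <= self.highest_atc[pan]:
            return "DECLINE", None      # counter did not advance: replayed cryptogram
        self.highest_atc[pan] = atc
        arpc = mac(key, "ARPC", arqc, "00")   # response cryptogram proves the issuer to the card
        return "APPROVE", arpc

    def verify_tc(self, pan, atc, amount, unpredictable_number, tc) -> bool:
        """TC: the card's evidence that it was present and completed this payment."""
        key = self.card_keys[pan]
        return hmac.compare_digest(mac(key, "TC", pan, atc, amount, unpredictable_number), tc)


class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_arqc(self, amount, unpredictable_number):
        self.atc += 1                   # ATC increments once per transaction
        return self.atc, mac(self.key, "ARQC", self.pan, self.atc, amount, unpredictable_number)

    def verify_arpc(self, arqc, arpc) -> bool:
        return hmac.compare_digest(mac(self.key, "ARPC", arqc, "00"), arpc)

    def generate_tc(self, atc, amount, unpredictable_number):
        return mac(self.key, "TC", self.pan, atc, amount, unpredictable_number)


def run_transaction(card: ChipCard, issuer: IssuerHost, amount: int) -> dict:
    """Terminal role: supplies the unpredictable number and relays the messages."""
    un = secrets.randbelow(2**32)
    atc, arqc = card.generate_arqc(amount, un)
    result, arpc = issuer.authorize(card.pan, atc, amount, un, arqc)
    issuer_ok = result == "APPROVE" and card.verify_arpc(arqc, arpc)
    tc = card.generate_tc(atc, amount, un) if issuer_ok else None
    return {"result": result, "issuer_authenticated": issuer_ok, "atc": atc,
            "un": un, "arqc": arqc, "tc": tc}


if __name__ == "__main__":
    issuer = IssuerHost()
    pan = "4012002000060016"            # test PAN from the slides
    card = ChipCard(pan, issuer.personalize(pan))
    first = run_transaction(card, issuer, 1999)
    resubmitted = issuer.authorize(pan, first["atc"], 1999, first["un"], first["arqc"])[0]
    print("first:", first["result"], "| same cryptogram resubmitted:", resubmitted)
```

Resubmitting an already-authorized ARQC is declined purely on the counter check, and changing the amount is declined on the MAC check; neither needs the issuer to keep the cryptogram itself.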
Where Does EMV Fall Short?

- If crimeware has found its way into the retailer’s POS system or network, the cardholder data will be stolen and used fraudulently.
- Implementing a payment system using only the EMVCo and card brand EMV specifications leaves a customer’s primary account number (PAN) and discretionary data exposed and in the clear.
E3 Safeguards EMV Transactions!

- E3 encrypts the EMV transaction in the same way it encrypts a magnetic stripe transaction, protecting the cardholder information.
- This end-to-end protection keeps the cardholder’s data safe and prevents criminals from monetizing it.
E3 Encrypted Data: E3 Encrypting MSR Wedge Output

<E1047311%B4012001000000016^VI TEST CREDIT^251200000000000000000000?|Juo1ja9sowQX5yOlrQwd68LAO7TJUvWzR8CAoFGAgEH1AINShV78RZwb3NAc2VjdXJlZXhjaGFuZ2UubmV009rwLCTKtT+v01IzT3gobnixA3TxjqiuXxfOieON5TNSUxmbYEbzoW6OE1dTAMc6NE7W9KVmu9etcQ/Fe2MctBtL9BW1iel24ReH/CzOMosyzby9rtoo+6Mz6U6dQYn8M3AKnf+MHD/RF5QIvPKPP8+Ulzx0M1JGPEkS4lgidS0ATmpEfb+WiEs+t6QchtVXrSa+p2tf+sstd5kPiYgLPtN0jzTZGRyDpugJBbZ47FNgZzqOlOA|11;4012001000000016=25120000000000000000?|9nOnxGjxBnaL9slmqUGfA5wsNFn|00||/wECAQE

Fields in this output:
- Obfuscated Track 1 card number; first 6 and last 4 digits left in clear for BIN routing and receipt printing
- “Clear-Text” Track 1 cardholder name, for receipt printing
- Obfuscated Track 1 discretionary data
- Encryption block, sent in transmission
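An added example covering both this slide and the earlier "Card Data in the Clear" slide: a small parser for the track 1 and track 2 layouts the two wedge outputs contain, plus a detection check a merchant could run over POS logs to tell clear-text track data from the E3 form. The sample strings are constructed from the test-card values on the two slides, with the long encryption block replaced by a labelled placeholder. The check relies on two observations about the slide's E3 sample, not on any documented property of E3: the obfuscated card number does not pass the Luhn check, and the discretionary data is all zeros. This is not Heartland's code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed inputs built from the slides' test-card values. The E3 encryption
# block is replaced by a placeholder; the track fields are as shown on the slides.
CLEAR_WEDGE_OUTPUT = (
    "%B4012002000060016^VI TEST CREDIT^251210118039000000000396?"
    ";4012002000060016=25121011803939600000?"
)
E3_WEDGE_OUTPUT = (
    "<E1047311"
    "%B4012001000000016^VI TEST CREDIT^251200000000000000000000?"
    "|ENCRYPTED_BLOCK_PLACEHOLDER|11"
    ";4012001000000016=25120000000000000000?"
    "|ENCRYPTED_BLOCK_PLACEHOLDER|00||/wECAQE"
)

# Track 1 format B: %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<sc>\d{3})(?P<dd>[^?]*)\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<dd>[^?]*)\?")


@dataclass
class TrackFields:
    track: int
    pan: str
    name: Optional[str]
    expiry: str          # YYMM
    service_code: str
    discretionary: str


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: a real PAN passes; the slide's obfuscated PAN does not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_tracks(raw: str) -> List[TrackFields]:
    found = []
    m = TRACK1_RE.search(raw)
    if m:
        found.append(TrackFields(1, m["pan"], m["name"].strip(), m["exp"], m["sc"], m["dd"]))
    m = TRACK2_RE.search(raw)
    if m:
        found.append(TrackFields(2, m["pan"], None, m["exp"], m["sc"], m["dd"]))
    return found


def mask_pan(pan: str) -> str:
    """Receipt-style masking as the slide describes: first six and last four in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_wedge_output(raw: str) -> dict:
    """Flag a log line as leaking clear-text track data or not."""
    tracks = parse_tracks(raw)
    e3_envelope = raw.startswith("<E") and "|" in raw
    live_pan = any(luhn_valid(t.pan) for t in tracks)
    live_dd = any(t.discretionary.strip("0") != "" for t in tracks)
    return {
        "e3_envelope": e3_envelope,
        "luhn_valid_pan": live_pan,
        "discretionary_present": live_dd,
        "verdict": "CLEAR_TEXT_TRACK" if (live_pan or live_dd) else "NO_CLEAR_TRACK",
    }


if __name__ == "__main__":
    for label, sample in (("plain wedge", CLEAR_WEDGE_OUTPUT), ("E3 wedge", E3_WEDGE_OUTPUT)):
        print(label, classify_wedge_output(sample))
```

Run over a POS log, the verdict field is what a detection rule would key on; the parsed fields are what an incident responder needs to know was exposed (name and expiry remain readable in both forms, so they are exactly the fields the slide says are left in clear for receipts).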
Over 70,000 Merchants in the United States Benefit from E3’s Encryption Security and Our Warranty!

- E3 removes consumer card data from the merchant’s environment by encrypting the cardholder’s primary account number (PAN) and discretionary data
- E3 eliminates the risk of hackers monetizing stolen card data. Hackers cannot profit from encrypted card information
- E3 is a strong response to “all organizations should assume they’ve been hacked,” as written by the authors of the Cisco 2014 Annual Security Report (1)
- E3 reduces a merchant’s PCI scope, as documented in a paper written by Coalfire (2)

(1) https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
(2) Heartland Payment Systems E3™ MSR Wedge Technical Assessment White Paper, Coalfire, January 4, 2011
Tokenization Removes Card Data

- Tokenization and E3 work together to make an EMV transaction safe
- Tokenization removes any direct reference to the card number by substituting a token for the consumer’s card number. The token serves:
  - as a reference number when the retailer needs to perform a post-sale transaction such as a void or refund
  - as a representative of the card for future transactions such as card on file, recurring payments or customer analysis
Magnetic Stripe, E3 and Tokenization

Transaction flow:
1. Magstripe card is swiped at the E3 wedge and encrypted
2. Transaction wrapped in SSL encryption
3. Magstripe data decrypted in Heartland’s PCI compliant data center for authorization
4. Single use token returned to POS (reference number)

- E3 encrypts cardholder information at the earliest point of the transaction: at card swipe, key entry, tap or insertion
- Tokens eliminate reuse of the card data
EMV, E3 and Tokenization

- E3 offers an additional layer of security for EMV transactions
- As the EMVCo specifications are presently written, when an EMV transaction is processed at the point of sale the transaction is sent in the clear to the acquirer or processor for authorization
- E3 encrypts the EMV transaction in the same way it encrypts a magnetic stripe transaction, thus protecting the cardholder information
- Tokens eliminate the need to reuse card data

Transaction flow:
1. EMV card is inserted in the terminal and encrypted
2. Transaction wrapped in SSL encryption
3. Cardholder data decrypted in Heartland’s PCI compliant data center for authorization
4. Single use token returned to POS (reference number)
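An added model of the flow on this slide and the magnetic stripe slide before it, together with the tokenization slide: the reader encrypts the PAN and discretionary data before they leave the wedge, the processor is the only party that decrypts, and what comes back to the POS is a random single-use token. This is not Heartland's code and the cipher is a stand-in (an HMAC-SHA256 keystream in counter mode plus an HMAC tag, in place of whatever the real product uses); the shared wedge/processor key, the always-approve authorization and the card values are constructed for the example. The `pos_holds_pan` check at the end asks the question the slides are answering: what a compromise of the POS would yield.

```python
import hashlib
import hmac
import json
import secrets

# Added model of swipe/insert -> encrypt -> authorize -> single-use token. Not
# Heartland's code. The cipher is a stand-in (HMAC-SHA256 keystream in counter
# mode plus an HMAC tag); key, PAN and amounts are constructed sample values.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def mask_pan(pan: str) -> str:
    """First six (BIN routing) and last four (receipt) stay in the clear, as the slides describe."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def wedge_encrypt(key: bytes, pan: str, expiry: str, discretionary: str) -> dict:
    """Wedge side: PAN and discretionary data are encrypted before leaving the reader."""
    secret = json.dumps({"pan": pan, "dd": discretionary}).encode()
    nonce = secrets.token_bytes(12)
    ciphertext = _xor(secret, _keystream(key, nonce, len(secret)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"masked_pan": mask_pan(pan), "expiry": expiry,
            "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


class Processor:
    """Processor side: the only place the PAN is decrypted; returns a single-use token."""

    def __init__(self, key: bytes):
        self.key = key
        self.vault = {}       # token -> {"pan", "amount", "used"}; never leaves the processor

    def _decrypt(self, envelope: dict):
        nonce, ct = bytes.fromhex(envelope["nonce"]), bytes.fromhex(envelope["ct"])
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
            return None       # altered in transit or wrong key
        return json.loads(_xor(ct, _keystream(self.key, nonce, len(ct))))

    def authorize(self, envelope: dict, amount: int) -> dict:
        record = self._decrypt(envelope)
        if record is None:
            return {"approved": False, "reason": "integrity check failed"}
        if mask_pan(record["pan"]) != envelope["masked_pan"]:
            return {"approved": False, "reason": "masked PAN mismatch"}
        # Authorization itself is simulated as approved in this model.
        token = secrets.token_urlsafe(24)   # random; carries no card information
        self.vault[token] = {"pan": record["pan"], "amount": amount, "used": False}
        return {"approved": True, "token": token}

    def refund(self, token: str, amount: int) -> dict:
        entry = self.vault.get(token)
        if entry is None or entry["used"] or amount > entry["amount"]:
            return {"approved": False}
        entry["used"] = True  # single-use reference: a second refund against it fails
        return {"approved": True}


def pos_holds_pan(pos_records: list, pan: str) -> bool:
    """What a POS compromise would yield: does any record the POS stored contain the PAN?"""
    return any(pan in json.dumps(r) for r in pos_records)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    env = wedge_encrypt(key, "4012002000060016", "2512", "1803939600000")
    proc = Processor(key)
    auth = proc.authorize(env, 1999)
    print("POS holds PAN:", pos_holds_pan([env, auth], "4012002000060016"))
    print("refund 1:", proc.refund(auth["token"], 500), "refund 2:", proc.refund(auth["token"], 500))
```

The POS ends up storing only the envelope and the token; the processor's vault holds the PAN-to-token mapping, which is what puts the merchant's systems outside the path of clear card data.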
Heartland Secure: Comprehensive Card Present Security

- EMV and E3 remove the ability to skim and monetize card data through combinations of verification and encryption
- EMV and E3 eliminate “man-in-the-middle” attacks
- E3 and tokenization remove card data from the merchant’s environment
- E3 eliminates the risk of monetizing stolen card data
- E3 and tokenization are a definitive response to “all organizations should assume they’ve been hacked” (1)
- E3 and tokenization reduce a merchant’s PCI scope as per Coalfire’s study (2)

(1) Cisco 2014 Annual Security Report: https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf
(2) Heartland Payment Systems E3™ MSR Wedge Technical Assessment White Paper, Coalfire, January 4, 2011