Payment HSM Overview
Transaction Processing and Card Issuance
Hermann Bauer
Business Development
General Purpose/PKI HSMs
XML
PKCS#11
Microsoft CryptoAPI / CNG
Java JCA/JCE
OpenSSL
Customization Software Development Kit
International EFT/ Payment Processing (MKII)
Incl. Acquiring/Authorisation and Card Issuance
Incl. End-to-End Online Banking Security (OBM)
Australian Payment Processing (AMB/APCA)
CAPS (US POS System)
Hundreds of Customizations
ProtectServer line: Subset of Mark II Cmd Set as FM
Luna EFT
Luna SA, SP, IS
Payment/EFT Command Sets
General Purpose Cryptographic APIs
SafeNet HSM Product Line Functionalities and Target Use
Protect Server Internal Express (PSIe)
ProtectServer External (PSE)
Payment/EFT HSMs
Luna G5 and HSM Backup Device
Luna PCI / PCI-X
Protect Server Internal Express (PSIe)
ProtectServer External (PSE)
Luna PED & PED Keys
Luna EFT – Payment HSM
EFT/EMV (TP and CI) HSM
• SafeNet’s current dedicated Payment HSM
• Card Issuance and Transaction Processing Security Functionality
• Positioned against Thales 8000/9000 series
Features/Characteristics
• 1U rack-mount size/dimension
• Fast & high-assurance HSM card (common platform with Luna HSM line)
• RoHS compliant
• FIPS 140-2 level 3 certification (#1524)
• PCI-HSM approved
• APCA & Amex certification
• PIN/Key Mailer on Laser Printer
• USB ports for SW upgrades/key backups and PIN/Key Mailer Printing
Communications Interfaces
• Low Speed
• Async
• High Speed
• (Raw) Ethernet, TCP/IP over Ethernet
Performance Levels
• Low (60), Medium (140,280), High (1200, 1600)
• Visa PIN Verifies
Large Internal Key Store
HSM- and Host-stored Key Management
Different Command Sets
• Mark II, AMB, CAPS, Custom
In-field Upgradeable
• Performance, Connectivity, Command Sets
Integration with many Payment products
Luna EFT - Strengths
Excellent price/performance proposition
Modern, up-to-date HSM architecture in 1U chassis
PCI-HSM and FIPS 140-2 level 3 certification
Flexible key management (HSM-stored key, host-stored keys or mix)
User-friendly & intuitive GUI-based administration and management
Large internal, configurable secure key storage (up to 9.999 slots per key type)
High performance throughput (up to 1600 tps)
In-field Upgradeability (functionality, performance, connectivity)
Combined Transaction Processing and Card Issuance/Personalisation support
Two NICs supporting fail-over and network redundancy (multi-pathing)
Smart Card based or Network-based Backup/Recovery of all (HSM-stored) Keys
Remote HSM administration
Multi-tenancy support (AES keys)
Device monitoring via SNMP v3
PCI-compliant auditing and logging
Comprehensive, Granular Load Sharing and Timeout/Error Handling (via host API)
No separate licenses, all included in standard package
Attractive pricing
Customization friendly
Great support and service
Luna EFT – Remote HSM Management
Remote HSM Management is provided in the form of a bootable image
User authentication is done via SafeNet eToken 72K Pro
• A portable two-factor USB authentication token with advanced smart card technology
Console operations
• Key Processing operations
• Configuration operations
• Display information
Mark II – Payments Functionality
• EMV Scripting
• Visa Functions
• MasterCard Functions
• American Express Functions
• CEPS functions (electronic purse)
• 3D Secure Support
• Contactless (PayPass & PayWave)
• AS2805.6.3 Support Functions
• TR-31 Key Block
• ZKA functions (Germany)
• Italian ABI and debit support (Italy)
• APACS Support (UK)
• Online Banking Module
• HSM status functions
• Administrative functions
• KM change functions
• Transfer functions
• EFT terminal functions (incl. DUKPT)
• Remote ATM Initialization
• Interchange Functions
• PIN Management Functions
• MAC Management (3DES, HMAC-SHA2, AES)
• Data Ciphering Functions (3DES, AES, SEED, FPE)
• PIN Issuing Functions (incl. PIN mailer)
• EMV Card Issuance (Data Prep & Perso, e.g. GP)
• EMV Transaction Processing (incl. CAP & DPA)
One of multiple Payment command sets for Luna EFT
International Payment Transaction Processing & Card Issuance functionality
Mark II functionality covers approx. 200 commands
Constantly evolving
ProtectServer Internal Express EFT
ProtectServer External EFT
• Low-cost, low performance, entry-level EFT HSM
• Supported OS (all 32-bit and 64-bit)
• Windows, Linux, Solaris, AIX
• Performance Level
• 25 tps
• Key Entry through host or PIN/Key Entry Device
• Admin utilities
• Subset of Luna EFT Mark II facilities
• No customizations
Payment SW Vendors – HSM Integration
Columns: Payment Software Vendor, Product Name, Business Region Served
ACI Base24-eps + TSS Global
ACI / EPS ASx EE
ACI / S1 Postilion Global
ACI / S2 Systems ON/2, OpeN/2 MEA
ACI / Distra e-switch Global
AJB Software RTS Americas
Arius Asoft EMEA
Banksoft BPS (Banksoft Pre-Personalisation System) EMEA
BPC (Banking Production Centre) SmartVista Global
Compass Plus Tranzware Online, Card Factory EMEA, APAC
CR2 BankWorld EMEA
CSFI u/SWITCHWARE Global
CubeIQ AlphaPIN EMEA
Distra e-switch APAC, EMEA
FIS / EFunds / Oasis Technology Connex, IST/Switch Global
HPS PowerCARD EMEA
Interblocks iSuite iSwitch APAC, MEA
Interpro Switch Americas
i-Sprint USO, AccessMatrix UAS MEA
IWI Net+1 APAC
N&TS ACFS EMEA
OMA Emirates EFT POS Application MEA
OpenWay Way4 EMV Issuance EMEA, APAC
Opus / ECS Electra EFT Switch APAC, EMEA
RS2 BankWorks EMEA
S2M SELECT EMEA
Silverlake SIBS APAC
SmartSoft/CardTek Ocean EMEA
Sparkassen IT Solution Payment Switch EMEA
Sungard CardPro Americas, APAC
Tallyho Online Switch Module Americas, APAC
TAS CARD EMEA
TECS TECS Payment System EMEA
TietoEnator TransMaster EMEA
TPS Iris (Phoenix), Access, Sentinel EMEA
TSYS CTL ONLINE, PRIME, NCRYPT Global
Collis EMV Host Toolkit, PVT Global
Barnes International CPT 3000 EMV PVT EMEA
Role of HSM in Card Issuance Environment
[Diagram labels: Bank; Government; Issuer; Card Application Management System; Data Preparation System; HSM; Chip Manufacturer; OS + App; Card Manufacturer; OS + Card Application; Card Production System; Personalizer / Personalization Bureau; Personalisation System; KEK; KMC; encrypted file(s)]
Card Issuance Vendors – HSM Integration
Columns: Smart Card Vendors; Card Management, Perso and Data Prep Software Vendors; Personalisation Equipment Vendors
Gemalto BellID / ACI OpenWay Datacard
G&D Cryptomathic TSYS CardTech NBS
Oberthur UbiQ BPC Mühlbauer
Safran Morpho (Sagem) Datacard / DCS Compass Plus Atlantic Zeiser / Böwe-CardTec
ST CardTek/SmartSoft Banksoft CIM
Nagra CardHall/Pronit Maurer Electronics
Trüb
AustriaCard
OTI
Data Preparation/Personalisation/Card Management Systems Integration with/Supplier to all Major Smart Card, Card Mgmt, Data Preparation Personalisation SW and Personalisation Equipment Vendors
via Luna EFT or PSIe or PSE + Card Issuing SW + PP Customisation SDK
Major SafeNet HSM Deployment Areas
Application Space | HSM Product | Customers & Partners
PKI & Authentication | Luna SA, Luna PCI/PCI-E, Luna G5, Luna CA4 | Symantec (VeriSign), GlobalSign, Entrust, Microsoft, RSA, SafeLayer, OpenTrust, Kinectis, EJBCA/PrimeKey, Nexus, …
Card Issuance | ProtectServer Internal Express, ProtectServer External | G&D, Gemalto, Oberthur, Morpho, DataCard, Mühlbauer, BellID, Cryptomathic, CardHall, OpenWay, BPC, TSYS, Compass Plus, …
Wholesale Payments | Luna IS, Luna SA, Luna SP | SWIFT (ww), SIX (Swiss Payment Systems), …
Retail Payments | Luna EFT | Banks and Processors (ww), ACI, FIS, OpenWay, TSYS, BPC, Compass Plus, HPS, …
Thank You