
Realizing Payments Security Through Encryption and Tokenization

Steven M. Elefant, Chief Information Officer
July 7th, 2010, Zurich
Heartland Confidential

Topics Reviewed

1. What is Heartland Payment Systems’ Business?
2. The Bigger Picture
3. What Are We Doing Now?
4. Working Together

What Is Heartland Payment Systems’ Business?

– A Full Service Payments Processor

• Card Processing (USA)
   Credit/debit/prepaid cards:
   • Process 11 million transactions a day
   • Process over 4.2 billion transactions annually
   • Fund accepting merchants over $100 billion annually
   • #4 payment transaction acquirer by transaction volume
• 3,500 employees
• Payroll processing
• Check 21 processing (electronic depositing of scanned checks)
• Electronic commerce and online payment processing
• MicroPayments – vending, laundry, campus solutions
• Gift cards and loyalty processing
• Petroleum processing

[Chart: payment transaction acquirers ranked 1 through 10.]

Update: First Data and Bank of America announced the merger of their payment processing services in June 2009, making Heartland #4.

The Bad Guys Wake Up Every Morning Trying to Find Ways to Destroy Us!!!

[Figure: attacker motivation versus expertise, after Steve Riley, http://blogs.technet.com/steriley. Motivation axis: Curiosity, Personal Fame, Personal Gain, National Interest. Expertise axis: Script-kiddy, Hobbyist Hacker, Expert, Specialist. Actors plotted: Author, Vandal, Trespasser, Thief (the fastest growing segment), Spy.]

The Bigger Picture

Knowledge of security threats should not be viewed as a competitive advantage.

Heartland’s approach:
 Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem
 Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security
 Advocate for encryption and tokenization standards NOW – while we wait for conversion to EMV

PPISC Overview

• Payments Processing Information Sharing Council (PPISC)
   Established under the Financial Services Information Sharing and Analysis Center (FS-ISAC) umbrella
   Provides a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation in the payments industry
   http://www.ppisc.com/
• Heartland used the PPISC to distribute copies of the malware discovered during its breach investigation to PPISC members.

Security Innovation Network = SINET

(United States and global allies)

In order to stay ahead of our adversaries, we must foster the advancement of innovation, promote awareness, rapid identification, and early adoption of “best of class” solutions, and do so globally. SINET enables small business and innovation.

Holistic Approach: Better than EMV / Chip and PIN Alone

Layering of defenses in depth:

• Dynamic Data Authentication (DDA) to protect consumers, issuers and the ecosystem against authorizing transactions from cloned / skimmed cards.

• End-to-End Encryption to protect card data in transmission.

• Back Office Tokenization to reduce the merchant’s need to store sensitive transaction data for disputes, chargebacks, and other legitimate business uses.
   - Single-use (unique transaction ID)
   - Multi-use (card number substitution)
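The two tokenization flavours listed above are easier to reason about in code. The Go program below is an added example written for this page, not Heartland's tokenization service or any product code: a hypothetical in-memory vault (all type and function names are illustrative) that hands out a format-preserving multi-use token, stable per card so loyalty and chargeback lookups keep working without the PAN, and a random single-use transaction reference that resolves exactly once. The card number is a constructed Luhn-valid test value and the vault's storage layout is an assumption.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Vault is a hypothetical back-office tokenization service (names are illustrative). It runs at
// the processor, which holds the PAN under its own controls; the merchant keeps only the tokens.
type Vault struct {
	byPAN  map[string]string // PAN -> multi-use token
	multi  map[string]string // multi-use token -> PAN
	single map[string]string // single-use token -> PAN, deleted on first Detokenize
}

func NewVault() *Vault {
	return &Vault{map[string]string{}, map[string]string{}, map[string]string{}}
}

// luhnValid reports whether a digit string passes the Luhn check that real PANs satisfy.
func luhnValid(s string) bool {
	sum := 0
	for i := range s {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if (len(s)-1-i)%2 == 1 { // every second digit from the right is doubled
			d = d*2 - 9*(d/5) // doubled 5..9 give 10..18, whose digit sum is 2d-9
		}
		sum += d
	}
	return sum%10 == 0
}

// newMultiUseToken keeps the PAN's length and last four digits (receipts and customer service
// still work) and fills the rest with random digits. It retries until the result fails Luhn, so a
// token can never be mistaken for a real PAN, and until it is unused by any other PAN.
func (v *Vault) newMultiUseToken(pan string) string {
	for {
		t := make([]byte, len(pan)-4)
		for i := range t {
			r, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				panic(err)
			}
			t[i] = byte('0' + r.Int64())
		}
		if tok := string(t) + pan[len(pan)-4:]; !luhnValid(tok) && v.multi[tok] == "" {
			return tok
		}
	}
}

// TokenizeMultiUse returns the same token every time for the same PAN, so a merchant can
// recognise a returning card (loyalty, recurring billing, chargebacks) without storing it.
func (v *Vault) TokenizeMultiUse(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a well-formed PAN")
	}
	if t, ok := v.byPAN[pan]; ok {
		return t, nil
	}
	t := v.newMultiUseToken(pan)
	v.byPAN[pan], v.multi[t] = t, pan
	return t, nil
}

// TokenizeSingleUse returns a random transaction reference that resolves to the PAN exactly once.
func (v *Vault) TokenizeSingleUse(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a well-formed PAN")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	t := "tx_" + hex.EncodeToString(b)
	v.single[t] = pan
	return t, nil
}

// Detokenize is the processor-side lookup, never exposed to the merchant. A single-use token is
// consumed on first use; a multi-use token stays valid.
func (v *Vault) Detokenize(token string) (string, error) {
	if pan, ok := v.single[token]; ok {
		delete(v.single, token)
		return pan, nil
	}
	if pan, ok := v.multi[token]; ok {
		return pan, nil
	}
	return "", errors.New("unknown or already-used token")
}

func main() {
	v := NewVault()
	fmt.Println(v.TokenizeMultiUse("4111111111111111")) // constructed Luhn-valid test number
	fmt.Println(v.TokenizeSingleUse("4111111111111111"))
}
```

Two properties are worth keeping in a real design: the multi-use token is regenerated until it fails the Luhn check, so it can never pass as a PAN in a downstream system, and detokenization is a processor-side call the merchant cannot make. A production vault would also encrypt the stored PANs and the PAN index; this example keeps them in plain maps only to stay short.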

What the Industry is Saying:

“End to End encryption recognized as the technology with greatest potential to reduce Merchant PCI DSS compliance scope.” (PricewaterhouseCoopers review for the PCI Security Standards Council, disclosed 9/24/2009)

• PCI commissioned PwC to review technologies for reducing DSS scope.
• PwC interviewed 125 companies across 10 countries.
• Conclusion: End-to-end encryption is the most effective technology for reducing PCI DSS scope.

What the Industry is Saying:

"While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security, Visa Inc. "Using encryption as one component of a comprehensive data security program can enhance a merchant's security by eliminating any clear text data either in storage or in flight," he added.

Source: Visa Releases Global Data Encryption Best Practices, press release, San Francisco, October 5, 2009. http://corporate.visa.com/media-center/press-releases/press941.jsp

Challenges

• Encryption key management overhead
• Security “tax” model
• Standardizing encryption mode and FPE (format-preserving encryption) security requirements
• Standardizing tokenization security
• Industry inertia – nothing mandated yet!

 X9F6: X9.119 provides standards IF you choose encryption or tokenization
 SPVA (Secure POS Vendor Alliance): provides guidelines IF you choose encryption
 Visa Data Encryption Best Practices: best practices only
 PCI PTS 3.0 SRED (Secure Reading and Exchange of Data) module: only applies IF you choose encryption
 No standard definition for tokenization or its security requirements

Opportunities

• Protect data in flight and at rest throughout the entire payment lifecycle, not just point-to-point
• Reduce cost of PCI compliance and audit for merchants
• End-to-end encryption complements other technologies
   - Addresses the overlap between the time EMV is introduced and magstripe is completely removed
   - Protects data on its way to the tokenization service
• Address consumer confidence

E3™ End-to-End Encryption

• Heartland E3 Terminal
   Commercially launched May 24, 2010.
   Equipped with EMV reader.

• Heartland E3 Wedge
   Commercially launching July 2010.

Heartland E3™ End-to-End Encryption

Apply data encryption to remove sensitive data from the merchant’s environment.
 - Employ AES with 128-bit keys to protect data.
 - Encrypt data from credit and debit card swipes.
 - Encrypt data from manual entry.

Protect encryption keys, encryption operations, and clear-text data in a TRSM (tamper-resistant security module).
 - Physical protections to detect tampering.
 - Logical protections to detect and respond to tampering.

Simplify key management on encrypting devices.
 - Each device creates and manages its own keys.
 - Key change is transparent to the operator.

No junk fees or security taxes.
 - No charge related to key change.
 - No encryption fees added to transaction processing costs.
 - E3 warranty at no extra cost.
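"Remove sensitive data from the merchant's environment" means, concretely, that the clear PAN exists only inside the reader and inside the processor's key-management hardware; everything in between carries ciphertext. The Go program below is an added example for this page, not Heartland's E3 firmware or its key-management design: a hypothetical scheme (the type names, the key derivation and the envelope layout are all assumptions) in which each device holds a base key, derives a per-generation working key from it locally, and encrypts track data with AES-128-GCM so the envelope the POS forwards is both confidential and tamper-evident. The base key, device ID and track-2 string are constructed test values. The slide names AES-128 but not a mode; the mode and the authentication tag matter as much as the key length, which is why the Challenges slide lists "standardizing encryption mode" as open work.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device models the encrypting reader (the TRSM side). The base key never leaves the device; the
// processor holds its copy under an HSM. This is a simplified, hypothetical scheme, not E3's design.
type Device struct {
	id      uint32
	baseKey []byte // 16-byte AES-128 base key (assumed to be injected at manufacture)
	keyGen  uint32 // key generation; bumping it is the "transparent key change"
}

func NewDevice(id uint32, baseKey []byte) *Device { return &Device{id: id, baseKey: baseKey} }

// Envelope is all the merchant's POS and network ever see: a header naming the device and key
// generation (authenticated but not encrypted), a fresh nonce, and AES-128-GCM ciphertext.
type Envelope struct {
	DeviceID, KeyGen  uint32
	Nonce, Ciphertext []byte
}

func (e Envelope) header() []byte {
	h := make([]byte, 8)
	binary.BigEndian.PutUint32(h[:4], e.DeviceID)
	binary.BigEndian.PutUint32(h[4:], e.KeyGen)
	return h
}

// sessionKey derives the working key from the base key and the header. Both sides compute it
// locally, so a key change needs no key transport and no operator action.
func sessionKey(baseKey, header []byte) cipher.AEAD {
	m := hmac.New(sha256.New, baseKey)
	m.Write(header)
	block, err := aes.NewCipher(m.Sum(nil)[:16]) // 16-byte key selects AES-128
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Encrypt runs inside the TRSM: the clear track data exists only here.
func (d *Device) Encrypt(track []byte) Envelope {
	e := Envelope{DeviceID: d.id, KeyGen: d.keyGen, Nonce: make([]byte, 12)}
	if _, err := rand.Read(e.Nonce); err != nil {
		panic(err)
	}
	e.Ciphertext = sessionKey(d.baseKey, e.header()).Seal(nil, e.Nonce, track, e.header())
	return e
}

// RotateKey is the transparent key change: the device moves to the next generation by itself.
func (d *Device) RotateKey() { d.keyGen++ }

// Processor is the decrypting side. It knows each device's base key and the newest key generation
// it has accepted, so it can rederive the session key and refuse envelopes under a retired key.
type Processor struct {
	baseKeys map[uint32][]byte
	lastGen  map[uint32]uint32
}

func NewProcessor(baseKeys map[uint32][]byte) *Processor {
	return &Processor{baseKeys, map[uint32]uint32{}}
}

func (p *Processor) Decrypt(e Envelope) ([]byte, error) {
	base, ok := p.baseKeys[e.DeviceID]
	if !ok {
		return nil, errors.New("unknown device")
	}
	if e.KeyGen < p.lastGen[e.DeviceID] {
		return nil, errors.New("key generation already retired")
	}
	track, err := sessionKey(base, e.header()).Open(nil, e.Nonce, e.Ciphertext, e.header())
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong device or tampered envelope")
	}
	p.lastGen[e.DeviceID] = e.KeyGen
	return track, nil
}

func main() {
	base := bytes.Repeat([]byte{0x42}, 16) // constructed base key; a real device holds a random one
	dev := NewDevice(7, base)
	proc := NewProcessor(map[uint32][]byte{7: base})
	track := []byte(";4111111111111111=25121011234567890?") // constructed track-2 data with a test PAN
	env := dev.Encrypt(track)
	fmt.Println("PAN visible to the merchant:", bytes.Contains(env.Ciphertext, []byte("4111111111111111")))
	fmt.Println(proc.Decrypt(env))
}
```

Key rotation here is the device advancing its key generation; the processor rederives the key from the header and refuses envelopes under an older generation, so an envelope captured before a key change cannot be replayed after it. Nothing in the flow requires the merchant to hold, rotate or even know a key, which is the operational point behind "no charge related to key change".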

Heartland CEO says data breach was 'devastating'

Analysts say the company's response could make it a model for others. Tom Wills got it right!

Tom Wills, a senior analyst at Javelin Strategy & Research, recently compared Carr's response to the crisis with that adopted by Israeli airline El Al in the wake of a series of hijackings in the 1970s.

"El Al redesigned its security from the ground up and went on to build a reputation, one that it holds to this day, as the world's most secure airline," Wills wrote in an alert released in June 2009.

Working Together

 Foster technological innovation – apply pressure to the payments ecosystem to promote adoption of end-to-end encryption
 Uniform international laws about cybercrime
 Prosecute the bad guys – in our country or theirs
 Help us keep up with the bad guys
 Validate/test/penetration-test new technologies
 Law enforcement share information with FS-ISAC

Thank You!

Questions ??

Steven Elefant, Chief Information Officer, Heartland Payment Systems
[email protected]