Transaction Security Challenges & Solutions
|
|
- Posy Barber
- 5 years ago
- Views:
Transcription
1 Transaction Security Challenges & Solutions A REPORT FROM NEWNET COMMUNICATION TECHNOLOGIES, LLC Copyright NewNet Communication Technologies, LLC. 700 East Butterfield Road, Suite 350, Lombard, IL
2 Payment Transactions & Security Risk Payment transactions seek authorization of transactions based on card swipe or wallet taps at POS or POI devices or card data typed from computers, tablets or smartphone and presented at web pages, for a swift and secure approval from banking authorization servers. While swiftness has certainly improved over the last few decades with modem speed increasing from 300bps to high speed connections and even mobile and broadband IP networks taking this into near immediate responses, security may still be miles away from being any close to what the industry wants and customers prefer. With a major industry analysis reporting 47,000 reported security incidents and 621 confirmed data breaches in 2013 and with 2,500 data breaches and 1.1 billion compromised records in the last decade, security of transactions is a major issue that needs to be addressed from all parties in the payment ecosystem. It is relevant to consider whether this high volume of breaches indicate the lack of technology or if it is the result of the technology adoption being sub-par due to lack of awareness and understanding and in some extreme cases due to the perception that cost of security is far more than the cost of fraud or security breach itself. Reported security breaches forms a combination of physical tampering, brute force hacking, malware/spyware to capture stored data or read and decode memory area, social engineering attempts at network and database access with the intent to obtain sensitive card holder information and similar personal identity information which can be further abused for fraudulent activities including unauthorized payment and other transactions. These activities are targeted at each and every entity in the payment ecosystem including the retailers, service providers, acquirers, processors, financial institutions including banks and third party processors and providers who partake in the payment transaction processes. One of the most vulnerable areas in the payment process is the availability of card data in clear text format after the point of presentation at retail or merchant location with a POS/POI terminal or on public networks which is highly vulnerable for exposure and fraud etc, before it reaches the authorization servers. The fundamental requirement to avoid a payment fraud or data breach is to avoid sensitive data being available on devices handling card data or on public networks in clear text. Especially since this data need to traverse the public networks across multiple heterogeneous network types, it is imperative that the card data is transformed from clear text into suitable encrypted forms. Targeted devices for potential hacking and similar fraudulent activities in the payment transaction domain include ATM, POS terminal & controller, Database Server, PC based cash register, File server, Web application server and all devices which may have any role in handling payment transactions. Transaction Security Challenges & Technology Encryption is key to avoid data in clear text and this transformation of card information should happen at the very first point of card presentation. While encryption is crucial, it is also important to ensure that the encryption is done at the very first instance of presentment and with sufficient strength to avoid any brute force attacks. This will require the encryption to be based on the latest techniques to use the advanced encryption cyphers. Another key aspect of encryption is the determination of the entity that should decrypt the encrypted information and physical and network security of such devices so that those devices are not reachable for potential hackers and fraud perpetrators. The environment in which the card data encryption and decryption occurs need to be specifically verified and proven to be proof of external accesses and by default protected from any physical users in a normal scenario. This should have sufficient protection mechanisms to log any such user accesses and built in abilities to stop handling of transaction data, if any such compromise is suspected. Physical security is another key area of concern to ensure that the devices and environments dealing with card data are sufficiently protected from all unauthorized access and all authorized accesses are monitored, logged with specific assignment of responsibility and all related actions are to be handled by appropriate supervision and user authentication mechanisms.
3 Security remains a major concern for all legacy and emerging payment services, increasingly because many of these are employing innovative ways of doing transactions and involves newer levels of security requirements to handle the fraud associated with these new services. Industry standard security procedures for data encryption, network security with access restrictions, enhanced user authentication procedures, advanced standards based encrypted data exchanges and avoidance of sensitive data transfers over the public networks are the several possible ways to ensure the security for the new services. While offering the convenience of the new services it is absolutely essential to ensure that these services are not threatening to weaken any of the security barriers which the industry standards has envisaged on public IP or Dial based networks. Securing the sensitive data in secure locations including physical storage; encrypting sensitive data when subjected to transport over public networks and systems using point to point encryption(p2pe) mechanisms; secure session usages and secure transport of transaction data over public networks with no hop without security (TLS/SSL/IPsec/ HTTPS); tokenization mechanisms to involve card data surrogacy rendering transmitted payment data information useless for subsequent usages with one time tokens and avoiding card data retention; device, user, network and system authentication using Certificate authorization process(x.509); employing strong encryption technologies which can withstand brute force attacks; avoiding sensitive data storage in clear text in any systems or devices including any transient storage in memory; event tracking logs on devices for memory and data access attempts; usage of alternative one time codes or 2D codes to substitute sensitive card data with all payment transactions with Issuers private servers to host the card information for reverse lookup and approval; avoidance of card data from being transported across networks and devices represents the major mechanisms practical and applicable in the current day context to ensure the security of present day transactions and also for the emerging futuristic payment options. Along with the implementation of security practices, equally important is the routine verifications of each of the entry and exit points of the networks, perimeters of the networks, every system and device in the environment dealing with the payment traffic, database servers that hold the sensitive data and user accesses to these systems and activities performed from each of these systems and servers. NewNet Transaction Security Solutions NewNet payment transaction solutions specifically addressing security of transactions are listed below: P2PE (Point To Point Encryption) NewNet s TransKrypt security server system offers the P2PE solution for Acquirers/Processors and Service Providers working in conjunction with approved point of interaction devices that are certified for usage in a P2PE environment. The P2PE solution supported by NewNet s TransKrypt Security Server is based on ANSI X9.24 standards specified DUKPT mechanisms. The NewNet TransKrypt Security Server utilizes FIPS Level 2 HSM solution to store sensitive data like encryption keys securely and provide encryption and decryption capabilities. TransKrypt solution provides P2PE capability for Terminal Line Encryption using Derived Unique Key Per Transaction (DUKPT); working in conjunction with the NewNet AccessGuard and Total Control STG systems which aggregates, switches and routes transaction from POS devices.
4 Tokenization NewNet s secure transaction solutions provide an integrated cost-effective solution for tokenization of sensitive data. Tokenization is a process by which the primary account number (PAN) or other sensitive data is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value. The tokenizer application provides an interface for tokenizing the input data string into desired length. Similarly the token can be converted back to the original data if required. NewNet s Tokenization application is an optional part of the Security Server provided by NewNet for its customers in order to enable them to tokenize sensitive data. The application can be installed as part of the Security Server platform which complies with the security requirements. Tokenization solution uses HSM module which is a tamper proof device to store keys used for the tokenization. The HSM module ensures that the encryption keys reside on a secure device and cannot be accessed or tampered with without destroying the module. The tokenization solution need to be installed in a secure location and will talk with other authorized systems using TLS/SSL with valid certificates. Merchants can use the tokenization solution to reduce the PCI-DSS scope by storing transaction data with a token instead of the PAN, as recommended by PCI. Secure POS/POI Sessions(TLS/SSL) NewNet s AccessGuard 1000 solution can aggregate thousands of persistent and non-persistent TLS/SSL/IPSec connections and transactions. TLS/SSL cryptographic protocol provides secure communications over the Internet. The protocol allows client/server applications to communicate in a way designed to prevent eavesdropping, tampering, and message forgery. TLS/SSL involves a number of basic phases including peer negotiation for algorithm support; public key encryption-based key exchange and certificate-based authentication; symmetric cipher-based traffic encryption. The NewNet AccessGuard 1000 solution uses next generation hardware acceleration encryption engines to achieve the performance required for the financial market. This implies that with AccessGuard 1000 TLS/SSL offloader the back end systems or additional network devices are not necessary for processing any portion of the TLS/SSL traffic. By processing the entire TLS/SSL transaction, AccessGuard 1000 uses a model of receiving encrypted data from POS, decrypting transaction data, routing the transactions data based on specific transaction protocols securely over TLS/SSL/IPsec sessions towards the host system. Secure Server Sessions (IPsec/TLS/SSL) IPsec is offered for secure connection between AccessGuard 1000 / Total Control STG (AG1K/TC STG) and peer Servers or Host Servers. This includes secure connections from AG1K/TC STG systems to Authorization Host servers, Network nodes, VPN servers etc or among AG1K system. IPsec is also employed between TC STG and AG1K systems in a secure IP connection model based network architecture that connects them from a remote site to central site with TC STG or AG1K in a remote site and AG1K in a central site. Similar to TLS/SSL usage with client POS/POI devices, TLS/SSL may be used with Host servers as well. While for permanent connections with Host servers, typically IPsec is preferred. IPsec (Internet Protocol Security) comprises of a suite of protocols that provides security to Internet communications at the IP layer. The most common current use of IPsec is to provide security between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway); it can also provide end-to-end, or host-to-host, security.
5 Client/Server Certificate Authorization NewNet s Certificate Authorization system is an optional application package provided for customers in order to enable them to create and verify client certificates for their POS devices and other payment processing devices in conjunction with TLS/SSL. The package is used on industry grade Server system with secure storage capabilities. Certificate Authorization system is intended to be used as special purpose certificate authority (CA) server for acquirers, processors and service providers. This is expected to be used within a payment processor organization to ensure that devices that talk to each other via secure connections (TLS/SSL, SSH etc) are authenticated via valid certificates and thus prevent man-in-the-middle (MITM) attacks. This server application consists of CRL distribution servers as well to track the certificate validity of client devices and servers. Strong Encryptions AES (Advanced Encryption Standard) is an advanced specification for the encryption that supports key size of 192, 256 and 512 bits.3des (Triple DES) is a version of DES that en crypts a message three times using the DES 56-bit key, which is effectively 168-bit key encryption. Couple with stronger encryption mechanisms, using larger key lengths for Certificates up to 2048 bits further increases the security of the sessions. Considering the computationally intensive operations of these strong encryption methods, NewNet systems uses next generation hardware acceleration encryption processor engines to achieve the high performance and rapid transaction handling required for the financial market. About NewNet Communication Technologies NewNet Communication Technologies, LLC is a global provider of innovative solutions for next generation mobile technology. For over 25 years, NewNet has enabled global operators and equipment manufacturers to rapidly develop and deploy cutting edge, revenue generating solutions needed to build, grow and improve global communications. NewNet specializes in Mobile Messaging, Secure Transaction Transport, Interactive Voice Response, Real Time Charging and Rating, Wireless Broadband and Network Optimization solutions that have reached millions of end users in over 90 countries. Contact Us traxcominfo@newnet.com Copyright NewNet Communication Technologies, LLC. 700 East Butterfield Road, Suite 350, Lombard, IL
TransKrypt Security Server
TransKrypt Security Server Overview Security of transactions is critical as the volume of payments are growing at a faster pace from new generation mobile and broadband based IP payment terminals and devices.
More information6 Vulnerabilities of the Retail Payment Ecosystem
6 Vulnerabilities of the Retail Payment Ecosystem FINANCIAL INSTITUTION PAYMENT GATEWAY DATABASES POINT OF SALE POINT OF INTERACTION SOFTWARE VENDOR Table of Contents 4 7 8 11 12 14 16 18 Intercepting
More informationSECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO
More informationNEWNET COMMUNICATION TECHNOLOGIES PRODUCT BRIEF
STGd - THE MARKET LEADING SECURE HIGH SPEED DIAL PAYMENT TRANSACTION TRANS- PORT SYSTEM FOR CARRIER CLASS TRANSACTION NETWORKS Overview The Total Control Secure Transaction Gateway-Dial version 3.0d (STGd)
More informationTotal Control STG Secure high speed dial payment transaction transport system for carrier class transaction networks
Secure high speed dial payment transaction transport system for carrier class transaction networks OVERVIEW The Total Control Secure Transaction Gateway-Dial version 3.0d (STGd) system is the next generation,
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationGoogle Cloud Platform: Customer Responsibility Matrix. December 2018
Google Cloud Platform: Customer Responsibility Matrix December 2018 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect
More informationSegmentation, Compensating Controls and P2PE Summary
Segmentation, Compensating Controls and P2PE Summary ControlCase Annual Conference New Orleans, Louisiana USA 2016 Segmentation Reducing PCI Scope ControlCase Annual Conference New Orleans, Louisiana USA
More informationAmerican Express Online PIN & PIN Security Requirements
Frequently Asked Questions American Express Online PIN & PIN Security Requirements Contents Participants not yet Online PIN Enabled... 2 Participants planning to meet new PCI PIN Security Standards...
More informationAbout MagTek. PIN Entry & Management
About MagTek Since 1972, MagTek has been a leading manufacturer of electronic devices and systems for the reliable issuance, reading, transmission and security of cards, checks, PINs and other identification
More informationGoogle Cloud Platform: Customer Responsibility Matrix. April 2017
Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder
More informationSecure Government Computing Initiatives & SecureZIP
Secure Government Computing Initiatives & SecureZIP T E C H N I C A L W H I T E P A P E R WP 700.xxxx Table of Contents Introduction FIPS 140 and SecureZIP Ensuring Software is FIPS 140 Compliant FIPS
More informationValidated P2PE for Reduced Compliance Scope, More Peace-of-Mind
Validated P2PE for Reduced Compliance Scope, More Peace-of-Mind Customers believe companies are 70% responsible for guarding their information. 1 Whether you re prepared or not, data breaches happen. There
More informationPKI Credentialing Handbook
PKI Credentialing Handbook Contents Introduction...3 Dissecting PKI...4 Components of PKI...6 Digital certificates... 6 Public and private keys... 7 Smart cards... 8 Certificate Authority (CA)... 10 Key
More informationEvolution of Cyber Attacks
Update from the PCI Security Standards Council Troy Leach, CTO, PCI Security Standards Council Evolution of Cyber Attacks Viruses Worms Trojan Horses Custom Malware Advanced Persistent Threats 1 Modern
More informationINFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council
Use of SSL/Early TLS for POS POI Terminal Connections Date: Author: PCI Security Standards Council Table of Contents Introduction...1 Executive Summary...1 What is the risk?...1 What is meant by Early
More informationMobile Payment Application Security. Security steps to take while developing Mobile Application s. SISA Webinar.
Mobile Payment Application Security Security steps to take while developing Mobile Application s About SISA Payment Security Specialists PCI Certification Body (PCI Qualified Security Assessor) Payment
More informationPCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90
PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90 Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review
More informationAchieving End-to-End Security in the Internet of Things (IoT)
Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of
More informationSection 1: Assessment Information
Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationPayment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.
Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.0 May 2012 Document Changes Date Version Author Description April 2009
More informationAdvanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase
Advanced Certifications PA-DSS and P2PE Erik Winkler, VP, ControlCase ControlCase Annual Conference Miami, Florida USA 2017 PCI Family of Standards Ecosystem of payment devices, applications, infrastructure
More informationSecurity Update PCI Compliance
Security Update PCI Compliance (Payment Card Industry) Jeff Uehling IBM i Security Development uehling@us.ibm.com 2012 IBM Corporation PCI Requirements An Information only Presentation NOTE: These Slides
More informationDigital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October Frazier D. Evans
Digital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October 2014 Frazier D. Evans Evans_Frazier@bah.com There are four key areas that need to be investigated when talking
More informationSECURING YOUR BUSINESS INFRASTRUCTURE Today s Security Challenges & What You Can Do About Them
BROTHER SECURITY WHITE PAPER NOVEMBER 2017 SECURING YOUR BUSINESS INFRASTRUCTURE Today s Security Challenges & What You Can Do About Them The last decade has seen many exciting advances in connectivity
More informationAN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP
AN IPSWITCH WHITEPAPER The Definitive Guide to Secure FTP The Importance of File Transfer Are you concerned with the security of file transfer processes in your company? According to a survey of IT pros
More informationWill you be PCI DSS Compliant by September 2010?
Will you be PCI DSS Compliant by September 2010? Michael D Sa, Visa Canada Presentation to OWASP Toronto Chapter Toronto, ON 19 August 2009 Security Environment As PCI DSS compliance rates rise, new compromise
More informationNetwork Security and Cryptography. December Sample Exam Marking Scheme
Network Security and Cryptography December 2015 Sample Exam Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers
More informationPIN Entry & Management
PIN Entry & Management From PIN selection to PIN verification Card issuers and merchants know they can put their trust in MagTek. Whether meeting the growing need for instant, in-branch card and PIN issuance
More informationApplication of Cryptographic Systems. Securing Networks. Chapter 3 Part 4 of 4 CA M S Mehta, FCA
Application of Cryptographic Systems Securing Networks Chapter 3 Part 4 of 4 CA M S Mehta, FCA 1 Application of Cryptographic Systems Learning Objectives Task Statements 1.3 Recognise function of Telecommunications
More informationINNOVATIVE IT- SECURITY FOR THE BANKING AND PAYMENT INDUSTRY
INNOVATIVE IT- SECURITY FOR THE BANKING AND PAYMENT INDUSTRY Verisec is a Swedish IT-security company specialized in digital identity and information security solutions for the banking and payments industry.
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationPayment Card Industry Internal Security Assessor: Quick Reference V1.0
PCI SSC by formed by: 1. AMEX 2. Discover 3. JCB 4. MasterCard 5. Visa Inc. PCI SSC consists of: 1. PCI DSS Standards 2. PA DSS Standards 3. P2PE - Standards 4. PTS (P01,HSM and PIN) Standards 5. PCI Card
More informationPayment Card Industry (PCI) Point-to-Point Encryption
Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and Version 2.0 (Revision 1.1) July 2015 Document Changes Date Version Revision Description 14 September 2011 1.0 Initial release
More informationE-commerce security: SSL/TLS, SET and others. 4.1
E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:
More informationPIN Security Requirements
Payment Card Industry (PCI) PIN Security Requirements PCI SSC Modifications Summary of Significant Changes from v2.0 to v3.0 August 2018 PCI SSC Modifications to PCI PIN Security Requirements In the table
More informationSymmetric Key Services Markup Language Use Cases
Symmetric Key Services Markup Language Use Cases Document Version 1.1 - February 28, 2007 The OASIS Symmetric Key Services Markup Language (SKSML) is the proposed language/protocol that defines how a client
More informationDonor Credit Card Security Policy
Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry
More informationVerizon Software Defined Perimeter (SDP).
Verizon Software Defined Perimeter (). 1 Introduction. For the past decade, perimeter security was built on a foundation of Firewall, network access control (NAC) and virtual private network (VPN) appliances.
More informationWHITE PAPER 2019 AUTHENTICATOR WHITE PAPER
WHITE PAPER 2019 AUTHENTICATOR WHITE PAPER 1 The Background to the WIZZIT Authenticator THE EVOLUTION OF AUTHENTICATION At its most basic level, bank grade authentication is built around a simple concept
More informationComplying with RBI Guidelines for Wi-Fi Vulnerabilities
A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Reserve Bank of India (RBI) guidelines
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0
Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally
More informationSECURITY PRACTICES OVERVIEW
SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim
More informationOpting Out. Avoid Becoming the Next Breach Statistic. Copyright 2014 MAC. All Rights Reserved.
Opting Out Avoid Becoming the Next Breach Statistic Panelists and Agenda Cliff Gray, Principal, Gray Consulting Panel Moderator Ruston Miles, Chief of Innovation, Bluefin P2PE and Tokenization Troy Leach,
More informationPoint ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core
PCI PA - DSS Point ipos Implementation Guide Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core Version 1.02 POINT TRANSACTION SYSTEMS AB Box 92031,
More informationThe Interactive Guide to Protecting Your Election Website
The Interactive Guide to Protecting Your Election Website 1 INTRODUCTION Cloudflare is on a mission to help build a better Internet. Cloudflare is one of the world s largest networks. Today, businesses,
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only No
More informationMobile Security / Mobile Payments
Mobile Security / Mobile Payments Leslie K. Lambert CISSP, CISM, CISA, CRISC, CIPP/US, CIPP/G VP, Chief Information Security Officer Juniper Networks Professional Techniques - Session T23 MOBILE SECURITY
More informationSECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry
SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below
More informationProtecting Your Data in the Cloud. Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com
Protecting Your Data in the Cloud Ulf Mattsson Chief Technology Officer ulf.mattsson [at] protegrity.com Ulf Mattsson 20 years with IBM Development & Global Services Inventor of 22 patents Encryption and
More informationPayment Card Industry (PCI) PIN Security. Requirements and Testing Procedures. Version 2.0. December 2014
Payment Card Industry (PCI) PIN Security Requirements and Version 2.0 December 2014 Document Changes Date Version Description October 2011 1.0 Initial release of PCI December 2014 2.0 Initial release of
More informationCOMPLETING THE PAYMENT SECURITY PUZZLE
COMPLETING THE PAYMENT SECURITY PUZZLE An NCR white paper INTRODUCTION With the threat of credit card breaches and the overwhelming options of new payment technology, finding the right payment gateway
More informationTokenisation for PCI-DSS Compliance
Tokenisation for PCI-DSS Compliance Silver Bullet, Hype or somewhere in between? Peter Nikitser, Senior Security Architect, CSC pnikitser@csc.com 1 The Challenge with PCI-DSS Compliance Many organisations
More informationGUIDE TO STAYING OUT OF PCI SCOPE
GUIDE TO STAYING OUT OF PCI SCOPE FIND ANSWERS TO... - What does PCI Compliance Mean? - How to Follow Sensitive Data Guidelines - What Does In Scope Mean? - How Can Noncompliance Damage a Business? - How
More informationPCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90
PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90 Revision history Revision Date Author Comments 0.1 2013-10-04 Robert Hansson Created 1.0 2014-01-14 Robert Hansson Review and
More informationQuickSale for QuickBooks Version 2.2.*.* Secure Payment Solutions Client Implementation Document PA-DSS 3.2 Last Revision: 03/14/2017
QuickSale for QuickBooks Version 2.2.*.* Secure Payment Solutions Client Implementation Document PA-DSS 3.2 Last Revision: 03/14/2017 Revision Date Name Description # 1 11/08/07 CP Added sections 13 and
More informationMeeting FFIEC Meeting Regulations for Online and Mobile Banking
Meeting FFIEC Meeting Regulations for Online and Mobile Banking The benefits of a smart card based authentication that utilizes Public Key Infrastructure and additional mechanisms for authentication and
More informationIs Your Payment Card Data Secure Enough?
January 2018 Is Your Payment Card Data Secure Enough? 2018 KUBRA Is Your Payment Card Data Secure Enough? Payment Security Matters In 2007, TJX Companies (which includes TJ Maxx, HomeSense, and Marshalls)
More informationkey distribution requirements for public key algorithms asymmetric (or public) key algorithms
topics: cis3.2 electronic commerce 24 april 2006 lecture # 22 internet security (part 2) finish from last time: symmetric (single key) and asymmetric (public key) methods different cryptographic systems
More informationPCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide
PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.
More informationNetwork Security and Cryptography. 2 September Marking Scheme
Network Security and Cryptography 2 September 2015 Marking Scheme This marking scheme has been prepared as a guide only to markers. This is not a set of model answers, or the exclusive answers to the questions,
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance Merchants using Hardware Payment Terminals in a PCI SSC-Listed P2PE Solution Only No
More informationPCI PA DSS. PBMUECR Implementation Guide
Point Transaction Systems SIA PCI PA DSS PBMUECR 02.21.002 Implementation Guide Author: Filename: D01_PBMUECR_Implementation_Guide_v1_3.docx Version: 1.3 Date: 2014-07-17 Circulation: Edited : 2014-07-17
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationSchool of Computer Sciences Universiti Sains Malaysia Pulau Pinang
School of Computer Sciences Universiti Sains Malaysia Pulau Pinang Information Security & Assurance Assignment 2 White Paper Virtual Private Network (VPN) By Lim Teck Boon (107593) Page 1 Table of Content
More informationPrinciples of Information Security, Fourth Edition. Chapter 8 Cryptography
Principles of Information Security, Fourth Edition Chapter 8 Cryptography Learning Objectives Upon completion of this material, you should be able to: Chronicle the most significant events and discoveries
More informationISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview
ISACA Kansas City Chapter PCI Data Security Standard v2.0 Overview February 10, 2011 Quick Overview RSM McGladrey, Inc. Greg Schu, Managing Director/Partner Kelly Hughes, Director When considered with
More informationPCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing
PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing 1 WhiteHat Security Application Security Company Leader in the Gartner Magic Quadrant Headquartered in Santa Clara, CA 320+
More informationWebinar Tokenization 101
Webinar Tokenization 101 René M. Pelegero Retail Payments Global Consulting Group L.L.C December 15 th, 2014 Webinar Overview A description of tokenization and how the technology is being employed in the
More informationDesigning Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)
Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) January 2009 1 January 2009 Polycom White Paper: Complying with PCI-DSS Page 2 1.
More informationSecuring Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)
Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF) A Guide to Leveraging Privileged Account Security to Assist with SWIFT CSCF Compliance Table of Contents Executive Summary...
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationUsing InterSystems IRIS Data Platform for Securely Storing Credit Card Data. Solution Guide
Using InterSystems IRIS Data Platform for Securely Storing Credit Card Data Solution Guide Introduction An ever-increasing number of purchases and payments are being made by credit card. Although merchants
More informationSecure Card Reading and PIN Solutions
Secure Card Reading and PIN Solutions When it comes to Card Reader security and reliability MagneSafe Secure Card Readers & PIN Pads Merchants and retailers both online and in-store rely on MagTek. MagTek
More informationTopics. Ensuring Security on Mobile Devices
Ensuring Security on Mobile Devices It is possible right? Topics About viaforensics Why mobile security matters Types of security breaches and fraud Anticipated evolution of attacks Common mistakes that
More informationWireless LAN Security. Gabriel Clothier
Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group
More informationSecurity issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.
Security issues: Threats Methods of attack Encryption algorithms Secret-key Public-key Hybrid protocols Lecture 15 Page 2 1965-75 1975-89 1990-99 Current Platforms Multi-user timesharing computers Distributed
More informationEnforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 1 The PCI Data Security
More informationPCI PA DSS. MultiPOINT Implementation Guide
PCI PA DSS MultiPOINT 02.20.071 Implementation Guide Author: Sergejs Melnikovs Filename: D01_MultiPOINT_Implementation_Guide_v1_9_1.docx Version: 1.9.1 (ORIGINAL) Date: 2015-02-20 Circulation: Restricted
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationSecure Card Reader Authenticators
Secure Card Reader Authenticators When it comes to card reading security and reliability Merchants, retailers and financial institutions rely on MagTek. Secure card reader authenticators (SCRAs) capture
More informationThe SafeNet Security System Version 3 Overview
The SafeNet Security System Version 3 Overview Version 3 Overview Abstract This document provides a description of Information Resource Engineering s SafeNet version 3 products. SafeNet version 3 products
More informationHARDWARE SECURITY MODULES (HSMs)
HARDWARE SECURITY MODULES (HSMs) Cryptography: The basics Protection of data by using keys based on complex, randomly-generated, unique numbers Data is processed by using standard algorithms (mathematical
More informationPulseway Security White Paper
Pulseway Security White Paper Table of Contents 1. Introduction 2. Encryption 2.1 Transport Encryption 2.2 Message Encryption 3. Brute-Force Protection 4. DigiCert Code Signing Certificate 5. Datacenter
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with
More informationGIFTePay XML. SecurePay. Installation & Configuration Guide. Version Part Number: (ML) (SL)
GIFTePay XML Installation & Configuration Guide SecurePay Version 4.00 Part Number: 8662.82 (ML) 8662.83 (SL) GIFTePay XML Installation & Configuration Guide Copyright 2009 Datacap Systems Inc. All rights
More informationIT Audit and Risk Trends for Credit Union Internal Auditors. Blair Bautista, Director Bob Grill, Manager David Dyk, Manager
IT Audit and Risk Trends for Credit Union Internal Auditors Blair Bautista, Director Bob Grill, Manager David Dyk, Manager 1 AGENDA Internet Banking Authentication ATM Security and PIN Compliance Social
More information(2½ hours) Total Marks: 75
(2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationCard Issuance/Encoding & PIN Pads
Card Issuance/Encoding & PIN Pads From Card Issuance to Card Security Card Issuance/Encoding & PIN Pads Card issuers know they can put their trust in Mag- Tek. Whether meeting the growing need for instant,
More informationEvaluating Tokenization Systems
White Paper Security Evaluating Tokenization Systems Table of Contents page Abstract: Evaluating Tokenization Systems... 1 The Tokenization Model... 1 Risks and Attacks... 2 Attack 1: Guess Secret Data...
More informationCard Signature Payment Use Case (DRAFT)
Card Use Case (DRAFT) The Card Use Case maps out the lifecycle of a Card to establish a common understanding of the payment journey and serve as an educational reference guide to payment/security practitioners.
More informationCreating Trust in a Highly Mobile World
Creating Trust in a Highly Mobile World Technical White Paper Oct, 2014 MobileCrypt with Hardware Strength Security MobileCrypt s solution leverages an Android based mobile application and a Hardware Security
More informationProcessing Payments Securely in the Digital World
Processing Payments Securely in the Digital World Frank J. Leone, SVP, CTP Treasury Management Capital One Bank Mark Kemen Senior Business Analyst & Project Manager Cincinnati Bell William Cohn Head of
More informationAlcatel OmniAccess 200 Series
Alcatel OmniAccess Alcatel OmniAccess 200 Series Security Appliance The corporate enterprise s most valued asset is mission critical data whether it is accessed by only a few or many thousands of employees.
More informationThe Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels
The Devil is in the Details: The Secrets to Complying with PCI Requirements Michelle Kaiser Bray Faegre Baker Daniels 1 PCI DSS: What? PCI DSS = Payment Card Industry Data Security Standard Payment card
More informationPayment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 3.
Payment Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular Evaluation Vendor Questionnaire Version 3.1 September 2011 Document Changes Date Version Description April
More informationDynaPro Go. Secure PIN Entry Device PCI PTS POI Security Policy. September Document Number: D REGISTERED TO ISO 9001:2008
DynaPro Go Secure PIN Entry Device PCI PTS POI Security Policy September 2017 Document Number: D998200217-11 REGISTERED TO ISO 9001:2008 MagTek I 1710 Apollo Court I Seal Beach, CA 90740 I Phone: (562)
More informationSection 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016
Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
More information