P2PE - PCI DSS

Page 1: P2PE - PCI DSS


P2PE AND OTHER PCI DSS CHANGES

OCTOBER 19, 2012

Page 2: P2PE - PCI DSS

Agenda

• PCI Standards and Typical Card data flow
• Data breaches, Threats and existing Mitigation efforts
• P2PE overview and Concept
• Benefits
• Preparing for P2PE
• ControlCase P2PE offerings

Page 3: P2PE - PCI DSS

PCI Security & Compliance

PCI Family of Standards: Protection of Cardholder Payment Data

• Software Developers: PCI PA-DSS (Payment Application Data Security Standard), for Payment Application Vendors
• Merchants & Processors: PCI DSS (Data Security Standard)
• Manufacturers: PCI PTS (PIN Entry Devices)

Page 4: P2PE - PCI DSS

Typical Payment Method

Diagram: cardholder data (CHD) passes through several hops on its way to the Acquirer / PG; on each hop the data is encrypted at the communication layer only.

Page 5: P2PE - PCI DSS

Typical Payment Method

Diagram: CHD passes through the merchant systems to the Acquirer / PG; at each hop shown, the CHD may or may not be encrypted.

Page 6: P2PE - PCI DSS


Data Breaches

Page 7: P2PE - PCI DSS


Industry groups represented by percent of breaches

Source: 2012 data breach investigations report by Verizon

Page 8: P2PE - PCI DSS


Top 10 Threat Action Types by number of breaches and records

Source: 2012 data breach investigations report by Verizon

Page 9: P2PE - PCI DSS


Where should Mitigation efforts be focused?

Source: 2012 data breach investigations report by Verizon

Page 10: P2PE - PCI DSS

Addition of member in PCI Family

• Manufacturers: PCI PTS (PIN Entry Devices)
• Software Developers: PCI PA-DSS (Payment Application), for Payment Application Vendors
• Acquirers, Payment Gateways, Software Developers, KIFs (key-injection facilities): PCI P2PE
• Merchants & Processors: PCI DSS (Data Security Standard)

Page 11: P2PE - PCI DSS

What is PCI P2PE?

It is either a Solution or an Application.

P2PE Solution: A point-to-point encryption solution consists of point-to-point encryption and decryption environments, the configuration and design thereof, and the P2PE Components that are incorporated into, a part of, or interact with such environments.

P2PE Application: A software application that is included in a P2PE Solution and assessed per P2PE Domain 2 Requirements, and is intended for use on a PCI-approved point-of-interaction (POI) device or otherwise by a merchant.

P2PE Components: Any application or device that stores, processes, or transmits account data as part of payment authorization or settlement, or that performs cryptographic key management functions, and is incorporated into or a part of any P2PE Solution.

Page 12: P2PE - PCI DSS

P2PE Concept

Diagram: the POI encrypts data immediately after reading. CHD is encrypted at the POI and stays encrypted through the merchant systems and the Acquirer / PG; it is decrypted only by the HSM at the P2PE Solution Provider.

Page 13: P2PE - PCI DSS

P2PE Concept cont..

Diagram: as on the previous slide, CHD is encrypted at the POI and remains encrypted until it reaches the decryption environment.

• Decryption uses a FIPS 140-2 Level 3 (or higher) certified or PCI-approved HSM.
• POI devices are PTS devices with SRED (secure reading and exchange of data) listed as a “function provided”.
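The following Python model is an added example, not part of the original deck and not ControlCase's or PCI SSC's code. It contrasts the typical flow (encryption at the communication layer only, so every hop terminates a link and handles the clear PAN) with the P2PE flow above (the POI encrypts immediately after reading, merchant systems forward opaque ciphertext, and only the solution provider's HSM holds the decryption key). The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so the example runs on the standard library; it stands in for the keys and algorithms a real PTS SRED device and HSM use and is not what the standard prescribes. Hop names, keys, the PAN detection rule and the test PAN are all constructed.

```python
"""Added example: where clear-text cardholder data exists in a typical flow
versus a P2PE flow (encrypt at the POI, decrypt only at the solution provider's HSM).

Encryption is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, using only
the standard library; it stands in for the keys and algorithms a real PTS SRED device
and HSM use under the P2PE standard. Hop names, keys and the PAN are constructed.
"""
import hashlib
import hmac
import os
import re

# A PAN in the clear is a run of 13-19 ASCII digits (constructed detection rule).
PAN_PATTERN = re.compile(rb"\d{13,19}")
TEST_PAN = "4111111111111111"  # constructed test number, not a real account

# Constructed hop names. In the typical flow the last hop is the acquirer / PG;
# in the P2PE flow it is the decryption environment at the solution provider.
TYPICAL_HOPS = ["POI", "POS application", "store server", "merchant gateway", "acquirer / PG"]
P2PE_HOPS = ["POI (PTS SRED)", "POS application", "store server", "merchant gateway",
             "solution provider HSM"]

LINK_KEYS = [os.urandom(32) for _ in TYPICAL_HOPS[:-1]]  # one transport key per link
POI_KEY = os.urandom(32)                                 # shared only by the POI and the HSM


def _keystream(key, nonce, length):
    """PRF output in counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag, with tag = HMAC(key, nonce || ciphertext)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; reject anything modified in transit."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def handles_clear_pan(data):
    """True when the bytes a hop handles contain a clear-text PAN."""
    return PAN_PATTERN.search(data) is not None


def typical_flow(pan, hops=TYPICAL_HOPS, link_keys=LINK_KEYS):
    """Slides 4-5: encryption at the communication layer only. Each hop terminates the
    inbound link, works on the clear PAN, and re-encrypts for the next link."""
    exposed = []
    on_the_wire = pan.encode()  # the POI reads the card and hands the PAN over in the clear
    for i, hop in enumerate(hops):
        if i > 0:
            on_the_wire = decrypt(link_keys[i - 1], on_the_wire)  # transport encryption ends here
        if handles_clear_pan(on_the_wire):
            exposed.append(hop)  # this hop handles clear-text CHD and is in PCI DSS scope
        if i < len(hops) - 1:
            on_the_wire = encrypt(link_keys[i], on_the_wire)
    return exposed


def p2pe_flow(pan, hops=P2PE_HOPS, poi_key=POI_KEY):
    """Slides 12-13: the POI encrypts immediately after reading; intermediate hops only
    forward opaque ciphertext; the solution provider's HSM is the only holder of the key."""
    exposed = [hops[0]]  # the PAN exists in clear only inside the approved SCD that read it
    on_the_wire = encrypt(poi_key, pan.encode())
    for hop in hops[1:-1]:
        if handles_clear_pan(on_the_wire):  # never true: merchant systems see ciphertext only
            exposed.append(hop)
    if handles_clear_pan(decrypt(poi_key, on_the_wire)):
        exposed.append(hops[-1])
    return exposed


def tamper_rejected(key, blob):
    """True when a single flipped ciphertext byte is caught by the tag check."""
    modified = bytearray(blob)
    modified[12] ^= 0x01
    try:
        decrypt(key, bytes(modified))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("typical flow, hops handling clear PAN:", typical_flow(TEST_PAN))
    print("P2PE flow, hops handling clear PAN:   ", p2pe_flow(TEST_PAN))
```

The two return values are the point of the model: in the typical flow every hop appears in the list, which is why those systems stay in PCI DSS scope, whereas in the P2PE flow only the POI and the decryption environment do. The tag check mirrors why the POI and HSM must be approved SCDs with SRED: a merchant system that cannot read the data also cannot silently alter it without detection at the HSM.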

Page 14: P2PE - PCI DSS

Benefits

Stakeholders in the payments value chain benefit from these requirements in a variety of ways, including but not limited to the following:

• Customers may choose to implement Validated P2PE Solutions in order to reduce the scope of their PCI DSS assessments.
• Listed P2PE Solutions have been validated as compliant with the P2PE Standard by P2PE Assessors.
• Recognized by all Participating Payment Brands.

Page 15: P2PE - PCI DSS

Characteristics for Merchants Eligible for Reduced Scope for PCI DSS via P2PE Solutions

• Use a validated P2PE solution.
• Never store, process, or transmit clear-text account data within their P2PE environment outside of a PCI-approved POI device.
• Physical environment controls for POI terminals, third-party agreements, and relevant merchant policies and procedures are in place.
• Followed the P2PE Instruction Manual (PIM), provided to the merchant by the P2PE Solution Provider.
• Adequately segmented (isolated) the P2PE environment from any non-P2PE payment channels or confirmed that no other channels exist.
• Removed or isolated any legacy cardholder data, or systems that stored, processed, or transmitted cardholder data, from the P2PE environment.

Page 16: P2PE - PCI DSS

P2PE – Key Points

• It is OPTIONAL.
• P2PE scenarios (e.g. hardware-hardware).
• Requires the use of SCDs for encryption and decryption of account data and management of cryptographic keys.
• POI devices must be PCI SSC approved PTS devices with SRED (secure reading and exchange of data) listed as a “function provided.”
• HSMs must be either FIPS 140-2 Level 3 (or higher) certified or PCI-approved (listed on the PCI SSC website, with a valid SSC listing number, as Approved PCI PTS Devices under the approval class “HSM”).
• Applications with access to clear-text account data must undergo validation per all P2PE Domain 2 Requirements.

Page 17: P2PE - PCI DSS

Relationship between P2PE and other PCI standards (PCI DSS, PA-DSS, PTS, and PIN)

• POI devices must meet PIN Transaction Security (PTS) requirements validation.
• Cryptographic-key operations for both encryption and decryption environments use key-management practices derived from the PTS PIN Security Standard.
• Applications on POI devices meet requirements derived from the Payment Application Data Security Standard (PA-DSS).
• The decryption environment is PCI DSS compliant.
• The P2PE standard does not supersede or replace any requirements in the PCI PIN Security Requirements.

Page 18: P2PE - PCI DSS

PA-DSS Applicability to P2PE

• Applications used within P2PE Solutions may or may not be eligible for PA-DSS validation.
• Both are distinct PCI SSC standards with different requirements.
• Validation against one of these standards does not guarantee or provide automatic validation against the other standard.

Page 19: P2PE - PCI DSS

P2PE Domains

• Domain 1, Encryption Device Management: Use approved devices and protect devices from tampering.
• Domain 2, Application Security: Secure applications in the P2PE environment.
• Domain 3, Encryption Environment: Secure environments where POI devices are present.
• Domain 4, Transmission between Encryption and Decryption Environments: Secure operations between encryption and decryption environments.
• Domain 5, Decryption Environment and Device Management: Secure decryption environments and decryption devices.
• Domain 6, P2PE Cryptographic Key Operations: Use strong cryptographic keys and secure key-management functions.

Page 20: P2PE - PCI DSS

Domain 1

Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices

Domain 1: Encryption Device Management. Use secure encryption devices and protect devices from tampering.

Characteristics:
• POI is a PCI-approved POI device.
• POI device managed by solution provider.
• Hardware encryption performed by device.

P2PE validation Requirements:
• 1A Build PCI-approved POI devices.
• 1B Securely manage equipment used to encrypt account data.

P2PE validation Responsibility: P2PE Solution Provider

Page 21: P2PE - PCI DSS

Domain 2

Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices

Domain 2: Application Security. Secure applications in the P2PE environment.

Characteristics:
• Application on a PCI-approved POI device.
• All applications are assessed as part of the validated P2PE solution.

P2PE validation Requirements:
• 2A Protect PAN and SAD.
• 2B Develop and maintain secure applications.
• 2C Implement secure application management processes.

P2PE validation Responsibility: Application Vendor; P2PE Solution Provider

Page 22: P2PE - PCI DSS

Domain 3

Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices

Domain 3: Encryption Environment. Secure environments where POI devices are present.

Characteristics:
• No storage of CHD after transaction processes are complete.
• Within the segmented P2PE environment, no CHD is stored, processed, or transmitted through channels or methods outside an approved SCD.
• All device-administration and cryptographic operations are managed by the solution provider.
• The P2PE Instruction Manual (PIM) for merchants, with instructions on how to implement and maintain POI devices, is provided.

P2PE validation Requirements:
• 3A Secure POI devices throughout the device lifecycle.
• 3B Implement secure device management processes.
• 3C Maintain P2PE Instruction Manual for merchants.

P2PE validation Responsibility: P2PE Solution Provider

Page 23: P2PE - PCI DSS

Domain 4

Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices

Domain 4: Segmentation between Encryption and Decryption Environments. Segregate duties and functions between encryption and decryption environments.

Characteristics:
• All decryption operations managed by solution provider.
• Merchant has no access to the encryption environment (within POI device) or decryption environment.
• Merchant has no involvement in encryption or decryption operations.

P2PE validation Requirements: Domain 4 has no applicable requirements for this hardware/hardware scenario.

Page 24: P2PE - PCI DSS

Domain 5

Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices

Domain 5: Decryption Environment and Device Management. Secure decryption environments and decryption devices.

Characteristics:
• Decryption environment implemented at and managed by solution provider.
• Merchant has no access to the decryption environment.
• Decryption environment must be PCI DSS compliant.

P2PE validation Requirements:
• 5A Use approved decryption devices.
• 5B Secure all decryption systems and devices.
• 5C Implement secure device management processes.
• 5D Maintain secure decryption environment.

P2PE validation Responsibility: P2PE Solution Provider

Page 25: P2PE - PCI DSS

Domain 6

Environments with Encryption, Decryption, and Key Management within Secure Cryptographic Devices

Domain 6: P2PE Cryptographic Key Operations. Use strong cryptographic keys and secure key-management functions.

Characteristics:
• All key-management functions implemented and managed by solution provider.
• Merchant has no involvement in key management operations.

P2PE validation Requirements:
• 6A Use secure encryption methodologies.
• 6B Use secure key generation methodologies.
• 6C Distribute cryptographic keys in a secure manner.
• 6D Load cryptographic keys in a secure manner.
• 6E Ensure secure usage of cryptographic keys.
• 6F Ensure secure administration of cryptographic keys.

P2PE validation Responsibility: P2PE Solution Provider

Page 26: P2PE - PCI DSS


At a Glance – Illustration of a typical P2PE Implementation and Associated Requirements

Page 27: P2PE - PCI DSS


Developing and Validating a P2PE Solution

Note: Domain 4 is greyed out in the diagram below as there are no applicable requirements in this Domain for the current phase of P2PE.

Page 28: P2PE - PCI DSS

Overview of P2PE Solution Validation Processes

1. The P2PE Solution Provider selects a P2PE Assessor.
2. The P2PE Solution Provider then provides access to the P2PE Solution to the P2PE Assessor.
3. The P2PE Assessor determines the scope and assesses key-injection facilities, Certification Authorities and others, devices and applications.
4. Preparation of the P-ROV and Application P-ROV (if applicable) and submission to PCI SSC for review.
5. Review of the P-ROV and Application P-ROV (if applicable) by PCI SSC.

Page 29: P2PE - PCI DSS

How to Prepare for P2PE Assessment

Prepare the following:
1. Be ready with approved POI devices and HSM
2. List of applications used
3. Detailed cryptographic key matrix
4. P2PE Instruction Manual
5. Implementation Guides for applications assessed against Domain 2
6. Key-management procedures
7. Change control documentation

Page 30: P2PE - PCI DSS

Revalidation of P2PE

• Yearly Interim Assessment (Healthcheck)
• Full Re-assessment after 2 years

Page 31: P2PE - PCI DSS

ControlCase P2PE offerings

• Guidance on designing P2PE Solutions
• Review of P2PE Solution design
• Guidance on preparing the P2PE Instruction Manual
• Pre-assessment (“gap” analysis) services
• Guidance for bringing the P2PE Solution into compliance with the P2PE Standard if gaps or areas of non-compliance are noted during the assessment
• Certifying P2PE solutions and Applications

Page 32: P2PE - PCI DSS


Questions And Answers

Page 33: P2PE - PCI DSS


Thank You