FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY:

Transcription

1 FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY: PA-DSS VS P2PE ForenSecure 17 April 27, 2017

2 SPEAKER Joel Dubin, PCI QSA, PA-QSA, CISSP Senior Consultant, Application Validation -Eight years as a PA-QSA and QSA and five years in PCI for a global bank -Reviewed payment vendors from small mom-and-pop to major global companies -Conducted PA-DSS assessments in U.S., Latin America, Europe and Middle East -Scoped architectures for PCI, PA-DSS applications and P2PE

3 OVERVIEW Payment application architectures The payment application ecosystem Who is the PCI SSC? What is PA-DSS and P2PE? Current Issues with PA-DSS Growth and challenge of P2PE Advantages and Drawbacks of PA-DSS and P2PE The future of PA-DSS and payment application security

4 PAYMENT APP (POS) ARCHITECTURE I

5 PAYMENT APP (POS) ARCHITECTURE II

6 PAYMENT APP (POS) ARCHITECTURE III (P2PE)

7 WHO IS THE PCI SSC? Payment Card Industry Security Standards Council Visa MasterCard American Express Discover JCB One standard for merchants and service providers One standard for payment applications One standard for P2PE solution providers PCI PA-DSS P2PE

8 SUITE OF PCI STANDARDS Hierarchy of PCI Standards PTS è PIN-pad Level PA-DSS è Application Level PCI è Network Level P2PE è ALL OF THE ABOVE

9 WHAT IS PA-DSS? Payment Application Data Security Standard (PA-DSS) Card industry standard for payment applications

10 WHAT IS P2PE? P2PE stands for Point-to-Point Encryption Encryption of card data at the merchant point of acceptance Most frequently at the point of swipe or dip at the payment terminal Complete end-to-end encryption of card number From merchant location Through merchant network Over a public (i.e., Internet) or private network Ending at P2PE solution provider, may be a P2PE-certified acquirer

11 THE PROMISE OF P2PE The Holy Grail of P2PE in three words: PCI SCOPE REDUCTION

12 THE SIX DOMAINS OF P2PE

13 PARTS OF A P2PE SOLUTION Encryption of card data at point of swipe or dip PTS compliant PIN-pad with SRED functionality Domain 1 Key injection by P2PE solution provider or their third-party Encrypted card data flows untouched all the way out to the processor or acquirer No management of keys by merchant Key management and decryption handled by P2PE solution provider Domain 5 Decryption Domain 6 Key management

14 P2PE HIGH-LEVEL RECAP Card data is encrypted at point of swipe or dip... flows untouched through merchant environment... is never stored by the merchant at any point... encryption keys never handled by merchant... is only decrypted outside merchant at solution provider P2PE components PTS PIN-pad with SRED PIN-pads with pre-loaded keys by solution provider or their third party P2PE approved solution provider with decryption environment

15 THREE FLAVORS OF P2PE 1) All-in-one solution provider 2) Solution provider using P2PE components Outsourced PIN-pads Outsourced key injection Outsourced decryption Outsourced payment apps Domain 2 P2PE PA-DSS 3) Merchant provided solutions Segregated P2PE environment within PCI CDE Also called Hybrid P2PE solutions

16 GEOGRAPHIC SPREAD OF P2PE Europe Early adopters with regional or country-based processors Latin America One or two big processors dominate each country United States Large number of processors and acquirers, so slower to catch on Not as standardized as smaller countries but gaining traction

17 CURRENT ISSUES WITH PA-DSS Complicated and expensive assessments with PA-DSS 3.x Document and testing requirements difficult for smaller vendors Requirements for PA-QSA certification are more difficult Shrinking pool of qualified PA-QSAs and fewer SSC classes Changes in technology have removed some apps from scope Growth of P2PE and other end-to-end encryption technologies Vendors deliberately reducing releases to avoid assessments Vendors consolidating code base to reduce assessments

18 GROWTH AND CHALLENGE OF P2PE Rapidly gaining ground around the world Vendors moving toward implementing P2PE features in apps Merchants attracted to possible reduction of PCI scope But scope reduction isn t always as big as promised P2PE club is an exclusive elite but still growing Moves PCI headache from merchant to processor Moves management of payment apps from merchant to processor

19 PA-DSS VS P2PE PA-DSS P2PE Time Frame 2 to 3 months 6 months to a year Overhead 1-2 PA-QSAs Teams, sometimes multinational Reporting (ROV) About 200 pages Can be 600+ pages Implementation Assessor Training No change to merchant environment Must be QSA in good standing Must have pen test experience Must have been developer Must be CISSP Must have done two PCI ROCs >4 years experience Must pass SSC exam/requal New PIN-pads from solution provider May have to rip out plumbing Must be QSA/PA-QSA Must know encryption Must know PTS hardware Must have dev and pen testing Must have done two PCI ROCs >2 years experience in above Must pass SSC exam/requal Only about 60 P2PE QSAs

20 PA-DSS VS P2PE FAQ Will PA-DSS completely disappear as P2PE technologies advance? No. First, the SSC has a commitment to keeping PA-DSS alive and adapting it to new technologies. Second, P2PE requires significant overhead and, until now, has been a preserve of larger merchants and larger acquirers. In that case, since P2PE is so much more involved, will it buckle under and go back to PA-DSS? Not necessarily. The SSC has been streamlining the standard since it came out in 2013, and we re seeing smaller entities, other than just large acquirers entering the game. In fact, with the mix and match approach of assembling P2PE components from diverse thirdparties, it s getting easier for players to get on board.

21 PA-DSS VS P2PE FAQ (CONT D) Is P2PE the wave of the future? Yes and no. It s the current hot technology of today. But there are competitors with various types of tokenization, creative new encryption technologies and even cloud solutions challenging the traditional P2PE space. P2PE is here to stay, but it might be very different in a few years than what we re seeing today. Is there a shortage of P2PE QSAs? Absolutely, and the demand is outstripping the supply. The barriers to entry for P2PE QSAs are high and not coming down.

22 NESA P2PE AND E2E Non-Listed Encryption Solutions SSC work around for end-to-end encryption solutions that aren t fully P2PE compliant Can avoid overhead of full P2PE assessment, if applicable Must still be compliant with Domains 5 and 6 of P2PE NESA released in November 2016 by SSC Response to growth of E2E solutions resembling P2PE 1) Encryption and keys not handled by merchant 2) No card data storage by merchant 3) PTS approved PIN-pads encrypting at swipe or dip

23 FUTURE OF PA-DSS AND P2PE PA-DSS and P2PE will co-exist for the foreseeable future The decision of which to use, will be the same for the implementation of any technology: 1) Size of application vendor or merchant 2) Complexity of their environment and ease of implementation 3) Technological constraints 4) Business needs New technologies are being used and others will arise to challenge PA-DSS and P2PE in the future

24 FRUSTRATION NEVER ENDS

25 FOR MORE INFORMATION Check the PCI SSC web site:

26 MY CONTACT INFORMATION Joel Dubin, QSA, PA-QSA, CISSP Senior Consultant x7861

27 QUESTIONS?