Tim Winston, Principal, Payment Processors & P2PE
MAXIMIZE COMPLIANCE BENEFITS OF PAYMENT ENCRYPTION
AGENDA
• Coalfire At A Glance
• Solutions to Remove Payment Data From Your Environment
– Retail
– E-Commerce
– Tokenization
– Mobile payments
– EMV
• Bottom Line: Minimum Risk and Compliance
• Questions
COALFIRE AT A GLANCE
Who we are
• Thought-leader and go-to advisor in the fast-growing cybersecurity market
• More than 1,400 customers across a broad set of industry sectors
• More than 500 employees in 12 locations in North America and Europe
• Backed by The Carlyle Group and The Chertoff Group
• A sophisticated portfolio of cyber risk advisory and assessment services
• Industry-leading ethical hacking and technical testing services
• Cyber engineering services for designing, integrating, monitoring, and optimizing security systems
• Cloud-based CoalfireOne℠ enterprise risk and compliance platform, used by more than 800 clients
Who is Coalfire? What do we do?
TIM WINSTON
Education + Certifications
• Mathematics, University of Washington
• Certified Information Systems Security Professional (CISSP) – 2000
• Certified Information Systems Auditor (CISA) – 2011
• Payment Card Industry (PCI) Qualified Security Assessor (QSA) – 2010
• PCI Point-To-Point Encryption QSA (P2PE QSA) – 2013
• Visa PIN Security Assessor – 2016
SOLUTIONS TO MINIMIZE PAYMENT DATA IN YOUR ENVIRONMENT
STRATEGIES TO MINIMIZE PAYMENT DATA
• Encryption
• Tokenization
• Outsourcing
| Payment Channel | Solution |
| --- | --- |
| Retail, Kiosk, & Phone | Point-to-Point Encryption |
| Retail and Kiosk | Mobile Payments |
| Web Commerce | E-Commerce Outsourcing |
| Recurring Payments | Tokenization |
| Off-line Payments | EMV |
IMMORTAL MERCHANT DSS RESPONSIBILITIES
• Training
• Physical security of terminals
• Follow payment vendor instructions
• Vendor compliance
• Policies, risk, and scope management
• Monitoring
• Incident response
DSS SCOPE MANAGEMENT
• Number of systems that store, process, and/or transmit PAN/SAD
• Number of DSS controls applicable to a system
RETAIL SOLUTIONS
POINT-TO-POINT ENCRYPTION
6/20/2017
Encryption Point → Decryption Point
ENCRYPTION: THE POINT OF INTERACTION
Hardware or firmware encryption immediately on swipe, chip read, or entry
DECRYPTION: THE OTHER POINT
• Bank or other Acquirer
• Payment Gateway
• Payment Service Provider
KEY MANAGEMENT: THE IMITATION GAME
Encryption Device → Decryption Environment
• Key injection
• Asymmetric keys
• Derived Keys
• Identity Based Encryption
COMPLIANCE EFFORT WITH P2PE (LISTED VERSUS NON-LISTED)
Are non-PCI listed encryption solutions just as secure as PCI P2PE Solutions?
• No – most are much better than non-encrypting solutions
• Assurance of minimal security – Non-Listed Encryption Solution Assessment or other third party testing
• More solutions available – especially market specific
• Acquirer must agree annually to the reduction of controls proposed by the QSA
PCI P2PE provides a pre-validated solution for merchants.
• Limited certified solutions list doubled this year
• Healthcare, Higher Education, and Public Sector are leading
• (+) P2PE SAQ for merchants: significant reduction of controls
E-COMMERCE OUTSOURCING
REDIRECT PAYMENT FLOW
IFRAME PAYMENT FLOW
DIRECT POST PAYMENT FLOW
JAVASCRIPT FORM PAYMENT FLOW
API PAYMENT FLOW
TOKENIZATION
TOKENIZATION FLOW
DE-TOKENIZATION FLOW
EMV PAYMENTS
EMV PAYMENT FLOW
MOBILE PAYMENTS
• Still no Mobile standard for payment applications
• PCI guidelines and taskforce
• P2PE Tokenization Service Provider Standard
• FSISAC/PPISC voluntary guidelines
• Conexxus mobile working group
BOTTOM LINE
• Security concerns are ever changing
• Cyber Risk should guide your security plans
• Know your technology and security partners, don’t check the box
• There is no silver bullet – If you take credit cards you have PCI DSS Compliance responsibilities (but you can have a lot less!)