Encryption vs Tokenisation
Witham Laboratories
1/842 High Street, East Kew 3102, Melbourne, Australia. Ph: +61 3 9846 2751, Fax: +61 3 9857 0350
Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain. Ph: +34 93 184 27 88
Email: lab@withamlabs.com
PCI PTS | PCI PIN | PCI DSS | PA-DSS
Witham Laboratories: Building Confidence in Payment Systems
Slide No. 1
Slide 2. Agenda
- Protecting Cardholder Data
- Cryptography and Tokenisation 101
- What's the difference?
- Format Preserving Encryption
- P2PE and TRSM Standards 101
- Australian P2PE Implementations
- PCI SSC P2PE Activity
- Auditing Encryption and Tokenisation
Slide 3. Protecting Cardholder Data
- PCI DSS scope = all systems which store, process or transmit card data
- Render sensitive elements inaccessible: PAN, track data, online PIN block, CVV2
  - Req. 3.4 (storage), 4.1 (transmission)
- Prevents exposure of card data: comms / storage does not reveal card data
  - Prevents line tapping / memory attacks
- Encryption & tokenisation are both referenced
Slide 4. Cryptography 101
- Encryption is a keyed reversible function
  - Output 'looks' different to the input data
  - Generally encrypts data in 'blocks'
- Use standardised encryption algorithms: AES, TDES, ECC, RSA
- Security is dependent on the 'key'
  - The key is just a 'big' number
  - Good key management is vital
- 'Attack surface' = the key and the use of the key
Slide 5. Tokenisation 101
- Replace the PAN with a 'reference number'
  - Same format, 'looks' like card data
- PAN not necessary after the transaction
  - Token can be used instead
  - Minimises access to card data
- Tokenisation system can 'restore' the PAN
  - Tokenisation is a reversible process
- How is this done?
Slide 6. Tokenisation 101
- Lots of different tokenisation methods
  - Cryptography, look-up, proprietary
  - What are the pros / cons of each?
- Beware systems based on global secrets
  - Exploit one system, expose many
- 'Attack surface' depends on:
  - Method of tokenisation used
  - Systems involved in the tokenisation method
- Tokenisation and encryption share some similarities ...
Slide 7. Encryption - Visualisation
- Encryption maps a value from the input domain to a value in the output domain
[Figure: input domain 0 to 2^(block size), encryption algorithm under the key, output domain 0 to 2^(block size)]

Slide 8. Encryption - Visualisation
- Different input values have different output values, based on the value and the key
[Figure: as on slide 7]

Slide 9. Encryption - Visualisation
- Changing the key changes the output values for the same input values
[Figure: as on slide 7, with a second key (Key 2)]

Slide 10. Encryption - Visualisation
- The key, and the use of the key, define the attack surface; the algorithm is public
[Figure: as on slide 9]
Slide 11. Tokenisation - Visualisation
- Tokenisation is similar: input values are mapped to output values based on secret(s)
[Figure: input domain from lowest to highest PAN value, tokenisation system (key? DB? server?), output domain from lowest to highest PAN value]

Slide 12. Tokenisation - Visualisation
- Here the attack surface is not as well defined; it may be a key, a DB, a server, or something else
[Figure: as on slide 11]
Slide 13. What's the difference?
- Similarities?
  - 1:1 reversible mapping of input ↔ output
  - Security dependent on secret(s)
- Differences?
  - Encryption: lots of study, security standards / products; well known attack methods & mitigations; may not 'play nice' with existing systems
  - Tokenisation: no standards, little study, but compatible ...
- Compromise?
Slide 14. Format Preserving Encryption
- 'Normal' encryption assumes all data is unformatted binary data
  - Any formatting is 'lost' during encryption
  - Problem for format dependent systems, e.g. databases, existing protocols, data capture devices (e.g. PINPads)
- Format preserving encryption (FPE) = encryption without loss of formatting
  - Combines encryption & tokenisation
Slide 15. FPE Common Features
- Feistel cipher construction
  - Round function = AES, Triple DES
  - Systems may modify the inputs for each round
  - Round function output truncated to the FPE block size
  - Remap input / round function output as required
- Encrypt with multiple Feistel rounds
  - Number of rounds, re-mapping: depends on the cipher
  - These details can be important ...
- May only encrypt the middle digits of a PAN
  - Ensures the card type and the Luhn check are still valid
Slide 16. Feistel Cipher
[Figure: one Feistel round, for any round 'n'; repeat as necessary ...]
Slide 17. FPE Algorithm Example
- EG: Encrypt PAN 4123456789012349
  - Discard Luhn check
  - Mod 10 addition
- Output PAN = 4748232137547657
  - Recalculate Luhn check
- Both the input and the output PAN pass the Luhn check (the Luhn-weighted digit sum is 80 in each case)
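A worked version of the recipe on slides 15 to 17, added here as an example and not taken from the deck: a toy digit-domain Feistel FPE that drops the Luhn check digit, runs an even number of rounds with mod-10 addition, and recomputes the check digit, with an option to keep a leading prefix (the BIN) so that only the middle digits are encrypted. Assumptions: HMAC-SHA256 stands in for the AES/TDES round function the slide names, the key and round count are made up, and the output will therefore not match the slide's 4748232137547657 (the slide's key and per-round details are not on the page).

```python
import hashlib
import hmac

# Added example, not from the deck: a toy digit-domain Feistel FPE for PANs
# following the slide's recipe (drop the Luhn check digit, Feistel rounds with
# mod-10 addition, recompute the check digit). Assumptions: HMAC-SHA256 stands
# in for the AES/TDES round function; the key and the round count are made up.

ROUNDS = 10  # must be even so the halves return to their original lengths


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # The rightmost payload digit ends up next to the check digit, so it is
    # the first one doubled when walking from the right.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, n_out: int) -> list:
    """Keyed round function remapped into n_out decimal digits. The round
    number and a tweak (the preserved PAN prefix) are mixed in so the same
    key yields a different mapping per round and per prefix."""
    mac = hmac.new(key, tweak + bytes([rnd]) + half.encode("ascii"), hashlib.sha256).digest()
    # Truncate to n_out bytes, then remap bytes to digits. byte % 10 is slightly
    # biased towards 0-5; a production FPE needs an unbiased remapping.
    return [b % 10 for b in mac[:n_out]]


def _add_mod10(digits: str, f: list, sign: int) -> str:
    """Digit-wise (digit + sign * f) mod 10: the slide's 'mod 10 addition'."""
    return "".join(str((int(a) + sign * b) % 10) for a, b in zip(digits, f))


def _feistel(key: bytes, tweak: bytes, digits: str, encrypt: bool) -> str:
    """Unbalanced Feistel over a digit string. Each round: c = a + F(b), then
    (a, b) = (b, c). Decryption runs the rounds backwards."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    if encrypt:
        for rnd in range(ROUNDS):
            c = _add_mod10(a, _round_fn(key, tweak, rnd, b, len(a)), +1)
            a, b = b, c
    else:
        for rnd in reversed(range(ROUNDS)):
            prev_b = a  # undo the swap
            prev_a = _add_mod10(b, _round_fn(key, tweak, rnd, prev_b, len(b)), -1)
            a, b = prev_a, prev_b
    return a + b


def fpe_encrypt_pan(key: bytes, pan: str, keep_prefix: int = 0) -> str:
    """Keep keep_prefix leading digits (e.g. the 6-digit BIN so the card type
    stays recognisable), drop the check digit, encrypt the rest, recompute."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails the Luhn check")
    prefix, body = pan[:keep_prefix], pan[keep_prefix:-1]
    if len(body) < 2:
        raise ValueError("too few digits to encrypt")
    enc = _feistel(key, prefix.encode("ascii"), body, True)
    return prefix + enc + luhn_check_digit(prefix + enc)


def fpe_decrypt_pan(key: bytes, token: str, keep_prefix: int = 0) -> str:
    if not luhn_valid(token):
        raise ValueError("token fails the Luhn check")
    prefix, body = token[:keep_prefix], token[keep_prefix:-1]
    dec = _feistel(key, prefix.encode("ascii"), body, False)
    return prefix + dec + luhn_check_digit(prefix + dec)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"  # assumption
    pan = "4123456789012349"                          # the slide's input PAN
    tok = fpe_encrypt_pan(key, pan)
    print(pan, "->", tok, "| Luhn ok:", luhn_valid(tok),
          "| round trip:", fpe_decrypt_pan(key, tok) == pan)
    tok6 = fpe_encrypt_pan(key, pan, keep_prefix=6)  # BIN kept, middle digits encrypted
    print(pan, "->", tok6, "| BIN kept:", tok6[:6] == pan[:6])
```

Two points the code makes that the slide only hints at: the preserved prefix is fed into every round as a tweak, so a token is bound to its BIN and the same middle digits under two BINs encrypt differently; and keeping six digits plus the check digit leaves only nine encrypted digits (10^9 values), which is why "may only encrypt the middle digits" is a trade-off, not a free win. For anything beyond illustration use a standardised FPE mode (NIST SP 800-38G FF1 / FF3-1), not a home-grown Feistel.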
Slide 18. Encryption Implementations
- FPE most often used in (DB) servers
  - Provides 'transparent' encryption and is used for tokenisation
- FPE increasingly a feature in PINPad SW
  - Also in encrypting MSRs, credit terminals
  - Encrypt data without 'breaking' POS SW
- Encryption of comms for PCI DSS
  - Called 'Point to Point Encryption' (P2PE)
  - FPE not always used / required
- What standards exist?
Slide 19. P2PE Standards 101
- ISO 10894* "Procedures for Message Encipherment"
- ANSI X9.119* "Protection of Sensitive Data between Device and Acquiring System"
- PCI SSC: PTS v3 'SRED' & P2PE reqs*
- Localised / industry associations and SIGs: SPVA, ATMIA, PCI SIGs, Visa & MC, AS2805.9
- Secure HW (TRSM) is often required
Slide 20. TRSM Standards 101
- FIPS 140-2: four approval levels (1 - 4)
  - L1 generally for SW only: no HW security
  - L2 some tamper-evident HW security
  - L3 provides some tamper response
  - L4 full security envelope (hardest level)
- PCI PTS (previously PCI PED)
  - v1 & v2 = PIN security only, v3 has SRED
- APCA PED covers PIN security
  - From 2010 requires AS2805.9 keys
Slide 21. Australian EFTPOS Standard(s)
- AS2805 = Australian Standard for EFTPOS
  - Key management, encryption, message formats, payment processing
  - Each bank has their own 'interpretation'
- AS2805.9 defines message encryption
- AS2805.6.x defines key management
  - Unique key per transaction (AS2805.6.2)
  - Unique key each day / 256 transactions (AS2805.6.4)
  - AS2805.6.5.3 for RSA key loading
- Watch your key lengths!
Slide 22. AS2805.9
- Encryption of each EFTPOS message
  - Extract non-sensitive elements
  - Encrypt whole message with TDES OFB
    - Stream mode of TDES; plaintext XORed with the key stream (not FPE)
  - Replace non-sensitive elements and send
- Things to be aware of:
  - OFB: same key (and IV) = same key stream
  - The same key stream on different transactions allows recovery of transmitted data
  - AS2805.6.4 keeps the same key for many transactions
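What "same key stream on different transactions" costs in practice, as an added example that is not part of the deck: an OFB key stream depends only on the key and IV, so two messages encrypted under the same pair XOR to the XOR of their plaintexts, and one known message (say, the attacker's own transaction on a tapped line) hands over every other message of the same length. Assumptions: the block cipher is a SHA-256-based stand-in for TDES truncated to the 8-byte block size, the session key and IV are made up, and the messages are constructed and only loosely resemble an EFTPOS message; the weakness is the mode plus key/IV reuse, not the block function.

```python
import hashlib
import os

# Added example, not from the deck: why reusing an OFB key stream across
# transactions gives the data away. Assumption: the block cipher is SHA-256
# of (key || block) truncated to the 8-byte TDES block size; the weakness is
# in the mode and the key/IV reuse, not in the block function. The messages
# are constructed and only loosely resemble an EFTPOS message.

BLOCK_SIZE = 8


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR up to the length of the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB: O_0 = IV, O_i = E_K(O_(i-1)); key stream = O_1 || O_2 || ...
    It depends only on (key, IV), never on the plaintext."""
    out = bytearray()
    o = iv
    while len(out) < length:
        o = _block_encrypt(key, o)
        out.extend(o)
    return bytes(out[:length])


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the key stream."""
    return _xor(data, ofb_keystream(key, iv, len(data)))


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """With one key stream under both ciphertexts, c1 ^ c2 == p1 ^ p2.
    Zero bytes mark positions where the two messages carry the same content,
    which already leaks the message layout without any key."""
    return _xor(c1, c2)


def recover_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Known-plaintext attack: c_known ^ p_known is the key stream, so every
    other message under the same (key, IV) is readable for as many bytes as
    the known message covers."""
    return _xor(c_target, _xor(c_known, p_known))


if __name__ == "__main__":
    key = b"session-key-demo"  # assumption: one session key kept for many transactions
    iv = bytes(BLOCK_SIZE)     # assumption: fixed IV (any repeated IV behaves the same)
    # Constructed messages: same layout, different card and amount.
    p_known = b"0200|PAN=4123456789012349|AMT=000001050|STAN=000123"   # attacker's own transaction
    p_target = b"0200|PAN=4987654321098769|AMT=000250000|STAN=000124"  # another customer's
    c_known = ofb_crypt(key, iv, p_known)
    c_target = ofb_crypt(key, iv, p_target)
    print("recovered     :", recover_plaintext(c_known, p_known, c_target))
    print("p1 ^ p2 (hex) :", xor_of_plaintexts(c_known, c_target).hex())
    # Fix: a fresh IV per message, or a unique key per transaction (AS2805.6.2 style).
    c_fresh = ofb_crypt(key, os.urandom(BLOCK_SIZE), p_target)
    print("with fresh IV :", recover_plaintext(c_known, p_known, c_fresh))
```

The `xor_of_plaintexts` output is worth looking at even without a known message: the leading zero bytes show exactly which bytes of the two messages agree (the shared message type and field labels), so a tapper can align field boundaries and then guess fixed fields to peel the rest. The audit question on slide 26, "key sizes and IVs for stream cipher modes", is asking precisely whether this pair (key, IV) ever repeats.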
Slide 23. PCI SSC P2PE Activity
- Released 'Initial Roadmap: P2PE Technology and PCI DSS Compliance'
  - Referenced the SRED standard for devices
  - Discussed release of audit reqs in 2011
- Development is ongoing (under NDA)
  - What can I talk about?
  - SRED is designed for securing card data
  - PCI PIN reqs cover key management
- 2011 will be an interesting year ...
Slide 24. What is SRED?
- SRED stands for "Secure Reading and Exchange of Data"
  - "Data" refers to cardholder data
- A module of the PCI PTS v3.0 standard
  - PTS = PIN Transaction Security
- Applies to devices that provide "account data protection" functionality
  - Encryption at the Point Of Interaction (POI)
- Expect to hear more about SRED soon
Slide 25. SRED Device Block Diagram
[Figure: SRED device block diagram]
Slide 26. Audit of Encryption Solutions
- What encryption algorithm & modes?
  - Beware anything not AES, TDES, ECC, RSA
- Key management: who and how?
  - Dual control and split knowledge
  - Unique keys per device / use
  - Key sizes and IVs for stream cipher modes
- Encryption in a TRSM? What standard?
  - Are you sure?? HW, FW, App, context
- Where is plaintext card data accessible?
  - All possible inputs / outputs? Whitelists?

Contenu connexe

Similaire à Encryption vs tokenisation (for share)

Securing embedded systems (for share)
Securing embedded systems (for share)Securing embedded systems (for share)
Securing embedded systems (for share)AndrewRJamieson
 
Encryptionvstokenisationforshare
EncryptionvstokenisationforshareEncryptionvstokenisationforshare
EncryptionvstokenisationforshareAndrewRJamieson
 
Hellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper ProductsHellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper ProductsThorne & Derrick International
 
Wearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 PandemicWearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 PandemicSaibal Bishnu
 
2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog Siwali2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog SiwaliPT. Siwali Swantika
 
AMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data SheetAMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data SheetPaul Harrison J.P.
 
Data Centre Optimization
Data Centre OptimizationData Centre Optimization
Data Centre Optimization6PM Solutions
 
PINsafe by SWIVEL
PINsafe by SWIVELPINsafe by SWIVEL
PINsafe by SWIVELajldr
 
30052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_130052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_1Nguyen Hien
 
China Telecom - China Data Centers
China Telecom - China Data CentersChina Telecom - China Data Centers
China Telecom - China Data CentersBrian Trentacost
 
0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application Notes0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application NotesTristan King
 
Facility monitoring system; ATU3
Facility monitoring system; ATU3Facility monitoring system; ATU3
Facility monitoring system; ATU3Linkwise Technology
 
Facility Monitoring System; Ac100
Facility Monitoring System; Ac100Facility Monitoring System; Ac100
Facility Monitoring System; Ac100Linkwise Technology
 
Circular Voice Coil Actuator
Circular Voice Coil ActuatorCircular Voice Coil Actuator
Circular Voice Coil Actuatorjuliangoal
 

Similaire à Encryption vs tokenisation (for share) (20)

Securing embedded systems (for share)
Securing embedded systems (for share)Securing embedded systems (for share)
Securing embedded systems (for share)
 
Encryptionvstokenisationforshare
EncryptionvstokenisationforshareEncryptionvstokenisationforshare
Encryptionvstokenisationforshare
 
Mobile payments v1 1
Mobile payments v1 1Mobile payments v1 1
Mobile payments v1 1
 
Hellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper ProductsHellermann Tyton Fibre Optic, Telecom & Copper Products
Hellermann Tyton Fibre Optic, Telecom & Copper Products
 
Wearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 PandemicWearable Wristband for Workplace Safety during Covid-19 Pandemic
Wearable Wristband for Workplace Safety during Covid-19 Pandemic
 
Portable pH Meter for Process Measurement
Portable pH Meter for Process MeasurementPortable pH Meter for Process Measurement
Portable pH Meter for Process Measurement
 
Mk9500
Mk9500Mk9500
Mk9500
 
Atel Value Proposition
Atel Value PropositionAtel Value Proposition
Atel Value Proposition
 
2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog Siwali2019 Network Test Measurement | Catalog Siwali
2019 Network Test Measurement | Catalog Siwali
 
AMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data SheetAMSEC DHS Bourke Street Data Sheet
AMSEC DHS Bourke Street Data Sheet
 
Cryptography&Security
Cryptography&SecurityCryptography&Security
Cryptography&Security
 
Data Centre Optimization
Data Centre OptimizationData Centre Optimization
Data Centre Optimization
 
PINsafe by SWIVEL
PINsafe by SWIVELPINsafe by SWIVEL
PINsafe by SWIVEL
 
30052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_130052909 ifu magellan7-0_english_v1_1
30052909 ifu magellan7-0_english_v1_1
 
Catalogo general unitronics 2010
Catalogo general unitronics 2010Catalogo general unitronics 2010
Catalogo general unitronics 2010
 
China Telecom - China Data Centers
China Telecom - China Data CentersChina Telecom - China Data Centers
China Telecom - China Data Centers
 
0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application Notes0015-D17V4 PLC Application Notes
0015-D17V4 PLC Application Notes
 
Facility monitoring system; ATU3
Facility monitoring system; ATU3Facility monitoring system; ATU3
Facility monitoring system; ATU3
 
Facility Monitoring System; Ac100
Facility Monitoring System; Ac100Facility Monitoring System; Ac100
Facility Monitoring System; Ac100
 
Circular Voice Coil Actuator
Circular Voice Coil ActuatorCircular Voice Coil Actuator
Circular Voice Coil Actuator
 

Dernier

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Dernier (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Encryption vs tokenisation (for share)

  • 1. Encryption vs Tokenisation Witham Laboratories Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 1
  • 2. Agenda Protecting Cardholder Data Cryptography and Tokenisation 101 What’s the difference? Format Preserving Encryption P2PE and TRSM Standards 101 Australian P2PE Implementations PCI SSC P2PE Activity Auditing Encryption and Tokenisation Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 2
  • 3. Protecting Cardholder Data PCI DSS scope = all systems which store/process/transmit card data Render sensitive elements inaccessible PAN, track data, online PIN block, CVV2 Req. 3.4 (storage), 4.1 (transmission) Prevents exposure of card data Comms / storage does not reveal card data Prevents line tapping / memory attacks Encryption & tokenisation referenced Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 3
  • 4. Cryptography 101 Encryption is a keyed reversible function Output ‘looks’ different to input data Generally encrypts data in ‘blocks’ Use standardised encryption algos AES, TDES, ECC, RSA Security is dependant on the ‘key’ The key is just a ‘big’ number Good key management is vital ‘Attack surface’ = key and use of key Witham Laboratories 1/842 High Street East Kew 3102 Melbourne Australia Ph: +61 3 9846 2751 Fax: +61 3 9857 0350 Rambla de Catalunya 38, 8 planta 08007 Barcelona Spain Ph: +34 93 184 27 88 Email: lab@withamlabs.com PCI PTS PCI PIN PCI DSS PA-DSS Witham Laboratories Building Confidence in Payment Systems Slide No. 4
  • 5. Tokenisation 101
    • Replace PAN with a ‘reference number’ of the same format, so it ‘looks’ like card data
    • PAN not necessary after the transaction; the token can be used instead, minimising access to card data
    • Tokenisation system can ‘restore’ the PAN, so tokenisation is a reversible process
    • How is this done?
  • 6. Tokenisation 101
    • Lots of different tokenisation methods: cryptography, look-up, proprietary. What are the pros / cons of each?
    • Beware systems based on global secrets: exploit one system, expose many
    • ‘Attack surface’ depends on the method of tokenisation used and the systems involved in that method
    • Tokenisation and encryption share some similarities …
  • 7. Encryption - Visualisation
    • Encryption maps a value from the input domain to a value in the output domain
    • [Diagram: Encryption Algo with Key; input domain 0 … 2^(block size), output domain 0 … 2^(block size)]
  • 8. Encryption - Visualisation
    • Different input values have different output values, based on the value and the key
    • [Diagram as on slide 7]
  • 9. Encryption - Visualisation
    • Changing the key changes the output values for the same input values
    • [Diagram as on slide 7, with Key 2]
  • 10. Encryption - Visualisation
    • The key, and the use of the key, define the attack surface – the algorithm is public
    • [Diagram as on slide 7, with Key 2]
  • 11. Tokenisation - Visualisation
    • Tokenisation is similar – input values mapped to output values based on secret(s)
    • [Diagram: Tokenisation System (secret = ?? Key / DB / Server); input domain lowest PAN value … highest PAN value, output domain lowest PAN value … highest PAN value]
  • 12. Tokenisation - Visualisation
    • Here the attack surface is not as well defined – it may be a key, DB, server, or other
    • [Diagram as on slide 11]
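As an added illustration of the ‘look-up’ tokenisation method from slide 6 (example code, not from the presentation), the Python class below keeps a PAN-to-token table and hands out random tokens of the same length and alphabet as the PAN. There is no key: the table itself is the secret, which is why slides 11 and 12 put the attack surface on the database and the servers around it rather than on a key. The format choice (keep the first 6 and last 4 digits, randomise the middle) and the sample PANs (public test card numbers) are assumptions made for the example.

```python
import secrets

# Constructed sample input: the public Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Look-up (vault) tokeniser: PAN -> random token, stored in a protected table.

    Nothing cryptographic ties token to PAN, so whoever can read the table or call
    detokenise() recovers every PAN the vault has ever seen. One vault shared by
    many systems is therefore a 'global secret' in the sense of slide 6.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    @staticmethod
    def _random_token(pan: str) -> str:
        """Same length and digit alphabet as the PAN. Keeping the first 6 and last 4
        digits is an assumed design choice; only the middle digits are random."""
        middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
        return pan[:6] + middle + pan[-4:]

    def tokenise(self, pan: str) -> str:
        """Return the existing token for this PAN, or mint a fresh random one."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = self._random_token(pan)
            # Reject a collision with an existing token and the identity mapping.
            if token not in self._token_to_pan and token != pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Restore the PAN. Only the system holding the vault can do this."""
        return self._token_to_pan[token]
```

Because the reverse mapping lives entirely in the table, the audit questions on slide 29 (where is the table, which systems can query it, does one compromise expose many PANs) are the whole story for this method; there is no key size or algorithm to assess.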
  • 13. What’s the difference?
    • Similarities? 1:1 reversible mapping of input ↔ output; security dependent on secret(s)
    • Differences? For encryption: lots of study, security standards/products, well known attack methods & mitigations, but it may not ‘play nice’ with existing systems. Tokenisation: no standards, little study, but compatible …
    • Compromise?
  • 14. Format Preserving Encryption
    • ‘Normal’ encryption assumes all data is unformatted binary data; any formatting is ‘lost’ during encryption
    • Problem for format dependent systems, e.g. databases, existing protocols, data capture devices (e.g. PINPads)
    • Format preserving encryption (FPE) = encryption without loss of formatting
    • Combines encryption & tokenisation
  • 15. FPE Common Features
    • Feistel cipher construction; round function = AES, Triple DES
    • Systems may modify inputs for each round; round function output truncated to the FPE block size; remap input / round function output as required
    • Encrypt with multiple Feistel rounds; the number of rounds and the re-mapping depend on the cipher. These details can be important …
    • May only encrypt the middle digits of a PAN; ensures card type and Luhn check still valid
  • 16. Feistel Cipher
    • For any round ‘n’
    • Repeat as necessary …
  • 19. Recalculate Luhn check
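Slides 14 to 17 describe FPE as a Feistel network whose keyed round function is truncated to the FPE block size, applied only to the middle digits of a PAN, with the Luhn check digit recalculated afterwards. The Python below is an added worked example of that structure (not the presentation’s code and not the NIST FF1/FF3 modes): it runs a digit-domain Feistel network over the middle six digits, keeps the issuer prefix and trailing digits, and recomputes the check digit so the output still passes a PAN validity check. HMAC-SHA256 stands in for the AES/TDES round function so the example needs only the standard library; the key, the 6/4 split, the round count and the sample PANs (public test card numbers) are assumptions. Changing the key changes the mapping, which is the point of slides 7 to 10.

```python
import hashlib
import hmac

# Constructed sample key; a production key would live in a TRSM/HSM.
SAMPLE_KEY = b"example-fpe-key-not-for-production"
# Constructed input: the public Visa test number (Luhn-valid, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of the partial number is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def _round_fn(key: bytes, round_no: int, half: str, width: int) -> int:
    """Keyed round function truncated to `width` decimal digits (slide 15).
    HMAC-SHA256 is a stand-in for the AES/TDES round function the slides name."""
    mac = hmac.new(key, bytes([round_no]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def feistel_digits(key: bytes, digits: str, rounds: int = 8, decrypt: bool = False) -> str:
    """Toy digit-domain Feistel network: output keeps the input's length and alphabet.

    Halves may be unequal (odd lengths). Addition mod 10^m replaces XOR so the result
    stays decimal. `rounds` must be even so the halves finish in their original order.
    """
    if not digits.isdigit() or len(digits) < 2 or rounds % 2:
        raise ValueError("need >= 2 decimal digits and an even round count")
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for r in range(rounds):
            m = len(a)
            c = (int(a) + _round_fn(key, r, b, m)) % (10 ** m)
            a, b = b, str(c).zfill(m)
    else:  # undo the rounds in reverse order
        for r in reversed(range(rounds)):
            m = len(b)
            c = (int(b) - _round_fn(key, r, a, m)) % (10 ** m)
            a, b = str(c).zfill(m), a
    return a + b


def _split(pan: str, keep_lead: int, keep_trail: int):
    cut = len(pan) - keep_trail
    return pan[:keep_lead], pan[keep_lead:cut], pan[cut:]


def fpe_encrypt_pan(key: bytes, pan: str, keep_lead: int = 6, keep_trail: int = 4) -> str:
    """Encrypt only the middle digits; keep the leading and trailing digits; then
    recalculate the Luhn check digit (slide 17) so the result still looks like a PAN."""
    if not luhn_valid(pan) or len(pan) - keep_lead - keep_trail < 2:
        raise ValueError("PAN must be Luhn-valid with at least 2 middle digits")
    head, middle, tail = _split(pan, keep_lead, keep_trail)
    body = head + feistel_digits(key, middle) + tail[:-1]  # drop the old check digit
    return body + luhn_check_digit(body)


def fpe_decrypt_pan(key: bytes, enc: str, keep_lead: int = 6, keep_trail: int = 4) -> str:
    """Inverse of fpe_encrypt_pan: the original check digit is recomputed, not stored."""
    head, middle, tail = _split(enc, keep_lead, keep_trail)
    body = head + feistel_digits(key, middle, decrypt=True) + tail[:-1]
    return body + luhn_check_digit(body)
```

Note what the format preservation costs: because the leading digits and most trailing digits are carried through unchanged, only the encrypted middle digits are secret, which is exactly why slide 15 says the round count and re-mapping details matter and why slide 29 asks for evidence of peer review of the construction.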
  • 20. Encryption Implementations
    • FPE most often used in (DB) servers: provides ‘transparent’ encryption and is used for tokenisation
    • FPE increasingly a feature in PINPad SW; also in encrypting MSRs, credit terminals; encrypts data without ‘breaking’ POS SW
    • Encryption of comms for PCI DSS, called ‘Point to Point Encryption’ (P2PE); FPE not always used / required
    • What standards exist?
  • 21. P2PE Standards 101
    • ISO 10894* “Procedures for Message Encipherment”
    • ANSI X9.119* “Protection of Sensitive Data between Device and Acquiring System”
    • PCI SSC: PTS v3 ‘SRED’ & P2PE reqs*
    • Localised/industry associations and SIGs: SPVA, ATMIA, PCI SIGs, Visa & MC, AS2805.9
    • Secure HW (TRSM) is often required
  • 22. TRSM Standards 101
    • FIPS 140-2: four approval levels (1 – 4)
      • L1 generally for SW only – no HW security
      • L2 some tamper evident HW security
      • L3 provides some tamper response
      • L4 full security envelope (hardest level)
    • PCI PTS (previously PCI PED): v1 & v2 = PIN security only, v3 has SRED
    • APCA PED covers PIN security; from 2010 requires AS2805.9 keys
  • 23. Australian EFTPOS Standard(s)
    • AS2805 = Aus. Standard for EFTPOS: key management, encryption, message formats, payment processing
    • Each bank has their own ‘interpretation’
    • AS2805.9 defines message encryption
    • AS2805.6.x defines key management: unique per transaction (AS2805.6.2); unique each day / 256 trans (AS2805.6.4); AS2805.6.5.3 for RSA key loading
    • Watch your key lengths!
  • 24. AS2805.9
    • Encryption of each EFTPOS message: extract non-sensitive elements; encrypt whole message with TDES OFB (stream mode of TDES; XOR with the key stream, not FPE); replace non-sensitive elements and send
    • Things to be aware of:
      • OFB: same key = same key stream. Same key stream on different transactions allows for recovery of transmitted data
      • AS2805.6.4 keeps the same key for many trans
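The key stream reuse warning on slide 24 (and the “IVs for stream cipher modes” audit item on slide 28) can be checked concretely. The Python below is an added example, not from the presentation or from AS2805: it implements OFB mode over a stand-in 8-byte block function (HMAC-SHA256 truncated to the TDES block size, used so the example runs with only the standard library), shows that two messages protected under the same key and IV XOR to the XOR of their plaintexts, and gives the two defender-side checks that follow: verify a fresh IV (or, per AS2805.6.2, a fresh key) is used per message, and scan a message log for repeated (key id, IV) pairs. The key, IVs and message contents are constructed.

```python
import hashlib
import hmac
import secrets

BLOCK = 8  # TDES block size in bytes; the stand-in block function mirrors it

# Constructed sample session key; real keys are managed per AS2805.6.x in a TRSM.
SAMPLE_KEY = b"example-session-key-not-for-production"


def _block(key: bytes, inp: bytes) -> bytes:
    """Stand-in for one TDES block encryption (HMAC-SHA256 truncated to 8 bytes)."""
    return hmac.new(key, inp, hashlib.sha256).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB: the previous block output is fed back into the block function, so the
    key stream depends only on (key, IV) and never on the message being sent."""
    out, prev = b"", iv
    while len(out) < length:
        prev = _block(key, prev)
        out += prev
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_encrypt(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Encryption and decryption are the same XOR in OFB."""
    return xor(message, ofb_keystream(key, iv, len(message)))


def fresh_iv() -> bytes:
    """Unique IV per message: the cheap way to avoid key stream reuse when the
    same key is kept for many transactions (AS2805.6.4 pattern on slide 24)."""
    return secrets.token_bytes(BLOCK)


def keystream_reused(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """Audit check on a test pair: with a reused key stream the stream cancels and
    c1 XOR c2 == p1 XOR p2, i.e. the difference between two messages is exposed.
    With distinct (key, IV) pairs this equality does not hold."""
    n = min(len(c1), len(c2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


def find_iv_reuse(records):
    """Scan a log of sent messages, given as (key_id, iv) tuples, and return the
    (key_id, iv) pairs that occur more than once."""
    seen, reused = set(), []
    for key_id, iv in records:
        if (key_id, iv) in seen and (key_id, iv) not in reused:
            reused.append((key_id, iv))
        seen.add((key_id, iv))
    return reused
```

The practical reading for an auditor: if the implementation keeps one key across many messages and the IV is fixed or predictable, `keystream_reused` returns True for any two captured messages, and fixed fields that are the same in every message (message type, terminal id) make the remaining XOR trivially separable. Either a per-transaction key (AS2805.6.2) or a unique IV per message removes the property.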
  • 25. PCI SSC P2PE Activity
    • Released ‘Initial Roadmap: P2PE Technology and PCI DSS Compliance’: referenced SRED standard for devices; discussed release of audit reqs in 2011
    • Development is ongoing (under NDA). What can I talk about?
    • SRED is designed for securing card data; PCI PIN reqs cover key management
    • 2011 will be an interesting year …
  • 26. What is SRED?
    • SRED stands for “Secure Reading and Exchange of Data”; “Data” refers to Card Holder Data
    • A module of the PCI PTS v3.0 standard (PTS = PIN Transaction Security)
    • Applies to devices that provide “account data protection” functionality: encryption at Point Of Interaction (POI)
    • Expect to hear more about SRED soon
  • 27. SRED Device Block Diagram
  • 28. Audit of Encryption Solutions
    • What encryption algo & modes? Beware anything not AES, TDES, ECC, RSA
    • Key management – who and how? Dual control and split knowledge; unique keys per device/use; key sizes and IVs for stream cipher modes
    • Encryption in TRSM? What standard? Are you sure?? HW, FW, App, context
    • Where is plaintext card data accessible? All possible inputs / outputs? Whitelists?
  • 29. Tokenisation Auditing
    • How is the tokenisation performed? (Non) random? Encryption? Details!
    • What is the attack surface of this method? Key, algorithm, DB, system, network, etc. Does one exploit result in multiple exposures?
    • Security of tokenisation system: at least as per PCI DSS reqs 1.x and 2.x
    • FPE methods used for tokenisation? Refer to encryption reqs. Ask for details! Ask for evidence of peer review output
  • 30. Questions? For further information please contact Andrew Jamieson, Technical Manager, Witham Laboratories. Email: andrew.jamieson@withamlabs.com Phone: +61 3 9846 2751