VeriShield Protect: Protecting Consumer Data - PowerPoint PPT Presentation

1
VeriShield Protect: Protecting Consumer Data
  • Jeff Wakefield
  • Vice President of Marketing Integrated Systems
  • April 10, 2008

2
Cardholder Data Compromises: Acceptance
Card Present Merchants provide criminals with full track data. As long as the data is present, criminals will target it!
Card Present: 73%
About 3 out of 4 cases are traditional Brick and Mortar environments.
Data gathered from more than 280 card compromise investigations conducted by Trustwave.
3
Cardholder Data Compromises: System Type
The majority of the cases involved a compromise of a Software POS system.
The distributed retail environment is extremely difficult to completely lock down 24 x 7.
4
Cardholder Data Compromises: Error
Merchant Error vs. 3rd Party Error
More than half of the compromises were caused by a fault in the service provided by a 3rd party to the Merchant: POS Developers, Integrators, and IT Firms who ARE NOT following PCI DSS and are leaving Merchants at Risk! Many merchants rely on their 3rd Party Providers for their Retail Systems.
3rd Party Error: 58%
5
Cardholder Data Compromises: Track Data
Brick and Mortar Cases w/ Track Data Storage
Track Data storage is never permitted in any environment post authorization. However, data is at risk pre-authorization!
Non-compliant software packages are storing Track Data, and the Merchants do not know until it is too late!
6
Payment System Vulnerabilities
[Diagram labels: Wireless Terminals, Web Site, Automated Fuel Dispensers, Host Servers, Merchant Acquirers, Card Issuers, Store Servers, Payment Terminals, POS Terminals]
7
End to End Encryption is Required
[Diagram labels: Wireless Terminals, Web Site, Automated Fuel Dispensers, Host Servers, Merchant Acquirers, Card Issuers, Store Servers, Payment Terminals, POS Terminals]
All PAN and Track Data is encrypted throughout your system
  • Increased Security
  • No Compromises
  • Safe Consumer Info
  • Reduced PCI Costs
8
The Call for Encryption
  • In particular, the standards require companies to
    encrypt data that travels over computer networks
    "that are easy and common for a hacker to
    intercept." Whether certain internal networks are
    "easy and common" to crack is a matter of
    judgment, so Navetta believes Hannaford may have
    erroneously felt safe leaving data unencrypted in
    a spot that turned out to be vulnerable.
  • David Navetta, president of InfoSec Compliance
    LLC
  • Wider use of encryption might seem an obvious
    answer. Because it's so difficult to detect when
    information is being stolen while in transit,
    companies "need to wake up to the fact that they
    need to encrypt information along every step,"
  • Richard Gorman, CEO of Vormetric Corp
  • But in practice, encryption often goes unused at
    certain points in a data-processing chain because
    the computing power it requires can slow down
    transactions, especially on older hardware.
    (Referring to POS Terminals)
  • AP Story, 3/20/08
  • Handle card data as little as possible, and
    encrypt it as early as possible. Consider
    solutions (from vendors such as Semtek and
    VeriFone) that enable encryption at the card
    reader, before the card data enters the system.
  • Avivah Litan, Gartner, Inc., 3/20/08

9
Card Security: The Elusive Goal
  • Issue
  • Currently impossible to guarantee security level
    of cardholder information in a consistent way
  • Variable - No two retail systems are alike, so no
    single solution can protect against data breach
  • Expensive - Any system change, no matter how
    small, is costly and time consuming to retailers
    and requires end-to-end re-certification
  • Vulnerable - Only secure until the next system
    upgrade, employee issue or yet-to-be-discovered
    security flaw
  • Conclusion
  • PCI Compliance does not necessarily mean your
    enterprise is secure, just compliant
  • Retailers may never totally eliminate data
    breaches to their systems, but VeriFone believes
    they can virtually eliminate data compromises
    from those breaches.

10
Protecting Consumer Data
  • VeriFone Provides Payment Terminal Encryption
    Deployment
  • Semtek Provides Decryption Appliance and CDMS
    Monitoring System


Announce VeriShield Protect CDMS
11
VeriShield Protect Components
  • VeriShield Protect protects Retailers by
    seamlessly encrypting consumer card data before
    it enters the Retailer's Point of Sale System and
    maintains that protection until it is safely
    outside of the merchant's infrastructure,
    effectively shielding the merchant from the
    actual details of the consumer data.
  • Decryption Appliance - high performance
    decryption appliance
  • CDMS - provides merchants and acquirers with a
    real time understanding of their security status
    and risk. It is also designed to provide merchant
    processors a definitive real time view of their
    entire portfolio without having to rely on
    self-reporting of the merchants within their
    system.

12
VeriShield Protect
  • Hidden Triple DES
  • Seamless Integration
  • When a card is read, patented algorithms encrypt
    card data while preserving essential portions for
    specific purposes
  • Hardware Key Management and Encryption
  • Performed inside PCI-PED approved Tamper
    Resistant Security Module (TRSM) so not even the
    payment terminal application is aware that data
    is encrypted.

Hidden Triple DES is a registered Trademark of
Semtek Corporation.
13
VeriFone Protect Projected Availability
Dates Subject to change
14
Semtek Decryption Appliance
Located at Retailer HQ, Acquirer or Hosted at
Secure Semtek Data Centers
15
VeriShield Protect Option 1
Retailer Uses Semtek Hosted Decryption Appliance
[Diagram labels: Merchant HQ, WAN, WAN, In-store LAN, Secure Frame, Decryption Appliance, PCI Audited. Legend: Un-Encrypted Cardholder Information, Encrypted Cardholder Information]
VeriShield Protect
  • Protects Cardholder Data as it flows through
    the end-to-end system
16
VeriShield Protect Option 2
Retailer Installs Decryption Appliance at Data Center
[Diagram labels: Merchant HQ, WAN, WAN, In-store LAN, VeriShield Protect, Decryption Appliance, PCI Audited. Legend: Un-Encrypted Cardholder Information, Encrypted Cardholder Information]
  • Protects Cardholder Data as it flows through
    the end-to-end system
17
VeriShield Protect Option 3
Acquirer Installs or Hosts Decryption Appliance
[Diagram labels: Merchant HQ, WAN, In-store LAN, Internet, Decryption Appliance, PCI Audited. Legend: Un-Encrypted Cardholder Information, Encrypted Cardholder Information]
VeriShield Protect
  • Protects Cardholder Data as it flows through
    the end-to-end system
18
CDMS: Cipher Device Metrics Server
CDMS is a web portal with three different views.
Provides Processors with a real-time portfolio view of merchant compliance.
19
CDMS VIEW ALERTS
20
CDMS VIEW DASHBOARD
21
CDMS VIEW MERCHANT COMPLIANCE
22
VeriShield Protect Layered Security
CDMS
PCI PED
Host Security Module
VeriShield File Authentication
PCI DSS
Tamper Resistant
VISA PIN Security
VISA PIN Security
Real Time Monitoring Reporting
Encrypted Data
Decryption Appliance
23
PCI DSS Compliance Implications
VeriShield Protect reduces the cost of PCI
Compliance
  • Three of the hardest and most expensive PCI DSS
    requirements for merchants to meet are
  • VeriShield Protect resolves each of these
    requirements right at the POS Device level
    without requiring changes to most POS
    Applications or further upstream in the
    merchant's data processing environment.
  • No Requirement to encrypt Cardholder Data on
    private internal WAN networks, internal store
    networks, or between the Payment Terminal and the
    POS Terminal

Merchant Data Processing Environment
24
VeriShield Protect CDMS Benefits
25
VeriFone Protect Partners
We have reviewed this solution with all of the
major POS Retail Systems Providers and
Acquirers. So far, the following have agreed to
support VeriShield Protect
26
VeriShield Protect Benefits
  • Hardware Based Encryption
  • Eliminate Card Data From Retail Environment
  • BIN Range Checking Still Works
  • Real-Time Monitoring of Encryption Compliance
  • No POS Changes Expected for Most Systems
  • VeriShield Protect is Available For Deployment
    Now
  • Semtek is ready to install the Host Decryption
    System
  • Semtek has a hosted solution installed for
    testing pilots

27
For more information: Contact your VeriFone
Account Representative or send an email to
verishield_at_verifone.com
VeriShield Protect: Protecting Consumer Data