FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY: PA-DSS VS P2PE - PowerPoint PPT Presentation

FUTURE OF CREDIT CARD PAYMENT APPLICATION SECURITY: PA-DSS VS P2PE ForenSecure’17 April 27, 2017

SPEAKER Joel Dubin, PCI QSA, PA-QSA, CISSP Senior Consultant, Application Validation -Eight years as a PA-QSA and QSA and five years in PCI for a global bank -Reviewed payment vendors from small mom-and-pop to major global companies -Conducted PA-DSS assessments in U.S., Latin America, Europe and Middle East -Scoped architectures for PCI, PA-DSS applications and P2PE

OVERVIEW • Payment application architectures • The payment application ecosystem • Who is the PCI SSC? • What is PA-DSS and P2PE? • Current Issues with PA-DSS • Growth and challenge of P2PE • Advantages and Drawbacks of PA-DSS and P2PE • The future of PA-DSS and payment application security

PAYMENT APP (POS) ARCHITECTURE I

PAYMENT APP (POS) ARCHITECTURE II

PAYMENT APP (POS) ARCHITECTURE III (P2PE)

WHO IS THE PCI SSC? Payment Card Industry Security Standards Council • Visa • MasterCard • American Express • Discover • JCB One standard for merchants and service providers PCI One standard for payment applications PA-DSS One standard for P2PE solution providers P2PE

SUITE OF PCI STANDARDS Hierarchy of PCI Standards • PTS PIN-pad Level è • PA-DSS Application Level è • PCI Network Level è • P2PE ALL OF THE ABOVE è

WHAT IS PA-DSS? Payment Application Data Security Standard (PA-DSS) Card industry standard for payment applications

WHAT IS P2PE? P2PE stands for “Point-to-Point Encryption” • Encryption of card data at the merchant point of acceptance • Most frequently at the point of swipe or dip at the payment terminal • Complete end-to-end encryption of card number • From merchant location • Through merchant network • Over a public (i.e., Internet) or private network • Ending at P2PE solution provider, may be a P2PE-certified acquirer

THE PROMISE OF P2PE The Holy Grail of P2PE in three words: PCI SCOPE REDUCTION

THE SIX DOMAINS OF P2PE

PARTS OF A P2PE SOLUTION • Encryption of card data at point of swipe or dip • PTS compliant PIN-pad with SRED functionality • Domain 1 • Key injection by P2PE solution provider or their third-party • Encrypted card data flows untouched all the way out to the processor or acquirer • No management of keys by merchant • Key management and decryption handled by P2PE solution provider • Domain 5 – Decryption • Domain 6 – Key management

P2PE HIGH-LEVEL RECAP • Card data . . . • . . . is encrypted at point of swipe or dip • . . . flows untouched through merchant environment • . . . is never stored by the merchant at any point • . . . encryption keys never handled by merchant • . . . is only decrypted outside merchant at solution provider • P2PE components • PTS PIN-pad with SRED • PIN-pads with pre-loaded keys by solution provider or their third party • P2PE approved solution provider with decryption environment

THREE FLAVORS OF P2PE 1) All-in-one solution provider 2) Solution provider using P2PE components • Outsourced PIN-pads • Outsourced key injection • Outsourced decryption • Outsourced payment apps – Domain 2 P2PE PA-DSS 3) Merchant provided solutions • Segregated P2PE environment within PCI CDE • Also called “Hybrid” P2PE solutions

GEOGRAPHIC SPREAD OF P2PE • Europe • Early adopters with regional or country-based processors • Latin America • One or two big processors dominate each country • United States • Large number of processors and acquirers, so slower to catch on • Not as standardized as smaller countries but gaining traction

CURRENT ISSUES WITH PA-DSS • Complicated and expensive assessments with PA-DSS 3.x • Document and testing requirements difficult for smaller vendors • Requirements for PA-QSA certification are more difficult • Shrinking pool of qualified PA-QSAs and fewer SSC classes • Changes in technology have removed some apps from scope • Growth of P2PE and other end-to-end encryption technologies • Vendors deliberately reducing releases to avoid assessments • Vendors consolidating code base to reduce assessments

GROWTH AND CHALLENGE OF P2PE • Rapidly gaining ground around the world • Vendors moving toward implementing P2PE features in apps • Merchants attracted to possible reduction of PCI scope • But scope reduction isn’t always as big as promised • P2PE “club” is an exclusive elite but still growing • Moves PCI headache from merchant to processor • Moves management of payment apps from merchant to processor

PA-DSS VS P2PE PA-DSS P2PE Time Frame 2 to 3 months 6 months to a year Overhead 1-2 PA-QSAs Teams, sometimes multinational Reporting (ROV) About 200 pages Can be 600+ pages Implementation No change to merchant New PIN-pads from solution environment provider May have to rip out “plumbing” Assessor Training Must be QSA in good standing Must be QSA/PA-QSA Must have pen test experience Must know encryption Must have been developer Must know PTS hardware Must be CISSP Must have dev and pen testing Must have done two PCI ROCs Must have done two PCI ROCs >4 years experience >2 years experience in above Must pass SSC exam/requal Must pass SSC exam/requal Only about 60 P2PE QSAs

PA-DSS VS P2PE FAQ Will PA-DSS completely disappear as P2PE technologies advance? No. First, the SSC has a commitment to keeping PA-DSS alive and adapting it to new technologies. Second, P2PE requires significant overhead and, until now, has been a preserve of larger merchants and larger acquirers. In that case, since P2PE is so much more involved, will it buckle under and go back to PA-DSS? Not necessarily. The SSC has been streamlining the standard since it came out in 2013, and we’re seeing smaller entities, other than just large acquirers entering the game. In fact, with the mix and match approach of assembling P2PE components from diverse third- parties, it’s getting easier for players to get on board.

PA-DSS VS P2PE FAQ (CONT’D) Is P2PE the wave of the future? Yes and no. It’s the current hot technology of today. But there are competitors with various types of tokenization, creative new encryption technologies and even cloud solutions challenging the traditional P2PE space. P2PE is here to stay, but it might be very different in a few years than what we’re seeing today. Is there a shortage of P2PE QSAs? Absolutely, and the demand is outstripping the supply. The barriers to entry for P2PE QSAs are high and not coming down.

NESA – P2PE AND E2E • Non-Listed Encryption Solutions • SSC work around for end-to-end encryption solutions that aren’t fully P2PE compliant • Can avoid overhead of full P2PE assessment, if applicable • Must still be compliant with Domains 5 and 6 of P2PE • NESA released in November 2016 by SSC • Response to growth of E2E solutions resembling P2PE 1) Encryption and keys not handled by merchant 2) No card data storage by merchant 3) PTS approved PIN-pads encrypting at swipe or dip

FUTURE OF PA-DSS AND P2PE • PA-DSS and P2PE will co-exist for the foreseeable future • The decision of which to use, will be the same for the implementation of any technology: 1) Size of application vendor or merchant 2) Complexity of their environment and ease of implementation 3) Technological constraints 4) Business needs • New technologies are being used – and others will arise – to challenge PA-DSS and P2PE in the future

FRUSTRATION NEVER ENDS

FOR MORE INFORMATION Check the PCI SSC web site: https://www.pcisecuritystandards.org

MY CONTACT INFORMATION Joel Dubin, QSA, PA-QSA, CISSP Senior Consultant jdubin@coalfire.com 877-224-8077 x7861

QUESTIONS?