Presentation is loading. Please wait.

Presentation is loading. Please wait.

Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential.

Similar presentations

Presentation on theme: "Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential."— Presentation transcript:

1 Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential

2 1.What is Heartland Payment Systems’ Business? 2.The Bigger Picture 3.What Are We Doing Now? 4.Working Together Topics Reviewed Heartland Confidential 2

3 Card Processing- (USA) Credit/debit/prepaid cards: Process 11 million transactions a day Process over 4.2 billion transactions annually Fund accepting merchants over $100 billion annually #4 Payment transaction acquirer by transaction volume 3,500 Employees Payroll processing Check 21 Processing (electronic depositing of scanned checks) Electronic Commerce and Online payment processing MicroPayments – Vending, Laundry, Campus Solutions Gift cards and loyalty processing Petroleum Processing What Is Heartland Payment Systems’ Business? – A Full Service Payments Processor Heartland Confidential 3

4 1 2 3 4 5 6 7 8 9 10 Update: First Data and Bank of America announced merger of payment processing services in June 2009 Making Heartland #4. Heartland Confidential 4

5 National Interest Personal Gain Personal Fame Curiosity Script-kiddy Hobbyist Hacker Expert Specialist Vandal Thief Spy Trespasser Fastestgrowingsegment Author Steve Riley, The Bad Guys Wake Up Every Morning Trying to Find Ways to Destroy Us!!! Heartland Confidential 5

6 The Bigger Picture Knowledge of security threats should not be viewed as a competitive advantage. Heartland’s approach: Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security Advocate for Encryption and Tokenization standards NOW – while we wait for conversion to EMV. Heartland Confidential 6

7 Payments Processing Information Sharing Council (PPISC) Established under the Financial Services Information Sharing (FS-ISAC) umbrella Provides a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation in the payments industry Heartland utilized the PPISC to distribute copies of the malware code discovered during its breach investigation to the members of the PPISC. 7 PPISC Overview Heartland Confidential 7

8 Security Innovation Network = SINET In order to order to stay ahead of our adversaries, we must foster the advancement of innovation, promote awareness, rapid identification, and early adoption of “best of class” solutions and do so Globally… SINET enables small business and innovation UNITED STATES GLOBAL ALLIES

9 Holistic Approach Better than only EMV / Chip and Pin…. Layering of defenses in depth: Dynamic Data Authentication to protect consumers, issuers and the ecosystem against authorizing transactions from cloned / skimmed cards. End-To-End Encryption to protect card data in transmission. Back Office Tokenization to reduce the merchant’s need to store sensitive transaction data for disputes, charge backs, and other legitimate business uses. -Single Use (unique transaction id) -Multi-Use (card number substitution) Heartland Confidential 9

10 What the Industry is Saying: “End to End encryption recognized as the technology with greatest potential to reduce Merchant PCI DSS compliance scope.” -PricewaterhouseCoopers review for the PCI Security Standards Council disclosed on 9/24/2009 PCI commissioned PWC to review technologies for reducing DSS scope. PWC interviewed 125 companies across 10 countries. Conclusion: End-to-End encryption is the most effective technology for reducing PCI DSS scope. Heartland Confidential 19

11 What the Industry is Saying: "While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security, Visa Inc. "Using encryption as one component of a comprehensive data security program can enhance a merchant's security by eliminating any clear text data either in storage or in flight." he added. - VISA Releases Global Data Encryption Best Practices Press Release, San Francisco; October 5 2009 Heartland Confidential 18

12 Challenges Encryption Key Management Overhead Security “Tax” model Standardizing Encryption Mode and FPE Security Requirements Standardizing Tokenization Security Industry Inertia – Nothing Mandated yet! - X9-F6: X9.119 provides standards IF you choose Encryption or Tokenization - SPVA: provides guidelines IF you choose Encryption - VISA Data Encryption Best Practices: Best Practices Only -PCI 3.0 SRED Module: Only applies IF you choose Encryption -No standard definition for Tokenization or Security Requirements Heartland Confidential 12

13 Protect data in flight and at rest throughout the entire payment lifecycle vs. point-to-point Reduce cost of PCI compliance and audit for merchants End-to-End Encryption Complements other Technologies -Address the overlap between time EMV introduced and Magstripe completely removed -Protects data on its way to tokenization service. Address Consumer Confidence Opportunities Heartland Confidential 13

14 E3™ End-to-End Encryption Heartland E3 Terminal Commercially launched May 24, 2010. Equipped with EMV reader. Heartland E3 Wedge Commercially launching July, 2010 14Heartland Confidential

15 Heartland E3™ End-to-End Encryption Apply data encryption to remove sensitive data from the merchant’s environment. -Employ AES 128 bit strong encryption to protect data. - Encrypt data from Credit and Debit Card Swipes - Encrypt data from manual entry Protect encryption keys, encryption operations, and clear text data in a TRSM. -Physical protections to detect tampering -Logical protections to detect and respond to tampering Simplify key management on encrypting devices. -Each device creates and manages its own keys. -Key change transparent to the operator. No junk fees or security taxes. -No charge related to key change. -No encryption fees added to transaction processing costs. -E3 warranty at no extra cost 15Heartland Confidential

16 Heartland CEO says data breach was 'devastating' Analysts say the company's response could make it model for others… Tom Wills got it right! Tom Wills, a senior analyst at Javelin Strategy & Research, recently compared Carr's response to the crisis with that adopted by Israeli airline El Al in the wake of a series of hijackings in the 1970s. "El Al redesigned its security from the ground up and went on to build a reputation, one that it holds to this day, as the world's most secure airline“, Wills wrote in an alert released in June 2009. Heartland Confidential 22

17 Working Together Foster technological innovation – apply pressure to the payments ecosystem to promote adoption of end-to-end encryption Uniform international laws about cybercrime Prosecute the bad guys – in our country or theirs Help us keep up with the bad guys Validate/Test/Penetration testing of new technologies Law enforcement share information with FS-ISAC Heartland Confidential 21

18 Thank You! Steven Elefant Heartland Payment Systems Chief Information Officer Heartland Confidential 23 Questions ??

Download ppt "Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential."

Similar presentations

Ads by Google