Presentation is loading. Please wait.

Presentation is loading. Please wait.

Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential.

Published byOswin Lynch Modified over 10 years ago

Similar presentations

Presentation on theme: "Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential."— Presentation transcript:

1 Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential

2 1.What is Heartland Payment Systems’ Business? 2.The Bigger Picture 3.What Are We Doing Now? 4.Working Together Topics Reviewed Heartland Confidential 2

3 Card Processing- (USA) Credit/debit/prepaid cards: Process 11 million transactions a day Process over 4.2 billion transactions annually Fund accepting merchants over $100 billion annually #4 Payment transaction acquirer by transaction volume 3,500 Employees Payroll processing Check 21 Processing (electronic depositing of scanned checks) Electronic Commerce and Online payment processing MicroPayments – Vending, Laundry, Campus Solutions Gift cards and loyalty processing Petroleum Processing What Is Heartland Payment Systems’ Business? – A Full Service Payments Processor Heartland Confidential 3

4 1 2 3 4 5 6 7 8 9 10 Update: First Data and Bank of America announced merger of payment processing services in June 2009 Making Heartland #4. Heartland Confidential 4

5 National Interest Personal Gain Personal Fame Curiosity Script-kiddy Hobbyist Hacker Expert Specialist Vandal Thief Spy Trespasser Fastestgrowingsegment Author Steve Riley, http://blogs.technet.com/sterileyhttp://blogs.technet.com/steriley The Bad Guys Wake Up Every Morning Trying to Find Ways to Destroy Us!!! Heartland Confidential 5

6 The Bigger Picture Knowledge of security threats should not be viewed as a competitive advantage. Heartland’s approach: Collaborate with private and public bodies to address information security gaps in the payments processing ecosystem Demonstrate that protecting consumer and merchant data is a better competitive edge than hiding threats to our security Advocate for Encryption and Tokenization standards NOW – while we wait for conversion to EMV. Heartland Confidential 6

7 Payments Processing Information Sharing Council (PPISC) Established under the Financial Services Information Sharing (FS-ISAC) umbrella Provides a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation in the payments industry http://www.ppisc.com/ Heartland utilized the PPISC to distribute copies of the malware code discovered during its breach investigation to the members of the PPISC. 7 PPISC Overview Heartland Confidential 7

8 Security Innovation Network = SINET In order to order to stay ahead of our adversaries, we must foster the advancement of innovation, promote awareness, rapid identification, and early adoption of “best of class” solutions and do so Globally… SINET enables small business and innovation UNITED STATES GLOBAL ALLIES

9 Holistic Approach Better than only EMV / Chip and Pin…. Layering of defenses in depth: Dynamic Data Authentication to protect consumers, issuers and the ecosystem against authorizing transactions from cloned / skimmed cards. End-To-End Encryption to protect card data in transmission. Back Office Tokenization to reduce the merchant’s need to store sensitive transaction data for disputes, charge backs, and other legitimate business uses. -Single Use (unique transaction id) -Multi-Use (card number substitution) Heartland Confidential 9

10 What the Industry is Saying: “End to End encryption recognized as the technology with greatest potential to reduce Merchant PCI DSS compliance scope.” -PricewaterhouseCoopers review for the PCI Security Standards Council disclosed on 9/24/2009 PCI commissioned PWC to review technologies for reducing DSS scope. PWC interviewed 125 companies across 10 countries. Conclusion: End-to-End encryption is the most effective technology for reducing PCI DSS scope. Heartland Confidential 19

11 What the Industry is Saying: "While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security, Visa Inc. "Using encryption as one component of a comprehensive data security program can enhance a merchant's security by eliminating any clear text data either in storage or in flight." he added. - VISA Releases Global Data Encryption Best Practices Press Release, San Francisco; October 5 2009 http://corporate.visa.com/media-center/press-releases/press941.jsp Heartland Confidential 18

12 Challenges Encryption Key Management Overhead Security “Tax” model Standardizing Encryption Mode and FPE Security Requirements Standardizing Tokenization Security Industry Inertia – Nothing Mandated yet! - X9-F6: X9.119 provides standards IF you choose Encryption or Tokenization - SPVA: provides guidelines IF you choose Encryption - VISA Data Encryption Best Practices: Best Practices Only -PCI 3.0 SRED Module: Only applies IF you choose Encryption -No standard definition for Tokenization or Security Requirements Heartland Confidential 12

13 Protect data in flight and at rest throughout the entire payment lifecycle vs. point-to-point Reduce cost of PCI compliance and audit for merchants End-to-End Encryption Complements other Technologies -Address the overlap between time EMV introduced and Magstripe completely removed -Protects data on its way to tokenization service. Address Consumer Confidence Opportunities Heartland Confidential 13

14 E3™ End-to-End Encryption Heartland E3 Terminal Commercially launched May 24, 2010. Equipped with EMV reader. Heartland E3 Wedge Commercially launching July, 2010 14Heartland Confidential

15 Heartland E3™ End-to-End Encryption Apply data encryption to remove sensitive data from the merchant’s environment. -Employ AES 128 bit strong encryption to protect data. - Encrypt data from Credit and Debit Card Swipes - Encrypt data from manual entry Protect encryption keys, encryption operations, and clear text data in a TRSM. -Physical protections to detect tampering -Logical protections to detect and respond to tampering Simplify key management on encrypting devices. -Each device creates and manages its own keys. -Key change transparent to the operator. No junk fees or security taxes. -No charge related to key change. -No encryption fees added to transaction processing costs. -E3 warranty at no extra cost 15Heartland Confidential

16 Heartland CEO says data breach was 'devastating' Analysts say the company's response could make it model for others… Tom Wills got it right! Tom Wills, a senior analyst at Javelin Strategy & Research, recently compared Carr's response to the crisis with that adopted by Israeli airline El Al in the wake of a series of hijackings in the 1970s. "El Al redesigned its security from the ground up and went on to build a reputation, one that it holds to this day, as the world's most secure airline“, Wills wrote in an alert released in June 2009. Heartland Confidential 22

17 Working Together Foster technological innovation – apply pressure to the payments ecosystem to promote adoption of end-to-end encryption Uniform international laws about cybercrime Prosecute the bad guys – in our country or theirs Help us keep up with the bad guys Validate/Test/Penetration testing of new technologies Law enforcement share information with FS-ISAC Heartland Confidential 21

18 Thank You! Steven Elefant Heartland Payment Systems Chief Information Officer Steven.Elefant@e-hps.com Heartland Confidential 23 Questions ??

Download ppt "Realizing Payments Security Through Encryption and Tokenization Steven M. Elefant, Chief Information Officer July 7 th, 2010 - Zurich Heartland Confidential."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
PCI DSS for Retail Industry

PCI DSS for Retail Industry
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.

ETA UNIVERSITY MARCH 19, 2015 Deana Rich R ICH C ONSULTING, I NC. Edward A. Marshall A RNALL G OLDEN G REGORY LLP Payments 101: Overview of the Payments.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
CyberSource Strengths

CyberSource Strengths
1 U.S. EMV Migration Update and Best Practices Hap Huynh, Senior Director Risk Products April 2015.

1 U.S. EMV Migration Update and Best Practices Hap Huynh, Senior Director Risk Products April 2015.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.

© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.
Credit / Debit Card Electronic Payments Industry Update on Convenience Fees, Utility Program and More! Presented by: Presented by: Michael Hodge, Regional.

Credit / Debit Card Electronic Payments Industry Update on Convenience Fees, Utility Program and More! Presented by: Presented by: Michael Hodge, Regional.
Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations

Presented by : Vivian Eberhardt, Supervisor Cash and Credit Operations
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.
Around the World, Around the Corner WorldPay for Small Business.

Around the World, Around the Corner WorldPay for Small Business.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
SMARTER. TOGETHER. Skimming Prevention: Overview of Best Practices August 5, 2014.

SMARTER. TOGETHER. Skimming Prevention: Overview of Best Practices August 5, 2014.
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

Similar presentations

Ads by Google