NetMATRIX TLE Terminal Line Encryption: SPVA certified, DUKPT, 3DES, DES, AES, end-to-end encryption
DESCRIPTION
NetMATRIX (Multi-Application Transaction Routing and Identification eXchange) Terminal Line Encryption is the complete solution for banks wishing to introduce terminal line encryption into their existing POS network infrastructure.
1. Multi-box, high-performance, high-availability, load-balancing architecture
2. Multi-host links: performs smart routing to multiple hosts
3. Multiple channels: dial-up, leased lines, GPRS, broadband
4. End-to-end encryption (E2EE) featuring multiple encryption algorithms: TEA, DES, 3DES, AES
5. Upstream/downstream encryption
6. Multiple MACing algorithms: X9.9, X9.19, SHA-1 + X9.9, SHA-1 + X9.19
7. Multiple key management schemes: unique key per terminal, unique key per transaction
8. Supports different messaging formats (full message encryption, selected field encryption)
9. Local and remote secure key injection capabilities
10. Supports leading terminal brands and models
11. PCI compliance
With NetMATRIX TLE, we addressed network security and fraud threats with a plug-and-play solution that requires no host changes. By providing critical capabilities such as remote key injection and management, NetMATRIX also addresses administration and deployment issues such as mixed terminal environments, phased deployments, and key changeovers. Despite its holistic approach to security and encryption, it is also scalable and highly available to meet the demands of mission-critical, high-volume transaction processing environments, providing 3-in-1 functionality: a combination of Switching NAC, Concentrator NAC and TLE.
TRANSCRIPT
Agenda
PAYMENT & SECURITY TRENDS
Payments: The story so far…
“…Globally, the drive to increase (card) payments efficiency and security is relentless…”
“…Globalisation is increasingly emphasising the need for widely accessible, seamless, & secure ways of effecting non-cash payments to facilitate consumer spending, and to reduce fraud and money laundering.…”
“…More efficient, effective systems could also help lessen systemic risk & potentially provide a source of additional retail revenue for banks.…”
Vietnam embraces the electronic era
“…Vietnam is regarded by the global banking industry as one of the most fertile growth hotspots in the world, particularly for cards and electronic payments….”
VRL Financial News, October 2009
Security: The story so far…
“…increased incidences of ATM and card skimming.…”
“…the need to reassure cardholders about the safety and security of card transactions.…”
“Statistics from 2007 show the level of payment card fraud in Vietnam stood at 0.15 percent of total card payments, a much higher level than the global average of 0.06 percent.”
E2EE: What is it?
Computer Desktop Encyclopedia
“…is defined as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination.…”
E2EE: The story so far…
Smart Card Alliance, Sept 2009
KEY CONCEPTS OF TLE
In cryptography, encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. (Wikipedia)
en·cryp·tion /-ˈkrip-shən/
Message Authentication Code
MAC-ing is the process of “fingerprinting” data so that any tampering can be detected. The fingerprint is computed under a key held only by the sender and receiver, so only they can form a valid MAC, which lets the receiver authenticate and verify the message.
THE MALAYSIAN EXPERIENCE
Real Tapping Threats
Wire tapping threats
A brief look at history…
The Line Encryption Working Group
Design Parameters
Key Considerations: MAC algorithm, ENC algorithm, Key Differentiation, Key Usage, Key Storage, ENC Data elements
Highest Score: 2-2-4-2-3-4; Lowest Score: 1-1-1-1-1-1
Minimum Data Encryption Requirements
Encrypted Data Elements
1. CVV
2. CVV and PAN / Track2
Terminal Key Storage
1. Outside secure module
2. Within tamper reactive module
Key Usage Methodology
1. Unique-key-per-terminal
2. Unique-key-per-session-per-terminal
3. Unique-key-per-transaction
4. Derived Unique Key Per Txn (DUKPT)
Key Differentiation
1. Same key for ENC & MAC
2. Different key for ENC & MAC
Encryption Algorithm
1. TEA – Tiny Encryption Algorithm
2. DES – Data Encryption Standard
3. 3DES/AES
MAC Algorithm
1. No MAC
2. CRC32 + MAC
3. CRC32 + RMAC
4. SHA-1 + RMAC, or SHA-1 + AES MAC
General Approaches
(Diagram) Host-based: Host with HSM, NAC
(Diagram) NAC-based: Host, SNAC, NACs
(Diagram) Interception-based: Host, NACs
TLE: Typical Transaction Flow (Terminal – Data Center NAC – Host)
1. Encrypt selected fields in transaction (terminal)
2. Decrypt & validate transaction (NAC)
3. Reform to original message
4. Send to Host
5. Response from Host
6. Encrypt & MAC response
7. Decrypt & validate response message (terminal)
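The flow above, as an added Go example that is not NetMATRIX code or part of this deck: the terminal encrypts the PAN with two-key 3DES-CBC under a per-terminal ENC key, MACs the ciphertext plus the clear amount with an ANSI X9.19 retail MAC under a separate MAC key (the "different key for ENC & MAC" design parameter), and the NAC validates the MAC before it decrypts anything. The fixed keys, the field layout, the zero IV and the zero padding are constructed assumptions; the deck names the algorithms but not these details.

```go
package main
import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
)
// Constructed demo keys: a real NAC holds a unique ENC key and a separate MAC key per terminal.
var encKey = []byte("\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10")
var macKey = []byte("\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff\x00")
// zeroPad extends data to whole 8-byte DES blocks (ISO 9797-1 padding method 1).
func zeroPad(b []byte) []byte { return append(append([]byte{}, b...), make([]byte, (8-len(b)%8)%8)...) }
// cbc3DES runs two-key 3DES-CBC (K1 K2 K1, zero IV) over whole blocks in either direction.
func cbc3DES(k16, in []byte, encrypt bool) []byte {
	blk, _ := des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...)) // fixed 16-byte key
	mode := cipher.NewCBCDecrypter(blk, make([]byte, 8))
	if encrypt {
		mode = cipher.NewCBCEncrypter(blk, make([]byte, 8))
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}
// retailMAC: ANSI X9.19 retail MAC, i.e. single-DES CBC-MAC under K1 with the final block decrypted under K2 and re-encrypted under K1.
func retailMAC(msg []byte) []byte {
	k1, _ := des.NewCipher(macKey[:8])
	k2, _ := des.NewCipher(macKey[8:])
	pt, mac := zeroPad(msg), make([]byte, 8)
	for i := 0; i < len(pt); i += 8 {
		for j := range mac {
			mac[j] ^= pt[i+j]
		}
		k1.Encrypt(mac, mac)
	}
	k2.Decrypt(mac, mac)
	k1.Encrypt(mac, mac)
	return mac
}
// Step 1 (terminal): encrypt the selected field (PAN), then MAC the ciphertext plus the clear fields.
func terminalProtect(pan, amount string) (ct, mac []byte) {
	ct = cbc3DES(encKey, zeroPad([]byte(pan)), true)
	return ct, retailMAC(append(append([]byte{}, ct...), amount...))
}
// Step 2 (NAC): validate the MAC first and decrypt only on a match; digits never contain 0x00, so the pad strips cleanly.
func nacValidate(ct []byte, amount string, mac []byte) (string, bool) {
	if subtle.ConstantTimeCompare(retailMAC(append(append([]byte{}, ct...), amount...)), mac) != 1 {
		return "", false
	}
	return string(bytes.TrimRight(cbc3DES(encKey, ct, false), "\x00")), true
}
```

Any change to the encrypted PAN or to the clear amount fails the MAC check before decryption is attempted, which is the property the "decrypt & validate" step relies on.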
THE RESULTS
The Results…
Source: Visa VPSS Payment Security Bulletin, 2006
Payments: The story today…
Source: BNM, 2009 Financial Stability and Payment Systems Report 2008
Payments: The story today
“…(card fraud) losses continued to be insignificant, accounting for less than 0.04% of total card transactions during the year.”
PAYMENT SECURITY MYTHS
Encryption Myths
Summary: Considerations for TLE
Addresses all threats
Addresses Implementation issues
Addresses Deployment Issues
Addresses Administration Issues
Multi-channel & multi-device Support
Remote Key Injection
Vendor Independence
Performance
Cost-Effective
Additional References
1. The Smart Card Alliance (http://www.smartcardalliance.org/)
2. PCI Security Standards Council (https://www.pcisecuritystandards.org/)
3. Visa Best Practices, Data Field Encryption Version 1.0 (http://corporate.visa.com/_media/best-practices.pdf)
4. Secure POS Vendors Association (http://www.spva.org/index.aspx)
5. GHL Systems (http://www.ghl.com/netMATRIX)
WHAT IS NETMATRIX TLE?
NetMATRIX TLE (Terminal Line Encryption) is a plug-and-play solution for banks who wish to introduce terminal line encryption into their POS network infrastructure.
NetMATRIX Terminal Line Encryption
NetMATRIX TLE: Approach
(Diagram) Host-based: Host with HSM, NAC
(Diagram) NAC-based: Host, SNAC, NACs
(Diagram) Interception-based: Host, NACs
Key Considerations
Key Features
NETMATRIX ARCHITECTURE
“Typical” Transaction Flow (diagram): EDC Terminals → Remote NACs → Switching NAC → NetMATRIX → Acquiring Host (Credit Card Host, NII: 160) at the Acquiring Bank → Issuing Bank Host; message label “160 Message”.
Encrypted Transaction Flow (diagram): EDC Terminals → Remote NACs → Switching NAC → NetMATRIX TLE (NII: 161) → Acquiring Host (Credit Card Host, NII: 160) at the Acquiring Bank → Issuing Bank Host; message labels “161 Enc Message” and “160 Enc Message”.
Encrypted Transaction Flow II (diagram): same path; message labels “161 Enc Message” (NetMATRIX TLE NII: 161) and “160 Enc Message” (Credit Card Host NII: 160).
NetMATRIX: How it Works (Terminal – Data Center NAC – Host)
1. Encrypt selected fields in transaction (terminal)
2. Decrypt & validate transaction (NAC)
3. Reform to original message
4. Send to Host
5. Response from Host
6. Encrypt & MAC response
7. Decrypt & validate response message (terminal)
Efficiency: Clustering & Load-Balancing (diagram: Host, NAC TCP/IP cluster, load balancing)
Business Continuity: Auto-Failover (diagram: Host, NAC TCP/IP cluster, TCP/IP failover)
GHL SYSTEMS
Our Mission: To be the leading end-to-end payment services enabler in the Asia-Pacific region, deploying world-class payment infrastructure, technology and services
Products & Services offerings
World-class payment infrastructure, services and technology:
Transaction routers & concentrators
Terminal Line Encryption technologies
Loyalty & Online Payment solutions
Smartcard technologies
24x7 Managed Network Services
Consulting Services
Terminal Management Solutions
Contactless Payments
Complete Payment Network Integration
Addressing Strategic Needs
GHL Systems Regional Presence
Country Offices: Bangkok, Beijing, Hong Kong, Kuala Lumpur, Manila, Singapore, Hanoi, Ho Chi Minh City, Wuhan
Products Deployed: Australia, Bangladesh, Bhutan, Brazil, Brunei, Cambodia, China, Guam, Hong Kong, KSA, India, Indonesia, New Zealand, Pakistan, Philippines, Qatar, Romania, Sri Lanka, Seychelles, Taiwan, Thailand, Vietnam, United Kingdom
Future Expansion: Australia/NZ, Brazil, India, Qatar, Romania, UAE, United Kingdom, USA
Accolades & Accomplishments
• MSC APICTA Asia/Pacific ICT Awards 2009: Security & Communications
• MSC APICTA Asia/Pacific ICT Awards 2008: Financial Applications & Communications
• MasterCard Worldwide PayPass Best Product Solutions Partner 2008
• Largest Third-Party Debit Acquirer in Malaysia 2008 - CardPay
• VeriFone’s VIP (distributor) in Malaysia since 1999
• Verifone President’s Club Award 2000, 2002, 2003, 2004, 2005 Award for outstanding performance in Asia-Pacific
• VeriFone Innovation Award 2001, 2002, 2003 & 2007
• Ingenico / Sagem-Monetel OEM Partner 2006, 2007, 2008 & 2009
• Sagem-Monetel Partner Value Added Reseller for Malaysia/South East Asia 2006-2007
• Sagem Defense Securite SHARK Club Member 2006
• D’ucoty Awards Market Leadership Malaysia 2005
• D’ucoty Awards Banking – Product Innovation Southeast Asia Gold Award 2006
• Frost & Sullivan Industrial Technologies Award - Vertical Market Penetration Leadership: Smart Cards Financial Application Market (Malaysia) 2006
• VISA VPSS-Certified Post Equipment Vendor 2006
Customer References (logo slides): Malaysia, Singapore, Indonesia, Vietnam, Brunei, Philippines, China / Hong Kong, Middle East, Romania, Asia/Pacific, Australia / New Zealand, Thailand
Thank you
Alex Tan, Vice President – International, [email protected]