Payment HSM Overview Transaction Processing and Card Issuance Hermann Bauer Business Development [email protected]

Post on 11-Oct-2020

Page 1: Payment HSM Overview Transaction Processing and Card Issuance

Payment HSM Overview

Transaction Processing and Card Issuance

Hermann Bauer, Business Development

[email protected]

Page 2

SafeNet HSM Product Line Functionalities and Target Use

General Purpose/PKI HSMs
• Luna SA, SP, IS
• Luna G5 and HSM Backup Device
• Luna PCI / PCI-X
• Protect Server Internal Express (PSIe)
• ProtectServer External (PSE)
• Luna PED & PED Keys

General Purpose Cryptographic APIs
• XML
• PKCS#11
• Microsoft CryptoAPI / CNG
• Java JCA/JCE
• OpenSSL
• Customization Software Development Kit

Payment/EFT HSMs
• Luna EFT
• Protect Server Internal Express (PSIe)
• ProtectServer External (PSE)

Payment/EFT Command Sets
• International EFT/Payment Processing (MKII), incl. Acquiring/Authorisation and Card Issuance, incl. End-to-End Online Banking Security (OBM)
• Australian Payment Processing (AMB/APCA)
• CAPS (US POS System)
• Hundreds of Customizations
• ProtectServer line: Subset of Mark II Cmd Set as FM

Page 3

Luna EFT – Payment HSM

EFT/EMV (TP and CI) HSM
• SafeNet’s current dedicated Payment HSM
• Card Issuance and Transaction Processing Security Functionality
• Positioned against Thales 8000/9000 series

Features/Characteristics
• 1U rack-mount size/dimension
• Fast & high-assurance HSM card (common platform with Luna HSM line)
• RoHS compliant
• FIPS 140-2 level 3 certification (#1524)
• PCI-HSM approved
• APCA & Amex certification
• PIN/Key Mailer on Laser Printer
• USB ports for SW upgrades/key backups and PIN/Key Mailer Printing

Communications Interfaces
• Low Speed: Async
• High Speed: (Raw) Ethernet, TCP/IP over Ethernet

Performance Levels
• Low (60), Medium (140, 280), High (1200, 1600)
• Visa PIN Verifies

Large Internal Key Store

HSM- and Host-stored Key Management

Different Command Sets
• Mark II, AMB, CAPS, Custom

In-field Upgradeable
• Performance, Connectivity, Command Sets

Integration with many Payment products

Excellent price/performance proposition

Page 4

Luna EFT - Strengths

• Modern, up-to-date HSM architecture in 1U chassis
• PCI-HSM and FIPS 140-2 level 3 certification
• Flexible key management (HSM-stored keys, host-stored keys or mix)
• User-friendly & intuitive GUI-based administration and management
• Large internal, configurable secure key storage (up to 9.999 slots per key type)
• High performance throughput (up to 1600 tps)
• In-field Upgradeability (functionality, performance, connectivity)
• Combined Transaction Processing and Card Issuance/Personalisation support
• Two NICs supporting fail-over and network redundancy (multi-pathing)
• Smart Card based or Network-based Backup/Recovery of all (HSM-stored) Keys
• Remote HSM administration
• Multi-tenancy support (AES keys)
• Device monitoring via SNMP v3
• PCI-compliant auditing and logging
• Comprehensive, Granular Load Sharing and Timeout/Error Handling (via host API)
• No separate licenses, all included in standard package
• Attractive pricing
• Customization friendly
• Great support and service

Page 5

Luna EFT – Remote HSM Management

Remote HSM Management is provided in the form of a bootable image

User authentication is done via SafeNet eToken 72K Pro, a portable two-factor USB authentication token with advanced smart card technology.

Console operations
• Key Processing operations
• Configuration operations
• Display information

Page 6

Mark II – Payments Functionality

• EMV Scripting

• Visa Functions

• MasterCard Functions

• American Express Functions

• CEPS functions (electronic purse)

• 3D Secure Support

• Contactless (PayPass & PayWave)

• AS2805.6.3 Support Functions

• TR-31 Key Block

• ZKA functions (Germany)

• Italian ABI and debit support (Italy)

• APACS Support (UK)

• Online Banking Module

• HSM status functions

• Administrative functions

• KM change functions

• Transfer functions

• EFT terminal functions (incl. DUKPT)

• Remote ATM Initialization

• Interchange Functions

• PIN Management Functions

• MAC Management (3DES, HMAC-SHA2, AES)

• Data Ciphering Functions (3DES, AES, SEED, FPE)

• PIN Issuing Functions (incl. PIN mailer)

• EMV Card Issuance (Data Prep & Perso, e.g. GP)

• EMV Transaction Processing (incl. CAP & DPA)

One of multiple Payment command sets for Luna EFT

International Payment Transaction Processing & Card Issuance functionality

Mark II functionality covers approx. 200 commands

Constantly evolving

Page 7

ProtectServer Internal Express EFT

ProtectServer External EFT

• Low-cost, low performance, entry-level EFT HSM

• Supported OS (all 32-bit and 64-bit)

• Windows, Linux, Solaris, AIX

• Performance Level

• 25 tps

• Key Entry through host or PIN/Key Entry Device

• Admin utilities

• Subset of Luna EFT Mark II facilities

• No customizations

Page 8

Payment SW Vendors – HSM Integration

Columns: Payment Software Vendor, Product Name, Business Region Served

ACI Base24-eps + TSS Global

ACI / EPS ASx EE

ACI / S1 Postilion Global

ACI / S2 Systems ON/2, OpeN/2 MEA

ACI / Distra e-switch Global

AJB Software RTS Americas

Arius Asoft EMEA

Banksoft BPS (Banksoft Pre-Personalisation System) EMEA

BPC (Banking Production Centre) SmartVista Global

Compass Plus Tranzware Online, Card Factory EMEA, APAC

CR2 BankWorld EMEA

CSFI u/SWITCHWARE Global

CubeIQ AlphaPIN EMEA

Distra e-switch APAC, EMEA

FIS / EFunds / Oasis Technology Connex, IST/Switch Global

HPS PowerCARD EMEA

Interblocks iSuite iSwitch APAC, MEA

Interpro Switch Americas

i-Sprint USO, AccessMatrix UAS MEA

IWI Net+1 APAC

N&TS ACFS EMEA

OMA Emirates EFT POS Application MEA

OpenWay Way4 EMV Issuance EMEA, APAC

Opus / ECS Electra EFT Switch APAC, EMEA

RS2 BankWorks EMEA

S2M SELECT EMEA

Silverlake SIBS APAC

SmartSoft/CardTek Ocean EMEA

Sparkassen IT Solution Payment Switch EMEA

Sungard CardPro Americas, APAC

Tallyho Online Switch Module Americas, APAC

TAS CARD EMEA

TECS TECS Payment System EMEA

TietoEnator TransMaster EMEA

TPS Iris (Phoenix), Access, Sentinel EMEA

TSYS CTL ONLINE, PRIME, NCRYPT Global

Collis EMV Host Toolkit, PVT Global

Barnes International CPT 3000 EMV PVT EMEA

Page 9

Role of HSM in Card Issuance Environment

[Diagram. Labels: Issuer (Bank, Government) with Card Application Management System, Data Preparation System and HSM; Personalizer / Personalization Bureau with Card Production System, Personalisation System and HSM; Card Manufacturer (OS + Card Application); Chip Manufacturer (OS + App); keys KEK and KMC; encrypted file(s)]

Page 10

Card Issuance Vendors – HSM Integration

Columns: Smart Card Vendors; Card Management, Perso and Data Prep Software Vendors; Personalisation Equipment Vendors

Gemalto BellID / ACI OpenWay Datacard

G&D Cryptomathic TSYS CardTech NBS

Oberthur UbiQ BPC Mühlbauer

Safran Morpho (Sagem) Datacard / DCS Compass Plus Atlantic Zeiser / Böwe-CardTec

ST CardTek/SmartSoft Banksoft CIM

Nagra CardHall/Pronit Maurer Electronics

Trüb

AustriaCard

OTI

Data Preparation/Personalisation/Card Management Systems Integration with/Supplier to all Major Smart Card, Card Mgmt, Data Preparation Personalisation SW and Personalisation Equipment Vendors

via Luna EFT or PSIe or PSE + Card Issuing SW + PP Customisation SDK

Page 11

Major SafeNet HSM Deployment Areas

Application Space: PKI & Authentication
• HSM Product: Luna SA, Luna PCI/PCI-E, Luna G5, Luna CA4
• Customers & Partners: Symantec (VeriSign), GlobalSign, Entrust, Microsoft, RSA, SafeLayer, OpenTrust, Kinectis, EJBCA/PrimeKey, Nexus, …

Application Space: Card Issuance
• HSM Product: ProtectServer Internal Express, ProtectServer External
• Customers & Partners: G&D, Gemalto, Oberthur, Morpho, DataCard, Mühlbauer, BellID, Cryptomathic, CardHall, OpenWay, BPC, TSYS, Compass Plus, …

Application Space: Wholesale Payments
• HSM Product: Luna IS, Luna SA, Luna SP
• Customers & Partners: SWIFT (ww), SIX (Swiss Payment Systems),

Application Space: Retail Payments
• HSM Product: Luna EFT
• Customers & Partners: Banks and Processors (ww), ACI, FIS, OpenWay, TSYS, BPC, Compass Plus, HPS, …

Page 12

Thank You