Module for e-Payments

Payment Security in FIPS 140-2 Level 3 Hardware

Today's payments industry has increasingly become a target for fraud. To address rising levels of disputed transactions, the card associations have introduced advanced security controls, including improved authentication techniques that demand sophisticated hardware-based cryptographic processing.

The nCipher hardware security module (HSM) payShield option is designed to meet the stringent security requirements of the payments industry, strengthening the security of card and PIN authentication systems by securing transaction processes in a FIPS 140-2 Level 3* validated tamper-resistant environment. In addition to providing increased security, payShield enabled HSM can dramatically increase transaction throughput by processing high volumes of symmetric and asymmetric cryptographic operations, an important requirement of payments initiatives such as 3-D Secure, Visa DPA, MasterCard CAP.

*Federal Information Processing Standard (FIPS) 140-2 Level 3 is the international security standard for cryptographic modules

CARDHOLDER AUTHENTICATION

Supported by the major card associations, cardholder authentication provides a secure mechanism to better establish the identity and therefore legitimacy of a person presenting a for a transaction. The process, whether applied to on-line or traditional in-store purchases, provides assurance that the buyer is indeed the authorized cardholder. By using nCipher's HSM payShield option, issuing banks, payment processors and solution providers can ensure that cryptographic operations used in the card authentication process are performed inside a FIPS 140-2 Level 3 secure device and are therefore protected from attack.

KEY-LOADING

Key-loading is provided using a dedicated hand-held secure smart card reader/writer. nCipher Key-Loading Devices provide a secure smart card reader, display and keyboard, and are used to transfer key segments onto smart cards for transfer into the payShield enabled HSM. Using two as a pair, they enable split-knowledge .

INDUSTRY APPLICATION

The payShield Option Pack for nCipher HSM provides payments functionality to secure and accelerate payments industry applications.

ePayments

The 3-D Secure specification mandates the use of FIPS certified hardware for storage and management of cryptographic keys. payShield provides a single HSM solution that supports Visa's 3-D Secure Cardholder Authentication Verification Value (CAVV) using the Visa Card Verification Value (CVV) method, as well as MasterCard’s SPA Account Authentication Value (AAV) and Card Authentication Program (CAP).

EMV support

EMV is a smart card standard developed by Europay, MasterCard and Visa to address the universal aspects of chip card issuance and acceptance. The standard provides the bridge from traditional magnetic strips to chip-based smart cards for debit and credit payments. payShield supports the Authorization Request and Response cryptograms used in smart card based authentication.

EFTPOS

payShield supports functionality to provide key management and PIN-based functions relating to EFTPOS system deployment. The functionality supports debit, credit and smart cards for authorization and processing in an on-line EFTPOS system.

ATM PIN processing

PIN processing functions are supported by payShield, including PIN generation, translation and authentication. Customized formats can be easily developed due to the flexibility of the payShield architecture. payShield supports verification, generation and translation using both the Visa PVV and IBM 3624 formats.

ADVANCED HSM MANAGEMENT

The payShield option exploits nCipher’s proven Security World key management framework. This combines advanced cryptographic techniques for the generation, backup and recovery of cryptographic keys. Split knowledge and dual control provide a mechanism for sharing responsibility across an administrative team avoiding the threat of a single “super-user”, a vital capability for the protection and secure management of keys used for payment processing. Most security functions are controlled through an intuitive graphical user interface.

CUSTOMIZED SECURITY

The combination of nCipher’s developer toolkits and broad range of supported software APIs means that the payShield platform can be expanded even further to enable more sophisticated security solutions. This flexibility enables the integration of customized , decryption, or signing functions. A payShield enabled HSM can be customized to provide flexible and scalable payments functionality system.

FEATURE: BENEFIT

SECURE CARDHOLDER AUTHENTICATION: In a single HSM, payShield handles all hardware secured cryptographic functions required for cardholder authentication initiatives, such as 3-D Secure, eliminating the need to purchase multiple HSMs

EMV AUTHENTICATION FOR SMART CARDS: payShield supports payment initiatives such as the validation of smart card transactions on Internet-based or point-of-sale (POS) systems

SECURE MESSAGING: Cryptography is used to ensure both the secrecy and the integrity of messages flowing within the payment system. By using payShield, information is digitally signed within the HSM for increased protection

HIGH SPEED CRYPTOGRAPHIC PROCESSING: Cryptographic acceleration is a key feature of all nCipher HSMs, allowing organizations to improve transaction throughput during the card authorization process, thus reducing delays while boosting system capacity

FIPS 140-2 LEVEL 3 KEY GENERATION, PROTECTION AND MANAGEMENT: Protected within FIPS 140-2 Level 3 validated tamper-resistant hardware, cryptographic keys are never exposed – minimising vulnerability and meeting industry privacy requirements

COMPREHENSIVE CRYPTOGRAPHIC SUPPORT: payShield combines high speed processing support for both symmetric and asymmetric operations within a single physical device. DES, Triple-DES, AES and RSA keys can be managed under a common management framework and security policy, reducing complexity and operational cost

SHAREABLE CRYPTOGRAPHIC RESOURCE: Provides flexible security for multiple server and multi-site installations, lowering the overall cost of deploying cryptographic hardware

FAILOVER CAPABILITY: Supports the use of dual HSMs for resiliency, transparently passing processing activities to a second payShield enabled device in the event of failure

TECHNICAL SPECIFICATIONS

Full technical specifications can be viewed at http://www.ncipher.com/cryptographic_hardware/hardware_security_modules/54/payshield_option

Every effort has been made to ensure the information included in this datasheet is true and correct at the time of going to press. However, the products described herein are subject to continuous development and improvement, and the right is reserved to change their specification at any time. ©2007 nCipher Corporation Ltd. nCipher, nShield, payShield, SEE, are trademarks or registered trademarks of nCipher Corporation Ltd. All other trademarks contained herein are the property of their respective owners.

NCDS/PAYSHIELD/AUG2007

nCipher Inc.
92 Montvale Avenue, Suite 4500
Stoneham, MA 02180 USA
Tel: +1 (781) 994 4000

nCipher Corporation Ltd.
Jupiter House, Station Rd.
Cambridge, CBI 2JD UK
Tel: +44 (0) 1223 723600

nCipher Corporation Ltd.
15th Floor, Cerulean Tower,
26-1 Sakuragaoka-cho, Shibuya-ku,
Tokyo 150 8512 Japan
Tel: +81 3 5456 5484

For more information on nCipher, visit www.ncipher.com

Identify. Protect. Comply.