
Payment HSM Overview
Transaction Processing and Card Issuance

Hermann Bauer, Business Development

SafeNet HSM Product Line Functionalities and Target Use

Payment/EFT HSMs

• Luna EFT
• ProtectServer External (PSE)
• Protect Server Internal Express (PSIe)

General Purpose/PKI HSMs

• Luna SA, SP, IS
• ProtectServer External (PSE)
• Luna PCI / PCI-X
• Luna PED & PED Keys
• Protect Server Internal Express (PSIe)
• Luna G5 and HSM Backup Device

Payment/EFT Command Sets

• International EFT/Payment Processing (MKII)
  • Incl. Acquiring/Authorisation and Card Issuance
  • Incl. End-to-End Online Banking Security (OBM)
• Australian Payment Processing (AMB/APCA)
• CAPS (US POS System)
• Hundreds of Customizations
• ProtectServer line: Subset of Mark II Cmd Set as FM

General Purpose Cryptographic APIs

• XML
• PKCS#11
• Microsoft CryptoAPI / CNG
• Java JCA/JCE
• OpenSSL
• Customization Software Development Kit

Luna EFT – Payment HSM

• EFT/EMV (TP and CI) HSM
  • SafeNet’s current dedicated Payment HSM
  • Card Issuance and Transaction Processing Security Functionality
  • Positioned against Thales 8000/9000 series
• Features/Characteristics
  • 1U rack-mount size/dimension
  • Fast & high-assurance HSM card (common platform with Luna HSM line)
  • RoHS compliant
  • FIPS 140-2 level 3 certification (#1524)
  • PCI-HSM approved
  • APCA & Amex certification
  • PIN/Key Mailer on Laser Printer
  • USB ports for SW upgrades/key backups and PIN/Key Mailer Printing
• Communications Interfaces
  • Low Speed
    • Async
  • High Speed
    • (Raw) Ethernet, TCP/IP over Ethernet
• Performance Levels
  • Low (60), Medium (140,280), High (1200, 1600)
  • Visa PIN Verifies
• Large Internal Key Store
• HSM- and Host-stored Key Management
• Different Command Sets
  • Mark II, AMB, CAPS, Custom
• In-field Upgradeable
  • Performance, Connectivity, Command Sets
• Integration with many Payment products
• Excellent price/performance proposition

Luna EFT - Strengths

• Modern, up-to-date HSM architecture in 1U chassis
• PCI-HSM and FIPS 140-2 level 3 certification
• Flexible key management (HSM-stored key, host-stored keys or mix)
• User-friendly & intuitive GUI-based administration and management
• Large internal, configurable secure key storage (up to 9.999 slots per key type)
• High performance throughput (up to 1600 tps)
• In-field Upgradeability (functionality, performance, connectivity)
• Combined Transaction Processing and Card Issuance/Personalisation support
• Two NICs supporting fail-over and network redundancy (multi-pathing)
• based or Network-based Backup/Recovery of all (HSM-stored) Keys
• Remote HSM administration
• Multi-tenancy support (AES keys)
• Device monitoring via SNMP v3
• PCI-compliant auditing and logging
• Comprehensive, Granular Load Sharing and Timeout/Error Handling (via host API)
• No separate licenses, all included in standard package
• Attractive pricing
• Customization friendly
• Great support and service

Luna EFT – Remote HSM Management

• Remote HSM Management is provided in the form of a bootable image
• User authentication is done via SafeNet eToken 72K Pro
  • A portable two-factor USB authentication token with advanced smart card technology
• Console operations
  • Key Processing operations
  • Configuration operations
  • Display information

Mark II – Payments Functionality

One of multiple Payment command sets for Luna EFT

International Payment Transaction Processing & Card Issuance functionality

Mark II functionality covers approx. 200 commands

Constantly evolving

• HSM status functions
• Administrative functions
• KM change functions
• Transfer functions
• EFT terminal functions (incl. DUKPT)
• Remote ATM Initialization
• Interchange Functions
• PIN Management Functions
• MAC Management (3DES, HMAC-SHA2, AES)
• Data Ciphering Functions (3DES, AES, SEED, FPE)
• PIN Issuing Functions (incl. PIN mailer)
• EMV Card Issuance (Data Prep & Perso, e.g. GP)
• EMV Transaction Processing (incl. CAP & DPA)
• EMV Scripting
• Visa Functions
• MasterCard Functions
• Functions
• CEPS functions (electronic purse)
• 3D Secure Support
• Contactless (PayPass & PayWave)
• AS2805.6.3 Support Functions
• TR-31 Key Block
• ZKA functions (Germany)
• Italian ABI and debit support (Italy)
• APACS Support (UK)
• Online Banking Module

ProtectServer Internal Express EFT
ProtectServer External EFT

• Low-cost, low performance, entry-level EFT HSM

• Supported OS (all 32-bit and 64-bit)
  • Windows, Linux, Solaris, AIX

• Performance Level
  • 25 tps

• Key Entry through host or PIN/Key Entry Device

• Admin utilities

• Subset of Luna EFT Mark II facilities

• No customizations

Payment SW Vendors – HSM Integration

Payment Software Vendor Product Name Business Region Served

ACI Base24-eps + TSS Global
ACI / EPS ASx EE
ACI / S1 Postilion Global
ACI / S2 Systems ON/2, OpeN/2 MEA
ACI / Distra e- Global
AJB Software RTS Americas
Arius Asoft EMEA
Banksoft BPS (Banksoft Pre-Personalisation System) EMEA
BPC (Banking Production Centre) SmartVista Global
Compass Tranzware Online, Card Factory EMEA, APAC
CR2 BankWorld EMEA
CSFI u/SWITCHWARE Global
CubeIQ AlphaPIN EMEA
Distra e-switch APAC, EMEA
FIS / EFunds / Oasis Technology Connex, IST/Switch Global
HPS PowerCARD EMEA
Interblocks iSuite iSwitch APAC, MEA
Interpro Switch Americas
i-Sprint USO, AccessMatrix UAS MEA
IWI Net+1 APAC
N&TS ACFS EMEA
OMA Emirates EFT POS Application MEA
OpenWay Way4 EMV Issuance EMEA, APAC
Opus / ECS Electra EFT Switch APAC, EMEA
RS2 BankWorks EMEA
S2M SELECT EMEA
Silverlake SIBS APAC
SmartSoft/CardTek Ocean EMEA
Sparkassen IT Solution Payment Switch EMEA
Sungard CardPro Americas, APAC
Tallyho Online Switch Module Americas, APAC
TAS CARD EMEA
TECS TECS Payment System EMEA
TietoEnator TransMaster EMEA
TPS Iris (Phoenix), , Sentinel EMEA
TSYS CTL ONLINE, PRIME, NCRYPT Global
Collis EMV Host Toolkit, PVT Global
Barnes International CPT 3000 EMV PVT EMEA

Role of HSM in Card Issuance Environment

[Figure: card issuance environment. Labels: Issuer; Bank; Government; Card Application Management System; Data Preparation System; encrypted file(s); Personalizer / Personalization Bureau; Personalisation System; Chip Manufacturer; Card Manufacturer; Card Production System; Card Application; OS; OS + App; HSM; KEK; KMC.]

Card Issuance Vendors – HSM Integration

Data Preparation/Personalisation/Card Management Systems

Integration with/Supplier to all Major Smart Card, Card Mgmt, Data Preparation Personalisation SW and Personalisation Equipment Vendors

Smart Card Vendors: Gemalto, G&D, Oberthur, Safran Morpho (Sagem), ST, Nagra, Trüb, AustriaCard, OTI

Card Management, Perso and Data Prep Software Vendors: BellID / ACI, OpenWay, Cryptomathic, TSYS CardTech, UbiQ, BPC, Datacard / DCS, Compass Plus, CardTek/SmartSoft, Banksoft, CardHall/Pronit

Personalisation Equipment Vendors: Datacard, NBS, Mühlbauer, Atlantic Zeiser / Böwe-CardTec, CIM, Maurer Electronics

via Luna EFT or PSIe or PSE + Card Issuing SW + PP Customisation SDK

Major SafeNet HSM Deployment Areas

Application Space | HSM Product | Customers & Partners

PKI & Authentication | Luna SA, Luna PCI/PCI-E, Luna G5, Luna CA4 | Symantec (VeriSign), GlobalSign, Entrust, Microsoft, RSA, SafeLayer, OpenTrust, Keynectis, EJBCA/PrimeKey, Nexus, …

Card Issuance | ProtectServer Internal Express, ProtectServer External | G&D, Gemalto, Oberthur, Morpho, DataCard, Mühlbauer, BellID, Cryptomathic, CardHall, OpenWay, BPC, TSYS, Compass Plus, …

Wholesale Payments | Luna IS, Luna SA, Luna SP | SWIFT (ww), SIX (Swiss Payment Systems), …

Retail Payments | Luna EFT | Banks and Processors (ww), ACI, FIS, OpenWay, TSYS, BPC, Compass Plus, HPS, …

Thank You