Point to Point Encryption and Terminal Requirements in Europe

Point to Point Encryption and Terminal Requirements in Europe

Point to Point Encryption and Terminal Requirements in Europe - Status Report - A Study for the European Association of Payment Service Providers for Merchants EPSM prepared by SRC Security Research & Consulting GmbH Graurheindorfer Str. 149 A 53117 Bonn, Germany Bonn, 16 May 2011 Terminal Requirements in Europe - Status Report Contents Management Summary ...................................................................................................................1 1 Background and Objectives......................................................................................................3 2 Basic Items of Interest ..............................................................................................................5 2.1 Scenarios of Merchant Solutions .....................................................................................5 2.2 The Challenge: Defining the PCI DSS Scope ................................................................13 2.3 The Challenge for Merchants ........................................................................................15 3 Requirements for POI.............................................................................................................16 3.1 Requirements of the Global Card Schemes...................................................................16 3.1.1 PCI DSS ............................................................................................................16 3.1.1.1 Overview ..............................................................................................16 3.1.1.2 Standard...............................................................................................17 3.1.1.3 Additional documents ...........................................................................20 3.1.2 PCI PA-DSS.......................................................................................................21 3.1.3 PCI PTS 3.0.......................................................................................................22 3.1.3.1 PED......................................................................................................22 3.1.3.2 SRED ...................................................................................................22 3.1.3.3 Open Protocols.....................................................................................23 3.2 Common Approval Scheme CAS / Open Standards for Security and Certification OSeC.........................................................................................................23 3.3 Zentraler Kreditausschuss ZKA / ZKA Approval Scheme...............................................25 3.3.1 girocard Requirements.......................................................................................25 3.3.2 ZKA Approval Scheme.......................................................................................25 4 Solutions ................................................................................................................................26 4.1 IFSF ..............................................................................................................................26 4.2 EPAS ............................................................................................................................27 4.3 Common Implementation Recommendations CIR/Open Standards for Cards OSCAR...............................................................................................................29 4.4 PNC ..............................................................................................................................31 4.5 Emerging Technologies@POS/Approaches ..................................................................31 4.5.1 Tokenisation.......................................................................................................32 4.5.2 Point-to-Point Encryption....................................................................................33 16 May 2011 page i Terminal Requirements in Europe - Status Report 4.5.2.1 Symmetric and asymmetric encryption...................................................34 4.5.2.2 Key Management: PCI PIN Security Requirements................................34 4.5.2.3 Secure Channel: VPN, TLS (Server authentication, C/S authentication)......................................................................................35 4.6 Industry Solutions..........................................................................................................36 4.6.1 Heartland Payment Systems E3Secure .............................................................36 4.6.2 Verifone VeriShield Protect ................................................................................36 4.6.3 ATOS Worldline .................................................................................................37 5 PCI DSS and EMV .................................................................................................................39 6 PCI DSS and Data Protection.................................................................................................40 6.1 Data Protection Act in EU..............................................................................................40 6.2 Example: Data Protection Act in DE National Requirements .........................................42 6.3 ISO 27001/2 and PCI DSS as Implementations.............................................................43 7 Open Issues ...........................................................................................................................44 8 About SRC .............................................................................................................................45 9 References.............................................................................................................................46 16 May 2011 page ii Terminal Requirements in Europe - Status Report Management Summary The European Association for Payment Service Providers for Merchants EPSM asked for an over- view on requirements to be supported by POS terminals in Europe with the expectation to be pro- vided with a clear guidance how to achieve the best solution. This request is well understood, be- cause the POS environment is one of the most challenging questions today. Especially the security programs of the global card schemes and their specification and certification organization PCI SSC lay down complex and difficult sets of requirements linked to huge investments of the acquiring markets. Due to these programs numerous new solutions emerge in the market promising to solve all challenges. The document at hand provides the overview EPSM has asked for covering the most important sets of requirements. More sets of requirements might have been included, but looking at the se- lection being covered the benefit of an extension would be only marginal. In addition this document describes and assesses the most relevant vendor solutions being currently offered in the market. Both parts result in a lively and coloured status report. EPSM’s expectation on a guidance or best practice solutions to meet the requirements best, how- ever, faces several challenges. The most important one is the lacking guidance on the interpreta- tion and application of the different PCI standards. PCI SSC confirmed during an interview per- formed for this study, that it hopes to publish their guidance document “Validation requirements for P2PE solutions” in Q2/2011. This document is expected to close the gaps identified by the docu- ment at hand. Therefore the current situation can be summarized as follows: • The requirements to be met are numerous, complex and difficult. • Some solutions, which are offered (and installed) today may be approached with respect since some features or requirements are critical or are not clear by now. These solutions are not as mature as they should be. • Other solutions, which are offered (and installed) today may pass the different certification processes, but result in vendor specific dependencies. • Investments being made today for solutions face a high degree of uncertainty and financial risks: Either they may not meet the requirements or may be too complex, i.e. too expensive. To overcome this situation the only way forward is to wait for the guidance document of PCI SSC. The paper is expected to enter the consultation phase with the global card schemes now before being published at the end of 2Q 2011. SRC was offered to be involved. Being provided with this guidance and improved certainty further steps should be envisaged. EPSM and its members are in an excellent position to develop an own implementation guideline or industry standard taking all requirements into consideration. An integrated and state-of-the-art- approach – which may include a few core solutions - will provide huge benefit to the payment ser- vice providers in Europe which are facing more and more requirements within the upcoming SEPA world on one hand and economic pressures on the other hand. Such an approach would also be able to reduce the complexity in many PCI DSS implementation projects not only at payment ser- vice providers but also their customers, the merchants. 16 May 2011 page 1 Terminal Requirements in Europe - Status Report For optimization purposes, EPSM should participate in the PCI SSC Special Interest Group dealing with P2PE to assure that the knowledge and experiences of the European payment service provid- ers will be taken into

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    49 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us