NetMATRIX (Multi-Application Transaction Routing and Identification eXchange) Terminal Line Encryption is the complete solution for banks wishing to introduce terminal line encryption into their existing POS network infrastructure.
4. E2EE: What is it?
“…is defined as the continuous protection of the confidentiality and integrity of transmitted information by encrypting it at the origin and decrypting at its destination.…”
(Computer Desktop Encyclopedia)
7. en·cryp·tion /-ˈkrip-shən/
In cryptography, encryption is the process of transforming information to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information. (Wikipedia)
8. MAC (Message Authentication Code)
MAC-ing is the process of “fingerprinting” data so that any tampering can be detected. The fingerprint is computed under a secret key held only by the sender and receiver (for example by encrypting a hash of the data), so only they can form a valid MAC; the receiver can therefore authenticate the message and verify that it was not altered in transit.
16. Minimum Data Encryption Requirements
A TLE design is scored on six criteria; the option number is the score for that criterion, and the radar chart on the slide plots the six scores.
Encrypted Data Elements
1. CVV
2. CVV and PAN / Track2
Terminal Key Storage
1. Outside secure module
2. Within tamper reactive module
Key Usage Methodology
1. Unique-key-per-terminal
2. Unique-key-per-session-per-terminal
3. Unique-key-per-transaction
4. Derived Unique Key Per Transaction (DUKPT)
Key Differentiation
1. Same key for ENC & MAC
2. Different key for ENC & MAC
Encryption Algorithm
1. TEA – Tiny Encryption Algorithm
2. DES – Data Encryption Standard
3. 3DES/AES
MAC Algorithm
1. No MAC
2. CRC32 + MAC
3. CRC32 + RMAC
4. SHA-1 + RMAC, or SHA-1 + AES MAC
Scores are written in the order ENC data elements – key storage – key usage – key differentiation – ENC algorithm – MAC algorithm.
Highest Score: 2-2-4-2-3-4
Lowest Score: 1-1-1-1-1-1
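As an added example (not code from this deck, nor from GHL's NetMATRIX product), the Go program below shows what the higher-scoring options above look like together: a unique key per transaction, different keys for ENC and MAC, AES for the encryption, and a keyed MAC that is verified before anything is decrypted (the “fingerprinting” described on slide 8). The key derivation is a simplified HMAC-SHA256 construction, not the ANSI X9.24 DUKPT key ladder; the function names (deriveTxnKeys, TerminalEncrypt, HostDecrypt), the terminal ID T0001, the base key and the Track2 string are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Illustration only, not ANSI X9.24 DUKPT: keys come from an HMAC-SHA256 KDF rather than the
// X9.24 key ladder, and a real terminal would keep bdk inside its tamper-reactive module.

// deriveTxnKeys derives the ENC and MAC keys for one transaction from the base key shared by
// terminal and host, the terminal ID and a monotonically increasing transaction counter.
// Distinct labels give two unrelated keys (key differentiation option 2 on the slide).
func deriveTxnKeys(bdk []byte, terminalID string, counter uint32) (encKey, macKey []byte) {
	kdf := func(label string) []byte {
		h := hmac.New(sha256.New, bdk)
		h.Write([]byte(label + "|" + terminalID + "|"))
		h.Write(be32(counter))
		return h.Sum(nil) // 32 bytes: an AES-256 key or an HMAC key
	}
	return kdf("ENC"), kdf("MAC")
}

func be32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// TLEMessage is what crosses the line: only Ciphertext hides data, Tag proves its integrity.
type TLEMessage struct {
	TerminalID string
	Counter    uint32
	IV         []byte // fresh 16-byte AES-CTR nonce per message
	Ciphertext []byte // encrypted PAN / Track2 field
	Tag        []byte // HMAC-SHA256 over terminal ID, counter, IV and ciphertext
}

// tag computes the MAC over everything on the wire (encrypt-then-MAC).
func tag(macKey []byte, m *TLEMessage) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(bytes.Join([][]byte{[]byte(m.TerminalID), be32(m.Counter), m.IV, m.Ciphertext}, nil))
	return h.Sum(nil)
}

// ctrXOR runs AES-CTR; the same call encrypts and decrypts.
func ctrXOR(key, iv, in []byte) []byte {
	block, _ := aes.NewCipher(key) // error impossible here: the KDF always yields a 32-byte key
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// TerminalEncrypt runs in the terminal for transaction number counter.
func TerminalEncrypt(bdk []byte, terminalID string, counter uint32, sensitive []byte) (*TLEMessage, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	encKey, macKey := deriveTxnKeys(bdk, terminalID, counter)
	m := &TLEMessage{TerminalID: terminalID, Counter: counter, IV: iv, Ciphertext: ctrXOR(encKey, iv, sensitive)}
	m.Tag = tag(macKey, m)
	return m, nil
}

var ErrReplay = errors.New("tle: counter not newer than last seen (replay)")
var ErrMAC = errors.New("tle: MAC check failed (tampered message or wrong key)")

// Host remembers the highest counter accepted from each terminal.
type Host struct {
	bdk      []byte
	lastSeen map[string]uint32
}

func NewHost(bdk []byte) *Host { return &Host{bdk: bdk, lastSeen: map[string]uint32{}} }

// HostDecrypt rejects replays, verifies the MAC in constant time and only then decrypts,
// so a forged or modified message never reaches the cipher.
func (h *Host) HostDecrypt(m *TLEMessage) ([]byte, error) {
	if m.Counter <= h.lastSeen[m.TerminalID] {
		return nil, ErrReplay
	}
	encKey, macKey := deriveTxnKeys(h.bdk, m.TerminalID, m.Counter)
	if !hmac.Equal(tag(macKey, m), m.Tag) {
		return nil, ErrMAC
	}
	h.lastSeen[m.TerminalID] = m.Counter
	return ctrXOR(encKey, m.IV, m.Ciphertext), nil
}

func main() {
	host := NewHost(bytes.Repeat([]byte{0x42}, 32))                                    // constructed sample base key
	msg, _ := TerminalEncrypt(host.bdk, "T0001", 1, []byte("4111111111111111=2512101")) // constructed Track2
	pt, err := host.HostDecrypt(msg)
	fmt.Printf("first delivery: %q err=%v\n", pt, err)
	_, err = host.HostDecrypt(msg)
	fmt.Println("second delivery:", err) // replay rejected
}
```

HostDecrypt checks the counter and the MAC before any decryption, and hmac.Equal keeps the comparison constant time. A message with one flipped ciphertext byte fails with ErrMAC, and a second delivery of a valid message fails with ErrReplay because the per-terminal counter has already advanced; because the keys are derived per transaction, compromising one transaction's keys does not expose the previous or the next one.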
24. Payments: The story today…
Source: BNM, 2009 Financial Stability and Payment Systems Report 2008
25. Payments: The story today
“…(card fraud) losses continued to be insignificant, accounting for less than 0.04% of total card transactions during the year.”
28. Summary: Considerations for TLE
Addresses all threats
Addresses Implementation issues
Addresses Deployment Issues
Addresses Administration Issues
Multi-channel & multi-device Support
Vendor Independence
Performance
Cost-Effective
Remote Key Injection
29. Additional References
1. The Smart Card Alliance (http://www.smartcardalliance.org/)
2. PCI Security Standards Council
(https://www.pcisecuritystandards.org/)
3. Visa Best Practices, Data Field Encryption Version 1.0
(http://corporate.visa.com/_media/best-practices.pdf)
4. Secure POS Vendors Association
(http://www.spva.org/index.aspx)
5. GHL Systems (http://www.ghl.com/netMATRIX)
36. “Typical” Transaction Flow
(Diagram) EDC terminals connect through Remote NACs to a Switching NAC and on to NetMATRIX in the acquiring bank, which routes the transaction to the Credit Card Host (NII 160); the Acquiring Host forwards it to the Issuing Bank Host. The message from the terminal is labelled “160 Message”: addressed to NII 160 and carried in clear.
37. Encrypted Transaction Flow
(Diagram) Same topology, with a NetMATRIX TLE (NII 161) added in the acquiring bank beside the Credit Card Host (NII 160). The terminal now addresses its encrypted message to NII 161 (“161 Enc Message”); it passes through the Remote NAC and Switching NAC to the NetMATRIX TLE, which terminates the line encryption and hands the transaction to the Credit Card Host on NII 160, from where it continues via the Acquiring Host to the Issuing Bank Host.
38. Encrypted Transaction Flow II
(Diagram) Second view of the same encrypted flow: the “161 Enc Message” leg from the EDC terminals through the Remote NAC and Switching NAC to the NetMATRIX TLE, and the NII 160 leg from the TLE to the Credit Card Host, Acquiring Host and Issuing Bank Host.
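As an added example (not the deck's code and not NetMATRIX's), the Go program below shows how the switch in the flows above can separate NII 160 traffic from NII 161 traffic and rewrite the header once the TLE has decrypted the body. It assumes the NII is carried in the standard 5-byte ISO 8583 TPDU used by EDC terminals (ID byte, destination NII and source NII as packed BCD); whether NetMATRIX uses exactly that framing is not stated on the slides. The decryption step is passed in as a function, so the routing logic stays independent of the cipher; xorStandIn is a constructed placeholder for the demo, not a real TLE decryption.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed framing (not stated on the slides): the standard 5-byte ISO 8583 TPDU used by
// EDC terminals precedes the ISO 8583 body. Byte 0 is the TPDU ID (0x60 for transaction
// data), bytes 1-2 the destination NII and bytes 3-4 the source NII, each four BCD digits.
const (
	NIICreditCardHost uint16 = 160 // clear-text route to the existing host (from the slides)
	NIITLE            uint16 = 161 // encrypted route, terminated by the TLE (from the slides)
)

type TPDU struct {
	ID      byte
	DestNII uint16
	SrcNII  uint16
}

var ErrHeader = errors.New("tpdu: malformed header (short, or non-BCD digit in NII)")

// bcdToUint16 unpacks two packed-BCD bytes (0x01 0x60 -> 160), rejecting nibbles above 9.
func bcdToUint16(b []byte) (uint16, error) {
	var v uint16
	for _, x := range b {
		hi, lo := x>>4, x&0x0f
		if hi > 9 || lo > 9 {
			return 0, ErrHeader
		}
		v = v*100 + uint16(hi)*10 + uint16(lo)
	}
	return v, nil
}

// uint16ToBCD packs a value below 10000 into two BCD bytes (160 -> 0x01 0x60).
func uint16ToBCD(v uint16) []byte {
	return []byte{byte((v/1000)<<4 | (v/100)%10), byte(((v/10)%10)<<4 | v%10)}
}

// ParseTPDU splits the header from the body and validates both NII fields.
func ParseTPDU(msg []byte) (TPDU, []byte, error) {
	if len(msg) < 5 {
		return TPDU{}, nil, ErrHeader
	}
	dst, err1 := bcdToUint16(msg[1:3])
	src, err2 := bcdToUint16(msg[3:5])
	if err1 != nil || err2 != nil {
		return TPDU{}, nil, ErrHeader
	}
	return TPDU{ID: msg[0], DestNII: dst, SrcNII: src}, msg[5:], nil
}

// Bytes serialises the header back to its 5-byte wire form.
func (t TPDU) Bytes() []byte {
	return append(append([]byte{t.ID}, uint16ToBCD(t.DestNII)...), uint16ToBCD(t.SrcNII)...)
}

const (
	RouteClear = "forward unchanged to the credit-card host (NII 160)"
	RouteTLE   = "decrypt at the NetMATRIX TLE, then forward as NII 160"
	RouteDrop  = "reject: no route for this destination NII"
)

// RouteMessage decides from the destination NII alone. For NII 161 it hands the body to the
// TLE (decrypt, supplied by the caller) and rewrites the header so the existing credit-card
// host sees ordinary NII 160 traffic; any other destination is rejected.
func RouteMessage(msg []byte, decrypt func([]byte) ([]byte, error)) (string, []byte, error) {
	hdr, body, err := ParseTPDU(msg)
	if err != nil {
		return RouteDrop, nil, err
	}
	switch hdr.DestNII {
	case NIICreditCardHost:
		return RouteClear, msg, nil
	case NIITLE:
		clear, err := decrypt(body)
		if err != nil {
			return RouteDrop, nil, err
		}
		hdr.DestNII = NIICreditCardHost
		return RouteTLE, append(hdr.Bytes(), clear...), nil
	default:
		return RouteDrop, nil, fmt.Errorf("tpdu: no route for NII %d", hdr.DestNII)
	}
}

// xorStandIn stands in for the TLE's decryption in the demo; it is NOT a cipher.
func xorStandIn(b []byte) ([]byte, error) {
	out := make([]byte, len(b))
	for i := range b {
		out[i] = b[i] ^ 0x5a
	}
	return out, nil
}

func main() {
	enc, _ := xorStandIn([]byte("0200 constructed ISO 8583 body"))
	route, out, err := RouteMessage(append(TPDU{ID: 0x60, DestNII: NIITLE}.Bytes(), enc...), xorStandIn)
	fmt.Printf("%s\nrewritten header: % x err=%v\n", route, out[:5], err)
}
```

The useful property is that the Credit Card Host never sees NII 161: after the TLE leg, the header is rewritten to NII 160 and the body is the clear transaction, which is what lets the host stay unchanged when TLE is introduced. Rejecting non-BCD NII digits up front keeps a malformed header from being silently routed.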