
PCI Encryption requirements demystified Andreas Lutz comForte GmbH November 2007



Presentation Transcript


  1. PCI Encryption requirements demystified Andreas Lutz comForte GmbH November 2007

  2. comForte company Introduction
     Our Mission: Assisting enterprises to deploy secure, manageable and cost-effective NonStop server access
     • comForte GmbH / Germany
       • Founded: Oct 1998
       • CEO: Dr. Michael Rossbach; CTO: Michael Horst
       • Offices:
         • Neuruppin (north of Berlin)
         • Wiesbaden (near Frankfurt)
     • comForte Inc. / USA
       • Founded: June 2005
       • President: Knut Rossbach; CTO: Thomas Burg
       • Office: Old Tappan, New Jersey
     • Employees: 25
     • Customers: 400
     communication is our Forte

  3. Agenda
     • Part 1: PCI DSS encryption requirements
     • Part 2: Encryption Standards and Technologies
     • Part 3: comForte products helping to achieve PCI compliance

  4. Part 1: PCI encryption requirements
     What is the PCI standard anyway: http://en.wikipedia.org/wiki/PCI_DSS
     PCI Introduction: PCI DSS stands for Payment Card Industry (PCI) Data Security Standard (DSS). It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or it risks losing the ability to process credit card payments. The PCI DSS reflects the combined interests of VISA, Mastercard, Discover, American Express, and JCB. These five credit card brands have agreed upon a common set of security standards. Prior to this, each card brand managed its own set of requirements.

  5. Get the PCI standard at:
     https://www.pcisecuritystandards.org/
     https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm

  6. Overview of PCI DSS requirements

  7. PCI requirement 2:

  8. PCI requirement 3: Protect stored cardholder data
     • 3.1 Keep cardholder data storage to a minimum.
     • 3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted).
     • 3.3 Mask PAN when displayed (does not apply to employees and other parties with a specific need to see the full PAN).
     • 3.4 Render PAN, at minimum, unreadable anywhere it is stored by using any of the following approaches:
       • Strong one-way hash functions (hashed indexes)
       • Truncation
       • Index tokens and pads (pads must be securely stored)
       • Strong cryptography with associated key management processes and procedures.
       The MINIMUM account information that must be rendered unreadable is the PAN. If for some reason a company is unable to encrypt cardholder data, refer to Appendix B: “Compensating Controls for Encryption of Stored Data.”
     • 3.5 Protect encryption keys used for encryption of cardholder data.
     • 3.6 Fully document and implement all key management processes.

  9. PCI Standard and the NonStop platform
     • Requirement 3: calls for DB encryption
     • Nearly all NonStop customers use “Appendix B: Compensating Controls”
     • This is *hard* to implement – the devil is in the details

  10. Requirement 4: Encrypt transmission of cardholder data across open, public networks
      • 4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
      • 4.2 Never send unencrypted PANs by e-mail.

  11. PCI Requirement 8: Assign a unique ID to each person with computer access (excerpt)

  12. PCI DSS and NonStop – summary
      • Different areas of the standard apply differently to the NonStop platform
        • Some have been taken care of well over the past 20+ years on NonStop
        • Some do not apply
        • Others are typically addressed at an enterprise level
        • Some others typically require changes
      • Regarding encryption, in a nutshell the PCI standard requires
        • Encryption of sensitive data (cardholder data, passwords) in transit:
          • Encryption of Telnet and FTP traffic
        • Encryption of cardholder data at rest:
          • Databases
          • Backup tapes

  13. Part 2: Encryption Standards and Technologies

  14. PCI Encryption Requirements 1/3: Encrypt Telnet, FTP and other network protocols

  15. Telnet and File transfer – Picking the right protocol and products
      • Two protocols to choose from:
        • SSL
          • Evolved through the Internet (“https”)
          • Popular on PC file transfer clients since 2001
          • Available from comForte since 1999
          • Natural fit for file transfer with IBM mainframes and 6530 Telnet
        • SSH
          • Comes out of the Unix world
          • Popular on PC file transfer clients since 2005
          • Available from comForte since 2003 (file transfer) / 2007 (6530 shell)
          • Natural fit for communication with Unix
          • Natural fit for OSS shell traffic (e.g. with PuTTY)
          • Chosen by HP for NonStop Console Telnet/FTP encryption
      • You may need to implement both …

  16. PCI Requirements 2/3: Encrypt databases

  17. DB encryption: The challenges (1)
      • Three databases (ENSCRIBE, SQL/MP, SQL/MX)
      • (As of now:) no hooks for third-party vendors in SQL/MP or SQL/MX
      • Lack of features in SQL/MX which allow “transparent” encryption (triggers, views, triggers on views, user functions in C)

  18. DB encryption: The challenges (2)
      • Key management, key rotation, ...
      • Searches for encrypted data?
      • “Find next” for encrypted data?
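The PAN handling that requirements 3.3 and 3.4 (slide 8) call for, together with the search and key-rotation questions raised on slides 17 and 18, in a short Python sketch added here as an illustration. It is not code from the presentation or from comForte. The two PANs are the well-known Visa and Mastercard test numbers (constructed sample data, not real accounts), the keys are constructed placeholders that would live in a key manager or HSM under requirements 3.5/3.6, and HMAC-SHA256 stands in for whichever keyed one-way function a deployment would choose for its hashed index.

```python
"""PAN protection sketch for PCI DSS requirements 3.3 / 3.4 (stdlib only).

Added example, not code from the presentation or from comForte. Sample PANs
are the industry test card numbers; keys are constructed placeholders that
would come from a key manager / HSM in production (requirements 3.5 / 3.6).
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample data: industry test card numbers, not real accounts.
SAMPLE_PAN = "4111111111111111"
OTHER_PAN = "5555555555554444"

# Constructed placeholder keys, indexed by key version so that rotation (3.6)
# can be performed without invalidating rows written under the old key.
KEYS: Dict[int, bytes] = {
    1: b"placeholder-key-version-1",
    2: b"placeholder-key-version-2",
}


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; rejects obvious typos before a PAN is stored."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: display at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Requirement 3.4, truncation: keep only the last four digits."""
    return pan[-4:]


def hashed_index(pan: str, key: bytes, key_version: int) -> str:
    """Requirement 3.4, hashed index, as a keyed one-way function.

    An unkeyed hash of a PAN can be brute-forced: the issuer prefix is public
    and the Luhn digit is derived, so only a few digits are truly unknown.
    Keying the hash (HMAC-SHA256 here) makes the index useless without the
    key; the version prefix records which key produced it.
    """
    mac = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return f"v{key_version}:{mac}"


def build_record(pan: str, key_version: int, keys: Dict[int, bytes] = KEYS) -> dict:
    """What the database row keeps: no full PAN, only truncation plus hashed index."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_last4": truncate_pan(pan),
        "pan_index": hashed_index(pan, keys[key_version], key_version),
    }


def find_by_pan(records: List[dict], pan: str, keys: Dict[int, bytes] = KEYS) -> List[dict]:
    """Equality search on the protected column (slide 18: searches for encrypted data).

    The query PAN is indexed under every key version still active, so rows
    written before a key rotation are still found. Range or "find next"
    queries cannot be served this way: HMAC output order is unrelated to PAN
    order, which is exactly the limitation the slide points at.
    """
    candidates = {hashed_index(pan, k, v) for v, k in keys.items()}
    return [r for r in records if r["pan_index"] in candidates]


if __name__ == "__main__":
    table = [build_record(SAMPLE_PAN, 1), build_record(OTHER_PAN, 2)]
    print(mask_pan(SAMPLE_PAN))             # 411111******1111
    print(find_by_pan(table, SAMPLE_PAN))   # the first row only
```

The fourth option in 3.4, reversible strong cryptography, is not shown because the standard library has no AES; a deployment that needs the full PAN back keeps the ciphertext in a separate store and uses the keyed index only for lookup. Equality lookups survive a key rotation as long as both key versions stay active until the table has been re-indexed; ordered access ("find next") remains the open problem the slide lists.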

  19. PCI Requirements 3/3: Encrypt backup tapes

  20. “No-one can read Tandem tapes?”

  21. Backup tape encryption: Technologies

  22. Part 3: comForte products helping to achieve PCI compliance

  23. comForte and encryption on NonStop
      • 1991 - MR-TN6530
      • 1994 - MR-WIN6530
      • 2000 - SSL for terminal emulation
      • 2001 - SecurTN
      • 2002 - SecurFTP/SSL + SecurCS
      • 2003 - SecurCS for Websphere MQ
      • 2004 - WIN6530, J6530 with integrated SecurFTP client
      • 2004 - HP licenses comForte’s SSL technology for internal use
      • 2005 - SecurFTP/SSH, SecurPrint
      • 2006 - SecurSH, SecurTape
      • 2006 - HP licenses comForte’s SSH technology for internal use
      • 2007 - MR-Win6530 on NonStop Console
      • 2007 - SecurSH in HP price book

  24. comForte security solutions in production
      • SSL Telnet Server (FCS 2000)
        • more than 100 customers
        • more than 300 NonStop systems
      • SecurFTP/SSL (FCS 2002)
        • more than 20 customers
        • more than 50 systems
      • SecurCS for Middleware (FCS 2002)
        • more than 20 customers
        • more than 50 systems
      • SecurSH (FCS 2004)
        • more than 15 customers
        • more than 80 systems

  25. The Telnet and file transfer scenario before encryption

  26. comForte products for Telnet/FTP encryption using SSL

  27. comForte products for Telnet encryption using SSL (contd)

  28. comForte products for Telnet/FTP encryption using SSH

  29. Encryption of Telnet and File transfer: summary

  30. SecurTape

  31. SecurTape - CPU usage/throughput
      • “It depends”
      • More impact for slower CPU, faster tape drive
      • The more CPU cycles it uses, the faster SecurTape will be (!)
      • We have seen elapsed time for BACKUP jobs being about the same, smaller or a bit larger
      • Test it in your environment …

  32. Database encryption with SecurDB
      • comForte’s vision:
        • Don’t reinvent the wheel on NonStop
        • Bring cross-platform solutions to NonStop
      • comForte partnering with Ingrian, industry leader in DB encryption
      • Leverage a centralized, standards-based approach to increase ROI and cross-platform capabilities
      • Hardware encryption for compliance with legislation and policy
        • (optional) FIPS 140-2 Level 3 compliant
      • Encryption in SW alone

  33. Database encryption with SecurDB

  34. Summary

  35. Thank you for your attention
      For further information please contact:
      Andreas Lutz, Sales Representative
      Phone: +49 (0)3391-4557 21
      Fax: +49 (0)3391-4557 66
      E-Mail: A.Lutz@comforte.com
