PCI Crypto Practice

P2PE - 3DS - PIN

Achieve risk reduction and compliance on time and on budget

Cryptography applied to the Payment Industry

While cryptography has long been used to protect sensitive data within the Payment Industry, experience shows that poor implementations create a false sense of security, and because this is a technically complex topic, poor implementations are common.

The PCI SSC, in collaboration with subject matter experts, has created several standards to support the correct implementation of cryptography in payment systems.

Foregenix delivers more P2PE assessments than any other QSAC in the world.

Foregenix Crypto

Foregenix Consulting and Compliance team

True cybersecurity experts, working with a vast array of clients ranging from small retail merchants to complex industrial environments and large international banks.

Experience

Remarkable individuals with a lifetime of experience as cybersecurity consultants, penetration testers, analysts, developers and engineers across all kinds of industries.

A unique working environment

Our people's technical experience, coupled with a unique work environment, is the foundation of our services: a complex machinery designed to help our customers avoid disruption while managing risk.

Knowledge

Foregenix has been closely involved with the leading cybersecurity frameworks since their inception, including the Payment Card Industry (PCI), ISO, NIST and several country-specific regulatory bodies, earning a reputation for excellence in every program in which it participates.

Accreditation

While we insist that experience is what makes the difference in this business, our consultants also hold a myriad of certifications, including PCI, SWIFT and ISO, cloud-vendor-specific ones, and more general technology credentials such as CSSLP, CISM, CISA, CISSP and many more.

Get support from native-speaking consultants in English, French, Spanish, Italian, Afrikaans, Greek, Gujarati, Hebrew, Hindi, Hungarian, Portuguese, Punjabi, Romanian, Russian, Ukrainian and Urdu.

P2PE Point-to-Point Encryption

The PCI P2PE standard is a set of security controls defining the requirements for P2PE Solutions: an estate of secure devices, applications and processes that, when correctly implemented, protects cardholder data between the point of capture and a secure decryption environment.

P2PE reduces the risk of data compromise and the scope of PCI DSS assessments for merchants using its solutions, saving their businesses time and money.

The PCI P2PE standard combines elements of PCI DSS, PA SSF, PCI PTS (PIN Transaction Security) and Tokenisation into an encompassing standard.

Foregenix is behind the P2PE certifications of the main payment terminal vendors, acquirers and application providers. With unparalleled experience and expertise in PCI consulting and assessment services, Foregenix can design, build and implement secure crypto environments in a cost-effective manner and validate compliance against industry standards and best practices.

PCI 3DS - 3D Secure Core Security

The PCI 3DS Core Security Standard defines physical and logical security requirements for protecting environments where ACS, DS and/or 3DSS functions are performed, and is mandatory for companies that manage or provide any of these components.

Foregenix has extensive experience in supporting companies implementing 3-D Secure services, providing both assessment and consulting services for the implementation of appropriate security controls to protect the 3DS transaction process.

Foregenix brings our clients the most experienced cryptography team in the payment industry. Thanks to our expertise in P2PE, 3DS and PCI PIN, accumulated since the inception of the standards and through many projects with the largest POI and HSM suppliers worldwide, our clients are able to leverage our knowledge and expertise to significantly streamline their projects.

PCI PIN Security

PCI PIN Security is a set of requirements designed for entities that process cardholder PINs (acquirers, payment processors) or perform cryptographic key management activities that protect PINs, such as Key Injection Facilities, ATM or point-of-sale deployment companies. PIN Security requirements are also mandatory for companies that develop and support mobile payment solutions (MPoC) for the acceptance of account data and cardholder PINs on Commercial Off-the-Shelf (COTS) devices.

Compliance with PCI PIN ensures that cardholders' PINs are protected through the implementation of specific controls, assuring that the validated entity achieves the intended level of security.

Foregenix is approved and listed by the PCI SSC as a Qualified PIN Assessor (PCI QPA) to perform security assessments against the PCI PIN Security Requirements in support of the Payment Brands' security programs. Our PIN assessors have the required knowledge, skills and experience in payment system security and the applicable PIN security requirements. We offer professional and focused PCI PIN compliance services across the UK, North America, CEMEA, LATAM and Asia Pacific regions.

Enough marketing chit-chat: find out what our long-standing customers have to say about how we help them achieve cybersecurity success.

Streamline Compliance


Extend your audience by including P2PE validation elements within your solution.

  • A dedicated team of experts focused on cryptography and key management, fully available to help your organisation build strong security into its business processes and systems.
  • Over 15 years helping our customers plan, design, develop, test and maintain their crypto solutions.
  • Leverage specialised resources ranging from programming, cryptography, infrastructure and risk assessment to penetration testing and forensics, to deliver maximum efficiency when needed.
  • Acting as your advocate, we accelerate communications with the PCI SSC, preventing unnecessary delays.

The P2PE Compliance Process

01

Pre-Compliance Analysis

Designed to assist your organisation in preparing for the Compliance Assessment Service (CAS) to validate compliance with PCI P2PE, PCI PIN Security and PCI 3DS.

It involves different domains such as Encryption Device and Application Management, Applications Security, P2PE Solution Management, Decryption Environment, P2PE Cryptographic Key Operations and Device Management.

02

GAP Analysis

Our QSAs will provide an expert analysis of your company's current compliance status and security posture by defining the scope for the Compliance Assessment Service (CAS) to validate compliance with the PCI P2PE, 3DS or PCI PIN Standards.

03

Payment Software Testing

Foregenix will evaluate the software code or the operation of the software using a variety of security-testing tools and techniques. This test will validate each control objective.

The results of this phase will provide a detailed report on the environment and any remediation steps that should be taken.

04

Compliance Assessment Service (CAS)

A complete set of services to assist you with achieving and maintaining PCI P2PE, PCI PIN Security and PCI 3DS validated status.

Exclusively for P2PE, we also provide Delta Assessment of a P2PE Application, Delta Change to a P2PE Solution or Component, and Assessment for P2PE Listing updates.

05

Report of Validation (P-ROV)/Report on Compliance (RoC)

It ensures that both your entity and Foregenix maintain compliance with the PCI SSC requirements to the highest standard.

We have supported many companies in achieving PCI P2PE, PCI PIN and 3DS compliance. Become one of them.

Contact us for PCI P2PE Compliance Consulting.

FAQs

We receive a significant number of questions about PCI P2PE, 3DS and PCI PIN compliance. Here you will find the answers to the most frequently asked ones.

Merchants that use a P2PE Solution are allowed significant scope reduction for PCI DSS compliance, essentially removing the merchant network from scope. Entities that develop and register P2PE Solutions (P2PE Solution Providers) can therefore offer merchants the benefit of scope reduction when they use those P2PE Solutions.

P2PE Solutions centre around the management and security of two main elements: the card acceptance device that encrypts the data (the POI device) and the device that decrypts the data (usually an HSM). The POI device resides in the merchant environment and the HSM sits elsewhere, in a back-end payment processing environment. Robust encryption between these two points effectively desensitises the card data as it travels through the various networks between them, to the point that it is no longer considered cardholder data; those networks are therefore not deemed in scope for PCI DSS, provided that is the only PCI payment data traversing those channels.

The secure management and configuration of the POI devices from the manufacturer through to the merchant site and thereafter, including cryptographic key loading, software and key signing, software loading and configuration management, is an important part of the P2PE Solution that is handled by the P2PE Solution Provider or by a service provider to the Solution Provider.

The secure management of the HSMs and systems that handle the decryption of the cardholder data, as well as the network where those systems and devices reside, is also a critical part of the P2PE Solution, and of course strong cryptographic key management processes are fundamental to maintaining a strong encryption Solution.

The final and often overlooked part of the effort that goes into managing a P2PE Solution is the management of the P2PE Solution itself and its related listings. This includes tracking dependencies, managing changes to the P2PE Solution, managing incidents and reporting between all stakeholders, and providing important guidance to stakeholders that use and form part of the P2PE Solution.

Entities that perform only part of a P2PE Solution can develop and list their own P2PE Component or Components. The following types of Components can be listed independently and used by P2PE Solution Providers:
  • POI Deployment - Entity responsible for managing POI devices from the manufacturer through to the merchant site, including software signing, software loading and configuration management.
  • POI Management - Entity responsible for managing POI devices deployed in the merchant environment (usually through a Terminal Management System), including software signing, software loading and configuration management.
    • Encryption Management - Entity responsible for both POI Deployment and POI Management.
  • Key Loading - Entity responsible for performing key injection or key loading into cryptographic devices.
  • Key Management - Entity responsible for performing key management for cryptographic devices.
    • Key Injection Facilities - Entity responsible for both Key Loading and Key Management.
  • Certificate/Registration Authorities - Entity responsible for generating and signing certificates and establishing a Public Key Infrastructure that provides a trust anchor for remote key exchange.
  • Decryption Management - Entity responsible for managing the decryption environment network, systems and HSMs.

PCI PIN assessments are mandatory for organisations acting as service providers that handle cardholder PIN data, including PIN processing, translation and acceptance, and/or that perform key management to support PIN services on behalf of Payment Brand clients. Specific compliance and validation requirements are outlined in the operating rules and program guides managed by the respective Payment Brands (such as Visa or MasterCard) and must be followed accordingly.

Per PCI PIN Security Requirements, Requirement 18-3, “Key Blocks,” encrypted symmetric keys must be managed in structures called Key Blocks. The key usage must be cryptographically bound to the key using accepted methods, such that it must be infeasible for the key to be used if the usage attributes have been altered.

The phased implementation dates are as follows:

Phase 1 – Implement Key Blocks for internal connections and key storage within service provider environments. This would include all applications and databases connected to hardware security modules (HSM). Effective date: 1 June 2019.

Phase 2 – Implement Key Blocks for external connections to associations and networks. Estimated timeline for this phase is 24 months following Phase 1, or 1 January 2023.

Phase 3 – Implement Key Blocks to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Estimated timeline for this phase is 24 months following Phase 2, or 1 January 2025.

Key blocks must be used for all PIN-security-relevant symmetric keys that are exchanged or stored, for example Zone Master Keys (ZMKs), Key-Encipherment Keys (KEKs), Base Derivation Keys (BDKs), Terminal Master Keys (TMKs) and PIN-Encryption Keys (PEKs). The key block requirement applies whether the subject symmetric key is conveyed using asymmetric or symmetric techniques.

However, the requirement only applies to encrypted symmetric keys that are stored at a transaction host or in a POI device or are transported over a network connection. It is not intended to apply to keys, encrypted or clear text, when injected by being directly cabled to a KLD.
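To illustrate the binding between key usage and key material that Requirement 18-3 describes, here is an added example that is not from Foregenix or the PCI standard and is not a conformant TR-31 implementation: a simplified key block whose header carries the usage attributes, with a MAC over the header and the encrypted key so that rewriting the usage field invalidates the block. The header layout, the HMAC-based key derivation and keystream, and the sample KBPK and PEK values are constructed assumptions; the usage codes P0 (PIN encryption) and B0 (BDK) loosely follow TR-31 conventions.

```python
import hmac
import hashlib
HEADER_LEN, MAC_LEN = 8, 16  # ASCII header bytes; truncated HMAC-SHA256 tag bytes

def build_header(usage: str, algorithm: str, mode: str) -> bytes:
    # Assumed layout: version(1) + usage(2) + algorithm(1) + mode of use(1) + reserved(3)
    return ("A" + usage + algorithm + mode + "000").encode("ascii")

def _subkeys(kbpk: bytes):
    # Separate encryption and MAC keys from the protection key (HMAC derivation is assumed here)
    kbek = hmac.new(kbpk, b"kbek", hashlib.sha256).digest()
    kbak = hmac.new(kbpk, b"kbak", hashlib.sha256).digest()
    return kbek, kbak

def _keystream(kbek: bytes, header: bytes, length: int) -> bytes:
    # Counter-mode style keystream; the header is mixed in so the ciphertext depends on it too
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kbek, header + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap_key(kbpk: bytes, key: bytes, usage: str, algorithm: str, mode: str) -> bytes:
    header = build_header(usage, algorithm, mode)
    kbek, kbak = _subkeys(kbpk)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kbek, header, len(key))))
    mac = hmac.new(kbak, header + ct, hashlib.sha256).digest()[:MAC_LEN]  # MAC covers header
    return header + ct + mac

def unwrap_key(kbpk: bytes, block: bytes, expected_usage: str) -> bytes:
    # Verify the MAC before anything else, then enforce the usage attribute bound to the key
    header, ct, mac = block[:HEADER_LEN], block[HEADER_LEN:-MAC_LEN], block[-MAC_LEN:]
    kbek, kbak = _subkeys(kbpk)
    expected = hmac.new(kbak, header + ct, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("key block rejected: header or key material was altered")
    if header[1:3].decode("ascii") != expected_usage:
        raise ValueError("key block rejected: usage does not permit this operation")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kbek, header, len(ct))))

def demo():
    kbpk = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample KBPK
    pek = bytes.fromhex("0123456789abcdeffedcba9876543210")   # constructed sample PEK
    block = wrap_key(kbpk, pek, "P0", "T", "E")               # P0 = PIN encryption key
    relabelled = block[:1] + b"B0" + block[3:]                # rewrite usage field only
    try:
        unwrap_key(kbpk, relabelled, "B0")
        rejected = False
    except ValueError:
        rejected = True
    return unwrap_key(kbpk, block, "P0") == pek, rejected
```

The genuine block unwraps to the original PEK, while the relabelled copy fails the MAC check before any key material is released; a genuine block presented for a different usage is likewise refused.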

PCI PTS (PIN Transaction Security) is a set of documents managed by the PCI Security Standards Council and comprises the PIN Transaction Security Point of Interaction (PTS POI) Modular Security Requirements, the PIN Transaction Security Hardware Security Module (PTS HSM) Security Requirements and the PIN Security Requirements (PCI PIN).

PCI PIN is one of the standards in the PCI PTS modular framework and contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and point-of-sale (POS) terminals.

SPEAK WITH US

Need help? Or have any questions?

We're here to assist you. We aim to understand your data security challenges - no matter the size of your project.

Start your PCI Project Today!