End-to-end Protection for Payment Data
In today’s environment of heightened regulatory requirements and an increasing risk of cardholder data breaches, it is critical for merchants, payment processors, and acquirers to protect payment data anywhere it moves, anywhere it resides, and however it is used. In payment acceptance systems, including EMV (Europay, Mastercard and Visa) terminals, payment data is commonly left unprotected during the authorization and settlement processes. Payment data is also left unprotected during routine and necessary back-office business processes such as fraud screening, chargeback processing, and recurring payment processing. Traditional methods for protecting payment data are often inflexible, expensive, and difficult to implement.
HPE SecureData Payments: securing sensitive data end-to-end
HPE SecureData Payments protects payment data at all points, from swipe/dip through to the payment processor, end-to-end. It eliminates the traditional complexities associated with payment device key injection, key management, payment application changes, and enables a true end-to-end architecture that can be rapidly deployed even in the most complex environments.
PCI Compliance Alignment
HPE SecureData Payments can reduce the cost of complying with PCI DSS—a direct result of reducing the number of changes necessary to implement payment data protection while eliminating payment data from databases and applications. By incorporating HPE Secure Stateless Tokenization with HPE SecureData Payments, service providers, merchants, and enterprises are able to secure back-end data, removing data from PCI audit scope while complying with the latest PCI DSS requirements for cardholder data protection. HPE Secure Stateless Tokenization maintains token schemes across regions with no communication between them, eliminating the need for a central key management database as well as database replication. By tokenizing card numbers immediately at the source, clear data is eliminated from the transaction process.
As providers move to point-to-point encryption (P2PE) validations, HPE SecureData Payments enables service providers to expand their reach by offering a complete P2PE v2 validated solution. With HPE SecureData Payments, cardholder data is protected from the earliest point of entry in such a way that decryption keys are not available at POS devices or any other intermediate systems, significantly reducing the attack surface. HPE SecureData Payments communicates with validated, authorized payment terminals, which send protected payment transactions to the back-end system for processing. The back-end host performs integrity checks on its cryptographic functions and writes host log entries whenever those functions change, enabling management and control of the complete system and of the payment transactions it handles.
Innovation in cryptography provides end-to-end encryption without massive changes
HPE SecureData Payments is a complete payment transaction protection framework, built on two breakthrough technologies encompassing encryption and key management: HPE Format-Preserving Encryption (FPE) and HPE Identity-Based Encryption (IBE). These two technologies combine to provide a unique architecture that addresses the complexity of retail environments with high transaction volume.
HPE Format-Preserving Encryption
With HPE Format-Preserving Encryption (FPE), credit card numbers and other types of structured information are protected without the need to change the data format or structure. In addition, data properties such as a checksum are maintained, and portions of the data can remain in the clear. This aids in preserving existing processes such as BIN routing or use of the last four digits of the card in customer service scenarios. One caveat worth keeping in mind: every digit left in the clear shrinks the portion that is actually encrypted (six digits of a 16-digit PAN when the BIN and last four are exposed), so the protected value must still be treated as cardholder data that is only as secret as the key, not as a value that is infeasible to guess on its own.
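The following is an added illustration of what "format-preserving" means in practice; it is not HPE's FPE implementation or any code from this product. It builds a small Feistel-network cipher over decimal strings (the FFX/FF1 structure, but with HMAC-SHA256 standing in for the AES-based round function that NIST FF1 uses, which is an assumption made so the example runs with only the Python standard library). The BIN and last four digits of the PAN stay in the clear and are fed in as the tweak, the middle digits are encrypted, and cycle-walking keeps the result Luhn-valid so downstream checksum validation still passes. DEMO_KEY and the test card number 4111111111111111 are constructed sample inputs.

```python
import hashlib
import hmac

# Constructed demo key for this example only; a real deployment keeps the key
# in an HSM or key-management service, never in source code.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)
ROUNDS = 10


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _round_fn(key: bytes, tweak: str, rnd: int, half: str, width: int) -> int:
    """Keyed PRF for one Feistel round, reduced to a `width`-digit integer."""
    msg = tweak.encode() + bytes([rnd]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt(key: bytes, tweak: str, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length.

    Alternating Feistel network: even rounds update the left half from the right,
    odd rounds update the right half from the left, using modular addition.
    """
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        if i % 2 == 0:
            a = f"{(int(a) + _round_fn(key, tweak, i, b, u)) % 10**u:0{u}d}"
        else:
            b = f"{(int(b) + _round_fn(key, tweak, i, a, v)) % 10**v:0{v}d}"
    return a + b


def fpe_decrypt(key: bytes, tweak: str, digits: str) -> str:
    """Inverse of fpe_encrypt: same rounds in reverse order with modular subtraction."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        if i % 2 == 0:
            a = f"{(int(a) - _round_fn(key, tweak, i, b, u)) % 10**u:0{u}d}"
        else:
            b = f"{(int(b) - _round_fn(key, tweak, i, a, v)) % 10**v:0{v}d}"
    return a + b


def _split(pan: str, bin_len: int, tail_len: int):
    return pan[:bin_len], pan[bin_len:len(pan) - tail_len], pan[len(pan) - tail_len:]


def protect_pan(key: bytes, pan: str, bin_len: int = 6, tail_len: int = 4) -> str:
    """Encrypt the middle of a PAN; BIN and last four stay clear, output stays Luhn-valid.

    The clear head and tail are the tweak, so identical middle digits under a different
    BIN or suffix encrypt differently. Cycle-walking re-encrypts until the whole value
    passes Luhn, which restricts the permutation to Luhn-valid PANs.
    """
    if not pan.isdigit() or not luhn_valid(pan):
        raise ValueError("input must be a Luhn-valid digit string")
    if len(pan) - bin_len - tail_len < 2:
        raise ValueError("not enough digits left to encrypt")
    head, mid, tail = _split(pan, bin_len, tail_len)
    while True:
        mid = fpe_encrypt(key, head + tail, mid)
        if luhn_valid(head + mid + tail):
            return head + mid + tail


def unprotect_pan(key: bytes, protected: str, bin_len: int = 6, tail_len: int = 4) -> str:
    """Reverse protect_pan by walking the inverse permutation back to a Luhn-valid PAN."""
    head, mid, tail = _split(protected, bin_len, tail_len)
    while True:
        mid = fpe_decrypt(key, head + tail, mid)
        if luhn_valid(head + mid + tail):
            return head + mid + tail


if __name__ == "__main__":
    pan = "4111111111111111"        # constructed, widely used test card number
    protected = protect_pan(DEMO_KEY, pan)
    print(pan, "->", protected, "->", unprotect_pan(DEMO_KEY, protected))
```

Because the output is the same length, keeps the BIN, keeps the last four digits and passes the Luhn check, it can flow through routing, storage and customer-service screens unchanged, while only a holder of the key can recover the original number.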
HPE Identity-Based Encryption
HPE Identity-Based Encryption (IBE) is a breakthrough in key management that eliminates the complexity of traditional Public Key Infrastructure (PKI) systems and symmetric key systems. In other words, no digital certificates or keys need to be injected or synchronized. HPE IBE also enables end-to-end encryption from swipe-to-processor and swipe-to-trusted-merchant applications.
With point-of-sale (POS) solutions that use legacy symmetric encryption, encryption keys must be reset annually for each POS device through a process called key injection. This procedure is expensive and cumbersome, as merchants must take POS devices offline while new keys are injected. With HPE SecureData Payments, encryption keys are securely generated on demand and are not stored, so POS devices are not subject to key injection and key rotation. Key generation happens automatically within the system, eliminating labor-intensive key management processes and their costs.
HPE SecureData Payments compatibility
- Robust host-side capabilities and broad platform support: the HPE SecureData Payments Host SDK can be deployed on a wide variety of platforms including HPE NonStop, Windows®, Linux®, UNIX®, z/OS, and Stratus. HPE SecureData Payments is the only data protection solution available that natively runs on NonStop (OSS and Guardian) and Stratus VOS, enabling maximum protection and efficiency.
- Unified, complete end-to-end data security: HPE SecureData Payments enables merchants and service providers to protect their entire payment stream and reduce PCI audit scope from the end user to back-end systems by covering a variety of data protection needs: m-commerce (in-app) payment data on mobile devices, e-commerce/in-browser payment data, device-based encryption of payment data (P2PE), and protection of PCI data stored for post-authorization needs.
- Stateless key management: HPE SecureData Payments does not require digital certificates or keys to be injected into POS devices or synchronized with the host. Because encryption keys are securely generated on demand, POS devices protect card data without key injection or key rotation, which can be labor-intensive and expensive to administer.
- Integrated with an industry-leading pioneer: HPE SecureData Payments is the only off-the-shelf integrated solution with a PCI-HSM and FIPS validated secure root of trust (HPE Atalla HSM) to protect payment data, payment authorization and fraud prevention. The integrated solution extends end-to-end data protection through the combined, integrated solutions of HPE SecureData Payments and HPE Atalla Hardware Security Module (HSM). By joining data-centric data protection with a tamper-reactive hardware security module, companies are able to neutralize data breaches by protecting data, rendering it useless to attackers.
- Multiple integration options: Processors and merchants can choose to integrate using SDKs, Web services, and/or command line tools for quick and simple deployment. End-to-end encryption can easily be combined with HPE Secure Stateless Tokenization (SST) to provide merchants with a complete solution for PCI audit scope by protecting data stored for post-authorization needs.
- Integrated POS systems: HPE SecureData Payments solution is integrated into a variety of payment terminal devices and platforms, giving organizations the flexibility to select one or more payment vendor(s) for the required business needs. For a complete list of payment partners, visit com/partners.
- Scalability and performance: a flexible architecture that scales quickly with transaction volume, so merchants do not have to manage payment transaction capacity themselves. The platform delivers control over the end-to-end payment security stream for omni-channel business requirements.
How secure is secure?
To verify alignment with PCI DSS requirements and best practices, Coalfire, a cyber risk management and compliance assessor, conducted independent technical assessments of HPE SecureData Payments against the current PCI DSS standard.
End-to-End Data Security for the Payments-driven Market
HPE SecureData Payments is part of the HPE SecureData portfolio for protecting sensitive data in use, in motion and at rest. HPE SecureData Payments is a complete payment transaction protection framework built on a flexible and highly scalable architecture, including a common back-end infrastructure that protects system and device payment transactions for e-commerce, m-commerce, mobile payments, card on file (card-not-present, CNP) and the associated PII in the payment stream.
Protect the full payment stream, more than just the credit card number, together with the associated PII in the payment stream, including payment data from POS devices, terminals, browsers and mobile devices. By incorporating data-centric endpoint protection with HPE SecureData Web and HPE SecureData Mobile, enterprises and service providers are able to protect the full payment lifecycle.