
Security Consulting

What makes Mustang Microsystems qualified to consult on debit security? Certification from the Star Network and VISA; dedication to the standards and policies set forth by PCI and ANSI; years of experience; and a genuine concern for, and understanding of, everything that this complicated, vital and necessarily secretive PIN encryption process involves.

Mustang Microsystems, Inc. is also a member of the Accredited Standards Committee X9, Inc., Financial Industry Standards. For further information about the X9 standards, visit their web site at: www.x9.org.

Alert!

Effective July 2010, ALL retailers who accept PIN-based debit payment are required to update their POS system PIN security to TDES (Triple DES encryption, replacing single-DES PIN encryption). This requires replacement of the encryption keys that have been loaded into your terminals. Mustang Microsystems, Inc. has developed a program to simplify this conversion for all retailers. See TDES Key Conversion for Retailers for more information.


Security Reviews – PIN Based Debit Processing

Mustang Microsystems will provide a review of the facilities, policies, and documented procedures required for the secure operation of retail debit transaction processing, and specifically for the protection of consumer PINs and the related secret encryption keys. The following information is provided to assist in your preparation for a consulting visit and for your general knowledge.

"Any companies that are involved in debit card payment transactions require a secure operating environment."

At present, the core of this security is the encryption of customer PINs under secret keys. The keys are loaded into the retailer's PIN entry terminals and security modules according to specific security procedures, and they form a security barrier around the consumer PINs as the PINs move through the retail systems to the processing networks. There are two reasons for investing in the tools and training for debit security. The first is to protect the organization (and consumers and their banks) from damaging financial losses. The second is to avoid publicity that would damage consumer confidence in the retailer or in the debit payment method itself. It is important to understand that these threats are real, that attacks are frequent, and that they often originate within the very organizations responsible for security.

Consumer PINs are a form of electronic signature. A PIN is the property of the consumer's bank, as part of the consumer's account. The only means the issuing banks have to control the risk of compromised PINs is to require training and certification of all parties involved. That is the purpose of the consulting work that Mustang Microsystems provides.

Retailers who operate their own Host Security Modules (HSMs) realize significant savings in operating costs, gain better internal control of their own store operations, and gain independence from their processing partners. Conversely, installing and operating an HSM requires direct PIN and encryption key management, and a much higher level of internal security. Involvement in debit transactions requires understanding of:

Our work is to make sure that procedures and physical security protect keys from both internal and external threats, and to help the retailer build an environment in which an attack costs far more than the value of any secrets it could gain.

"Debit security and training varies with the functions being provided."

For instance, a retailer who operates a Host Security Module (HSM) but is not involved in debit terminal support needs to understand the security requirements and regulations that apply to HSM operations and how to keep the installed base of PIN-entry terminals secure (key management, key transfer, HSM physical security, isolation of test and production operations, spare terminal management, etc.). Clients who load keys into PEDs (PIN entry devices: payment terminals or other devices that accept PINs) need additional knowledge of secure key loading tools, operations, key storage, and key archiving. Even when PED key loading is done by an outside vendor, the retailer must be aware of the risks of lost or rogue terminals, and remains responsible for requiring that the key loading vendor meets the current security requirements.
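The mechanism the two passages above describe, encrypting the consumer PIN under a secret key in the PED and recovering it only inside the HSM, and the TDES conversion the Alert refers to, can be shown concretely. The following Go program is an added example written for this page; it is not Mustang Microsystems' code or tooling. It builds an ISO 9564-1 format 0 PIN block, encrypts it under a double-length TDES PIN encryption key using only Go's standard library, decrypts it as an HSM would, rejects a single-length DES key, and computes a key check value (KCV), the conventional way key custodians confirm that a loaded key is the intended one without exposing it. The key, PIN and PAN are constructed demo values, not real data.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// panField builds the ISO 9564-1 format 0 PAN field: 0000 followed by the
// twelve rightmost PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// clearPINBlock builds a format 0 PIN block: the PIN field (format nibble 0,
// PIN length nibble, PIN digits, F padding to 16 hex digits) XORed with the
// PAN field, so the same PIN gives a different block on every card.
func clearPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	for _, c := range pin + pan {
		if c < '0' || c > '9' {
			return nil, errors.New("PIN and PAN must be numeric")
		}
	}
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pinF, _ := hex.DecodeString(pinHex + strings.Repeat("F", 16-len(pinHex)))
	panF, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinF[i] ^ panF[i]
	}
	return block, nil
}

// recoverPIN is the HSM-side inverse: XOR the PAN field back in and read the
// PIN digits out of the PIN field, checking the format and length nibbles.
func recoverPIN(clear []byte, pan string) (string, error) {
	panF, err := panField(pan)
	if err != nil {
		return "", err
	}
	pinF := make([]byte, 8)
	for i := range pinF {
		pinF[i] = clear[i] ^ panF[i]
	}
	n := int(pinF[0] & 0x0F)
	if pinF[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return hex.EncodeToString(pinF)[2 : 2+n], nil
}

// tdesBlock encrypts (or decrypts) one 8-byte block under a double-length
// (16-byte K1||K2, applied as K1,K2,K1) or triple-length (24-byte) TDES key.
// A single-length 8-byte DES key is refused: that is the point of the mandate.
func tdesBlock(key, in []byte, decrypt bool) ([]byte, error) {
	switch len(key) {
	case 16:
		key = append(append([]byte{}, key...), key[:8]...)
	case 24:
	default:
		return nil, errors.New("TDES key must be 16 or 24 bytes; single DES not accepted")
	}
	if len(in) != 8 {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// keyCheckValue is the conventional KCV: the first three bytes of the TDES
// encryption of an all-zero block, compared by key custodians to confirm a
// loaded key without ever displaying the key itself.
func keyCheckValue(key []byte) (string, error) {
	out, err := tdesBlock(key, make([]byte, 8), false)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(out[:3])), nil
}

func main() {
	// Constructed demo values: not real card data and not a production key.
	key, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	pin, pan := "1234", "4000001234567899"
	clear, err := clearPINBlock(pin, pan)
	if err != nil {
		panic(err)
	}
	enc, _ := tdesBlock(key, clear, false) // what leaves the PED
	dec, _ := tdesBlock(key, enc, true)    // what the HSM recovers internally
	got, _ := recoverPIN(dec, pan)
	kcv, _ := keyCheckValue(key)
	fmt.Printf("clear PIN block:     %X\nencrypted PIN block: %X\n", clear, enc)
	fmt.Printf("recovered PIN:       %s\nkey check value:     %s\n", got, kcv)
	_, err = keyCheckValue(key[:8])
	fmt.Println("single-length DES key:", err)
}
```

The clear PIN block never leaves the PED and is never displayed on the host; in a real deployment only the encrypted block and the KCV are ever seen by staff, which is why the KCV (not the key) is what a key custodian records and compares during key loading and spare-terminal provisioning.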

Specific Areas of Interest

Mustang Microsystems will provide a review of the retailers’ PIN and key management operations. The specific areas of interest include:

Client Readiness and Support

The client should identify at least one technical individual as the primary recipient of training and documentation, and one who will work with the reviewer while at your facility. Involved management should plan to be available for an orientation session at which Mustang Microsystems will formally present an overview of the process and procedures. At least one manager must be assigned the debit security responsibility, and must make sure that it is a continuous activity. It is very important that company management understand the need for this security and the real risks that are involved. The trusted individuals who participate in this process must have management support for the work. Security is continuous, and the procedures require time and effort.

Scope of Services

This review focuses on the specific security of debit transactions, and more specifically on the protection of consumer PINs by secret encryption keys as the PINs flow through the retailer's systems. There are several other issues surrounding payment transaction processing that can be discussed for awareness, such as protection of other consumer data, the "life cycle" of transactions, and overall transaction flow. However, this review does not intend to provide technical guidance for that security, or any implied approval of security outside the area of debit PINs and key management.

Deliverables

After the initial orientation for the reviewer, the work will primarily be done using the workbooks provided in the X9 TG-3 PIN security compliance audit and the PCI PIN Security Manual. These documents will be completed in partnership with the retailer's staff, and the findings requiring attention and improvement will be evident from this work. Some findings will require comments by the responsible managers, including action plans and dates for correction.


If you are planning to get involved in any portion of key encryption, management, or processing, contact Mustang Microsystems. We are happy to discuss any of the variety of consulting services that we may provide. You may also find additional security-related information in some of our White Papers, found in the literature section of this site.