The Green Sheet Online Edition
June 13, 2016 • Issue 16:06:01
Comprehensive transaction transport security
NewNet Communication Technologies LLC, a telecom solutions provider established in 1989 and headquartered in Chicago, added TransKrypt Security Server (TransKrypt) to its NewNet Secure Transaction (NST) suite, a line of payment security systems designed to protect transaction data.
NewNet said it has deployed on-site, hosted, cloud and managed global communications solutions to millions of users in more than 90 countries, and its NewNet Secure Transaction Portfolio transports an estimated one out of every five payment transactions.
TransKrypt combines point-to-point encryption (P2PE) with host hardware security modules (HSMs) to protect transaction sessions between POS devices and transaction processing hosts. Acquirers, processors, financial institutions and network service providers can use the solution to protect data traveling over dial, broadband and mobile networks, the company stated.
"Encrypting cardholder sensitive data and tokenization in transit and at rest is being adopted more than ever, even with the U.S. transitioning to EMV," said Tai-Kei Cheung, President, Secure Transactions at NewNet. "NewNet Secure Transactions offers a format preserving solution that meets and exceeds payments industry guidelines."
Advanced data protection
The growth of mobile and broadband consumption has led to higher transaction volumes; NewNet views advanced data protection as a critical component of network security strategy. POS devices, especially non-SSL [secure sockets layer] dial terminals that transmit cardholder data over public networks, require multilayered security. At minimum, data must be encrypted from card entry and tokenized; device certificates must also be verified. "Basic cardholder data protection is insufficient protection against cyberattacks, and the industry must exceed those requirements," Cheung said. The company affirmed that its TransKrypt Security Server addresses these critical requirements.
TransKrypt's P2PE supports data encryption from POS terminals, reducing the scope of the Payment Card Industry Data Security Standard in the cardholder data environment. P2PE solutions are also required to use secure cryptographic devices such as host HSMs to encrypt and decrypt payment card data and to store and manage cryptographic keys. The TransKrypt HSM is FIPS 140-2 compliant; its physical and logical boundaries are designed to protect cryptographic keys, which are immediately cleared in the event of unauthorized access.
TransKrypt can be used to generate a base derivation key (BDK) for each acquirer and merchant. Each BDK is stored in the HSM and cannot be retrieved by the system. From a BDK, TransKrypt also generates an initial PIN encryption key (IPEK) for each POS terminal. Each POS device receives its IPEK securely and uses it to derive a unique encryption key for every payment transaction. Additional security features include:
- DUKPT: Derived Unique Key Per Transaction (DUKPT) is a key management scheme that derives a unique key for every transaction from a fixed key. If a derived key is compromised, past and future transaction data remain protected because the previous and subsequent keys are difficult to determine from it. TransKrypt implements DUKPT as specified in ANSI X9.24 Part 1.
- Full payload or sensitive field encryption: TransKrypt Security Server's P2PE solution lets users choose between encrypting the entire transaction payload and encrypting only selected fields. This gives acquirers, processors and service providers working with POS device software the flexibility to handle the encryption process according to native device formats and environments.
- With full payload encryption, all data is encrypted apart from any specific routing protocol headers. Sensitive data fields, such as iPAN, CC1/2 and CVV, are encrypted to ensure transaction integrity and secure cardholder information.
TransKrypt can be integrated with other NewNet Secure Transaction solutions to securely transport and route encrypted data to and from POS devices and authorization hosts. All systems are equipped with integrated server hardware, HSM hardware, application software and built-in redundancy. Multiple configuration options are available, including customization according to the unique needs of enterprise-scale client organizations, the company stated.