While cryptography has been regularly used to protect sensitive data within the Payment Industry, experience shows that poor implementations lead to a false sense of security, and because this is a technically complex topic, poor implementations are common.
The PCI SSC, in collaboration with various subject matter experts, has created several standards to support the correct implementation of cryptography in payment systems.
Foregenix delivers more P2PE assessments than any other QSAC in the world.
True cybersecurity experts, working with a vast array of clients ranging from small retail merchants to complex industrial environments and large international banks.
Remarkable individuals with a lifetime of experience as cybersecurity consultants, penetration testers, analysts, developers and engineers across all kinds of industries.
Our people's technical experience, coupled with a unique work environment, is the foundation of our services: a complex machinery designed to help our customers avoid disruption while managing risk.
Foregenix has been closely involved with the leading cybersecurity frameworks since its inception, including the Payment Card Industry (PCI), ISO, NIST and several country-specific regulatory bodies, earning a reputation for excellence in every program in which it participates.
While we insist that experience is what makes the difference in this business, our consultants still hold a myriad of certifications, including PCI, SWIFT and ISO, cloud-vendor-specific ones, and more general technology credentials such as CSSLP, CISM, CISA, CISSP, and many more.
The PCI P2PE is a set of security controls defining the requirements for P2PE Solutions: an estate of secure devices, applications and processes that, when correctly implemented, protect cardholder data between the point of capture and a secure decryption environment.
P2PE reduces the risk of data compromise and the scope of PCI DSS assessments for merchants using its solutions, saving their businesses time and money.
The PCI P2PE standard combines elements of PCI DSS, PA SSF, PCI PTS (PIN Transaction Security) and Tokenisation into an encompassing standard.
Foregenix is behind the P2PE certifications of the main payment terminal vendors, acquirers and application providers. With unparalleled experience and expertise in PCI consulting and assessment services, Foregenix can design, build and implement secure crypto environments in a cost-effective manner and validate compliance against industry standards and best practices.
The PCI 3DS Core Security Standard defines physical and logical security requirements for protecting environments where ACS, DS, and/or 3DSS functions are performed, and is mandatory for companies that manage or provide any of these components.
Foregenix has extensive experience in supporting companies implementing 3-D Secure services, providing both assessment and consulting services in relation to the implementation of appropriate security controls to protect the 3DS transaction process.
Foregenix brings our clients the most experienced cryptography team in the payment industry. Thanks to our expertise in P2PE, 3DS and PCI PIN, accumulated since the initiation of the standards and through many projects with the largest POI and HSM suppliers worldwide, our clients are able to leverage our knowledge and expertise to significantly streamline their projects.
The PCI PIN Security standard is a set of requirements designed for entities that process cardholder PINs (Acquirers, Payment Processors) or perform cryptographic key management activities that protect PINs, such as Key Injection Facilities, ATM, or point-of-sale deployment companies. PIN Security requirements are also mandatory for companies that develop and support mobile payment solutions (MPoC) for acceptance of account data and cardholder PINs on Commercial Off-the-Shelf (COTS) devices.
Compliance with PCI PIN ensures protection of cardholders' PINs through the implementation of specific controls that assure the intended level of security is achieved by the validated entity.
Foregenix is approved and listed by the PCI SSC as a Qualified PIN Assessor (PCI QPA) to perform security assessments against the PCI PIN Security Requirements in support of the Payment Brands' security programs. Our PIN assessors have the required knowledge, skills, and experience in payment system security and the applicable PIN security requirements. We offer professional and focused PCI PIN compliance services across the UK, North America, CEMEA, LATAM and Asia Pacific regions.
Extend your audience by including P2PE validation elements within your solution.
Designed to assist your organisation in preparing for the Compliance Assessment Service (CAS) to validate compliance with PCI P2PE, PCI PIN Security and PCI 3DS.
It involves different domains such as Encryption Device and Application Management, Applications Security, P2PE Solution Management, Decryption Environment, P2PE Cryptographic Key Operations and Device Management.
Our QSAs will provide an expert analysis of your company's current compliance status and security posture by defining the scope for the Compliance Assessment Service (CAS) to validate compliance with the PCI P2PE, 3DS or PCI PIN Standards.
Foregenix will evaluate the software code or the operation of the software using a variety of security-testing tools and techniques. This test will validate each control objective.
The results of this phase will provide a detailed report on the environment and any remediation steps that should be taken.
A complete set of services to assist you with achieving and maintaining PCI P2PE, PCI PIN Security and PCI 3DS validated status.
Exclusively for P2PE, we also provide Delta Assessment of P2PE Application, Delta Change to P2PE Solution or Component and Assessment for P2PE Listing updates.
It ensures that both your entity and Foregenix keep compliance with the PCI SSC requirements to the highest level.
We receive a significant number of questions about PCI P2PE, 3DS and PCI PIN compliance. Below you will find the answers to the most frequently asked ones.
Per PCI PIN Security Requirements, Requirement 18-3, “Key Blocks,” encrypted symmetric keys must be managed in structures called Key Blocks. The key usage must be cryptographically bound to the key using accepted methods, such that it must be infeasible for the key to be used if the usage attributes have been altered.
The phased implementation dates are as follows:
Phase 1 – Implement Key Blocks for internal connections and key storage within service provider environments. This would include all applications and databases connected to hardware security modules (HSM). Effective date: 1 June 2019.
Phase 2 – Implement Key Blocks for external connections to associations and networks. Estimated timeline for this phase is 24 months following Phase 1, or 1 January 2023.
Phase 3 – Implement Key Blocks to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Estimated timeline for this phase is 24 months following Phase 2, or 1 January 2025.
Key blocks must be used for all PIN security-relevant symmetric keys that are exchanged or stored, for example Zone Master Keys (ZMKs), Key-Encipherment Keys (KEKs), Base Derivation Keys (BDKs), Terminal Master Keys (TMKs), and PIN-Encryption Keys (PEKs). The key block requirement applies whether the subject symmetric key is conveyed using asymmetric or symmetric techniques.
However, the requirement only applies to encrypted symmetric keys that are stored at a transaction host or in a POI device, or that are transported over a network connection. It is not intended to apply to keys, encrypted or clear text, when injected by being directly cabled to a KLD.
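To illustrate what "cryptographically bound" means in Requirement 18-3, the following is an added example (not Foregenix's code and not the ANSI TR-31 / X9.143 format itself) of a simplified key block: a header of usage attributes and the encrypted key are covered by one MAC under keys derived from a key-block protection key, so a key whose usage field has been rewritten can no longer be unwrapped. The header field values, the HMAC-based keystream cipher standing in for AES, and the `\x00` header delimiter are all assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional

# Illustrative header layout (assumption: loosely modelled on TR-31 header
# fields; a real key block has a fixed-width, fully specified header).
HEADER_FIELDS = ("usage", "algorithm", "mode", "exportability")

def _derive(kbpk: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the key-block protection key.
    return hmac.new(kbpk, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Illustrative keystream cipher (HMAC in counter mode) used in place of AES.
    # The same function encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encode_header(attrs: dict) -> bytes:
    # Fixed field order so the header bytes under the MAC are unambiguous.
    return "|".join(attrs[f] for f in HEADER_FIELDS).encode()

def wrap_key(kbpk: bytes, key: bytes, attrs: dict, iv: bytes) -> bytes:
    header = encode_header(attrs)
    ct = _keystream_xor(_derive(kbpk, b"ENC"), iv, key)
    # The MAC covers the header AND the ciphertext: usage is bound to the key.
    tag = hmac.new(_derive(kbpk, b"MAC"), header + iv + ct, hashlib.sha256).digest()
    return header + b"\x00" + iv + ct + tag

def unwrap_key(kbpk: bytes, block: bytes) -> Optional[bytes]:
    if b"\x00" not in block:
        return None  # malformed block: no header delimiter
    header, rest = block.split(b"\x00", 1)
    iv, ct, tag = rest[:16], rest[16:-32], rest[-32:]
    expect = hmac.new(_derive(kbpk, b"MAC"), header + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # header or ciphertext altered: the key must not be released
    return _keystream_xor(_derive(kbpk, b"ENC"), iv, ct)

def alter_usage_field(block: bytes, new_usage: str) -> bytes:
    # Simulates a modified usage attribute (e.g. PIN key relabelled as data key)
    # to show that the MAC check above rejects the altered block.
    header, rest = block.split(b"\x00", 1)
    fields = header.decode().split("|")
    fields[0] = new_usage
    return "|".join(fields).encode() + b"\x00" + rest
```

Constructed inputs for trying it: a 32-byte protection key, a 16-byte key with attributes `{"usage": "P0", "algorithm": "A", "mode": "E", "exportability": "N"}` and a fixed IV round-trip through `wrap_key` and `unwrap_key`, while the same block with its usage field changed to `"D0"` unwraps to `None`.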
PCI PTS (PIN Transaction Security) is a set of documents managed by the PCI Security Standards Council and comprises the PIN Transaction Security Point of Interaction (PTS POI) Modular Security Requirements, the PIN Transaction Security Hardware Security Module (PTS HSM) Security Requirements and the PIN Security Requirements (PCI PIN).
PCI PIN, one of the standards in the PCI PTS modular framework, contains a complete set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and point-of-sale (POS) terminals.
Sep 20, 2022