February 5, 2015 KeyBRIDGE™ Newsletter GEOBRIDGE Corporation (703) 857-2100 www.geobridge.net Contents: • What’s New What’s New • payShield 9000 Integration with KeyBRIDGE KeyBRIDGE Product Line: • Ask the Assessor KeyBRIDGE Key Management Solution (KMS) which includes integrated functionality with Host Security Module (HSM) units is now available. For pricing and license options please contact your GEOBRIDGE sales representative @ [email protected] • Did You Know? • About GEOBRIDGE Compliance: PCI released PCI PIN Security Requirements 2.0 in December 2014. In order to help our customers understand what the new requirements mean to their operations, we are scheduling webinars to review the updates and changes. Contact [email protected] to schedule your webinar today! PEDs: The following PEDs are now available for customers with an active support contract: o IDTech SecureMag IDRE-33XXXX o Ingenico iPP350 Events: GEOBRIDGE will be attending TRANSACT 15 ETA Annual Conference in San Francisco March 31st – April 4th. We will be scheduling meetings with our customers and vendors during the conference. We look forward to seeing you there! Reminders: All PED Certification requests and inquiries should be submitted to [email protected] All KeyBRIDGE 2100 appliances should be running on firmware version 4.2 or higher. Firmware version 3.0 and earlier are no longer supported. KeyBRIDGE Newsletter Page 2 of 4 payShield 9000 Integration with KeyBRIDGE Keep an eye out for upcoming newsletters and press releases as additional third party HSMs are integrated with KeyBRIDGE. For organizations that utilize HSMs to process and support financial payment transactions, key generation and key export activities pose unique challenges when it comes to day-to-day key management activities. These keying activities often take significant planning, including scheduling of personnel, managing access to secure, physically and/or geographically isolated data centers, and oversight of related keying materials and equipment. The KeyBRIDGE product line now offers Thales® payShield 9000 HSM integration that allows organizations to support and manage keying generation and key export activities through the KeyBRIDGE user interface, giving users better control and better access to complete key generation and key management functions. By integrating with the Thales® payShield 9000, KeyBRIDGE is able to reduce the number of required steps, allowing organizations to save time and resources. With its easy to navigate user interface, users are able to quickly perform key management tasks. Additionally, KeyBRIDGE allows users to securely store keys on the appliance and export them under LMK encryption. In addition to simplifying key generation activities, KeyBRIDGE also features automated audit logging and full key lifecycle management. KeyBRIDGE tracks the full history of a key generated or imported to the appliance, including all instances of key export and specific key details. Setup of the payShield HSMs is a quick and easy process. Up to twenty payShield devices may be connected to the KeyBRIDGE appliance at one time and up to two LMKs may be managed per HSM. Once the serial connection has been established, the HSM and KeyBRIDGE share a unique, triple length DES key, which is then used to encrypt keys passed between KeyBRIDGE and the HSM for LMK encryption. Furthermore, KeyBRIDGE uses FIPS 140-2, Level 3 certified cryptographic processing to encrypt sensitive keys and data. Once a key has been generated in KeyBRIDGE, it can be exported as a cryptogram, encrypted under the selected HSM’s LMK, encrypted under a different KEK / ZMK, or even as a TR-31 key block. What used to take organizations hours to complete, can now be accomplished in a fraction of the time, requiring fewer resources and potentially improving many of the security procedures and processes, while automating logging and access controls. For more information, please reach out to your GEOBRIDGE Account Manager or send us an email at [email protected] Page 3 of 4 KeyBRIDGE Newsletter Ask the Assessor Dear GEOBRIDGE Assessor, I see that the PCI Security Standards Council has published a new version of the PCI PIN standard. Is there anything new that I should be aware of? PCI PIN version 2.0 was published in December and introduces a new format with more detailed requirements as well as a supporting version with comprehensive testing procedures. This means that now both assessors and the parties being assessed have a much more clearly defined set of criteria against which a PCI PIN assessment will be performed. In the past the requirements left some room for interpretation, which can be a good thing and a bad thing. With version 2.0, the requirements are much more specific and with the supplemental testing procedures, everyone should be on the same page and have a clear understanding of what is expected prior to undergoing a formal assessment. While we strongly encourage all of our customers to perform a full review of the new PCI PIN standard, we also wanted to point out a few of the changes that we think will have an impact on our KeyBRIDGE users. Device inventory and tracking requirements for Point of Interaction (POI) devices include explicit, granular details on the information being captured at the individual device level. There are no longer allowances for “newly deployed” SCDs (EPP, PED, UPT or HSM) to be PCI certified. All such devices in use must be PCI or FIPS approved. Devices used for generating clear-text key components that are outputted in the clear must be powered off when not in use. This means that KeyBRIDGE appliances must be powered off when not in use/at the end of the day. Printers used to print clear components may not be used for other purposes. The printers must be dedicated for component printing. There are specific items that need to be added to policy and procedure documentation regarding key component handling. For example, procedures must explicitly state that verbal disclosure of a component is prohibited. The complete list of items that need to be included in your procedures are included in Requirement 6. Bags used for transporting components must be tamper-evident, not just numbered/serialized. Prohibits the use of TDES keys to encrypt AES keys. This is something that is automatically enforced within KeyBRIDGE when importing and export encrypted keys. Requires the use of key blocks by January 2018. KeyBRIDGE currently stores all keys in key block format and supports the import and export of both TDES and AES keys using key blocks. Requires that a PED that interfaces with more than one acquirer must support and use unique keys for each acquiring relationship. Requires that key activity logs be retained for a minimum of two years. KeyBRIDGE automatically logs all key generation, import, export and termination activity. This information is retained for all keys in the KeyBRIDGE inventory, even after the system audit logs are archived. In general, we believe that the changes are positive as they remove any ambiguity that may have previously existed around the requirements. If you have additional questions about PCI PIN version 2.0 and how the changes may impact your organization, please contact [email protected] to arrange to speak to one of our consultants. Have a question for our Assessors? Send an email to [email protected] and include “Ask the Assessor” in the email subject. Your question may be featured in our next newsletter. Page 4 of 4 KeyBRIDGE Newsletter Did you know…? 18 years of business and counting! GEOBRIDGE has been in business for 18 years. The GEOBRIDGE team consists of certified assessors for: o TR-39 PIN Security and Key Management Assessments o PCI PIN Assessments o Payment Card Industry Data Security Standard (PCI DSS) Assessments Additional Cryptographic Application Development Services offered by GEOBRIDGE: o PED Application Development o HSM Application Development o Software Cryptographic Development o Protocol Development DUKPT MK/SK Fixed Key EMV Global Platform The KeyBRIDGE solution is been in the marketplace for 10 years. KeyBRIDGE 2100 supports over 25 point of sale manufacturers and over 150 point of sale devices. There are additional license options with KeyBRIDGE 2100 including: o Custom PED Key Export o Custom Key Usage o Custom Key Attributes o SCD Component Entry o Network Support About GEOBRIDGE Established in 1997, GEOBRIDGE emerged as one of the first information security solutions providers to support cryptography and payment applications for payment processors, financial institutions and retail organizations. Today, GEOBRIDGE is a leading information security solutions and compliance provider that offers Network Security, Cryptography and Key Management, Payment Security and Compliance solutions and services. Our client list includes Fortune 500 companies, financial institutions, healthcare organizations and government clients across North America and around the globe. GEOBRIDGE leverages our team's expertise in data protection, program development, enforcement and governance to help architect solutions to help mitigate risk for our clients.
© Copyright 2020