The Art of Designing Crypto Infrastructure for Payments (I21b)
The design, development, and certification of cryptographic modules for protecting PCI data in a payments ecosystem is a unique challenge, especially when compared with general-purpose, embedded, or IoT environments. Compliance considerations notwithstanding, designing these modules and the infrastructure they operate in is far from a defined recipe—it’s an art with room for improvisation and customization within a series of established best practices. This presentation will look broadly at the state of cryptographic infrastructure for electronic payments, focusing on common ecosystem designs and use cases. These designs include traditional application-constrained silos, internal crypto-as-a-service deployments, and HSMs on the cloud. From there, the presentation will discuss how those responsible for designing, developing, and certifying the cryptographic modules used in these environments can understand these ecosystem types and plan for them throughout their own processes. Many commonly asked questions surrounding enterprise data security for payments and PCI data will be addressed, including: – What is necessary for cryptographic modules to operate in compliance with both PCI HSM and FIPS 140-2 standards simultaneously? – Aside from FIPS 140-2 and PCI (DSS, PTS, P2PE, SPoC, and more), what standards are most applicable to payments-focused cryptographic modules? – How does the Derived Unique Key Per Transaction (DUKPT) key management scheme work, what are TR-31 key blocks, and can they share any benefits to general-purpose environments? – How are transitions such as the move from 3DES to AES and the move from SHA-1 to SHA-2 affecting the financial services industry? With this information, audience members will be able to self-assess their designs, certification plans, and deployment architecture for their cryptographic infrastructure. Along with that, they will learn how to implement both new and battle-tested techniques, determine whether they align with the current state of the industry, and learn the established yet customizable best practices inherent to protecting some of the world’s most sensitive payment data.