Thales e-Security

In The Boardroom With...


Mr. Jose Diaz
Director, Technical & Strategic Business Development
Thales e-Security

Thank you for joining us today, Jose. Before drilling down into Thales e-Security solutions, please tell us about your background and your role with the Company.

Jose Diaz: I have an Engineering background and started with the company in Product Development before moving into Technical Sales Support and later into Sales for the Latin America region. This path provided me a strong technical foundation to work with customers and partners on not only understanding their application environment and challenges but also recommending solutions that would improve the security of their systems. Currently, I work in Business Development focusing on technology partnerships from a global perspective. With data protection being of critical importance in many applications, and proper key protection and management an essential part of the process, Thales Hardware Security Modules (HSMs) improve the security of partner applications and my group works with leading technology companies around the globe, under our Alliance for Solution and Application Providers (ASAP) program, on seamlessly integrating Thales HSMs, and other security products, with their applications and solutions making it easy for security-conscious organizations to deploy best practice security solutions.

One will read on Thales e-Security that, "Thales e-Security is a leading global provider of data protection solutions with more than 40 years experience securing the world's most sensitive information. Our customers—businesses, governments, and technology vendors with a broad range of challenges—use Thales products and services to improve the security of applications that rely on encryption and digital signatures." Please give us an overview of the solutions Thales e-Security brings to market. Any "new" solutions you would like to discuss?

Jose Diaz: Thales provides a broad range of products to address security concerns through deployment of high assurance security solutions that satisfy widely established and emerging standards of due care for cryptographic systems and practices.

Our Datacryptor product line of network encryption devices is specifically designed to secure data in motion with minimal latency for mission-critical and business-critical applications. It utilizes high assurance encryption methods and state-of-the-art key management techniques to deliver an ideal blend of security and performance to help organizations meet or exceed business and regulatory requirements for data privacy and confidentiality. Info Security Products Guide, the industry's leading information security research and advisory guide, has named the Thales Datacryptor line of network encryption solutions Gold Winner of the 2013 Global Excellence Awards in the Best Encryption category.

We also provide two different product lines of Hardware Security Modules (HSMs). The nShield™ family of General Purpose HSMs provides support for the widest range of cryptographic algorithms, application programming interfaces (APIs) and host operating systems, enabling the devices to be used with virtually any business application - from identity management, web services and database encryption to tokenization, PKI services and strong authentication. Most nShield HSMs also support the unique ability to host critical application software within the hardened security boundary, so you can establish tamper-resistant business processes in addition to protecting cryptographic operations. Our payShield family of Payment HSMs is specifically designed for transaction processing and key management in the payments industry. They are the most widely deployed payment HSM in the world and used in an estimated 80% of payment card transactions. payShield 9000 also provides chip card and mobile applications issuance functionality optimized for provisioning payment applications to mobile devices over-the-air (OTA) or physical chip cards based on EMV. Both of these HSMs are a primary focus of our technology partnership work under the Thales ASAP program so that customers can obtain pre-tested and integrated offerings from a wide range of commercially available security solutions satisfying widely established and emerging standards of due care for cryptographic systems and practices - while also maintaining high levels of operational efficiency.

The newest solution area is Key Management since managing security operations built on cryptography depends on how well you can manage the cryptographic keys that govern these processes. Thales helps Enterprises address this challenge with keyAuthority, a hardened cryptographic key manager that provides high levels of assurance to users of applications and systems with embedded encryption. Network World recognized the product as one of the Hottest Products at the RSA Conference USA 2013. keyAuthority supports widely-accepted industry standards, including the Key Management Interoperability Protocol (KMIP) standard, to allow comprehensive endpoint interoperability. Centralized administration provides consistent key lifecycle policy enforcement with reliable auditing to ensure data recovery and long-term business continuity.

Are there 1 or 2 "wins" or success stories you would like to talk about?

Jose Diaz: There are two solution areas where we have had multiple wins and successes. One of them is in the protection of payment card data at the point of capture, since it can have the greatest impact in terms of reducing security concerns and the scope of compliance with PCI Data Security Standard (DSS). The other is due to the emergence of mobile commerce, which has introduced significant innovation to the merchant environment and the use of mobile devices for payments is changing the shopping experience.

The PCI Security Standards Council (SSC) published the Point-to-Point Encryption (P2PE) Solutions Requirement document defining requirements for P2PE solutions, with the goal of reducing the scope of PCI DSS assessment for merchants using such solutions. It requires the use of Secure Cryptographic Devices (SCDs), aka HSMs, for encryption and decryption of payment card data, as well as storage and management of cryptographic keys. Protection of payment card data at the merchant location is provided by the payment acceptance device, e.g. Point of Sale terminal. At the Acquirer or Processor end, the secure management of keys and decryption of payment card data requires the use of HSMs and this is where the Thales payShield 9000 is being used to provide secure cryptographic functionality in concert with the payment processing application. Reducing PCI DSS scope is not only of great interest to merchants, but also to providers of payment processing services for merchants since it enables a new revenue stream. This is why data protection of payment card data based on PCI P2PE has been an interesting market.

The use of mobile devices for payments has expanded the usage of electronic payments in merchant transactions. Probably the best known example in this space is Square, with their 'square' card reader that plugs into a mobile device. There are other similar products in the market, of different shapes and sizes, from companies like PayPal, Intuit, iZettle, payleven, etc. that work with either the magnetic stripe cards we still use in the U.S., or the smart cards used in other parts of the world, and being introduced in the U.S. At the same time, new processes create new security vulnerabilities and securing payment data in a mobile environment brings new challenges since it potentially creates new attack vectors for eavesdroppers to steal and misuse cardholder or customer data. Again, this is an area where the secure management of keys and protection of payment, or payment application, data is relying on the use of Thales payShield 9000 or nShield family HSMs to reduce the risk of data compromise and help ensure that consumers can have confidence in using mobile based payments.

We understand that Thales e-Security is a participant in CARTES. May we have a preview of the key subjects Thales e-Security will be presenting?

Jose Diaz: The overall Thales theme for the event will be how PCI DSS, and more specifically PCI P2PE which I talked about previously, the introduction of EMV in the U.S., and the emergence of mobile payments are driving payment security innovation.

We will be presenting in two of the conference tracks at the event. In the EMV and Security track, our presentation is titled 'PCI DSS, Account Data and Non-Proliferation' and will focus on the concept of scope and practical advice on how to reduce it for PCI DSS audits, which as I mentioned previously is an area of high interest in the market place. In The Wallet War conference track, we will be doing a joint presentation with Celent, a leading research and advisory firm, titled 'Who will win in the Era of Mobile Payments?' discussing the environment and alternatives for mobile payment deployments including both secure element as well as cloud based options. With the market still undecided as to a preferred approach for mobile payment deployment, this session will help understand the alternatives and associated risks.

In the exhibition area we will be showcasing how our products and services secure both traditional payment environments as well as the new alternative payment services that continue to appear in the market. Payment systems in the U.S., and elsewhere, are undergoing some rather significant changes which can be game changers, or at least game shifting, for all parties involved in the ecosystem. Mobile devices will be the foundation for many of the changes, as I previously mentioned. Payment systems demand security and securing payments is one of Thales' core competencies. Delivering alternative payment solutions, including mobile, that are acceptable to consumers means security has to be part of the infrastructure. Complementing the products we will be showcasing at the event, many of our technology partners, under the Thales ASAP program, will also be exhibiting the solutions that integrate our products to deliver secure payment systems.

What is your perspective on the migration of EMV in the USA?

Jose Diaz: U.S. adoption of EMV technology has been a debated topic for many years. Between late 2011 and early 2012, the four major card schemes in the U.S. (American Express, Discover, MasterCard, and Visa) announced their plans and roadmaps for U.S. migration to EMV. Part of those roadmaps is that processors should be able to support EMV transactions as of April of 2013 (now). In addition, and the more important piece, is that the majority of the card schemes (excludes Discover) also defined a liability shift for certain types of fraudulent Point of Sale transactions which today are absorbed by the Card Issuers. From October 2015, if a fraudulent transaction is completed using a non-EMV POS device (excluding fuel merchants), liability will lie with the Merchant. The logic is that the entity that has not invested in EMV technology will be responsible for the loss.

One of the big hurdles for EMV migration is the upgrade of payment acceptance devices to accept chip cards. Several years ago there was a card scheme drive to use contactless technology on payment cards (e.g. MasterCard PayPass, Visa payWave) and several merchants upgraded their devices to support this technology as a way of expediting checkouts. Over time, however, support for contactless technology acceptance dwindled, even after initial merchant investment. Merchants are reluctant to go through the expense of upgrading their devices without clear direction of the required functionality and business benefits. Keep in mind that today we are not only talking about a migration to EMV, but also the potential use of contactless and NFC technology at the point of sale in addition to other alternative forms of payments. Merchants, particularly the smaller ones, need to understand not only what is required but the business value to justify the investment in upgrades. On the positive side, several major retailers including Walmart and McDonald's have already embraced the upgrade to EMV.

Mobile and alternative payment schemes will play a part in a migration to EMV, at least from a merchant perspective. On the business side, mobile commerce can offer numerous features of interest to merchants and therefore must be part of the conversation for EMV support in the merchant environment. 2012 was a year of much innovation in mobile commerce and, with EMV roadmaps from the card schemes already underway, 2013 should be the start of a converged view to leverage both EMV and mobile technologies in preparation for mass deployment. It will not be a quick process - it took years to reach mass deployment of magnetic stripe card acceptance - but perhaps there is a developing momentum in the market to finally start seeing increased deployment of EMV.

Thanks again for joining us today, Jose. Are there any other subjects you would like to discuss?

Jose Diaz: I think the market today is certainly much more aware of the importance of securing sensitive information than at any time in the past. News items over the past few years about data breaches and compromises of personal information have made Enterprises acutely aware of what can happen to a company's image if they are the target of hackers, not to mention the financial consequences in both revenue losses as well as penalties. The market is also becoming much more comfortable with cryptography and the value of its use to protect sensitive information.

Our HSMs can be used with a wide variety of commercial software products, from our technology partners, and in-house, or custom developed, software systems to protect both sensitive data as well as the cryptographic keys. For virtually any system that employs cryptography in the form of encryption and digital signatures, a Thales HSM will enable you to overcome the security vulnerabilities and performance challenges typically associated with software-only cryptography.

Drawing on Thales e-Security's more than 30 years of global experience protecting data for enterprises and governments around the globe, our independently certified hardware and software products deliver an ideal blend of high assurance and operational efficiency—so you never have to make tough tradeoffs between security, performance, and agility. Complementary services delivered by data protection experts in the Thales Advanced Solutions Group (ASG) can accelerate deployments, increase your confidence, improve your knowledge of best practices, and maximize return on your investment in data protection solutions.

You do not have to leave the security of your systems to chance. Our Network Encryption, HSM, and Key Management Systems can provide hardened, tamper-resistant solutions for secure cryptographic processing, key protection, and key management.