How is user access controlled in EncryptRIGHT®?
Administration of user access rights includes password policy, user groups and logon quorums. All users of EncryptRIGHT must have a unique user ID and password and may optionally have a unique API key. EncryptRIGHT also supports openLDAP, including MS Active Directory.
Does EncryptRIGHT maintain an audit log?
EncryptRIGHT includes flexible audit logging and reporting functionality to support traceability, alerting and compliance. Virtually every relevant system event can be monitored to establish detailed audit trails, and logging and reporting can be configured to meet the specific need of an enterprise. A PCI Compliance Report details the options in EncryptRIGHT that especially relate to the PCI Data Security Standard (PCI-DSS) for compliance and best practices.
Is EncryptRIGHT an encryption key manager?
Yes, and no. EncryptRIGHT has very robust encryption key management functionality, however it only attends to the cryptographic keys related to the data EncryptRIGHT is protecting. Because of this, it is not considered an enterprise key manager, however it also does not need an enterprise key manager in order to effectively generate, protect and manage keys.
What operating systems does EncryptRIGHT deploy on?
EncryptRIGHT works out-of-the-box on a wide range of operating systems, including z/OS, IBM i (AS/400), Oracle Solaris (SPARC), AIX, Linux and Windows.
How long does it take to deploy EncryptRIGHT?
Because of its unique architecture, EncryptRIGHT can deploy much more quickly than other application level data protection solutions. Need help deploying? We are here to help…but we don’t expect that you’ll need much. Let us prove it with an EncryptRIGHT proof-of-concept (POC) today!
How hard is it to set up an EncryptRIGHT data protection policy (DPP)?
It’s easy, or moderately easy, or incredibly involved – it just depends on your security needs. EncryptRIGHT includes simple, canned DPPs that can be easily selected to begin securing sensitive information immediately. It also has a DPP guided-tour, allowing users to easily customize a DPP for their specific business needs. In addition to these, EncryptRIGHT has tremendous advanced DPP feature that supports seemingly endless configurations for protecting data for the most scrutinizing of enterprises. Most customer start with a guided-tour and customize the few elements that are truly unique to their operations.
Does EncryptRIGHT need an HSM?
No. It’s optional. However, HSMs are considered a best practice for securing sensitive information. EncryptRIGHT can interface with HSMs that support PKCS#11, on premise, in the cloud, or in hosted or as-a-service environments.
Does Prime Factors sell general purpose HSMs?
Yes, Prime Factors sells the nShield® family of general purpose hardware security modules (HSMs) by nCipher Security, an Entrust Datacard company.
What types of cryptography are supported by EncryptRIGHT?
EncryptRIGHT allows you to protect, authenticate and digitally sign data with standards such as Triple DES (2-key and 3-key), AES (128, 192, 256 bits), X9.71 HMAC, OpenPGP, RMD160, and RSA public key algorithms. Strong hashing is provided using SHA-2 or SHA-3. Public keys can be up to 4096 bits.
Can EncryptRIGHT help an organization meet PCI Compliance standards?
Yes. EncryptRIGHT helps to address eight of the core security requirements needed to meet PCI Compliance.
Does BCSS meet the requirements of PCI PIN Security and card schemes such as Mastercard and Visa?
Yes, BCSS can integrate with the Thales payShield HSM to meet the secure cryptographic device (SCD) requirements of PCI and the larger card schemes or brands.
Does BCSS support the EMV standards?
Yes, BCSS supports the EMV requirements for smart (chip or IC) card issuance data preparation and transaction authorization including ARQC verification and ARPC generation.
Does BCSS maintain an audit log?
Yes, all configuration activities are tracked in an encrypted and authenticated Audit Log. Events are sorted by date and time and include the user ID and action performed. The log display also supports filtering. For example, if you want to view entries performed by a specific individual you can enter that person’s user ID in the User field and refresh the view. The contents of the Audit Log can be also copied to a text file, if desired.
How is user access to BCSS controlled?
Administration of user access rights includes user groups, password policy, and logon quorums. All users of the BCSS configuration program must have a user ID and password. OpenLDAP, including MS Active Directory, is supported. In addition, BCSS has an authenticated log that records all changes to user IDs and user privileges to discourage unauthorized tampering.
How does BCSS control the accurate entry of cryptographic keys?
When a key or component value is entered in BCSS, the key check value is calculated. An unexpected key check value indicates that the user did not enter the value correctly. Perhaps the wrong key encrypting key (KEK) was used, or perhaps the wrong value was sent from a partner, or perhaps the user simply made a typographical error. The key check value of the key or component as well as the key check value of the KEK must match the expected values to confirm the accuracy of the value entered.
How does BCSS help programmers identify and correct errors?
BCSS provides subroutine return codes. Most return codes are described in the BCSS API Programming Guide in the section for the specific API invoked, other common messages are explained in the Troubleshooting Appendix. Additionally, programmers can activate diagnostic tracing to capture the host command strings as they are sent to the HSM. Comparing the API trace file to the commands as documented in the Thales payShield Core Host Commands user guide will often allow the programmer to identify an issue.
What types of data are stored in the BCSS database?
The secure BCSS database contains encrypted values for master keys (e.g. KEKs) and card keys. The database also contains EMV issuer certificates, PIN type options, default PIN block formats, PVV options, and CVV options.
Does BCSS provide the ability to migrate from software to HSM-based hardware
encryption?
Yes, BCSS provides the ability to migrate key types used for magnetic-stripe security codes and PINs from software to HSM hardware-based encryption. Detailed instructions are included in the BCSS Configuration Guide.
Does Prime Factors sell Thales HSMs?
Yes, Prime Factors currently sells the Thales payShield 10K HSM. We can also help you find a reseller outside the USA, if needed.
