Straight Talk on Data Tokenization for PCI & Cloud
Published in: Technology, Business
  • Visa: “Knowing only the token, the recovery of the original PAN must not be computationally feasible” see page 18
  • Intel Expressway Tokenization Broker enables an organization to tokenize sensitive data such as credit card information so that back end enterprise systems or cloud based environments do not store or handle the data directly. This has an added benefit of taking systems out of scope for PCI-DSS audits. Tokenization produces faster searches of data vs encrypting and decrypting data.
  • Editor’s Note: Once again, match the product components/benefits on this slide with the customer’s specific needs.
  • EAM Software Appliance Form Factor: Red Hat AS5 64-bit, Solaris 10 64-bit, SLES 11, Windows 2003. Secure Appliance Form Factor: physical Tripwire, secure boot and BIOS snooping protection, seamless disk encryption, hardware random number generation. Tokenization: format-preserving tokens based on secure random number generation. Token Vault: automatic encryption of PAN data (AES/3DES); includes a starter token vault; supports Oracle, MySQL, SQL Server. Authentication and Access Control: integrates with identity management systems for secure PAN data retrieval. Performance: built on Intel’s high-performance service gateway platform optimized for Intel® Multi-Core.
    Customers’ benefits include: reducing or removing payment applications and databases from PCI scope; owning and managing PAN data on-premise with a secure hardware appliance; easily choosing the tokenization scheme appropriate for their businesses; high-performance operation that ensures low-latency document processing; leveraging existing enterprise identity management investments; avoiding token migration challenges; minimizing changes to existing applications compared to E2E encryption.
  • Resources on the PCI Solutions page of DP include the following: an eval version of Tokenization Broker, the Data Sheet, the PCI DSS White Paper, the Gateway Tokenization Webinar playback and the QSA Assessors Guide. (New content is being added on a regular basis; please keep posted!)
  • While many varying definitions of a Cloud Service Brokerage exist, in general they follow the same value propositions. Gartner defines a CSB as a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services. This can be further segmented into 3 broker types:
    An Aggregation brokerage unifies service access for consumers through service bundling and unified billing, and is responsible for overall SLAs. Today this is common; for instance, there are CSBs that aggregate licensing, support, reporting, migration kits, etc. for Google Apps. Many other examples exist.
    Integration brokerages go one step further by organizing services, integrating multiple on-prem and cloud data service providers to create a complete product offering, generally around a vertical industry or community business process. Examples are the many large B2B supply-chain-oriented exchanges that have connected vertical industries for years, like GHX in healthcare or Covisint in automotive supply chain management. This role will go beyond the narrow B2B role to serve any community business process. Running an integration brokerage with people and connected processes will require expertise in security, integration/translation, service governance and API management, to name a few. Security is such an important and complex area that it may evolve into specialized security brokerage providers that integration brokerages leverage.
    Customization brokerages actually create brand new value-added services that may be tailored uniquely for the enterprise cloud consumer.
    In the CSB realm there is a role for 3rd-party broker operators and a role where IT creates a brokerage for a certain set of services it wishes to maintain under its control as it manages consumption by internal departments. Many IT departments are already planning for a unified cloud access layer in their enterprise architectures, to be operated in a private cloud.
    Bottom line: CSBs help simplify sourcing and technical consumption, improve time to market and add value with a better ROI.
  • Transcript

    • 1. Straight Talk on Data Tokenization for PCI & Cloud: PAN Data Tokens. Presented by Andy Thurai, Intel® Application Security & Identity Products
    • 2. Tokenization and PCI
      - Tokenization: replacing a valuable piece of information with a surrogate value, or token. In a PCI context, replacing PAN data with random number strings.
      - Why tokens? Reduce PCI scope and the cost of PCI compliance; increase security.
    • 3. Does it Apply to Me?
      - “PCI DSS compliance includes merchants and service providers who ACCEPT, CAPTURE, STORE, TRANSMIT or PROCESS credit and debit card data.”
      - PCI DSS 2.0 standards became effective on January 1st. Is your organization prepared?
    • 4. The Case for Tokenization
      - Replace the PAN with a (random) number: the token.
      - Use that random number EVERYWHERE in your environment.
      - Keep the PAN and its reference to the token.
    • 5. Tokenization Use Cases
      - PCI scope without tokenization: everything is in PCI scope.
    • 6. Tokenization Use Cases
      - Tokenization replaces primary account number (PAN) data with a surrogate value, or “token”.
      - The token engine and vault are in scope, but post-payment applications may be out of scope.
    • 7. Tokenization Use Cases
      - Tokenization can be outsourced: to the processor.
    • 8. Tokenization Use Cases
      - Tokenization can be outsourced: to a 3rd party.
    • 9. Tokenization
      - Construction: tokens should be random.
      - Options: single- or multi-use; format preserving (keeps the characteristics of a PAN); lifetime.
      - Tokenization is not encryption: encryption is reversible, tokens are not. Encryption has a role in the token vault.
    • 10. Tokenization and PCI Council
      - Tokens can reduce scope: “The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation.”
      - “High-value” tokens may be in scope, e.g. tokens used as a payment instrument or to initiate a transaction.
    • 11. Tokenization and PCI Council
      - What does it mean? Guidance is, well, guidance. Tokenization can reduce PCI scope. High-value tokens require additional controls. High-value tokens used to initiate a transaction might be in scope.
      - Remember: the token engine and vault are always in scope, and access to the token vault must be restricted.
    • 12. Implementing Tokenization: Options (tokenization option: advantages / disadvantages)
      - Internal, Home Grown: Control / Security a core strength? Time and cost to implement
      - Internal, Package: Control, Flexibility / Cost, Time to implement, Expertise/functionality
      - 3rd Party, Processor: Easy implementation, Good PCI scope reduction / Cost, Limited flexibility, Compatibility with apps, Vendor lock-in
      - 3rd Party, Token Vendor: Easy implementation, Good PCI scope reduction / Cost, Compatibility with apps, Vendor lock-in, Business risk (requirement 12.8)
    • 13. Implementing Tokenization: Options
      - Third-party solutions appeal to smaller (L3, L4) merchants: ease, cost.
      - Internal hosting is appropriate for larger (L1, L2) merchants and service providers: control, technical capabilities.
    • 14. Implementing Tokenization: Security
      - The tokenization security tradeoff: tokens are secure, but any breach of the token vault could be devastating.
      - Protecting the token vault: restricting and authenticating users and access; segmenting the network to isolate out-of-scope systems; ensuring physical security; managing PAN encryption and key management.
    • 15. Internal vs. External Tokenization
      - External tokenization: BIG vision! Solves BIG problems! Involves processors, brands, 3rd parties. Example: the Cybersource/VISA model.
      - Internal tokenization: easier to implement. Solves URGENT problems! Only involves YOUR organization.
    • 16. Intel Application Security and Identity Products
      - Review of what is available today: on-premise software, hardware or virtual machines for (1) lightweight ESB, transformation, integration; (2) edge security: perimeter defense, cloud API management, authentication, throttling, metering, auditing; (3) tokenization: PCI DSS, format-preserving tokenization for service calls, documents, files and databases.
    • 17. Data Tokenization for Cloud or PCI
      - Tokenization enables faster searching for data vs. encryption.
    • 18. Expressway PCI Scope Reduction with Internal Tokenization (architecture diagram; labels recovered from it: hosted payment gateways, payment processors, payment applications, customer / Internet, data warehouse, retail store with card swipe / chip reader / keypad, point of sale (POS) server and environment, CRM applications, order processing applications, merchant data center. Legend: Complete Merchant PCI Scope; Reduced or Removed PCI Scope)
    • 19–20. Goal: E-Commerce Order Processing, Manual Invoice Processing. Problem: exception cases require manual review, bringing additional systems into scope. Solution: internal tokenization. (Before/after diagrams; labels: payment processor, e-commerce web server and website, invoice with credit card number, BPM application, supply chain apps, order exception portal, manual review of invoice and re-entry, data store, additional post-payment applications; merchant data center PCI scope)
    • 21–22. Goal: Bill Processing, Consolidation, Printing (financial statement processor). Problem: non-payment processing applications contain PAN information, increasing scoping costs. Solution: internal tokenization. (Before/after diagrams; labels: customer billing information and statements, customized bills, large data feeds with PAN data, documents with original PAN, connected app databases and portals, IBM WebSphere middleware, invoicing, bill payment, bill production and printing, bank statement customization and consolidation; service provider data center PCI scope. In the after diagram, edge security + tokenization sits in front of the applications, which receive data with tokens.)
    • 23–25. Typical Retail Architecture; Typical PCI DSS Scope; Scope with Expressway Tokenization Broker (three diagrams of the same architecture: browser, e-commerce website engine, retail POS, settlement engine, AuthZ engine, syndication channels (Amazon). Legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope)
    • 26. Intel® Expressway Tokenization Broker: Product Components
      - Hardware or software broker: tamper-resistant appliance; software on Linux AS5-64
      - Sample tokenization application: token exchange; token management
      - Secure token vault: HQSQL starter token vault; production database schemas
      - Intel® Services Designer: policy design and deployment; token exchange / management actions
      - Web interface: policy deployment & monitoring
    • 27. Addressing PCI DSS Requirements with Tokenization Broker (requirement area: Intel® Expressway Tokenization Broker capabilities)
      - Build/Maintain Secure Network: application-level security proxy & firewall; protects credit card data stored at rest / in transit.
      - Protect Cardholder Data: supports tokenization for reduced PCI scope.
      - Maintain Vulnerability Management Program: integrates with on-premise virus scanning servers; reduces the threat of malicious attachments.
      - Implement Strong Access Control Measures: supports strong access control; integrates with existing identity management investments; improves physical security for tokenization through a tamper-resistant form factor.
      - Regularly Monitor & Test Networks: tracks, monitors & logs authorization requests from merchant to card processor; offers regular testing & alerts in case of server failures.
      - Maintain Information Security Policy: maintains auditable security policies in a hardened form factor; allows for convenient review & change control.
      - Review our QSA Assessors Guide, which shows how Tokenization Broker addresses more than 200 PCI compliance requirements.
    • 28. Intel® Expressway Tokenization Broker: Features & Benefits
      - Features: flexible software appliance form factor; secure appliance form factor; tokenization; token vault; authentication & access control; high performance, optimized for Intel® Multi-Core.
      - Benefits: reduce or remove payment applications and databases from PCI scope; own and manage PAN data on-premise with a secure hardware appliance; easily choose the tokenization scheme appropriate for your business; high-performance operation ensures low-latency document processing; leverage existing enterprise identity management investments; avoid token migration challenges; minimize change to existing applications compared to E2E encryption.
    • 29. For Additional Information, go to: www.intel.com/go/identity (Download Eval, Data Sheet, PCI White Paper, Assessors Guide). E-mail: intelsoainfo@intel.com
    • 30. Cloud Service Broker Capabilities: Technology Enablement
    • 31. Market Shifts to Brokers to Solve Cloud Consumption Complexity
      - (Diagram: enterprise consumers (apps, IdM, B2B, legacy, app mashups, mobile) reach providers (SaaS, PaaS, IaaS) through an IT broker or a 3rd-party service broker; the CSB platform runs on a private or public cloud and exposes a service API plus functions for security/governance, billing, integration, support and process.)
      - CSB is a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services.
      - 3 broker types: Aggregation (distributor/solution provider): unify access via service bundling. Integration (system integrator): new functions via data/process integration. Customization (ISV): new functions via service enhancement.
      - Consumption models: do-it-yourself IT and/or 3rd party. Software and Services Group
    • 32. Specialty Focus on Cloud Access & Security Brokerage
      - (Diagram: identity & services brokers sit between IT / private cloud, the IT cloud provider, 3rd-party cloud and public/hybrid cloud, offering bundled service access.)
      - Platform functions: policy enforcement, authentication & orchestration, ID integration, compliance, ID context, federation, transport AuthZ.
      - Enabling technology (cloud security platform), by column:
        Strong auth: adaptive, client aware, soft token, hard token, OOB, mobile browser.
        Access: SSO, provisioning, XACML, STS token signing/mapping, IdM connectors (protocol & native).
        Data security: tokenization of PII, PHI, PAN; encryption; DLP.
        Governance & integration: API management, edge threats, metering, orchestration, SIEM, transformation, logs (data, user, apps).
        Form factor: software, hardware, VM appliance; multi-tenant as-a-service.
      - Intel & McAfee are CSB platform technology providers.
    • 33. Cloud Access Broker Vision: Example IT as a Broker
      - (Diagram: the IT private cloud acts as “broker” for internal tenants (departments 1-n; browser and mobile; employees and administrators) and external tenants (partner apps & 3rd-party brokers) reaching IaaS and PaaS applications, SaaS applications, and internal apps, IdM and middleware. Broker functions: identity broker, PII tokenization, API management, strong auth, transform & orchestrate; traffic over HTTP, REST and SOAP, M2M service calls and the trusted internal network. Supports “mix and match” of capabilities per internal/external tenant.)
      - Extends security policy to the cloud. Complete visibility & audit. Enables aggregation of services. Protects PII data stored in the cloud. Up-levels the security posture of providers with a strong-auth overlay.
    • 34. Use Model: Cloud Security Gateway & API Security
      - An API/service proxy (SOAP/REST) between service clients, mobile clients and on-premise enterprise applications provides perimeter security, authentication, quality of service, policy control, API versioning and auditing. See the detailed back-up for all use case diagrams.
    • 35. Expressway provides API Security for vCloud
      - For the vCloud REST API and non-vCloud partners (SOAP): SSL/TLS termination; SOAP to REST mediation; authentication; HTTP inspection; message throttling; audit logging; API masking; API versioning; strong authentication; code injection protection; threat detection / AV scanning in OVF files.
      - Intel® Expressway can provide full API protection and mediation for vCloud.
    • 36. Case Study: Hybrid Cloud Bursting (PaaS)
      - Flow: 1. enterprise portal login; 2. local authentication against IdM or Active Directory; 3. resource request; 4. AWS credential mapping and data retrieval from Amazon EC2 / storage in the public cloud. The service gateway sits between the enterprise private cloud and the public cloud.
      - The gateway mediates access to public cloud services: perimeter security; seamless user experience; preserve existing IDM investments; abstract cloud providers; data control.
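The token engine and vault that slides 9, 11, 14 and 17 describe (random, format-preserving tokens; single- or multi-use with a lifetime; restricted, logged access to the vault; equality search on tokens instead of decryption), as an added example that is not part of the original deck and not Intel's product code. It assumes an in-memory dict where a real vault keeps an encrypted PAN column, a constructed role name "payment-processor" for the only caller allowed to detokenize, and two well-known test card numbers as input; forcing tokens to fail the Luhn check is this example's own design choice, not something the deck states.

```python
import secrets
from datetime import datetime, timedelta, timezone


def luhn_valid(number: str) -> bool:
    """Luhn checksum: the format check every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Format-preserving random token: same length, digits only, last four kept.
    The digits come from a CSPRNG, not from the PAN, so the token alone gives no
    computational path back. Design choice (ours, not the deck's): the token is
    forced to FAIL Luhn, so it can never be mistaken for a real card number."""
    while True:
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if token != pan and not luhn_valid(token):
            return token


class TokenVault:
    """In-memory token engine + vault, constructed for this example. Assumption:
    a production vault stores the PAN column encrypted (the deck names AES/3DES)
    on a segmented network; the plain dict stands in for that (stdlib has no AES)."""

    def __init__(self, multi_use=True, lifetime=None, detokenize_roles=("payment-processor",)):
        self.multi_use, self.lifetime = multi_use, lifetime   # same PAN -> same token?; timedelta
        self.detokenize_roles = set(detokenize_roles)
        self._by_token, self._by_pan = {}, {}      # token -> (pan, issued); pan -> token
        self.audit = []                            # every detokenize request, allowed or not

    def tokenize(self, pan: str, now=None) -> str:
        now = now or datetime.now(timezone.utc)
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        if self.multi_use and pan in self._by_pan:
            return self._by_pan[pan]
        token = make_token(pan)
        while token in self._by_token:             # collision guard
            token = make_token(pan)
        self._by_token[token] = (pan, now)
        if self.multi_use:
            self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str, now=None) -> str:
        """Only the few in-scope callers may recover a PAN; every request is logged."""
        now = now or datetime.now(timezone.utc)
        allowed = caller_role in self.detokenize_roles
        self.audit.append((now.isoformat(), caller_role, token[-4:], allowed))
        if not allowed:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        if token not in self._by_token:
            raise KeyError("unknown token")
        pan, issued_at = self._by_token[token]
        if self.lifetime is not None and now - issued_at > self.lifetime:
            raise KeyError("token expired")
        return pan


def orders_for_card(vault: TokenVault, orders: list, pan: str) -> list:
    """Post-payment search without decryption: resolve the PAN to its multi-use
    token once, then match on token equality in a store that holds no PANs."""
    token = vault.tokenize(pan)
    return [o["order_id"] for o in orders if o["card_token"] == token]


def _raises(exc, fn, *args, **kw) -> bool:
    try:
        fn(*args, **kw)
    except exc:
        return True
    return False


def demo() -> dict:
    """Exercise the vault; the PANs are well-known test numbers, not real cards."""
    pan, other = "4111111111111111", "5555555555554444"
    vault = TokenVault(multi_use=True, lifetime=timedelta(days=365))
    token = vault.tokenize(pan)
    orders = [  # constructed order store: tokens only, so it can leave PCI scope
        {"order_id": 1001, "card_token": token},
        {"order_id": 1002, "card_token": vault.tokenize(other)},
        {"order_id": 1003, "card_token": token},
    ]
    single, expiring = TokenVault(multi_use=False), TokenVault(lifetime=timedelta(days=1))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old = expiring.tokenize(pan, now=t0)
    return {
        "pan": pan, "token": token,
        "same_token_on_reuse": vault.tokenize(pan) == token,
        "single_use_differs": single.tokenize(pan) != single.tokenize(pan),
        "crm_denied": _raises(PermissionError, vault.detokenize, token, "crm-app"),
        "detokenized": vault.detokenize(token, "payment-processor"),
        "expired_rejected": _raises(KeyError, expiring.detokenize, old,
                                    "payment-processor", now=t0 + timedelta(days=2)),
        "orders": orders_for_card(vault, orders, pan),
        "audit_entries": len(vault.audit),
    }
```

Running demo() shows the two properties the deck leans on: the token is unrelated to the PAN (only the vault can map it back, and only for an authorized, logged caller), and a multi-use token is stable, so an order store holding nothing but tokens can still be searched by card with a plain equality match.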
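The four-step flow on slide 36 (portal login, local authentication, resource request, credential mapping by the gateway), as an added example that is not part of the original deck and not Intel Expressway code. It assumes a constructed directory with two users standing in for IdM / Active Directory, a placeholder cloud role name and a placeholder provider secret that only the gateway holds, and an HMAC-signed request as a stand-in for the real provider SDK call; the point it shows is that the user's enterprise login never turns into a cloud credential in the user's hands.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2: the directory stores hashes, never plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed enterprise directory, standing in for IdM / Active Directory.
_SALTS = {"alice": secrets.token_bytes(16), "bob": secrets.token_bytes(16)}
DIRECTORY = {
    "alice": {"hash": password_hash("correct-horse", _SALTS["alice"]), "groups": {"data-science"}},
    "bob": {"hash": password_hash("battery-staple", _SALTS["bob"]), "groups": {"finance"}},
}
# Constructed mapping: enterprise group -> cloud role and the buckets it may read.
ROLE_MAP = {"data-science": {"role": "PLACEHOLDER-BURST-COMPUTE-ROLE", "buckets": {"burst-data"}}}
# Placeholder provider credential: only the gateway holds it; users never see it.
PROVIDER_SECRET = b"PLACEHOLDER-PROVIDER-SECRET"


class CloudGateway:
    def __init__(self, session_ttl=timedelta(minutes=30)):
        self.session_ttl = session_ttl
        self.sessions = {}      # session id -> (user, issued_at)
        self.audit = []         # every login and resource decision

    def login(self, user: str, password: str, now=None) -> str:
        """Steps 1-2: portal login, verified against the local directory."""
        now = now or datetime.now(timezone.utc)
        entry = DIRECTORY.get(user)
        ok = entry is not None and hmac.compare_digest(
            password_hash(password, _SALTS[user]), entry["hash"])
        self.audit.append((now.isoformat(), "login", user, ok))
        if not ok:
            raise PermissionError("authentication failed")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, now)
        return sid

    def request_resource(self, sid: str, bucket: str, now=None) -> dict:
        """Steps 3-4: map the user's group to a cloud role and sign the request."""
        now = now or datetime.now(timezone.utc)
        if sid not in self.sessions:
            raise PermissionError("unknown session")
        user, issued_at = self.sessions[sid]
        if now - issued_at > self.session_ttl:
            del self.sessions[sid]
            raise PermissionError("session expired")
        grants = [ROLE_MAP[g] for g in DIRECTORY[user]["groups"] if g in ROLE_MAP]
        grant = next((g for g in grants if bucket in g["buckets"]), None)
        self.audit.append((now.isoformat(), "resource", user, bucket, grant is not None))
        if grant is None:
            raise PermissionError(f"{user} has no cloud role covering bucket {bucket!r}")
        # Hypothetical signed-request shape; a real gateway would call the provider SDK here.
        ts = now.isoformat()
        msg = f"{grant['role']}|{bucket}|{ts}".encode()
        return {"role": grant["role"], "bucket": bucket, "timestamp": ts,
                "signature": hmac.new(PROVIDER_SECRET, msg, "sha256").hexdigest()}


def verify_signed_request(req: dict) -> bool:
    """Provider-side check: the signature binds role, bucket and time together."""
    msg = f"{req['role']}|{req['bucket']}|{req['timestamp']}".encode()
    expected = hmac.new(PROVIDER_SECRET, msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, req["signature"])


def expired_session_is_rejected() -> bool:
    """A session issued at t0 must not be usable after the TTL has elapsed."""
    gw, t0 = CloudGateway(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    sid = gw.login("alice", "correct-horse", now=t0)
    try:
        gw.request_resource(sid, "burst-data", now=t0 + timedelta(hours=1))
    except PermissionError:
        return True
    return False
```

The returned request carries a role name and a signature, never the provider secret, which is what lets the gateway "abstract cloud providers" and "preserve existing IDM investments" at the same time: swapping providers changes only ROLE_MAP and the signing step, while users keep authenticating to the enterprise directory.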
