Straight Talk on Data Tokenization for PCI & Cloud
1. Straight Talk on Data Tokenization for PCI & Cloud
PAN Data Tokens
Presented by:
Andy Thurai
Intel® Application Security & Identity Products
2. Tokenization and PCI
• Tokenization: replacing a valuable piece of information with a surrogate value, or token
- In a PCI context, replacing PAN data with random number strings
• Why tokens?
- Reduce PCI scope and the cost of PCI compliance
- Increase security
3. Does it Apply to Me?
“PCI DSS compliance includes merchants and service providers who ACCEPT, CAPTURE, STORE, TRANSMIT or PROCESS credit and debit card data.”
PCI DSS 2.0 standards became effective on January 1st. Is your organization prepared?
4. The Case for Tokenization
• Replace the PAN with a (random) number: the token
• Use that random number EVERYWHERE in your environment
• Keep the PAN and the reference to its token
6. Tokenization Use Cases
• Tokenization replaces primary account number (PAN) data with a surrogate value, or “token”
• The token engine and vault are in scope, but post-payment applications may be out of scope
9. Tokenization
• Construction
- Tokens should be random
• Options
- Single- or multi-use
- Format preserving (keeps the characteristics of a PAN)
- Lifetime
• Tokenization is not encryption
- Encryption is reversible by anyone holding the key; a random token cannot be reversed, only looked up in the vault
- Encryption still has a role in protecting the PAN inside the token vault
10. Tokenization and PCI Council
• Tokens can reduce scope
• “The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation.”
• “High-value” tokens may be in scope, e.g. tokens that are:
- Used as a payment instrument
- Used to initiate a transaction
11. Tokenization and PCI Council
• What does it mean?
- Guidance is, well, guidance
- Tokenization can reduce PCI scope
- High-value tokens require additional controls
- High-value tokens used to initiate a transaction might be in scope
• Remember
- Token engine and vault are always in scope
- Access to the token vault must be restricted
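As an added example (not part of this deck or of Intel's product), here is the construction from slide 9 and the vault-access rule from slide 11 in plain Python: random, format-preserving tokens that are either multi- or single-use, and a vault that gates every detokenization by caller. The HMAC index key, the caller names and the "fail the Luhn check" rule are assumptions of this example, and the vault's PAN encryption (AES/3DES in the deck) is left out so the code runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed demo key for the vault's HMAC index; a real vault keeps it in an HSM/KMS.
VAULT_INDEX_KEY = b"constructed-demo-key-not-for-production"

def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def make_token(pan: str) -> str:
    """Random, format-preserving token: same length and last four digits as the PAN.
    Assumed design choice: retry until the token fails Luhn so it can never pass as a PAN."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    while True:
        token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
        if not luhn_valid(token):
            return token  # nothing maps this back to the PAN; only the vault can

class TokenVault:  # the in-scope component: holds token->PAN and gates detokenization
    def __init__(self, authorized_callers, multi_use=True):
        self._by_token = {}      # token -> PAN (the deck's vault encrypts this with AES/3DES; omitted)
        self._by_pan_index = {}  # HMAC(PAN) -> token, so multi-use lookups need no plaintext PAN index
        self._authorized = set(authorized_callers)
        self._multi_use = multi_use
        self.audit = []          # (caller, last four of token, allowed): feed for monitoring

    def tokenize(self, pan: str) -> str:
        idx = hmac.new(VAULT_INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()
        if self._multi_use and idx in self._by_pan_index:
            return self._by_pan_index[idx]  # same PAN, same token: post-payment apps can join on it
        token = make_token(pan)
        while token in self._by_token:      # never overwrite an existing token on a (rare) collision
            token = make_token(pan)
        self._by_token[token] = pan
        self._by_pan_index[idx] = token     # only consulted in multi-use mode
        return token

    def detokenize(self, token: str, caller: str) -> str:
        allowed = caller in self._authorized
        self.audit.append((caller, token[-4:], allowed))  # log every attempt, allowed or not
        if not allowed:
            raise PermissionError(f"{caller} may not access the token vault")
        return self._by_token[token]
```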
12. Implementing Tokenization: Options
• Internal, Home Grown
- Advantages: Control
- Disadvantages: Is security a core strength?; time and cost to implement
• Internal, Package
- Advantages: Control; flexibility
- Disadvantages: Cost; time to implement; expertise/functionality
• 3rd Party, Processor
- Advantages: Easy implementation; good PCI scope reduction
- Disadvantages: Cost; limited flexibility; compatibility with apps; vendor lock-in
• 3rd Party, Token Vendor
- Advantages: Easy implementation; good PCI scope reduction
- Disadvantages: Cost; compatibility with apps; vendor lock-in; business risk (PCI DSS requirement 12.8)
13. Implementing Tokenization: Options
• Third-party solutions appeal to smaller (L3, L4) merchants
- Ease
- Cost
• Internal hosting is appropriate for larger (L1, L2) merchants and service providers
- Control
- Technical capabilities
14. Implementing Tokenization: Security
• The tokenization security tradeoff
- Tokens are secure, but…
- Any breach of the token vault could be devastating
• Protecting the token vault
- Restricting and authenticating users and access
- Segmenting the network to isolate out-of-scope systems
- Ensuring physical security
- Managing PAN encryption and key management
15. Internal vs. External Tokenization
External Tokenization:
• BIG Vision!
• Solves BIG Problems!
• Involves processors, brands, 3rd parties
• Example: Cybersource/VISA model
Internal Tokenization:
• Easier to Implement
• Solves URGENT Problems!
• Only involves YOUR organization
16. Intel Application Security and Identity Products
• Review of what is available today
• On-premise software, hardware or virtual machines for:
- (1) Lightweight ESB, transformation, integration
- (2) Edge Security – perimeter defense, Cloud API management, authentication, throttling, metering, auditing
- (3) Tokenization – PCI DSS, format preserving tokenization for service calls, documents, files and databases
17. Data Tokenization for Cloud or PCI
Tokenization enables faster searching for data than encryption: tokens can be indexed and matched directly, whereas encrypted values must be decrypted before they can be searched.
18. Expressway PCI Scope Reduction with Internal Tokenization
Diagram: the Point of Sale (POS) environment (retail card swipe, chip reader or keypad, and the store server) connects over the Internet to hosted payment gateways and payment processors, and to the merchant data center, which holds the payment applications, customer data warehouse, CRM applications and order processing applications. Legend: Point of Sale Environment PCI Scope; Complete Merchant PCI Scope; Reduced or Removed PCI Scope.
19. Goal: E-Commerce Order Processing
Manual Invoice Processing
Problem: Exception cases require manual review, bringing additional systems into scope
Solution: Internal tokenization
Diagram: the e-commerce website and web server pass an invoice with the credit card number to the payment application, BPM system and supply chain apps, and on to the payment processor; an order exception path sends the invoice through a portal for manual review and re-entry, pulling the portal, an additional data store and post-payment applications into the merchant data center's PCI scope.
21. Goal: Bill Processing, Consolidation, Printing
Financial Statement Processor
Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization
Diagram: large data feeds with PAN data, and customer billing information and documents with the original PAN, enter IBM WebSphere middleware (invoicing, bill payment, bank statement customization and consolidation), which feeds connected databases, app portals, and bill production and printing of customized bills and statements; the whole service provider data center is in PCI scope.
22. Goal: Bill Processing, Consolidation, Printing
Financial Statement Processor
Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization
Diagram: the same flow with Edge Security + Tokenization placed in front of the middleware, so the large feeds with PAN data and the customer billing documents with the original PAN are replaced by data with tokens before reaching the middleware (invoicing, bill payment, bank statement customization and consolidation), connected databases, app portals, and bill production and printing; the service provider data center's PCI scope is reduced accordingly.
27. Addressing PCI DSS Requirements with Tokenization Broker
Requirement: Intel® Expressway Tokenization Broker capabilities
• Build/Maintain Secure Network
- Application-level security proxy & firewall
• Protect Cardholder Data
- Protects credit card data stored at rest/in transit
- Supports tokenization for reduced PCI scope
• Maintain Vulnerability Management Program
- Integrates with on-premise virus scanning servers
- Reduces threat of malicious attachments
• Implement Strong Access Control Measures
- Supports strong access control
- Integrates with existing identity management investments
- Improves physical security for tokenization through tamper-resistant form-factor
• Regularly Monitor & Test Networks
- Tracks, monitors & logs authorization requests from merchant to card processor
- Offers regular testing & alerts in case of server failures
• Maintain Information Security Policy
- Maintains auditable security policies in hardened form-factor
- Allows for convenient review & change control
Review our QSA Assessors Guide, which shows how Tokenization Broker addresses more than 200 PCI compliance requirements.
28. Intel® Expressway Tokenization Broker: Features & Benefits
Feature Summary
• Flexible Software Appliance Form Factor
• Secure Appliance Form Factor
• Tokenization
• Token Vault
• Authentication & Access Control
• High Performance, optimized for Intel® Multi-Core
Benefit Summary
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose the tokenization scheme appropriate for your business
• High performance operation ensures low-latency document processing
• Leverage existing enterprise identity management investments
• Avoid token migration challenges
• Minimize change to existing applications compared to E2E encryption
29. For Additional Information, go to: www.intel.com/go/identity
• Download Eval
• Data Sheet
• PCI White Paper
• Assessors Guide
E-mail: intelsoainfo@intel.com
31. Market Shifts to Brokers to Solve Cloud Consumption Complexity
Diagram: the enterprise private cloud (apps, IdM, legacy, app mashups, mobile) consumes public cloud providers (apps; SaaS, PaaS, IaaS; 3rd party B2B) either through an IT broker running its own CSB platform or through a 3rd party service broker's CSB platform. Broker functions: security/governance, billing, integration, support, process. Service API: consumption.
CSB is a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services.
3 Broker Types:
• Aggregation (Distributor/Solution Provider): unify access via service bundling
• Integration (System Integrator): new functions via data/process integration
• Customization (ISV): new functions via service enhancement
Consumption models: do-it-yourself IT and/or 3rd party
32. Specialty Focus on Cloud Access & Security Brokerage
Identity & Services Brokers: the IT private cloud and the cloud provider (public/hybrid) or 3rd party bundled service are joined by an access platform whose functions are policy enforcement, authentication, orchestration, ID integration, compliance, identity context, federation, transport and authorization (AuthZ).
Enabling Technology (Cloud Security Platform):
• Strong Auth: adaptive, client aware, soft token, hard token, OOB signing
• Access: SSO, provisioning, XACML, STS token mapping, IdM connectors
• Data Security: tokenization (PII, PHI, PAN), encryption, DLP, SIEM, logs (data, user, apps)
• Gov & Integration: API management, edge threats, metering, orchestration, transformation, protocol
• Form Factor: software, hardware or VM appliance; multi-tenant as-a-service; mobile browser & native
Intel & McAfee are CSB platform technology providers
33. Cloud Access Broker Vision: Example IT as a Broker
Diagram: the IT private cloud acts as the “broker”, supporting a “mix and match” of capabilities per internal/external tenant. Tenant #1 (apps, IDM and middleware on the trusted internal network, M2M service calls) and tenant #2 (departments 1-n, browser) reach IaaS and PaaS applications, SaaS applications, and browser and mobile applications over HTTP/REST through the identity broker, tokenization of PII, API management, strong auth, and transform & orchestrate functions; tenant 3 (external enterprise employees and administrators via portal/browser) and tenant 4 (partner apps & 3rd party brokers over HTTP, REST/SOAP) come in from outside.
• Extends security policy to cloud
• Complete visibility & audit
• Enables aggregation of services
• Protects PII data stored in cloud
• Up-levels security posture of providers with strong auth overlay
34. Use Model: Cloud Security Gateway & API Security
Diagram: an API/Service Proxy (SOAP/REST) sits between on-premise enterprise applications and the service clients and mobile clients, providing:
• Perimeter Security
• Authentication
• Quality of Service
• Policy Control
• API Versioning
• Auditing
See the detailed backup for all use case diagrams
35. Expressway provides API Security for vCloud
REST API Security for vCloud, including a non-vCloud partner (SOAP):
• SSL/TLS Termination
• SOAP to REST Mediation
• Authentication
• HTTP Inspection
• Message Throttling
• Audit Logging
• API Masking
• API Versioning
• Strong Authentication
• Code Injection Protection
• Threat detection / AV scanning in OVF files
Intel® Expressway can provide full API protection and mediation for vCloud
36. Case Study: Hybrid Cloud Bursting (PaaS)
Diagram: the Service Gateway sits between the enterprise private cloud (portal application, IdM or Active Directory) and Amazon EC2 storage in the public cloud.
1. Enterprise Portal Login
2. Local Authentication (IdM or Active Directory)
3. Resource Request
4. AWS Credential Mapping and Data Retrieval (Amazon EC2 Storage)
The Gateway mediates access to public cloud services:
• Perimeter Security
• Seamless User Experience
• Preserve existing IDM investments
• Abstract cloud providers
• Data Control
Editor's Notes
Visa: “Knowing only the token, the recovery of the original PAN must not be computationally feasible” see page 18
Intel Expressway Tokenization Broker enables an organization to tokenize sensitive data such as credit card information so that back-end enterprise systems or cloud-based environments do not store or handle the data directly. This has the added benefit of taking systems out of scope for PCI DSS audits. Tokenization produces faster searches of data than encrypting and decrypting data.
Editor’s Note: Once again, match the product components/benefits on this slide with the customer’s specific needs.
EAM
• Software Appliance Form Factor: Red Hat AS5 64-bit, Solaris 10 64-bit, SLES 11, Windows 2003
• Secure Appliance Form Factor: physical tripwire, secure boot and BIOS snooping protection, seamless disk encryption, hardware random number generation
• Tokenization: format preserving tokens based on secure random number generation
• Token Vault: automatic encryption of PAN data (AES/3DES); includes starter token vault; supports Oracle, MySQL, SQL Server
• Authentication and Access Control: integrates with identity management systems for secure PAN data retrieval
• Performance: built on Intel’s high-performance service gateway platform optimized for Intel® Multi-Core
Customers’ benefits include:
• Reducing or removing payment applications and databases from PCI scope
• Owning and managing PAN data on-premise with a secure hardware appliance
• Easily choosing the tokenization scheme appropriate for their businesses
• High performance operation that ensures low-latency document processing
• Leveraging existing enterprise identity management investments
• Avoiding token migration challenges
• Minimizing changes to existing applications compared to E2E encryption
Resources on the PCI Solutions page of DP include the following: Eval Version of Tokenization Broker; Data Sheet; PCI DSS White Paper; Gateway Tokenization Webinar Playback; QSA Assessors Guide (new content is being added on a regular basis; please keep posted!)
While many varying definitions of a Cloud Service Brokerage exist, in general they follow the same value propositions. Gartner defines a CSB as a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services. This can be further segmented into 3 broker types:
An Aggregation brokerage unifies service access for consumers through service bundling and unified billing, and is responsible for overall SLAs. Today this is common: for instance, there are CSBs that aggregate licensing, support, reporting, migration kits, etc. for Google Apps. Many other examples exist.
Integration brokerages go one step further by organizing services and integrating multiple on-prem & cloud data service providers to create a complete product offering, generally around a vertical industry or community business process. Examples are the many large B2B supply chain oriented exchanges that have connected vertical industries for years, like GHX in healthcare or Covisint in automotive supply chain management. This role will go beyond the narrow B2B role to service any community business process. To run an integration brokerage with people & connected processes will require expertise in security, integration/translation, service governance & API management, to name a few. Security is such an important & complex area that it may evolve into specialized security brokerage providers that integration brokerages leverage.
Customization brokerages actually create brand new value-added services that may be tailored uniquely for the enterprise cloud consumer.
In the CSB realm there is a role for 3rd party broker operators and a role where IT creates a brokerage for a certain set of services it wishes to maintain under its control as it manages consumption by internal departments. Many IT departments are already planning for a unified cloud access layer in their enterprise architectures, to be operated in a private cloud.
Bottom line: CSBs help simplify sourcing and technical consumption, improve time to market and add value with a better ROI.