Straight Talk on Data Tokenization for PCI & Cloud

Figure: PAN Data replaced by Tokens.

Presented by:
Andy Thurai
Intel® Application Security & Identity Products
Tokenization and PCI


• Tokenization: replacing a valuable piece of information with
  a surrogate value, or token
  - In a PCI context, replacing PAN data with random number
    strings
• Why tokens?
  - Reduce PCI scope, cost of PCI compliance
  - Increase security




Does it Apply to Me?


“PCI DSS compliance includes merchants and service providers who ACCEPT, CAPTURE, STORE, TRANSMIT or PROCESS credit and debit card data.”

PCI DSS 2.0 standards became effective on January 1st. Is your organization prepared?
The Case for Tokenization


• Replace PAN with (random) number - token
• Use that random number EVERYWHERE in your environment
• Keep PAN and reference to token
Tokenization Use Cases


• PCI scope without tokenization
  - Everything is in PCI scope




Tokenization Use Cases


• Tokenization replaces primary account number (PAN) data
  with surrogate value, or “token”
• Token engine and vault in scope, but post-payment
  applications may be out of scope




Tokenization Use Cases


• Tokenization can be outsourced: processor




Tokenization Use Cases


• Tokenization can be outsourced: 3rd party




Tokenization


• Construction
  - Tokens should be random
• Options
  - Single- or multi-use
  - Format preserving (characteristics of a PAN)
  - Lifetime
• Tokenization is not encryption
  - Encryption is reversible, tokens are not
  - Encryption has a role in token vault




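A minimal reference implementation of the construction choices on this slide, added here as an illustration and not code from the deck or from Intel Expressway: random format-preserving tokens that keep the last four digits but deliberately fail the Luhn check (one common design choice, so a token can never pass as a live PAN), a vault that supports single- or multi-use tokens and restricts who may reverse them, and a scanner that uses that Luhn property to tell a leaked PAN from a token in post-payment application data. All function and role names are hypothetical, the test card number and log lines are constructed, and the encryption of the vault's PAN column under a managed key is assumed rather than implemented.

```python
"""Reference tokenizer for the choices on this slide (hypothetical names).

Design points demonstrated:
  * tokens are random, not derived from the PAN, so no key turns a token
    back into a PAN: only the vault can;
  * tokens are format preserving (digits, same length, last four kept)
    but deliberately fail the Luhn check, so a token can never pass as a
    live PAN and leaked PANs can be told apart from tokens when scanning;
  * the vault supports single-use or multi-use tokens and restricts who
    may reverse a token.
Assumption: in a real vault the PAN column is encrypted under a managed
key; that layer is omitted here to keep the example stdlib-only.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

DIGITS = "0123456789"
DETOKENIZE_ROLES = {"payment-app"}      # hypothetical role allowed to see PANs
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check, as every real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Random token with the PAN's length and last four digits that fails Luhn."""
    while True:                             # about 9 in 10 candidates already fail Luhn
        body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
        candidate = body + pan[-4:]
        if not luhn_valid(candidate):
            return candidate


@dataclass
class TokenVault:
    """The token engine and vault: always in PCI scope, so access is restricted."""
    index_key: bytes                        # keyed index: multi-use lookups need no PAN scan
    multi_use: bool = True
    _pan_by_token: dict = field(default_factory=dict, init=False, repr=False)
    _token_by_index: dict = field(default_factory=dict, init=False, repr=False)

    def _index(self, pan: str) -> str:
        return hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        idx = self._index(pan)
        if self.multi_use and idx in self._token_by_index:
            return self._token_by_index[idx]    # same PAN, same token
        token = make_token(pan)
        while token in self._pan_by_token:      # guard against a random collision
            token = make_token(pan)
        self._pan_by_token[token] = pan
        if self.multi_use:
            self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Reverse a token; only vetted roles may do this, and every call should be logged."""
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


def scan_for_pans(text: str) -> list:
    """Classify every 13-19 digit run in application data: Luhn-valid runs are PANs."""
    return [(m.group(), "PAN" if luhn_valid(m.group()) else "token/other")
            for m in PAN_CANDIDATE.finditer(text)]


def demo() -> dict:
    pan = "4111111111111111"               # constructed: a well-known test card number
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize(pan)
    # constructed log lines from a post-payment system: one row leaked the real PAN
    log = f"order=8891 card={pan} status=ok\norder=8892 card={token} status=ok\n"
    try:
        vault.detokenize(token, "crm-app")
        crm_denied = False
    except PermissionError:
        crm_denied = True
    return {"token": token, "crm_denied": crm_denied, "findings": scan_for_pans(log)}


if __name__ == "__main__":
    for value, kind in demo()["findings"]:
        print(f"{value} -> {kind}")
```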
Tokenization and PCI Council


• Tokens can reduce scope
  - “The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation.”
• “High-value” tokens may be in scope, e.g.:
  - Used as a payment instrument
  - Initiate a transaction
Tokenization and PCI Council


• What does it mean?
  - Guidance is, well, guidance
  - Tokenization can reduce PCI scope
  - High-value tokens require additional controls
  - High-value tokens used to initiate a transaction might be in scope
• Remember
  - Token engine and vault always in scope
  - Access to token vault must be restricted
Implementing Tokenization: Options


Tokenization Option: Internal, Home Grown
  Advantages: Control
  Disadvantages: Security a core strength? Time and cost to implement

Tokenization Option: Internal, Package
  Advantages: Control; Flexibility; Time to implement; Expertise/functionality
  Disadvantages: Cost

Tokenization Option: 3rd Party, Processor
  Advantages: Easy implementation; Good PCI scope reduction
  Disadvantages: Cost; Limited flexibility; Compatibility with apps; Vendor lock-in

Tokenization Option: 3rd Party, Token Vendor
  Advantages: Easy implementation; Good PCI scope reduction
  Disadvantages: Cost; Compatibility with apps; Vendor lock-in; Business risk (12.8)
Implementing Tokenization: Options


• Third-party solutions appeal to smaller (L3, L4) merchants
  - Ease
  - Cost
• Internal hosting appropriate for larger (L1, L2) merchants
  and service providers
  - Control
  - Technical capabilities




Implementing Tokenization: Security


• The tokenization security tradeoff
  - Tokens are secure, but…
  - Any breach of token vault could be devastating
• Protecting the token vault
  - Restricting and authenticating users and access
  - Segmenting network to isolate out of scope systems
  - Ensuring physical security
  - Managing PAN encryption and key management
Internal vs. External Tokenization


External Tokenization:
• BIG Vision!
• Solves BIG Problems!
• Involves processors, brands, 3rd parties
Example: Cybersource/VISA model

Internal Tokenization:
• Easier to Implement
• Solves URGENT Problems!
• Only involves YOUR organization
Intel Application Security and Identity Products

• Review of what is available today
   • On-premise software, hardware or virtual machines for
     • (1) Lightweight ESB, transformation, integration
     • (2) Edge Security – Perimeter defense, Cloud API management,
       authentication, throttling, metering, auditing
     • (3) Tokenization – PCI DSS, format preserving tokenization for service
       calls, documents, files and databases




Data Tokenization for Cloud or PCI

Figure caption: Tokenization enables faster searching for data vs encryption
Expressway PCI Scope Reduction with Internal Tokenization

Figure: merchant architecture in which Retail / Card Swipe / Chip Reader / Keypad devices feed a Store Server in the Point of Sale Environment (POS); the Internet connects to Hosted Payment Gateways and Payment Processors; and the Merchant Data Center holds Payment Applications, CRM Applications, Order Processing Applications and a Customer Data Warehouse. Legend: Point of Sale Environment PCI Scope; Complete Merchant PCI Scope; Reduced or Removed PCI Scope.
Goal: E-Commerce Order Processing (Manual Invoice Processing)

Problem: Exception cases require manual review, bringing additional systems into scope
Solution: Internal tokenization

Figure: an E-Commerce Website sends an Invoice with Credit Card Number to a Web Server and on to the Payment Application and Payment Processor. An Order Exception goes to manual review of the invoice and re-entry, then to the BPM System, Supply Chain Apps, a Portal Data Store and Additional Post-Payment Applications, all inside the Merchant Data Center and marked as PCI Scope.
Goal: Bill Processing, Consolidation, Printing (Financial Statement Processor)

Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization

Figure (before): Customer Billing Information arrives as Large Data Feeds with PAN Data into IBM WebSphere Middleware, then Invoicing, Bill Payment, Bank Statement Customization and Consolidation (with Connected Databases and App. Portals), then Bill Production and Printing, producing Customized Bills and Statements and Documents with original PAN data; the Service Provider Data Center is marked as PCI Scope.

Figure (after): the same flow with Edge Security + Tokenization inserted between the data feeds and the processing applications, so the downstream applications receive Data w/ Tokens instead of PAN data.
Typical Retail Architecture

Figure: Retail POS, Syndication Channels (Amazon) and a Browser-facing Website with an E-Commerce Engine all connect to a central AuthZ Engine and Settlement Engine.

Typical PCI DSS Scope

Figure: the same architecture with a legend marking each component as Outside of Retailer, In PCI DSS Scope, or Out of PCI DSS Scope.

Scope with Expressway Tokenization Broker

Figure: the same architecture and legend with the Expressway Tokenization Broker in place, showing which components remain in PCI DSS scope.
Intel® Expressway Tokenization Broker: Product Components

Hardware or Software Broker
• Tamper resistant appliance
• Software on Linux AS5-64

Sample Tokenization Application
• Token Exchange
• Token Management

Secure Token Vault
• HQSQL Starter Token Vault
• Production Database Schemas

Intel® Services Designer
• Policy Design and Deployment
• Token Exchange / Management Actions

Web Interface
• Policy Deployment & Monitoring
Addressing PCI DSS Requirements with Tokenization Broker

Each PCI DSS requirement group below is paired with the Intel® Expressway Tokenization Broker capabilities that address it.

Requirement: Build/Maintain Secure Network
• Application-level security proxy & firewall.

Requirement: Protect Cardholder Data
• Protects credit card data stored at rest / in transit.
• Supports tokenization for reduced PCI scope.

Requirement: Maintain Vulnerability Management Program
• Integrates with on-premise virus scanning servers.
• Reduces threat of malicious attachments.

Requirement: Implement Strong Access Control Measures
• Supports strong access control.
• Integrates with existing identity management investments.
• Improves physical security for tokenization through tamper-resistant form-factor.

Requirement: Regularly Monitor & Test Networks
• Tracks, monitors & logs authorization requests from merchant to card processor.
• Offers regular testing & alerts in case of server failures.

Requirement: Maintain Information Security Policy
• Maintains auditable security policies in hardened form-factor.
• Allows for convenient review & change control.

Review our QSA Assessors Guide, which shows how Tokenization Broker addresses more than 200 PCI compliance requirements.
Intel® Expressway Tokenization Broker: Features & Benefits

Feature Summary
• Flexible Software Appliance Form Factor
• Secure Appliance Form Factor
• Tokenization
• Token Vault
• Authentication & Access Control
• High Performance, optimized for Intel® Multi-Core

Benefit Summary
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose tokenization scheme appropriate for your business
• High performance operation ensures low-latency document processing
• Leverage existing enterprise identity management investments
• Avoid token migration challenges
• Minimize change to existing applications compared to E2E encryption
For Additional Information, go to: www.intel.com/go/identity

• Download Eval
• Data Sheet
• PCI White Paper
• Assessors Guide

E-mail: intelsoainfo@intel.com
Cloud Service Broker Capabilities

Technology Enablement
Market Shifts to Brokers to Solve Cloud Consumption Complexity

Figure: the Enterprise (Apps, IdM, Legacy, Mobile) consumes services through an IT Broker running a CSB Platform in the Private Cloud and through a 3rd Party Broker running a CSB Platform in the Public Cloud, which fronts Providers of SaaS, PaaS, IaaS, B2B and App Mashups. Functions exposed as a Service API: Security/Governance, Billing, Integration, Support, Process.

CSB is a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services.

3 Broker Types
• Aggregation - Distributor/Solution Provider: unify access via service bundling
• Integration - System Integrator: new functions via data/process integration
• Customization - ISV: new functions via service enhancement

Do-it-yourself IT and/or 3rd Party Consumption Models
Software and Services Group
Specialty Focus on Cloud Access & Security Brokerage

Figure: Identity & Services Brokers sit between the IT Private Cloud, IT Public/Hybrid cloud, Cloud Provider Bundled services and 3rd Party Services. Access Platform Functions: Authentication, Policy Enforce & Orchestrate, ID Integration, Compliance, IID Context, Federation, Transport, AuthZ. Enabling Technology is supplied by the Cloud Security Platform listed below.

Cloud Security Platform
• Strong Auth: Adaptive; Client aware; Soft token; Hard token; OOB Signing
• Access: SSO; Provisioning; XACML; STS Token Mapping; IdM Connectors
• Data Security: Tokenization (PII, PHI, PAN); Encryption; DLP; SIEM; Logs (Data, User, Apps)
• Gov & Integration: API Mgt; Edge Threats; Meter; Orchestrate; Transform; Protocol
• Form Factor: Soft, hardware, VM appliance; Multi-tenant as-a-service; Mobile Browser & Native

Intel & McAfee are CSB platform technology providers
Cloud Access Broker Vision: Example IT as a Broker

Supports “mix and match” of capabilities per internal/external tenant

Figure: the Trusted Internal Network (Apps, IDM and Middleware; Departments 1-n; Employees, Administrators; Browser and Mobile Applications behind Strong Auth) reaches the IT Private Cloud “Broker” through M2M Service Calls and Portal/Browser Requests. The broker hosts Tenant #1 Identity Broker, Tenant #2 PII Tokenization, Tenant 3 API Mgt and Tenant 4 Transform & Orchestrate, which connect over HTTP, REST and SOAP to IaaS and PaaS Applications, SaaS Applications, External Enterprise Browser and Mobile Applications, and Partner Apps & 3rd Party Brokers.

• Extends security policy to cloud
• Complete visibility & audit
• Enables aggregation of services
• Protects PII data stored in cloud
• Up-levels security posture of providers with strong auth overlay
Use Model: Cloud Security Gateway & API Security

Figure: Service Clients and Mobile Clients reach on-premise Enterprise applications through an API/Service Proxy (SOAP/REST) that provides:
• Perimeter Security
• Authentication
• Quality of Service
• Policy Control
• API Versioning
• Auditing

See detailed back up for All Use Case Diagrams
Expressway provides API Security for vCloud

Figure: a Non-vCloud Partner (SOAP) reaches vCloud through Expressway, which applies REST API Security:
• SSL/TLS Termination
• SOAP to REST Mediation
• Authentication
• HTTP Inspection
• Message Throttling
• Audit Logging
• API Masking
• API Versioning
• Strong Authentication
• Code Injection Protection
• Threat detection / AV scanning in OVF files

Intel® Expressway can provide full API protection and mediation for vCloud
Case Study
Hybrid Cloud Bursting (PaaS)

[Diagram: Enterprise (IdM or Active Directory, Portal Application) -> Service Gateway (Private Cloud) -> Amazon EC2 Storage (Public Cloud)]

Flow:
1. Enterprise Portal Login
2. Local Authentication
3. Resource Request
4. AWS Credential Mapping and Data Retrieval

The Gateway mediates access to public cloud services:
• Perimeter Security
• Seamless User Experience
• Preserve existing IDM investments
• Abstract cloud providers
• Data Control
                                                                                               36
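The four-step flow on the case-study slide (and the authentication, throttling and auditing duties the gateway slides list) as an added, constructed example; this is not Intel® Expressway code, and the enterprise directory, the group-to-credential map, the simplified HMAC request signature and the fake cloud storage backend are all stand-ins. The point it shows: the client only ever holds a gateway session, the cloud secret stays inside the gateway, every request is throttled and audited, and a user whose group has no cloud mapping is refused before any cloud call is made.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"constructed-salt"  # constructed; a real directory stores a per-user salt


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Stand-in for the enterprise IdM / Active Directory (constructed users and groups).
DIRECTORY = {
    "alice": {"hash": pw_hash("correct horse"), "groups": {"analytics"}},
    "bob": {"hash": pw_hash("hunter2"), "groups": {"intern"}},
}

# Assumed mapping from enterprise group to a public-cloud credential (step 4).
# The secret lives only here: clients get gateway sessions, never cloud keys.
CREDENTIAL_MAP = {
    "analytics": {"key_id": "AKIA-CONSTRUCTED", "secret": b"constructed-cloud-secret",
                  "bucket": "burst-data"},
}


def sign(secret: bytes, bucket: str, obj: str, ts: int) -> str:
    """Simplified request signature (same idea as AWS SigV4, not the real algorithm)."""
    msg = f"GET\n{bucket}\n{obj}\n{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class FakeCloudStorage:
    """Stand-in for the public-cloud storage API; only freshly signed requests are served."""

    def __init__(self, key_id: str, secret: bytes):
        self.keys = {key_id: secret}
        self.objects = {("burst-data", "report.csv"): b"id,total\n1,42\n"}  # constructed data

    def get(self, key_id, bucket, obj, ts, sig):
        secret = self.keys.get(key_id)
        if secret is None or abs(int(time.time()) - ts) > 300:
            return 403, b""
        if not hmac.compare_digest(sig, sign(secret, bucket, obj, ts)):
            return 403, b""
        return (200, self.objects[(bucket, obj)]) if (bucket, obj) in self.objects else (404, b"")


class ServiceGateway:
    def __init__(self, cloud: FakeCloudStorage, rate_limit: int = 3, window: int = 60):
        self.cloud, self.rate_limit, self.window = cloud, rate_limit, window
        self.sessions = {}   # session id -> (user, expiry)
        self.hits = {}       # user -> recent request timestamps (message throttling)
        self.audit = []      # audit log; entries never carry cloud secrets

    def _log(self, user, action, outcome):
        self.audit.append({"ts": int(time.time()), "user": user, "action": action, "outcome": outcome})

    def login(self, user: str, password: str):
        """Steps 1 and 2: portal login, authenticated locally against the directory."""
        entry = DIRECTORY.get(user)
        ok = entry is not None and hmac.compare_digest(entry["hash"], pw_hash(password))
        self._log(user, "login", "ok" if ok else "denied")
        if not ok:
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, time.time() + 900)
        return sid

    def fetch(self, sid: str, obj: str) -> dict:
        """Steps 3 and 4: resource request, credential mapping, data retrieval."""
        sess = self.sessions.get(sid)
        if sess is None or sess[1] < time.time():
            return {"status": 401, "body": b""}
        user, now = sess[0], time.time()
        recent = [t for t in self.hits.get(user, []) if now - t < self.window]
        if len(recent) >= self.rate_limit:
            self._log(user, "fetch " + obj, "throttled")
            return {"status": 429, "body": b""}
        self.hits[user] = recent + [now]
        cred = next((CREDENTIAL_MAP[g] for g in DIRECTORY[user]["groups"] if g in CREDENTIAL_MAP), None)
        if cred is None:
            self._log(user, "fetch " + obj, "no cloud mapping")
            return {"status": 403, "body": b""}
        ts = int(now)
        status, body = self.cloud.get(cred["key_id"], cred["bucket"], obj, ts,
                                      sign(cred["secret"], cred["bucket"], obj, ts))
        self._log(user, "fetch " + obj, str(status))
        return {"status": status, "body": body}
```

Swapping `FakeCloudStorage` for a real provider client changes only `fetch`'s last step, which is what "abstract cloud providers" buys you: the portal, the directory and the session handling stay the same.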

Straight Talk on Data Tokenization for PCI & Cloud

1. Straight Talk on Data Tokenization for PCI & Cloud
• [Diagram: PAN Data -> Tokens]
• Presented by: Andy Thurai, Intel® Application Security & Identity Products

2. Tokenization and PCI
• Tokenization: replacing a valuable piece of information with a surrogate value, or token
  - In a PCI context, replacing PAN data with random number strings
• Why tokens?
  - Reduce PCI scope, cost of PCI compliance
  - Increase security

3. Does it Apply to Me?
• "PCI DSS compliance includes merchants and service providers who ACCEPT, CAPTURE, STORE, TRANSMIT or PROCESS credit and debit card data."
• PCI DSS 2.0 standards became effective on January 1st. Is your organization prepared?

4. The Case for Tokenization
• Replace PAN with (random) number - token
• Use that random number EVERYWHERE in your environment
• Keep PAN and reference to token (only in the token vault)

5. Tokenization Use Cases
• PCI scope without tokenization
  - Everything is in PCI scope

6. Tokenization Use Cases
• Tokenization replaces primary account number (PAN) data with surrogate value, or "token"
• Token engine and vault in scope, but post-payment applications may be out of scope

7. Tokenization Use Cases
• Tokenization can be outsourced: processor

8. Tokenization Use Cases
• Tokenization can be outsourced: 3rd party

9. Tokenization
• Construction
  - Tokens should be random
• Options
  - Single- or multi-use
  - Format preserving (characteristics of a PAN)
  - Lifetime
• Tokenization is not encryption
  - Encryption is reversible, tokens are not (no key derives the PAN from the token; it can only be looked up in the vault)
  - Encryption has a role in token vault

10. Tokenization and PCI Council
• Tokens can reduce scope
• "The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation."
• "High-value" tokens may be in scope, e.g.:
  - Used as a payment instrument
  - Initiate a transaction

11. Tokenization and PCI Council
• What does it mean?
  - Guidance is, well, guidance
  - Tokenization can reduce PCI scope
  - High-value tokens require additional controls
  - High-value tokens used to initiate a transaction might be in scope
• Remember
  - Token engine and vault always in scope
  - Access to token vault must be restricted

12. Implementing Tokenization: Options

  Tokenization Option      Advantages                  Disadvantages
  -----------------------  --------------------------  ------------------------------------------
  Internal, Home Grown     Control                     Security a core strength?
                                                       Time and cost to implement
  Internal, Package        Control                     Cost
                           Flexibility                 Time to implement
                                                       Expertise/functionality
  3rd Party, Processor     Easy implementation         Cost
                           Good PCI scope reduction    Limited flexibility
                                                       Compatibility with apps
                                                       Vendor lock-in
  3rd Party, Token Vendor  Easy implementation         Cost
                           Good PCI scope reduction    Compatibility with apps
                                                       Vendor lock-in
                                                       Business risk (PCI DSS 12.8, managing service providers)

13. Implementing Tokenization: Options
• Third-party solutions appeal to smaller (L3, L4) merchants
  - Ease
  - Cost
• Internal hosting appropriate for larger (L1, L2) merchants and service providers
  - Control
  - Technical capabilities

14. Implementing Tokenization: Security
• The tokenization security tradeoff
  - Tokens are secure, but...
  - Any breach of token vault could be devastating
• Protecting the token vault
  - Restricting and authenticating users and access
  - Segmenting network to isolate out of scope systems
  - Ensuring physical security
  - Managing PAN encryption and key management
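The token properties from slide 9 (random, format preserving, single- or multi-use, lifetime, "encryption has a role in the vault"), the restricted vault access from slide 11 and the vault protections from slide 14, pulled together in one added, constructed example; it is not the deck's own code nor Intel® Expressway. The vault, the `payment-app` role that alone may detokenize, the stand-in cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag, to be replaced by AES-GCM under an HSM/KMS-managed key in production) and the design choice of rejecting Luhn-valid tokens so a token can never be mistaken for a real PAN are all assumptions. The keyed PAN index is what makes multi-use tokens searchable and joinable without decrypting anything, which is the point of slide 17.

```python
import hashlib
import hmac
import secrets
import time


def luhn_ok(digits: str) -> bool:
    """Luhn check: real PANs pass it; tokens below are chosen so that they fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class VaultCrypto:
    """PRF-based stream cipher plus HMAC tag (encrypt-then-MAC) and a keyed lookup index,
    all derived from one vault master key. Stand-in for AES-GCM under an HSM/KMS key."""

    def __init__(self, master_key: bytes):
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.idx_key = hmac.new(master_key, b"idx", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()

    def open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("vault record tampered")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def index(self, pan: str) -> str:
        """Keyed index: a multi-use lookup finds an existing token without a plaintext PAN column."""
        return hmac.new(self.idx_key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    # Assumption: only the payment application role may reverse a token (slide 11).
    DETOKENIZE_ROLES = {"payment-app"}

    def __init__(self, master_key: bytes):
        self.crypto = VaultCrypto(master_key)
        self.records = {}    # token -> {"blob", "multi", "expires"}
        self.by_index = {}   # keyed PAN index -> multi-use token

    def _new_token(self, pan: str) -> str:
        """Random and format preserving: same length, digits only, last four kept; never Luhn-valid."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self.records and not luhn_ok(token):
                return token

    def tokenize(self, pan: str, multi_use: bool = True, ttl=None) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a PAN")
        idx = self.crypto.index(pan)
        if multi_use and self.by_index.get(idx) in self.records:
            return self.by_index[idx]          # same PAN -> same token: searchable, joinable
        token = self._new_token(pan)
        self.records[token] = {"blob": self.crypto.seal(pan.encode()), "multi": multi_use,
                               "expires": None if ttl is None else time.time() + ttl}
        if multi_use:
            self.by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError("detokenization not allowed for role " + caller_role)
        rec = self.records.get(token)
        if rec is None:
            raise KeyError("unknown token")
        if rec["expires"] is not None and time.time() > rec["expires"]:
            del self.records[token]
            raise KeyError("token expired")
        if not rec["multi"]:
            del self.records[token]            # single-use: consumed on first reversal
        return self.crypto.open(rec["blob"]).decode()
```

Everything outside `TokenVault` only ever sees the token, which is why post-payment systems can leave scope while the vault, its master key and whoever holds the `payment-app` role never do.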
  • 15. Internal vs. External Tokenization External Tokenization: Internal Tokenization: • BIG Vision! • Easier to Implement • Solves BIG Problems! • Solves URGENT Problems! • Involves processors, brands, • Only involves YOUR 3rd parties organization Example: Example: Cybersource/VISA model 15
  • 16. Intel Application Security and Identity Products • Review of what is available today • On-premise software, hardware or virtual machines for • (1) Lightweight ESB, transformation, integration • (2) Edge Security – Perimeter defense, Cloud API management, authentication, throttling, metering, auditing • (3) Tokenization – PCI DSS, format preserving tokenization for service calls, documents, files and databases 16
  • 17. Data Tokenization for Cloud or PCI Tokenization enables faster searching for data vs encryption 17
  • 18. Expressway PCI Scope Reduction with Internal Tokenization Hosted Payment Payment Gateways Processors Payment Applications Customer Internet Data Warehouse Retail / Card Swipe / Chip Reader Store / Keypad Server Point of Sale Environment (POS) CRM Order Applications Processing Applications Point of Sale Environment PCI Scope Complete Merchant PCI Scope Merchant Data Center Reduced or Removed PCI Scope 18
  • 19. Goal: E-Commerce Order Processing Manual Invoice Processing Problem: Exception cases require manual review, bringing additional systems into scope Solution: Internal tokenization Payment Processor E-Commerce Invoice with Payment BPM Supply Web Server Supply Website Credit Card Number Application System Chain App Chain App Order Exception Manual review of invoice and re-entry Portal Additional … Data Store Post-Payment Applications PCI Scope Merchant Data Center 19
• 20. Goal: E-Commerce Order Processing / Manual Invoice Processing
  [Follow-on diagram to slide 19 with the same problem, solution and component labels.]
• 21. Goal: Bill Processing, Consolidation, Printing (Financial Statement Processor)
  Problem: Non-payment processing applications contain PAN information, increasing scoping costs
  Solution: Internal tokenization
  [Diagram: customer billing information and large data feeds with PAN data → IBM WebSphere middleware, connected apps, databases, portals → invoicing, bill payment, bill production and printing, bank statement customization and consolidation → customized bills, statements and documents with the original PAN. PCI scope drawn across the service provider data center.]
• 22. Goal: Bill Processing, Consolidation, Printing (Financial Statement Processor)
  Problem: Non-payment processing applications contain PAN information, increasing scoping costs
  Solution: Internal tokenization
  [Diagram, after tokenization: customer billing information and large data feeds with PAN data → Edge Security + Tokenization → data with tokens → connected apps, databases, portals → invoicing, bill payment, bill production and printing, bank statement customization and consolidation → customized bills, statements and documents. PCI scope in the service provider data center is reduced to the tokenization tier.]
• 23. Typical Retail Architecture
  [Diagram: browser → e-commerce website engine; retail POS; syndication channels (Amazon); authorization engine; settlement engine.]
• 24. Typical PCI DSS Scope
  [Same diagram as slide 23 with a legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope.]
• 25. Scope with Expressway Tokenization Broker
  [Same diagram as slide 24 with the Tokenization Broker inserted; legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope.]
• 26. Intel® Expressway Tokenization Broker: Product Components
  • Hardware or Software Broker
    - Tamper-resistant appliance
    - Software on Linux AS5-64
  • Sample Tokenization Application
    - Token exchange
    - Token management
  • Secure Token Vault
    - HQSQL starter token vault
    - Production database schemas
  • Intel® Services Designer
    - Policy design and deployment
    - Token exchange / management actions
  • Web Interface
    - Policy deployment and monitoring
• 27. Addressing PCI DSS Requirements with Tokenization Broker
  PCI DSS requirement → Intel® Expressway Tokenization Broker capabilities
  • Build and maintain a secure network
    - Application-level security proxy and firewall
  • Protect cardholder data
    - Protects credit card data stored at rest / in transit
    - Supports tokenization for reduced PCI scope
  • Maintain a vulnerability management program
    - Integrates with on-premise virus scanning servers
    - Reduces threat of malicious attachments
  • Implement strong access control measures
    - Supports strong access control
    - Integrates with existing identity management investments
    - Improves physical security for tokenization through tamper-resistant form factor
  • Regularly monitor and test networks
    - Tracks, monitors and logs authorization requests from merchant to card processor
    - Offers regular testing and alerts in case of server failures
  • Maintain an information security policy
    - Maintains auditable security policies in hardened form factor
    - Allows for convenient review and change control
  Review our QSA Assessors Guide, which shows how Tokenization Broker addresses more than 200 PCI compliance requirements.
• 28. Intel® Expressway Tokenization Broker: Features & Benefits
  Feature summary:
  • Flexible software appliance form factor
  • Secure appliance form factor
  • Tokenization
  • Token vault
  • Authentication and access control
  • High performance, optimized for Intel® Multi-Core
  Benefit summary:
  • Reduce or remove payment applications and databases from PCI scope
  • Own and manage PAN data on-premise with a secure hardware appliance
  • Easily choose the tokenization scheme appropriate for your business
  • High-performance operation ensures low-latency document processing
  • Leverage existing enterprise identity management investments
  • Avoid token migration challenges
  • Minimize change to existing applications compared to E2E encryption
• 29. For Additional Information, go to: www.intel.com/go/identity
  • Download Eval
  • Data Sheet
  • PCI White Paper
  • Assessors Guide
  E-mail: intelsoainfo@intel.com
• 30. Cloud Service Broker Capabilities: Technology Enablement
• 31. Market Shifts to Brokers to Solve Cloud Consumption Complexity
  [Diagram: Enterprise (apps, IdM, B2B, legacy, app mashups, mobile; private cloud) ↔ IT broker / 3rd party service broker (CSB platform) ↔ providers (SaaS, PaaS, IaaS; public cloud). Broker functions and service API: security/governance, billing, integration, support, process.]
  A CSB is a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services.
  3 broker types:
  • Aggregation (distributor / solution provider): unify access via service bundling
  • Integration (system integrator): new functions via data/process integration
  • Customization (ISV): new functions via service enhancement
  Consumption models: do-it-yourself IT and/or 3rd party
  Software and Services Group
• 32. Specialty Focus on Cloud Access & Security Brokerage
  [Diagram: identity and services brokers sit between the IT private cloud, the IT cloud provider, 3rd party cloud and public/hybrid cloud. Bundled service access platform functions: policy enforcement, authentication and authorization, orchestration, ID integration and federation, compliance, ID context, transport.]
  Enabling technology (Cloud Security Platform):
  • Strong Auth: adaptive, client aware, soft token, hard token, OOB, mobile browser
  • Access: SSO, provisioning, XACML, STS token mapping, IdM connectors
  • Data Security: tokenization (PII, PHI, PAN), encryption, DLP, signing
  • Gov & Integration: API management, edge threats, metering, orchestration, transformation, protocol and native, SIEM, logs (data, user, apps)
  • Form Factor: software, hardware, VM appliance; multi-tenant as-a-service
  Intel & McAfee are CSB platform technology providers
• 33. Cloud Access Broker Vision: Example IT as a Broker
  [Diagram: the IT private cloud "broker" (identity broker, tokenization, API management, strong authentication, transform and orchestrate) fronts IaaS and PaaS applications, SaaS applications, external enterprise applications, and partner apps and 3rd party brokers, supporting a mix and match of capabilities per internal/external tenant (Tenants 1-4). Consumers: internal apps, IdM and middleware on the trusted internal network; departments 1-n; employees and administrators via browser and mobile; M2M service calls carrying PII; transports HTTP, REST/SOAP.]
  • Extends security policy to cloud
  • Complete visibility and audit
  • Enables aggregation of services
  • Protects PII data stored in cloud
  • Up-levels security posture of providers with strong auth overlay
• 34. Use Model: Cloud Security Gateway & API Security
  API/service proxy (SOAP/REST) between service clients or mobile clients and on-premise enterprise applications:
  • Perimeter security
  • Authentication
  • Quality of service
  • Policy control
  • API versioning
  • Auditing
  See detailed back-up for all use case diagrams
• 35. Expressway provides API Security for vCloud
  [Diagram: non-vCloud partner (SOAP) and REST API clients → Expressway → vCloud]
  API security:
  • SSL/TLS termination
  • SOAP to REST mediation
  • Authentication / strong authentication
  • HTTP inspection
  • Message throttling
  • Audit logging
  • API masking
  • API versioning
  • Code injection protection
  • Threat detection / AV scanning in OVF files
  Intel® Expressway can provide full API protection and mediation for vCloud
• 36. Case Study: Hybrid Cloud Bursting (PaaS)
  Flow: 1. Enterprise portal login → 2. Local authentication (enterprise IdM or Active Directory) → 3. Resource request → 4. AWS credential mapping and data retrieval (Amazon EC2 / storage service, via the gateway)
  The gateway mediates access to public cloud services:
  • Perimeter security
  • Seamless user experience
  • Preserve existing IdM investments
  • Abstract cloud providers
  • Data control
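The slide names the four steps but not the mechanism that makes "preserve existing IdM investments" and "abstract cloud providers" true at the same time: the user authenticates to the enterprise directory only, and the gateway, the sole holder of the provider credentials, signs the outbound call on the user's behalf. The block below is an added illustration, not Intel's code: a stand-in directory with PBKDF2-hashed passwords, a group-to-credential mapping, and a standard-library implementation of the public AWS Signature Version 4 algorithm for the EC2 DescribeInstances call. Users, passwords, the group mapping and the hostname are constructed; the access key and secret are the placeholder values AWS uses in its own documentation.

```python
"""Gateway-side credential mapping for cloud bursting (added example; not the product's code)."""
import datetime as dt
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote

_SALT = b"constructed-directory-salt"


def _pwhash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Step 2: stand-in for the enterprise IdM / Active Directory (constructed users).
DIRECTORY = {
    "alice": {"pw": _pwhash("correct horse battery"), "group": "cloud-users"},
    "mallory": {"pw": _pwhash("hunter2"), "group": "contractors"},
}

# Step 4: only the gateway holds provider credentials, mapped per directory group.
CLOUD_CREDENTIALS = {
    "cloud-users": {"access_key": "AKIDEXAMPLE",
                    "secret_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"},
}


def authenticate(user: str, password: str) -> Optional[str]:
    """Return the user's group on success, else None. Unknown users still pay the
    hash cost so response timing does not reveal which account names exist."""
    rec = DIRECTORY.get(user)
    candidate = _pwhash(password)
    if rec is None or not hmac.compare_digest(rec["pw"], candidate):
        return None
    return rec["group"]


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the long-term secret never signs a request directly."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sigv4_authorization(access_key, secret_key, method, host, path, query,
                        region, service, amz_date, payload=b""):
    """Authorization header for a request whose host and x-amz-date headers are signed."""
    date = amz_date[:8]
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    headers = {"host": host, "x-amz-date": amz_date}
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_request = "\n".join([method, path, canonical_query, canonical_headers,
                                   signed_headers, hashlib.sha256(payload).hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def broker_request(user: str, password: str, amz_date: Optional[str] = None) -> Optional[dict]:
    """Steps 1-4: portal login -> local auth -> resource request -> mapped, signed cloud call.
    Returns the headers the gateway would send to EC2, or None when the user fails
    authentication or has no credential mapping (the request never leaves the enterprise)."""
    group = authenticate(user, password)
    if group is None or group not in CLOUD_CREDENTIALS:
        return None
    creds = CLOUD_CREDENTIALS[group]
    amz_date = amz_date or dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    host = "ec2.us-east-1.amazonaws.com"                  # assumed target endpoint
    query = {"Action": "DescribeInstances", "Version": "2016-11-15"}
    auth = sigv4_authorization(creds["access_key"], creds["secret_key"], "GET", host, "/",
                               query, "us-east-1", "ec2", amz_date)
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": auth,
            "url": f"https://{host}/?Action=DescribeInstances&Version=2016-11-15"}


if __name__ == "__main__":
    print(broker_request("alice", "correct horse battery"))
```

The point to check in any real deployment is the one the test below checks: nothing the user receives contains the provider secret, and a user who authenticates but has no mapping (the contractor here) gets no signed request at all, so revoking cloud access is a directory change rather than a key rotation.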

Editor's Notes

  1. Visa: “Knowing only the token, the recovery of the original PAN must not be computationally feasible” see page 18
  2. Intel Expressway Tokenization Broker enables an organization to tokenize sensitive data such as credit card information so that back end enterprise systems or cloud based environments do not store or handle the data directly. This has an added benefit of taking systems out of scope for PCI-DSS audits. Tokenization produces faster searches of data vs encrypting and decrypting data.
  3. Editor’s Note: Once again, match the product components/benefits on this slide with the customer’s specific needs.
  4. EAM
     Software Appliance Form Factor: Red Hat AS5 64-bit, Solaris 10 64-bit, SLES 11, Windows 2003
     Secure Appliance Form Factor: physical tripwire, secure boot and BIOS snooping protection, seamless disk encryption, hardware random number generation
     Tokenization: format-preserving tokens based on secure random number generation
     Token Vault: automatic encryption of PAN data (AES/3DES); includes starter token vault; supports Oracle, MySQL, SQL Server
     Authentication and Access Control: integrates with identity management systems for secure PAN data retrieval
     Performance: built on Intel's high-performance service gateway platform optimized for Intel® Multi-Core
     Customers' benefits include: reducing or removing payment applications and databases from PCI scope; owning and managing PAN data on-premise with a secure hardware appliance; easily choosing the tokenization scheme appropriate for their businesses; high-performance operation that ensures low-latency document processing; leveraging existing enterprise identity management investments; avoiding token migration challenges; minimizing changes to existing applications compared to E2E encryption
  5. Resources on the PCI Solutions page of DP include the following: Eval Version of Tokenization Broker Data Sheet PCI DSS White Paper Gateway Tokenization Webinar Playback QSA Assessors Guide (New content’s being added on a regular basis- Please keep posted!)
  6. While many varying definitions of a Cloud Service Brokerage exist, in general they follow the same value propositions. Gartner defines a CSB as a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services. This can be further segmented into 3 broker types. An Aggregation brokerage unifies service access for consumers through service bundling and unified billing, and is responsible for overall SLAs; this is common today, for instance there are CSBs that aggregate licensing, support, reporting, migration kits, etc. for Google Apps, and many other examples exist. Integration brokerages go one step further by organizing services, integrating multiple on-prem and cloud data service providers to create a complete product offering, generally around a vertical industry or community business process. Examples are the many large B2B supply chain oriented exchanges that have connected vertical industries for years, like GHX in healthcare or Covisint in automotive supply chain management. This role will go beyond the narrow B2B role to service any community business process. Running an integration brokerage with people and connected processes will require expertise in security, integration/translation, service governance and API management, to name a few. Security is such an important and complex area that it may evolve into specialized security brokerage providers that integration brokerages leverage. Customization brokerages actually create brand new value-added services that may be tailored uniquely for the enterprise cloud consumer. In the CSB realm there is a role for 3rd party broker operators and a role where IT creates a brokerage for a certain set of services it wishes to maintain under its control as it manages consumption by internal departments. Many IT departments are already planning for a unified cloud access layer in their enterprise architectures to be operated in a private cloud.
Bottom line: CSBs help simplify sourcing and technical consumption, improve time to market and add value with a better ROI.