What the PCI Task Force Didn't Say (presentation transcript)
What is Tokenization?
A token is a surrogate value which is substituted for the actual data (e.g. a credit card number) while the actual data is encrypted and stored securely.
– It's not the same as the 'token' used for two-factor authentication.
– It's not the 'token' used for lexical analysis (creating a programming language).
PCI DSS compliance
– Reducing scope as part of PCI DSS compliance
– Reducing annual / ongoing PCI DSS audit costs
Reducing risk within and outside the enterprise
– Limiting exposure to sensitive data
– Credit card numbers
– Personally Identifiable Information (PII)
– Protected Health Information (PHI)
Limiting application changes
– Encrypting data enlarges field sizes
– Tokens, as we'll see, do not require field sizes to be increased
Encryption vs. Tokenization

Encryption | Tokenization
Cipher text is binary and typically larger than the original data | Tokens are the same type and length as the original data
Cipher text retains none of the original data, even when allowed | Tokens can contain a portion of the original data (e.g. first six and last four of the CC number) yet still be secure
Cipher text changes each time the same original data is encrypted | Tokens maintain a 1-to-1 relationship with the original data; tokens may be used as primary/foreign keys
Cipher text exposed in more places, and key management is more difficult | Cipher text maintained in a secure vault, and key management is simplified
Typically requires more application changes | Typically requires fewer application changes
Distributed logging and auditing | Centralized logging and auditing
Systems remain "in scope" | Many systems taken "out of scope"
Original data values cannot be mathematically derived from the token
– Tokens can be safely passed to databases, applications, mobile devices, etc.
– Solves the age-old problem of data for development and testing!
Tokens can be formatted to:
– Preserve the format (length and data type)
  Original data: 3752 5712250 3125  →  Token: 3752 4333906 3125  (head / body / tail)
– Preserve a number of leading and trailing characters
  Original data: 3752 5712250 3125  →  Token: 3752 X4mbAdLQ 3125  (head / body / tail)
– Mask a portion of the token when a full value is not needed or desirable
  Original data: 3752 5712250 3125  →  Token: 3752 ******* 3125  (head / body / tail)
Tokens that maintain the length and format of the original data
Formatted tokens can be used wherever masked credit card information is required
USING CREDIT CARD NUMBER: 3752 5712250 3125
USING TOKEN: 3752 4333906 3125
– Leading digits determine card type: standard, private label, gift card
– Last 4 digits for confirmation
Therefore systems are removed from PCI DSS scope wherever tokenized data suffices
Formatted tokens can be used wherever masked personally identifiable information is required
SOCIAL SECURITY NUMBER: 375-57-2125
USING TOKEN: 433-39-2125
– Last 4 digits retain confirmation info: "What are the last 4 digits of your Social Security Number?"
Therefore wherever tokenized data suffices, risk is reduced
Same token value is consistent for the same data across the entire enterprise
– Maintains referential integrity across applications
– Data analysis can be performed using the token, e.g. in a data warehouse

Before (using credit card number)         After (using token)
Transaction: 1                            Transaction: 1
CC#: 3752 5712250 3125                    CC#: 3716 4136820 3125
Item: Paper                               Item: Paper
Item: Stapler                             Item: Stapler
Item: Staples                             Item: Staples
Transaction: 2                            Transaction: 2
CC#: 3752 5712250 3125                    CC#: 3716 4136820 3125
Item: Paper                               Item: Paper
Item: Notebook                            Item: Notebook
Item: Staples                             Item: Staples
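The properties claimed in the encryption-vs-tokenization table and the formatting, masking and referential-integrity slides above can be checked in code. What follows is an added example written for this transcript; it is not code from Liaison, Securosis or any product the deck describes, and it uses only the Python standard library. So that it runs offline, the vault's at-rest encryption is a SHA-256 counter-mode keystream standing in for AES; the sample card number and SSN are made up, the key is a constant placeholder, and the "payment-gateway" caller name is an assumption. Head/tail counts default to 4 and 4 to match the slide's 3752 ... 3125 examples, and head=0 reproduces the SSN example.

```python
import hashlib
import os
import secrets
import string

# Constructed sample values for the example; the card number and SSN are made up.
SAMPLE_PAN = "3752 5712250 3125"
SAMPLE_SSN = "375-57-2125"

# Constructed vault key. In a real deployment the key lives in an HSM/KMS, not in source.
VAULT_KEY = b"\x00" * 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Hash-based counter-mode keystream: a stdlib stand-in for AES-CTR so the example runs offline."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: str) -> bytes:
    """Randomised encryption: a fresh nonce per call, so the same input yields different, longer, binary output."""
    nonce = os.urandom(12)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def split_value(value: str, head: int, tail: int):
    """Split into (head, body, tail). Counts are in alphanumeric characters; separators stay where they are."""
    sig = [i for i, c in enumerate(value) if c.isalnum()]
    if len(sig) <= head + tail:
        raise ValueError("value too short: keeping head and tail would expose all of it")
    start = sig[head]
    end = sig[len(sig) - tail] if tail else len(value)
    return value[:start], value[start:end], value[end:]


def mask(value: str, head: int = 4, tail: int = 4, fill: str = "*") -> str:
    """Mask the body for display; works on a token or on the original value."""
    h, body, t = split_value(value, head, tail)
    return h + "".join(fill if c.isalnum() else c for c in body) + t


def _random_body(body: str) -> str:
    """Replace every digit/letter with a random one of the same class; separators are kept."""
    out = []
    for c in body:
        if c.isdigit():
            out.append(secrets.choice(string.digits))
        elif c.isalpha():
            out.append(secrets.choice(string.ascii_letters))
        else:
            out.append(c)
    return "".join(out)


class TokenVault:
    """Maps sensitive values to format-preserving tokens; the real values are stored encrypted."""

    def __init__(self, key: bytes, head: int = 4, tail: int = 4):
        self.key, self.head, self.tail = key, head, tail
        self._by_value = {}   # original value -> token: the 1-to-1 mapping
        self._by_token = {}   # token -> encrypted original value

    def tokenize(self, value: str) -> str:
        if value in self._by_value:           # same data -> same token across the enterprise
            return self._by_value[value]
        h, body, t = split_value(value, self.head, self.tail)
        while True:                           # retry on the rare collision with an existing token or the value itself
            token = h + _random_body(body) + t
            if token != value and token not in self._by_token:
                break
        self._by_value[value] = token
        self._by_token[token] = encrypt(self.key, value)
        return token

    def detokenize(self, token: str, caller: str, allowed=("payment-gateway",)) -> str:
        """Only the few systems that truly need the real value may ask for it; all others keep the token."""
        if caller not in allowed:
            raise PermissionError(f"{caller} may not de-tokenize")
        return decrypt(self.key, self._by_token[token])


def compare_properties(vault: TokenVault, value: str) -> dict:
    """Check the claims of the encryption-vs-tokenization table on one value."""
    c1, c2 = encrypt(vault.key, value), encrypt(vault.key, value)
    t1, t2 = vault.tokenize(value), vault.tokenize(value)
    h, _, t = split_value(value, vault.head, vault.tail)
    return {
        "ciphertext_changes_each_time": c1 != c2,
        "ciphertext_larger_than_original": len(c1) > len(value),
        "token_same_length": len(t1) == len(value),
        "token_consistent": t1 == t2,
        "token_keeps_head_and_tail": t1.startswith(h) and t1.endswith(t),
    }


def tokenize_transactions(vault: TokenVault, transactions: list) -> list:
    """Replace the card number in each record; grouping or joining on "cc" still works on the token."""
    return [{**tx, "cc": vault.tokenize(tx["cc"])} for tx in transactions]


if __name__ == "__main__":
    vault = TokenVault(VAULT_KEY)
    token = vault.tokenize(SAMPLE_PAN)
    print(SAMPLE_PAN, "->", token, "masked:", mask(token))
    print(compare_properties(vault, SAMPLE_PAN))
    print(vault.detokenize(token, caller="payment-gateway"))
```

The detokenize call is the one place the real value leaves the vault, which is why the deck can treat every system that only handles tokens as out of scope: a retail application, warehouse or log that never calls it holds nothing worth stealing.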
Presents: Tokenization and Addressing PCI-DSS
Adrian Lane
Outline
– Tokenization Paper
– Tokenization Guidance Fail
– Review of Tokenization
– Case Overview
Objectivity Disclaimer
This webcast is sponsored by Liaison, but all of the content is developed independently and represents Securosis objective research positions. For more information about our Totally Transparent Research process, visit: https://securosis.com/about/totally-transparent-research
PCI Security Standards
Tokenization Supplement: The Good
• August 2011: the PCI Council released a supplement on tokenization
• Described tokenization, how tokenization is used to replace credit card data, and discussed some deployment models
• Provides a security guide for token vaults
• Describes new risks unique to tokens
• Suggests scope reduction and reduced complexity is the goal
Tokenization Supplement: The Bad
• Failed to define how tokenization simplifies compliance
• Failed to discuss potential for improved security
• Failed to demonstrate scope reduction
• Stated tokenization does not change PCI-DSS
• Failed to update SAQ or PCI-DSS
Tokenization Supplement: The Ugly
• Section called 'maximizing scope reduction' does not specify a method to reduce scope
• Failed to define testing procedures for merchants
• Failed to guide QSAs on what to audit or how assessments will change
• No change in merchant liability even when CC#s are not present
Understanding how the supplement fails to provide guidance is important, as it frames the discussion on scope reduction and audit requirements.
Let's review tokenization
Tokenization:
• Tokenization replaces the sensitive data with a random value.
• Sensitive data is kept encrypted in a highly protected server or database.
• The token then replaces the sensitive data nearly everywhere and is used for internal systems.
• The real data is only exposed when absolutely necessary, or not at all.
[Diagram: Token Database and Token Server; Retail Application sends a de-tokenization request to the Token Server; tokenized databases and tokenized systems are out of scope]
You can't steal what's not there!
Reduction In Controls
[Diagram: Token Database, Token Server, Retail Application]
But wait, there's more
Other Use Cases
• 3rd Party Tokenization Services
• Tokenization of PII
• Tokenization for Health Care Information
Scope Reduction Summary:
• By removing confidential data
• Replace with low value token
• Not accessing token server
• Reducing system interdependence
• Fewer checks, controls and reports
Reduce Audit Costs
• Fewer systems
• Fewer services
• Fewer controls
• Fewer reports
• Less complexity
Jim Taylor
To view this webinar on demand: http://liaison.com/resource-center/webcasts/what-the-pci-task-force-didnt-say-registration

Liaison
• Solutions
  – Cloud EAI / Data Transformation
  – Cloud B2B Integration Services
  – BPM Consulting Services
  – SaaS Master Data Management
  – Web based, Hosted EDI
• Multinational
  – Global headquarters in Atlanta
  – European offices in Finland, Netherlands, Sweden, UK
  – More than 6000 customers worldwide in over 35 countries