Straight Talk on Data Tokenization for PCI & Cloud

Notes
  • Visa: “Knowing only the token, the recovery of the original PAN must not be computationally feasible” (see page 18).
  • Intel Expressway Tokenization Broker enables an organization to tokenize sensitive data such as credit card information so that back-end enterprise systems or cloud-based environments do not store or handle the data directly. This has the added benefit of taking those systems out of scope for PCI DSS audits. Tokenization also produces faster searches of data versus encrypting and decrypting it.
  • Editor’s Note: Once again, match the product components/benefits on this slide with the customer’s specific needs.
  • Software Appliance Form Factor: Red Hat AS5 64-bit, Solaris 10 64-bit, SLES 11, Windows 2003.
    Secure Appliance Form Factor: physical tripwire, Secure Boot and BIOS snooping protection, seamless disk encryption, hardware random number generation.
    Tokenization: format-preserving tokens based on secure random number generation.
    Token Vault: automatic encryption of PAN data (AES/3DES); includes a starter token vault; supports Oracle, MySQL, SQL Server.
    Authentication and Access Control: integrates with identity management systems for secure PAN data retrieval.
    Performance: built on Intel’s high-performance service gateway platform optimized for Intel® Multi-Core.
    Customers’ benefits include: reducing or removing payment applications and databases from PCI scope; owning and managing PAN data on-premise with a secure hardware appliance; easily choosing the tokenization scheme appropriate for their business; high-performance operation that ensures low-latency document processing; leveraging existing enterprise identity management investments; avoiding token migration challenges; minimizing changes to existing applications compared to E2E encryption.
  • Resources on the PCI Solutions page of DP include the following: Eval Version of Tokenization Broker, Data Sheet, PCI DSS White Paper, Gateway Tokenization Webinar Playback, QSA Assessors Guide (new content is being added on a regular basis; please stay posted!).
  • While many varying definitions of a Cloud Service Brokerage (CSB) exist, in general they follow the same value propositions. Gartner defines a CSB as a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services. This can be further segmented into three broker types:
    - An Aggregation brokerage unifies service access for consumers through service bundling and unified billing, and is responsible for overall SLAs. This is common today; for instance, there are CSBs that aggregate licensing, support, reporting, migration kits, etc. for Google Apps. Many other examples exist.
    - Integration brokerages go one step further by organizing services, integrating multiple on-premises and cloud data service providers to create a complete product offering, generally around a vertical industry or community business process. Examples are the large B2B supply-chain exchanges that have connected vertical industries for years, like GHX in healthcare or Covisint in automotive supply chain management. This role will go beyond the narrow B2B role to serve any community business process. Running an integration brokerage with people and connected processes will require expertise in security, integration/translation, service governance and API management, to name a few. Security is such an important and complex area that it may evolve into specialized security brokerage providers that integration brokerages leverage.
    - Customization brokerages actually create brand-new value-added services that may be tailored uniquely for the enterprise cloud consumer.
    In the CSB realm there is a role for third-party broker operators and a role where IT creates a brokerage for a certain set of services it wishes to keep under its control as it manages consumption by internal departments. Many IT departments are already planning for a unified cloud access layer in their enterprise architectures, to be operated in a private cloud.
    Bottom line: CSBs help simplify sourcing and technical consumption, improve time to market, and add value with a better ROI.

    1. Straight Talk on Data Tokenization for PCI & Cloud: PAN Data Tokens. Presented by Andy Thurai, Intel® Application Security & Identity Products.
    2. Tokenization and PCI
       • Tokenization: replacing a valuable piece of information with a surrogate value, or token. In a PCI context, replacing PAN data with random number strings.
       • Why tokens? Reduce PCI scope and the cost of PCI compliance; increase security.
    3. Does it Apply to Me?
       “PCI DSS compliance includes merchants and service providers who ACCEPT, CAPTURE, STORE, TRANSMIT or PROCESS credit and debit card data.”
       PCI DSS 2.0 standards became effective on January 1st. Is your organization prepared?
    4. The Case for Tokenization
       • Replace the PAN with a (random) number: the token.
       • Use that random number EVERYWHERE in your environment.
       • Keep the PAN and a reference to the token.
    5. Tokenization Use Cases
       • PCI scope without tokenization: everything is in PCI scope.
    6. Tokenization Use Cases
       • Tokenization replaces primary account number (PAN) data with a surrogate value, or “token”.
       • Token engine and vault are in scope, but post-payment applications may be out of scope.
    7. Tokenization Use Cases
       • Tokenization can be outsourced: processor.
    8. Tokenization Use Cases
       • Tokenization can be outsourced: 3rd party.
    9. Tokenization
       • Construction: tokens should be random.
       • Options: single- or multi-use; format preserving (characteristics of a PAN); lifetime.
       • Tokenization is not encryption: encryption is reversible, tokens are not; encryption has a role in the token vault.
    10. Tokenization and PCI Council
       • Tokens can reduce scope: “The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation.”
       • “High-value” tokens may be in scope, e.g. tokens used as a payment instrument or to initiate a transaction.
    11. Tokenization and PCI Council
       • What does it mean? Guidance is, well, guidance. Tokenization can reduce PCI scope. High-value tokens require additional controls. High-value tokens used to initiate a transaction might be in scope.
       • Remember: the token engine and vault are always in scope, and access to the token vault must be restricted.
    12. Implementing Tokenization: Options
       • Internal, home grown. Advantages: control. Disadvantages: is security a core strength? Time and cost to implement.
       • Internal, package. Advantages: control, cost, flexibility. Disadvantages: time to implement; expertise/functionality.
       • 3rd party, processor. Advantages: easy implementation; good PCI scope reduction. Disadvantages: cost; limited flexibility; compatibility with apps; vendor lock-in.
       • 3rd party, token vendor. Advantages: easy implementation; good PCI scope reduction. Disadvantages: cost; compatibility with apps; vendor lock-in; business risk (PCI DSS 12.8).
    13. Implementing Tokenization: Options
       • Third-party solutions appeal to smaller (L3, L4) merchants: ease, cost.
       • Internal hosting is appropriate for larger (L1, L2) merchants and service providers: control, technical capabilities.
    14. Implementing Tokenization: Security
       • The tokenization security tradeoff: tokens are secure, but any breach of the token vault could be devastating.
       • Protecting the token vault: restricting and authenticating users and access; segmenting the network to isolate out-of-scope systems; ensuring physical security; managing PAN encryption and key management.
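As an added example that is not from the deck or from Intel's product, here is the single-use, format-preserving token vault that slides 4, 9 and 14 describe, in Go: tokens are CSPRNG digits that keep the PAN's length and last four digits (an assumed scheme), the vault stores each PAN AES-GCM-encrypted under its token, and detokenization is gated by an authorization flag that stands in for the identity-management check; the key and PAN used in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Vault maps random tokens to AES-GCM-encrypted PANs. A token is drawn from a
// CSPRNG, never derived from the PAN, so the token alone gives no way back.
type Vault struct {
	aead    cipher.AEAD       // AES-GCM under the vault's data key
	byToken map[string][]byte // token -> nonce || ciphertext
}

func NewVault(aesKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(aesKey) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead, map[string][]byte{}}, err
}

// Tokenize mints a fresh format-preserving token (same length and last four
// digits, the rest CSPRNG digits; an assumed scheme) and stores the PAN
// encrypted under it, with the token as authenticated data so a ciphertext
// cannot be re-filed under another token. pan must be a validated 12-19 digit string.
func (v *Vault) Tokenize(pan string) (string, error) {
	body := len(pan) - 4
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(body)), nil)
	var tok string
	for tok == "" || v.byToken[tok] != nil { // re-draw on the rare collision
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		tok = fmt.Sprintf("%0*d", body, n) + pan[body:]
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	v.byToken[tok] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(tok))
	return tok, nil
}

// Detokenize is the only path back to a PAN, so everything able to reach it is
// in PCI scope; authorized stands in for the identity-management check.
func (v *Vault) Detokenize(tok string, authorized bool) (string, error) {
	blob, ok := v.byToken[tok]
	if !authorized || !ok {
		return "", errors.New("vault access denied or unknown token")
	}
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(tok))
	return string(pan), err
}
```

Because the token is bound to the ciphertext as AEAD associated data, copying one vault row under a different token fails to decrypt, which is the check a vault audit should exercise.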
    15. Internal vs. External Tokenization
       • External Tokenization: BIG vision! Solves BIG problems! Involves processors, brands, 3rd parties. Example: Cybersource/VISA model.
       • Internal Tokenization: easier to implement. Solves URGENT problems! Only involves YOUR organization.
    16. Intel Application Security and Identity Products
       • Review of what is available today: on-premise software, hardware or virtual machines for (1) lightweight ESB, transformation, integration; (2) edge security: perimeter defense, cloud API management, authentication, throttling, metering, auditing; (3) tokenization: PCI DSS, format-preserving tokenization for service calls, documents, files and databases.
    17. Data Tokenization for Cloud or PCI
       • Tokenization enables faster searching for data vs. encryption.
    18. Expressway PCI Scope Reduction with Internal Tokenization
       (Architecture diagram: hosted payment gateways and payment processors reached over the Internet; customer card swipe, chip reader and keypad in the point-of-sale environment; store server, payment applications, data warehouse, CRM and order-processing applications in the merchant data center. Legend contrasts “Complete Merchant PCI Scope” with “Reduced or Removed PCI Scope”.)
    19. Goal: E-Commerce Order Processing, Manual Invoice Processing
       Problem: exception cases require manual review, bringing additional systems into scope.
       Solution: internal tokenization.
       (Diagram: payment processor outside the merchant data center; e-commerce web server and website, invoice with credit card number, payment application, BPM system, supply chain apps, order exception portal with manual review of invoice and re-entry, additional data stores and post-payment applications; PCI scope marked.)
    20. Same text as slide 19.
    21. Goal: Bill Processing, Consolidation, Printing (Financial Statement Processor)
       Problem: non-payment processing applications contain PAN information, increasing scoping costs.
       Solution: internal tokenization.
       (Diagram: customer billing information and documents with original PAN, large data feeds with PAN data, connected databases and portals, IBM WebSphere middleware; invoicing, bill payment, bill production and printing, bank statement customization and consolidation applications producing customized bills and statements; PCI scope spans the service provider data center.)
    22. Same goal, problem and solution as slide 21.
       (Diagram adds Edge Security + Tokenization at the data feeds, so the downstream applications receive data with tokens instead of PAN data.)
    23. Typical Retail Architecture
       (Diagram: browser to e-commerce website engine, retail POS, syndication channels such as Amazon, authorization engine, settlement engine.)
    24. Typical PCI DSS Scope
       (Same diagram with legend: outside of retailer; in PCI DSS scope; out of PCI DSS scope.)
    25. Scope with Expressway Tokenization Broker
       (Same diagram and legend with the broker in place.)
    26. Intel® Expressway Tokenization Broker: Product Components
       • Hardware or software broker: tamper-resistant appliance; software on Linux AS5-64.
       • Sample tokenization application: token exchange; token management.
       • Secure token vault: HQSQL starter token vault; production database schemas.
       • Intel® Services Designer: policy design and deployment; token exchange/management actions.
       • Web interface: policy deployment and monitoring.
    27. Addressing PCI DSS Requirements with Tokenization Broker
       • Build and maintain a secure network: application-level security proxy and firewall; protects credit card data stored at rest and in transit.
       • Protect cardholder data: supports tokenization for reduced PCI scope.
       • Maintain a vulnerability management program: integrates with on-premise virus scanning servers; reduces the threat of malicious attachments.
       • Implement strong access control measures: supports strong access control; integrates with existing identity management investments; improves physical security for tokenization through a tamper-resistant form factor.
       • Regularly monitor and test networks: tracks, monitors and logs authorization requests from merchant to card processor; offers regular testing and alerts in case of server failures.
       • Maintain an information security policy: maintains auditable security policies in a hardened form factor; allows for convenient review and change control.
       Review our QSA Assessors Guide, which shows how Tokenization Broker addresses more than 200 PCI compliance requirements.
    28. Intel® Expressway Tokenization Broker: Features & Benefits
       • Feature summary: flexible software appliance form factor; secure appliance form factor; tokenization; token vault; authentication and access control; high performance, optimized for Intel® Multi-Core.
       • Benefit summary: reduce or remove payment applications and databases from PCI scope; own and manage PAN data on-premise with a secure hardware appliance; easily choose the tokenization scheme appropriate for your business; high-performance operation ensures low-latency document processing; leverage existing enterprise identity management investments; avoid token migration challenges; minimize change to existing applications compared to E2E encryption.
    29. For Additional Information, go to www.intel.com/go/identity. Downloads: Eval, Data Sheet, PCI White Paper, Assessors Guide. E-mail: intelsoainfo@intel.com.
    30. Cloud Service Broker Capabilities: Technology Enablement (section divider).
    31. Market Shifts to Brokers to Solve Cloud Consumption Complexity
       • Broker functions: security/governance, billing, integration, support, process.
       • A CSB is a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services.
       • Three broker types: Aggregation (distributor/solution provider: unify access via service bundling); Integration (system integrator: new functions via data/process integration); Customization (ISV: new functions via service enhancement).
       • Consumption models: do-it-yourself IT and/or 3rd party.
       (Diagram: enterprise consumers of apps, B2B, legacy, app mashups and mobile reach SaaS, PaaS, IaaS and IdM providers through an IT broker on a private-cloud CSB platform or a 3rd party service broker on a public-cloud CSB platform.)
    32. Specialty Focus on Cloud Access & Security Brokerage
       • Platform functions: policy enforcement, authentication and ID, orchestration, integration, compliance, context, federation, transport, AuthZ.
       • Enabling technology, strong auth: adaptive, client aware, soft token, hard token, OOB, mobile browser.
       • Enabling technology, access: SSO, provisioning, XACML, STS token signing/mapping, IdM connectors.
       • Enabling technology, data security: tokenization (PII, PHI, PAN), encryption, DLP.
       • Enabling technology, governance and integration: API management, edge threats, metering, orchestration, transformation, SIEM, logs (data, user, apps), protocol and native.
       • Form factor: software, hardware, VM appliance; multi-tenant as-a-service.
       Intel and McAfee are CSB platform technology providers.
    33. Cloud Access Broker Vision: Example IT as a Broker
       • Supports “mix and match” of capabilities per internal/external tenant.
       • Extends security policy to the cloud; complete visibility and audit; enables aggregation of services; protects PII data stored in the cloud; up-levels the security posture of providers with a strong-auth overlay.
       (Diagram: an IT private cloud “broker” with identity broker, tokenization, API management, strong auth, and transform and orchestrate functions; tenants 1-4 (internal departments, apps and middleware, external enterprise employees and administrators, partner apps and 3rd party brokers) reach IaaS/PaaS and SaaS applications over HTTP, REST and SOAP.)
    34. Use Model: Cloud Security Gateway & API Security
       • Perimeter security; authentication; quality of service; policy control; API versioning; auditing.
       (Diagram: an API/service proxy for SOAP/REST between service clients and mobile clients and on-premise enterprise applications. See the detailed backup for all use case diagrams.)
    35. Expressway provides API Security for vCloud
       • REST API security: SSL/TLS termination; SOAP to REST mediation; authentication; HTTP inspection; message throttling; audit logging; API masking; API versioning; strong authentication; code injection protection; threat detection and AV scanning of OVF files.
       • Intel® Expressway can provide full API protection and mediation for vCloud, including a non-vCloud partner (SOAP) path.
    36. Case Study: Hybrid Cloud Bursting (PaaS)
       • Flow: 1. enterprise portal login; 2. local authentication against IdM or Active Directory; 3. resource request; 4. AWS credential mapping and data retrieval from Amazon EC2 and storage.
       • The gateway mediates access to public cloud services: perimeter security; seamless user experience; preserve existing IDM investments; abstract cloud providers; data control.