Tokenization Webinar featuring Securosis - Intel

  1. Choosing From 3 Core PCI-DSS Tokenization Models
    - A. Tokenize 100%
    - B. Modify Apps
    - C. Proxy data in transit
    - Adrian Lane, Securosis PCI-DSS Analyst; Blake Dournaee, Intel Application Security & Identity Products
  2. Today's Agenda (Application Security and Identity Products)
    - Basic tokenization flows: recap
    - Differing tokenization needs based on volume & merchant type
    - Pros/cons: outsource vs. on-prem
    - Proxy & encryption models
    - 3 core solution deployment patterns
    - Use cases
    - (Graphic: Scope Reduction)
  3. Presents Tokenization Use Cases. Adrian Lane, CTO, alane@securosis.com, Twitter: @AdrianLane
  4. About Securosis
  5. One key question: Why use tokenization?
  6. To make data security easier ... Tokenization means:
    - Fewer controls
    - Less complexity
    - Reduced audit scope
    - Fewer systems to review
  7. To save time ...
  8. And to save money.
    - Fewer security products for fewer systems
    - Fewer reports
    - Auditors have less to do
  9. How does it work?
  10. Here's how:
    - By removing confidential data
    - Replace with a low-value token
    - Reduce CC#/PAN access
    - Reducing system interdependence
    - Fewer checks, controls and reports
  11. 2 Minute Tokenization Primer:
    - Tokenization replaces sensitive data with a random value.
    - Sensitive data is kept encrypted in a data vault.
    - The real data is only exposed when absolutely necessary.
    - Applications function as normal because the token preserves format and data type.
  12. The Tokens
    - Should be random or semi-random.
    - Same format as the original value (e.g. 16 digits, passes the LUHN check).
    - Some characteristics may carry over (e.g. last 4 digits of a credit card number).
    - Single or multi-use.
  13. Basic Architecture
  14. Integration Options
    - Application API Calls
    - Proxy Agents
    - Database Queries
    - Back-office Systems
  15. Basic architecture (diagram). Non-CDE side: tokenized applications, databases and systems, out of scope. Cardholder Data Environment: Token Server and Token Database, in scope; an authorized application sends a de-tokenization request into the CDE.
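The token properties from slide 12 and the token server / vault / de-tokenization flow from slide 15, as an added example that is not part of the presentation: `make_token` draws a random token that keeps the PAN's length and last four digits and still passes the Luhn check, and `TokenVault` (a constructed, in-memory stand-in for the token server and its vault) issues multi-use tokens and refuses de-tokenization to callers outside the CDE.

```python
import secrets

def luhn_sum(number: str) -> int:
    """Luhn weighted digit sum; a number is valid when the sum is 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_sum(number) % 10 == 0

def make_token(pan: str) -> str:
    """Random token in PAN format: same length, last 4 digits kept, passes Luhn.
    The digit at index -5 is never doubled by Luhn, so it absorbs the checksum."""
    tail = pan[-4:]
    head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 5))
    fix = (10 - luhn_sum(head + "0" + tail) % 10) % 10
    return head + str(fix) + tail

class TokenVault:
    """Constructed stand-in for the token server plus vault. A production vault
    encrypts the PAN at rest and lives inside the cardholder data environment."""
    def __init__(self) -> None:
        self._token_by_pan = {}
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        """Multi-use token: the same PAN always maps to the same token."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            token = make_token(pan)
            # never hand back the PAN itself, and never reuse an issued token
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_in_cde: bool) -> str:
        """The only path back to the PAN; restrict it to authorized CDE systems."""
        if not caller_in_cde:
            raise PermissionError("de-tokenization denied: caller is outside the CDE")
        return self._pan_by_token[token]
```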
  16. Failover & Performance
    - Distributed
    - Replicated
    - Code books
  17. You can't steal what's not there!
  18. PCI Security Standards Council on Tokenization
  19. Is it right for me? Answer: It depends.
    - Your type of business
    - Your application environment
    - The size of your business
    - Your goals
  20. Deployment Models
    - In-house software/hardware
    - Edge tokenization
    - Tokenization-aaS
    - FPE
  21. Use Case #1: Big Box Retail Chain
    - Web and retail locations
    - Huge transaction volume
    - POS, card-swipe and web payment options
    - Tightly integrated back office systems
    - Full PCI audits
  22. In-house Tokenization
  23. Use Case #1: Buying Decision
    - Per-transaction cost is the overriding factor
    - Worried about modifying existing applications
    - Want to reduce audit costs
    - Want reduced complexity, and scope reduction through reduced card storage
  24. Use Case #2: Small Service Provider
    - Small transaction volume
    - Handful of retail locations
    - POS & web site
    - Need to comply with self-assessment
    - No in-house security staff
  25. Tokenization-aaS
  26. Use Case #2: Buying Decision
    - Have no idea what PCI is but must comply, as credit cards are key to their business
    - Accept higher per-transaction costs for removal of all PAN/mag stripe data
    - Provider supports repayments/remediation
    - Minimal modification to existing applications
  27. Use Case #3: Giant Web Retailer
    - No physical stores
    - Huge transaction volume
    - Multiple payment providers, promotions
    - Web payment and shopping cart applications
    - Data and IT security expertise
    - COTS applications with customizations
  28. Edge/Proxy Tokenization
  29. Use Case #3: Buying Decision
    - Very minor software upgrade
    - Dramatically reduced audit scope
    - Far less chance of data breach
    - Supports multiple payment providers via a single shopping cart application
    - Maintains customer relationship
  30. Use Case #4: Mid-sized Merchant
    - All in-store sales, small web presence
    - Sizable POS investment
    - Highly cost-conscious
    - COTS applications, no in-house software
    - No in-house IT security
    - Worried about liability, CC# theft
  31. Tokenization with FPE
  32. Encryption vs. Tokenization: Encryption = Key + Algorithm; Tokenization = Tokenization Server
  33. Use Case #4: Buying Decision
    - Did not require application modifications
    - FPE built into existing infrastructure
    - Reduced scope through highly restricted key access and key management
    - Moderate per-transaction service fees
  34. Buying decisions ...
    - How much are transaction costs?
    - How costly to integrate into my apps?
    - Does it reduce PCI scope?
    - Does it work with my systems?
    - Is it reliable? Is it fast?
    - Have I reduced my risk?
  35. Selection Process
  36. Summary
    - Reduces security risks
    - Reduces complexity
    - Minimal IT systems impact
    - Reduces compliance costs
    - Securosis whitepapers for more details
  37. Adrian Lane, Securosis, L.L.C., alane@securosis.com, Twitter: AdrianLane
  38. Cloud Service Broker Capabilities: Reduce PCI Scope, Lower Costs & Protect Cardholder Data. Blake Dournaee, Product Management, Application Security and Identity Products
  39. Tokenization Strategies. The slide shows the SDK call pattern used by the API/SDK approach:

    ```java
    // Input data to be tokenized.
    String inputData = "1234 5678 9012 3456";
    // Get a new client instance for the tokenization server
    TokenizationServer server = new TokenizationServer("192.167.1.1", "443");
    // Tokenize data, and catch exceptions
    try {
        String token = server.tokenize(inputData);
    } catch (Exception e) {
        // handle tokenization failure
    }
    ```

    - Monolithic "Big Bang" Tokenization (Modify Everything): costs reduced by rip and replace of the entire architecture
    - API or SDK Tokenization (Modify Point Applications): costs reduced by point application changes
    - Proxy Tokenization (Modify Data in Transit): costs reduced by altering data online with minimal application changes
  40. Tokenization Strategies

    | Type | Strategy | Key Challenges | Key Benefits | Example |
    |---|---|---|---|---|
    | Monolithic Tokenization (Big Bang) | Strive to take the entire datacenter out of scope | Time to value; requires POS retail upgrades; bank/payment processor lock-in; inflexible to change | Eventually results in cost savings | RSA/FirstData, Verifone, Voltage (P2P Encryption + Tokenization) |
    | API or SDK Tokenization | Remove individual applications from scope | Each application requires code changes, usually through an SDK or agent; structured vault is difficult to scale; each application changed must be assessed | Results in modest scope and risk reduction | Protegrity, nuBridges, Safenet, Voltage |
    | Modular or Proxy Tokenization | Remove data flows from scope using a proxy | Applications must redirect data flows to a new IP address | Faster time to value; requires fewer application changes; data is tokenized on the wire; massive scalability; assessment is centralized to a security gateway | Intel Expressway Tokenization Broker |
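A minimal illustration of the proxy ("modify data in transit") strategy from slides 39 and 40, written as an added example and not as Intel's own code: the gateway sits in front of an application that should stay out of scope, rewrites policy-listed PAN fields of a form-encoded request into tokens from an injected tokenizer, refreshes Content-Length, and refuses to forward a field that is not PAN-shaped. The field names, the sample request and the `demo_tokenize` stand-in are all constructed for this example.

```python
import urllib.parse
from typing import Callable

# Policy (constructed for this example): form fields the gateway must tokenize
# before the request reaches applications that are meant to stay out of scope.
PAN_FIELDS = {"card_number", "pan"}

# Constructed sample request, exactly as an unchanged shopping-cart app sends it.
SAMPLE_REQUEST = (
    "POST /orders HTTP/1.1\r\n"
    "Host: orders.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 56\r\n"
    "\r\n"
    "order_id=42&card_number=4111+1111+1111+1111&amount=10.00"
)

def tokenize_form_body(body: str, tokenize: Callable[[str], str]) -> str:
    """Replace every policy-listed PAN field with a token; other fields pass through."""
    rewritten = []
    for name, value in urllib.parse.parse_qsl(body, keep_blank_values=True):
        if name in PAN_FIELDS:
            digits = value.replace(" ", "").replace("-", "")
            # Fail closed: a field that is not PAN-shaped is never forwarded in the clear.
            if not (digits.isdigit() and 13 <= len(digits) <= 19):
                raise ValueError(f"field {name!r} is not a well-formed PAN")
            value = tokenize(digits)
        rewritten.append((name, value))
    return urllib.parse.urlencode(rewritten)

def proxy_request(raw_request: str, tokenize: Callable[[str], str]) -> str:
    """Rewrite one HTTP request on the wire: tokenize the body, refresh Content-Length."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no header/body separator")
    new_body = tokenize_form_body(body, tokenize)
    headers = [h for h in head.split("\r\n") if not h.lower().startswith("content-length:")]
    headers.append(f"Content-Length: {len(new_body.encode())}")
    return "\r\n".join(headers) + sep + new_body

def demo_tokenize(pan: str) -> str:
    """Constructed stand-in for the token server client: a format-preserving
    placeholder keeping the last 4 digits. A real gateway calls the vault here."""
    return "9" * (len(pan) - 4) + pan[-4:]

if __name__ == "__main__":
    print(proxy_request(SAMPLE_REQUEST, demo_tokenize))
```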
  41. Typical Retail Architecture (diagram): Browser, E-Commerce Website, Retail POS, AuthZ Engine, Settlement Engine, Syndication Channels (Amazon).
  42. Typical PCI DSS Scope (diagram of the same architecture). Legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope.
  43. Scope with Expressway Tokenization Broker (diagram of the same architecture). Legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope.
  44. Product Details
  45. Intel® Expressway Tokenization Broker – V2 (1H, 2012)
    - Hardware or Software Broker: tamper resistant appliance with redundant, solid state storage; software on Linux AS5-64
    - Sample Tokenization Application: token exchange; token management; user-defined credit card lengths, including 19 digit cards
    - Secure Token Vault: clustered, high performance secure vault with unlimited token capacity; base configuration supports 300M tokens
    - Highly Scalable "NoSQL" Vault: horizontal scalability increases performance for each additional node; high availability provided by N-to-N/Active-Active HA clustering; full back-up and restore capabilities
    - Hitless Key Rotation: change vault encryption keys with zero downtime; addresses PCI-DSS 3.6.4 without stopping a single transaction
    - Intel® Services Designer & Web Interface: policy design and deployment; token exchange / management actions; policy deployment & monitoring
    - Quote on the slide: "SQL databases are fundamentally non-scalable, and there is no magical pixie dust that we, or anyone, can sprinkle on them to suddenly make them scale." - Adam Wiggins, Founder of Heroku (Cloud APaaS, acquired by Salesforce.com)
  46. Goal: E-Commerce Order Processing / Manual Invoice Processing. Problem: exception cases require manual review, bringing additional systems into scope. Solution: internal tokenization. (Diagram, Merchant Data Center: Payment Processor, E-Commerce Website, Web Server, Invoice with Credit Card Number, Payment Application, BPM System, Supply Chain Apps, Order Exception Portal, manual review of invoice and re-entry, Data Store, Additional Post-Payment Applications; PCI Scope boundary.)
  47. Goal: E-Commerce Order Processing / Manual Invoice Processing. Problem: exception cases require manual review, bringing additional systems into scope. Solution: internal tokenization. (Same diagram as slide 46, showing the scope after tokenization.)
  48. Goal: Bill Processing, Consolidation, Printing (Financial Statement Processor). Problem: non-payment processing applications contain PAN information, increasing scoping costs. Solution: internal tokenization. (Diagram, Service Provider Data Center: Customer Billing Information with original PAN, Large Data Feeds with PAN data, Customized Bills and Statements, Documents, Data Connected Databases, App. Portals, IBM WebSphere Middleware, Invoicing, Bill Payment, Bill Production and Printing, Bank Statement Customization and Consolidation; PCI Scope boundary.)
  49. Goal: Bill Processing, Consolidation, Printing (Financial Statement Processor). Problem: non-payment processing applications contain PAN information, increasing scoping costs. Solution: internal tokenization. (Same diagram as slide 48 with Edge Security + Tokenization inserted at the data feeds, so downstream systems receive data with tokens.)
  50. For Additional Information, go to: www.intel.com/go/identity (Download Eval, Data Sheet, PCI White Paper, Assessors Guide). E-mail: intelsoainfo@intel.com
