Tokenization is the latest data protection method, but does it help or hinder cybersecurity—this is the current debate. This session will look at who, what, where, when, how and why of using tokens. (Source: RSA Conference USA 2017)

1. SESSION ID:SESSION ID:
#RSAC
Sandra Lambert
Cybersecurity vs. Tokenization
PDAC-R02
CEO
Lambert & Associates
ANSI X9F4 Workgroup Vice Chair
Jeff Stapleton
Security Architect
Wells Fargo
ANSI X9F4 Workgroup Chair

2. #RSAC
Cybersecurity vs. Tokenization - Agenda
2
Tokenization Fundamentals
Top Four Controversial Implementation Issues
Payment vs. Non-Payment Tokens
Tokenization vs. Detokenization
System Isolation Requirements
Cryptographic Hardware vs. Software – a Very Contentious Topic
Conclusions

3. #RSAC
Tokenization Fundamentals

4. #RSAC
Who Wants Tokenization and Where?
4
Definition of Tokenization
PCI: Tokenization is a process by which the Primary Account Number (PAN) is
replaced with a surrogate value called a token.
— Index Token is a cryptographic token that replaces the PAN, based on a given index for an
unpredictable value
ANSI X9: The process of mapping a plaintext value (i.e., the underlying sensitive
value) to an existing or newly-generated surrogate value (i.e., a token). A token is a
surrogate value used in place of the original value in certain, well-defined
situations, but that is not used in place of the original value in every way that the
original value is used.
EMV: A process by which the Primary Account Number (PAN) is replaced with a
surrogate value called a Payment Token. Tokenization may be undertaken to
enhance transaction efficiency, improve transaction security, increase service
transparency, or to provide a method for third-party enablement.
Conflicting definitions, so, what is a token?

5. #RSAC
What is Tokenization and Why Do It?
5
Tokenization
PAN
SSN
Name
123
ABC
789
Random
Encryption
Table
MAC
4400 1111 1111 1113
Alice Smith
USV* Token
*Underlying Sensitive Value – protecting data

6. #RSAC
When Can It Be Used?
6
• For example: primary account number (PAN)
• Token 1: middle 6 digits, note check digit
• Token 2: whole PAN, ignore check digit
• Any 16-digits might be a legitimate PAN somewhere
• Same issues for SSN or other things
PAN 4 80801 000000 000 5
Token 1 4 80801 123456 000 4
Token 2 9 21456 332157 278 3
Backwards compatibility
Separate channel
Issues
• Format
• Length
• Syntax
Check digit

7. #RSAC
What is Detokenization? Encryption Method
7
Encryption
Decryption
USV Token
Cryptographic
Key
Tokenization
Detokenization
Tokenization Service

8. #RSAC
What is Detokenization? MAC Method
8
MAC
USV Token
Cryptographic
Key
Tokenization
Detokenization
USV Û Token
Tokenization Service
Verification
Detokenization
controversial
Verification
acceptable

9. #RSAC
What is Detokenization? Random Method
9
Random
USV Token
Tokenization
Detokenization
USV Û Token
RNG
Tokenization Service

10. #RSAC
What is Detokenization? Table Method
10
Table
USV Token
Tokenization
Detokenization
PRNGRNG
Tokenization Service
Table

11. #RSAC
Implementation Issue:
Payment vs. Non-Payment Tokens

12. #RSAC
EMV Payment Tokenization
12
4400 1111 1111 1113
Alice Smith
TSP
Issuer
Wallet
PAN
EMV EMV
PAN
Merchant
EMV
Post-auth tokens are
non-payment tokens
EMV tokens can
only be used for
authorization
Step 1: Issuer issues card to cardholder
Brick & Mortar
Merchant
EMV
Chip
Card
Step 3: Cardholder
shops online
AMEX
Visa MasterCard
Discover
Acquirer
PAN Û EMV
Step 2: Cardholder
gets EMV token
EMV
EMV
PAN
EMV
PAN
Authorization to
Issuer is EMV or PAN

13. #RSAC
Non-Payment Tokenization
13
Tokenization
Requesting
Interface
(TRI)
Tokenization
Service
(TS)
USV
Token
Tokenization System
• Encryption
• MAC
• Random
• Table
Requesting
Entity
RE
RE
USV Û Token
Token ¹ EMV
Post Authorization (Payment Related) Applications
Non-Payment
Applications
Storage
• Tokenization
• Detokenization

14. #RSAC
Implementation Issue:
Tokenization vs. Detokenization

15. #RSAC
Tokenization Environments: Internal
15
Tokenization
Requesting
Interface
Tokenization
Service
USV
Token
Tokenization System
RE
RE
USV Û Token
Storage
RE
RE
Non-Tokenization Users
NT
NT
NT
Authorized Tokenization
Requesting Entity
Authorized Detokenization
Requesting Entity
NT
Write
Read

16. #RSAC
Tokenization Environments: External
16
TRI TS
USV
Token
Tokenization System
RE
RE
USV Û Token
RE
RE
NT
NT
NT
Authorized Tokenization
Requesting Entity
Authorized Detokenization
Requesting Entity
NT
Write
Read
Enterprise NetworkDMZ
TSP becomes Third Party (Cloud) Service Provider
API
RE
RE

17. #RSAC
Tokenization Environments: Multiple
17
Issues
Multi-tokenization systems interoperability
Multi-tokenization systems migration
Multi-tokenization systems backup and recovery
TRI TS USV Û Token
RE
RE
TRITSUSV Û Token
RE
RE
Tokenization System A Tokenization System B

18. #RSAC
Implementation Issue:
System Isolation Requirements

19. #RSAC
Organization’s Internal Network
Tokenization Isolation
19
Tokenization
Requesting
Interface
Tokenization
Service
USV
Token
Tokenization System
USV Û Token
Storage
FW
R
S
D
M
Z
Internet
NT
Other
Applications Cardholder Data Environment (CDE)

20. #RSAC
Implementation Issue:
Cryptographic Hardware vs. Software

21. #RSAC
Cryptography: Encryption Method
21
Encryption
Decryption
USV Token
Tokenization
Detokenization
Tokenization Service
HSM
HSMs are
typically
optional
Check with
vendor support

22. #RSAC
Cryptography: MAC Method
22
MAC
USV Token
Tokenization
USV Û Token
Tokenization Service
HSM
HSMs are
typically
optional
Check with
vendor support
Detokenization
Verification

23. #RSAC
Cryptography: Random Method
23
Random
USV Token
Tokenization
Detokenization
USV Û Token
Tokenization Service
RNG HSM
Random is
difficult to
achieve
Quantum
mechanics
Available
quantum
randomness
products

24. #RSAC
Cryptography: Table Method
24
Table
USV Token
Tokenization
Detokenization
Tokenization Service
Table
HSMs have
insufficient
memory to
store tables
HSMs have
insufficient
CPU to process
tables
Cryptographic
boundary is
software based
ISO 19790
Security Levels
1 and 2
are software
PRNGRNG

25. #RSAC
Conclusions

26. #RSAC
Apply What You’ve Learned Today…
26
Share your tokenization understanding
Determine your tokenization needs (if any)
EMV payments
PCI compliance
Cybersecurity control
Define your tokenization strategy
Plan your tokenization implementation
Where USV is tokenized
Where tokens are stored
Where tokens are processed
Where tokens are detokenized, recovering the USV
Implementations
Strategy
Needs

27. #RSAC
Conclusions
27
Tokenization can protect your underlying sensitive data
Tread carefully through the major cybersecurity issues
Payment vs. Non-Payment Tokens
Tokenization vs. Detokenization
System Isolation Requirements
Cryptographic Hardware vs. Software – including key management
Standards, specifications, and guidelines exist and are in development
Tokens are not a panacea; they’re not for everybody
Tokenization can affect database search functions
Tokenization is not interoperable, today
Tokenization controls need to be incorporated into your cybersecurity policies
and practices – including incident response plans

28. #RSAC
References
28
Accredited Standards Committee X9 www.x9.org
American National Standard X9.82 Random Number Generation (RNG) – multiple parts
American National Standard X9.119 Requirements for Protection of Sensitive Payment Card
Data – Part 2: Implementing Post-Authorization Tokenization Systems (in ballot)
American National Standard X9.137 Tokenization Management and Security (work in progress)
Payment Card Industry (PCI) Security Standards Council (SSC)
www.pcisecuritystandards.org
PCI Data Security Standard (DSS) Requirements and Security Assessment Procedures v3.2 April
2016
PCI Tokenization Product Security Guidelines v1.0 April 2015
PCI DSS Tokenization Guidelines v2.0 August 2011
Europay-MasterCard-Visa Company (EMVCo) www.emvco.com
EMVCo Payment Tokenisation Specification Technical Framework v1.0 March 2014