Descoping a data environment by decreasing the amount of PCI traversing it is one of the simplest and most effective ways of complying with the PCI DSS. By outsourcing the handling of sensitive payment information to security experts, organizations can reduce compliance and operational costs while minimizing the risk and liability associated with a potential data breach. Tokenization is especially effective at this due to its ability to remove sensitive data from an environment and store it in a secure, cloud-based token vault. In this deck you will learn: PCI controls for organizations that handle card information Which controls can be removed from scope How cloud-based tokenization outsources PCI compliance to a tokenization provider Additional strategies and best practices for achieving PCI compliance

1. PCI Descoping:
How to Reduce Controls & Streamline
Compliance
T H U R S D A Y , F E B R U A R Y 2 1 , 2 0 1 9

2. Today’s Speakers
John Noltensmeyer
ISA, CISSP, CIPP/E/US
Head of Privacy & Compliance Solutions, TokenEx
jnoltensmeyer@tokenex.com
Trevor Axiak
QSA, CISA, ISO27001 Lead Auditor, SSCP
Director, Kyte
trevor@kyteconsultants.com
Alex Pezold
Former QSA
CEO, TokenEx
apezold@tokenex.com

3. SET T ING T HE STAG E
Single Most Important Task: Scoping
Some PCI Misconceptions
Assessing the Scope of the Scope
Encryption vs. Tokenization
Tokenization Landscape
Descoping Ecommerce Payments
Tokenization for Pseudonymization

4. SING LE MO ST IMPO RTANT TASK: SCO PING
“All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment….”
Objective: Reduce the Scope
• Reduce complexity
• Reduce risk
• Reduce cost
Reducing Scope
• Segmenting networks
• Firewalls
• ACL
• Routers
• VLANs
• Working with tokenized/sanitized/truncated data
• Selecting most suitable entry points for client systems
• Reducing logical access to what is necessary
• Do not store data
Network Segmentation
Payment Card Industry (PCI) Data Security Standard, v3.2.1, Page 9

5. SO ME PCI MISCO NCEPT IO NS
• Encrypting data removes it from scope.
• Third parties are not my responsibility.
• I do not store card data, so I don’t need to be PCI compliant.
• I outsourced everything, so I don’t need to be PCI compliant.
• I use a hosted payment page and a PCI DSS–compliant gateway, so I
don’t need to be PCI compliant.
• We are a small company, so many requirements don’t apply.
• Our POS devices are supplied by the bank, so I don’t need to be PCI
compliant.
• I use a payment application, so I need to be PA-DSS compliant.
• PCI DSS does not apply to card data on paper.

6. ASSESSING T HE SCO PE O F T HE SCO PE
“Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not
a PCI DSS requirement. However, it is strongly recommended….”
• The PCI DSS applies to all system components
included in or connected to the cardholder data
environment (CDE).
• The CDE consists of people, processes, and
technologies that store, process, or transmit cardholder
data.
• Segmentation = no connectivity
• Controlled access systems are still in scope.
• Out of scope = security not reviewed = untrusted
• Encryption ≠ out of scope
Impact
security
Provide
security
Provide
segmentation
Connected
to
CDE:
Store / Process /
Transmit
Payment Card Industry (PCI) Data Security Standard, v3.2.1, Page 10

7. ASSESSING T HE SCO PE O F T HE SCO PE
Guidance for PCI DSS Scoping and Network Segmentation • December 2016, Page 17
• How many applications store, process, or transmit
cardholder data (CHD)?
• Which databases support the in-scope applications?
• Which servers make up the CDE?
• What OSs are used (MS, UNIX, Linux, AS400, etc.)?
• Is there segmentation between the CDE and the rest of
the network? How?
• How many entry points to the network are there?

8. ASSESSING T HE SCO PE O F T HE SCO PE
• Is wireless technology in use on the network?
• Is CHD transmitted over wireless devices at any point?
• Are credit card numbers stored on the POS systems for
any length of time?
• How many data centers store, process, or transmit
CHD?
• How many call centers store, process, or transmit
CHD?
• Is any part of the environment outsourced?
• Are there third parties, outsourcers, or business
partners connected to the network?
Guidance for PCI DSS Scoping and Network Segmentation • December 2016, Page 17

9. ENCRYPT IO N VS. TO KENIZ AT IO N
Tokenization is the process of replacing a sensitive data element, such as a credit card PAN, with a nonsensitive equivalent.
Tokenization Reduces PCI Scope
• Network segmentation can be difficult and expensive.
• Tokens are not in scope for PCI DSS.
• It increases the likelihood of maintaining PCI compliance between annual
assessments.
Tokens are Flexible
• Length- and format-preserving
• No key management, unlike encryption
• Enables business-as-usual processes
Tokenization Does Not
• Take you completely out of PCI DSS scope
• Make you less responsible for your data
• Stop network breaches

10. ENCRYPT IO N VS. TO KENIZ AT IO N
What is the difference?
• Encryption – a data security measure using
mathematic algorithms to generate rule-based
values in place of original data
• Tokenization – a data security measure using
mathematic algorithms to generate randomized
values in place of original data
Tokens are versatile.
• Format-preserving tokens can be utilized where
masked CC information or masked PII is required.
Encryption alone is not a full solution.
• With encryption, sensitive data remains in business
systems. With tokenization, sensitive data is
removed completely from business systems and
securely vaulted.

11. ENCRYPT IO N VS. TO KENIZ AT IO N
Encryption alone may not be sufficient to render the cardholder data out of scope for PCI DSS.
FAQ: How does Encrypted Cardholder Data Impact PCI DSS Scope?
https://blog.pcisecuritystandards.org/faq-how-does-encrypted-cardholder-data-impact-pci-dss-scope
Each of the following are in scope for PCI DSS:
• Systems performing encryption and/or decryption of CHD, as well as systems performing key-
management functions
• Encrypted CHD that is not segmented from the encryption, decryption, and key-management processes
• Encrypted CHD that resides within a system, environment, or media that also contains the decryption
key
• Encrypted CHD that is accessible to an entity that can also access the decryption key

12. TO KENIZ AT IO N LANDSCAPE
Futurex
CardConnect
HPE
Liaison
Protegrity First Data
CyberSource
Chase Paymentech
Paymetric
Shift4
Thales Intel
Tokenization Implementation Considerations
On-premise/Appliance Tokenization
• Requires a card data environment (CDE)
• High cost of maintenance (hardware, staff, support)
• Risk still resident in the environment
• Tokens are often the intellectual property of the vendor
Processor Tokenization
• Tokens are processor-specific
• Tokens are often the property of the processor
• Most processors won’t let you detokenize
• Limited integration options
• Only tokenizes PCI data and not other sensitive data sets
Cloud-Based Tokenization
• Removes sensitive data from the environment, reducing risk
• Provides points of integration outside the environment, reducing if not eliminating CHD
controls from PCI DSS scope
• Shifts liability to the service provider

13. TO KENIZ AT IO N LANDSCAPE
Network/Payment Tokens Data Security Tokens
Typically issued by a payment service provider
Issued by a third-party provider, appliance, or custom
tokenization solution
Multiple payment processors means managing multiple
token sets
Tokens can be used with multiple processors or third-parties.
Often single-use or “low-value” tokens Usually persistent or “high-value” tokens
Intended almost exclusively for use in payment
transactions
Can be used to protect any data set—PHI, PII or NPI—in
addition to credit card PANs
Network/Payment Tokens vs. Security Tokens

14. DESCO PING ECO MMERCE PAYMENT S
PCI DSS Scope Reduction
Merchants with an e-commerce web site can dramatically reduce their PCI scope for this acceptance channel by outsourcing the capture, processing and storage of
CHD to a validated service provider.
• Use a hosted iFrame or payments
page provided by a validated service
provider to capture and tokenize
CHD
• Do not transmit, process, or
store CHD via any other
acceptance channel
• Utilize payment services of
tokenization provider to process
transactions
• Maintain appropriate policies
and procedures

15. DESCO PING ECO MMERCE PAYMENT S

16. TO KENIZ AT IO N F O R PSEUDO NYMIZ AT IO N
Deidentification of Personal Data or PII
Within the EU’s General Data Protection Regulation (GDPR) and the
California Consumer Privacy Act (CCPA), there are multiple references to
pseudonymization or deidentification as an appropriate mechanism for
protecting personal data.
CCPA §1798.140
“Pseudonymize” or “Pseudonymization” means the processing of personal
information in a manner that renders the personal information no longer
attributable to a specific consumer without the use of additional information,
provided that the additional information is kept separately. . . .
Pseudonymization (replacing identifying or sensitive data with
pseudonyms) is synonymous with tokenization (replacing identifying or
sensitive data with tokens).

17. TO KENIZ AT IO N F O R PSEUDO NYMIZ AT IO N
Using Tokenization for Pseudonymization

18. Q&A