Choosing From 3 Core PCI-DSS Tokenization Models

A. Tokenize 100%
B. Modify Apps
C. Proxy data in transit

Adrian Lane – Securosis PCI-DSS Analyst
Blake Dournaee, Intel Application Security & Identity Products
Today’s Agenda

• Basic tokenization flows: recap
• Differing tokenization needs based on volume & merchant type
• Pros/cons outsource vs on-prem
• Proxy & encryption models
• 3 core solution deployment patterns
• Use cases

(Slide graphic: Scope Reduction)

Application Security and Identity Products   2
Presents: Tokenization Use Cases

Adrian Lane, CTO
alane@securosis.com
Twitter: @AdrianLane
About Securosis
One key question: Why use tokenization?

• Tokenization means:
    - Fewer controls
    - Less complexity
    - Reduced audit scope
    - Fewer systems to review

To make data security easier ...
To save time ...
And to save money.

• Fewer security products for fewer systems
• Fewer reports
• Auditors have less to do
How does it work?

• By removing confidential data
    • Replace with low value token
    • Reduce CC#/PAN access
    • Reducing system interdependence
    • Fewer checks, controls and reports

Here’s how:

2 Minute Tokenization Primer:

•   Tokenization replaces sensitive data with a
    random value.

•   Sensitive data is kept encrypted in a data vault.

•   The real data is only exposed when absolutely
    necessary.

•   Applications function as normal because the token
    preserves the format and data type of the original value.
The Tokens
•   Should be random or semi-random.

•   Same format as original value (e.g. 16
    digits, passes LUHN check).

•   Some characteristics may carry over (e.g. last 4
    digits of a credit card number).

•   Single or multi-use.
Basic Architecture

Integration Options
•   Application API Calls
•   Proxy Agents
•   Database Queries
•   Back-office Systems

(Architecture diagram) Non-CDE side: tokenized databases, out of scope. Cardholder Data Environment: Token Server with its Token Database, the Authorized Application, and tokenized systems in scope; a de-tokenization request arrow links the Authorized Application and the Token Server.
Failover & Performance
•   Distributed
•   Replicated
•   Code books

You can’t steal what’s not there!

PCI Security Standards Council on Tokenization

Is it right for me?
•   Answer: It depends
    •   Your type of business
    •   Your application environment
    •   The size of your business
    •   Your goals

Deployment Models
•   In-house software/hardware
•   Edge tokenization
•   Tokenization-aaS
•   FPE
Use Case #1: Big Box Retail Chain
•   Web and retail locations

•   Huge transaction volume

•   POS, Card-swipe and web payment options

•   Tightly integrated back office systems

•   Full PCI Audits
In-house Tokenization
Use Case #1: Buying Decision

•   Per-transaction cost overriding factor

•   Worried about modifying existing applications

•   Want to reduce audit costs

•   Want reduced complexity, and scope reduction
    through reduced card storage
Use Case #2: Small Service Provider
•   Small transaction volume

•   Handful of retail locations

•   POS & Web site

•   Need to comply with self-assessment

•   No in-house security staff
Tokenization-aaS
Use Case #2: Buying Decision

•   Have no idea what PCI is but must comply as
    credit cards are key to their business

•   Accept higher per-transaction costs for removal of
    all PAN/Mag stripe data

•   Provider supports repayments/remediation

•   Minimal modification to existing applications
Use Case #3: Giant Web Retailer
•   No physical stores

•   Huge transaction volume

•   Multiple payment providers, promotions

•   Web payment and shopping cart applications

•   Data and IT security expertise

•   COTS applications with customizations
Edge/Proxy Tokenization
Use Case #3: Buying Decision
•   Very minor software upgrade

•   Dramatically reduced audit scope

•   Far less chance of data breach

•   Supports multiple payment providers via single
    shopping cart application

•   Maintains customer relationship
Use Case #4: Mid-sized Merchant
•   All in-store sales, small web presence

•   Sizable POS investment

•   Highly cost-conscious

•   COTS applications, no in-house software

•   No in-house IT security

•   Worried about liability, CC# theft
Tokenization with FPE

Encryption vs. Tokenization (diagram)
•   Encryption: Key + Algorithm
•   Tokenization: Tokenization Server

Use Case #4: Buying Decision
•   Did not require application modifications

•   FPE built into existing infrastructure

•   Reduced scope through highly restricted key
    access and key management

•   Moderate per-transaction service fees
Buying decisions ...
•   How much are transaction costs?

•   How costly to integrate into my apps?

•   Does it reduce PCI scope?

•   Does it work with my systems?

•   Is it reliable? Is it fast?

•   Have I reduced my risk?
Selection Process

Summary
•   Reduces security risks
•   Reduces complexity
•   Minimal IT systems impact
•   Reduces compliance costs
•   Securosis whitepapers for more details

Adrian Lane
Securosis, L.L.C.
alane@securosis.com                 Twitter: AdrianLane
Cloud Service Broker Capabilities
Reduce PCI Scope, Lower Costs & Protect Cardholder Data

Blake Dournaee, Product Management
Tokenization Strategies

Illustrative SDK call from the slide (syntax and variable names corrected so it compiles; the SDK type and endpoint are the slide's own placeholders):

    // Input data to be tokenized.
    String inputData = new String("1234 5678 9012 3456");
    // Get new instance of tokenization server
    TokenizationServer server = new TokenizationServer("192.167.1.1", "443");
    // Tokenize data, and catch exceptions
    try {
        String token = server.tokenize(inputData);
    } catch (Exception e) {
        // Handle the failure without logging the PAN itself
    }

•   Monolithic “Big Bang” Tokenization (Modify Everything)
    Costs reduced by rip and replace of entire architecture
•   API or SDK Tokenization (Modify Point Applications)
    Costs reduced by point application changes
•   Proxy Tokenization (Modify Data in Transit)
    Costs reduced by altering data online with minimal application changes
Tokenization Strategies

Type: Monolithic Tokenization (Big Bang)
    Strategy: Strive to take the entire datacenter out of scope
    Key Challenges: Time to value; requires POS retail upgrades; bank/payment processor lock-in; inflexible to change
    Key Benefits: Eventually results in cost savings
    Example: RSA/FirstData, Verifone, Voltage (P2P Encryption+Tokenization)

Type: API or SDK Tokenization
    Strategy: Remove individual applications from scope
    Key Challenges: Each application requires code changes, usually through an SDK or agent; structured vault is difficult to scale; each application changed must be assessed
    Key Benefits: Results in modest scope and risk reduction
    Example: Protegrity, nuBridges, Safenet, Voltage

Type: Modular or Proxy Tokenization
    Strategy: Remove data flows from scope using a proxy
    Key Challenges: Applications must redirect data flows to a new IP address
    Key Benefits: Faster time to value; requires fewer application changes; data is tokenized on the wire; massive scalability; assessment is centralized to a security gateway
    Example: Intel Expressway Tokenization Broker
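The primer slides earlier in the deck (random, format-preserving, Luhn-valid tokens that keep the last 4 digits; single- or multi-use; de-tokenization only for authorized applications) and the proxy row of this table (data tokenized on the wire) in one runnable illustration. This is an added example written for this page, not code from Securosis or from the Intel Expressway product; the TokenVault class, the PAN_CANDIDATE pattern, the application names and the invoice message are constructed here, and the in-memory dict stands in for an encrypted vault.

```python
"""Constructed example: a minimal token server issuing format-preserving tokens,
plus a proxy-style rewrite that tokenizes PANs found in a message in transit."""
import re
import secrets
from typing import Dict, Set

# Constructed sample: a well-known test PAN (passes Luhn); not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def format_preserving_token(pan: str) -> str:
    """Random digits of the same length as the PAN, same last 4, Luhn-valid."""
    head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
    # Exactly one value of the remaining free digit makes the whole string Luhn-valid.
    for d in "0123456789":
        candidate = head + d + pan[-4:]
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: one digit always satisfies Luhn")


class TokenVault:
    """Stand-in for the token server + vault (hypothetical class). Here the PAN sits
    in a dict; a production vault encrypts it at rest and is the only system left
    holding card data. De-tokenization is limited to authorized applications."""

    def __init__(self, authorized_apps: Set[str]):
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}     # enables multi-use (repeatable) tokens
        self._authorized = set(authorized_apps)

    def tokenize(self, pan: str, multi_use: bool = True) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if multi_use and pan in self._by_pan:
            return self._by_pan[pan]              # same PAN -> same token
        while True:
            token = format_preserving_token(pan)
            # never hand back the PAN itself or a token already in use
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        if multi_use:
            self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, app_id: str) -> str:
        if app_id not in self._authorized:
            raise PermissionError(f"{app_id} is not authorized to de-tokenize")
        return self._by_token[token]


# 13-19 digits with optional single space/dash separators, as a PAN appears in text.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def tokenize_in_transit(message: str, vault: TokenVault) -> str:
    """Proxy model: replace every Luhn-valid PAN in a message with a token, keeping
    the original separators so the receiving application's parser is unaffected."""
    def swap(match):
        text = match.group(0)
        digits = re.sub(r"[ -]", "", text)
        if not luhn_valid(digits):
            return text                           # order numbers etc. pass through
        token = iter(vault.tokenize(digits))
        return "".join(next(token) if c.isdigit() else c for c in text)
    return PAN_CANDIDATE.sub(swap, message)


if __name__ == "__main__":
    vault = TokenVault(authorized_apps={"settlement-engine"})
    # Constructed invoice message as a web server might forward it.
    invoice = '{"order": "100234", "card": "4111 1111 1111 1111", "amount": "19.99"}'
    print(tokenize_in_transit(invoice, vault))
```

Because the tokens pass the Luhn check, a data-discovery scan cannot tell them from PANs by format alone; the vault's collision check is what guarantees a token never equals a stored card number.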
Typical Retail Architecture (diagram)
Components: Retail POS, Browser, Website, E-Commerce Engine, Syndication Channels (Amazon), AuthZ Engine, Settlement Engine.

Typical PCI DSS Scope (diagram)
Same components as above, coloured by the legend: Outside of Retailer / In PCI DSS Scope / Out of PCI DSS Scope.

Scope with Expressway Tokenization Broker (diagram)
Same components, redrawn with the Tokenization Broker in place and coloured by the same legend: Outside of Retailer / In PCI DSS Scope / Out of PCI DSS Scope.
Product Details
Intel® Expressway Tokenization Broker – V2 (1H, 2012)

Hardware or Software Broker
• Tamper resistant appliance with redundant, solid state storage
• Software on Linux AS5-64

Sample Tokenization Application
• Token Exchange
• Token Management
• User-defined credit card lengths, including 19 digit cards

Secure Token Vault
• Clustered, high performance secure vault with unlimited token capacity
• Base configuration supports 300M tokens

Highly Scalable “NoSQL” Vault
• Horizontal scalability increases performance for each additional node
• High availability provided by N-to-N/Active-Active HA Clustering
• Full back-up and restore capabilities

Hitless Key Rotation
• Change vault encryption keys with zero downtime
• Addresses PCI-DSS 3.6.4 without stopping a single transaction

Intel® Services Designer & Web Interface
• Policy Design and Deployment
• Token Exchange / Management Actions
• Policy Deployment & Monitoring

“SQL databases are fundamentally non-scalable, and there is no magical pixie dust that we, or anyone, can sprinkle on them to suddenly make them scale.”
– Adam Wiggins, Founder of Heroku (Cloud APaaS, Acquired by Salesforce.com)
Goal: E-Commerce Order Processing (Manual Invoice Processing)
Problem: Exception cases require manual review, bringing additional systems into scope
Solution: Internal tokenization

(Diagram) Merchant Data Center, components left to right: E-Commerce Website, Invoice with Credit Card Number, Web Server, Payment Application, Payment Processor; Order Exception path to a BPM System, Supply Chain Apps, a Portal Data Store and additional post-payment applications; manual review of invoice and re-entry. A PCI Scope boundary is drawn around these systems.

Goal: E-Commerce Order Processing (Manual Invoice Processing), second diagram
Same components and labels as the diagram above; this slide shows the flow with the internal tokenization solution applied.
Goal: Bill Processing, Consolidation, Printing (Financial Statement Processor)
Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization

(Diagram, before) Service Provider Data Center: Customer Billing Information arrives as Large Data Feeds with PAN Data into IBM WebSphere Middleware; Invoicing, Bill Payment, Bank Statement Customization and Consolidation, with Connected Databases and App. Portals; Bill Production and Printing produces Customized Bills and Statements and Documents with original PAN data. A PCI Scope boundary is drawn around these systems.

(Diagram, after) Edge Security + Tokenization sits at the ingress of the same data feeds, so the downstream systems receive Data w/ Tokens; the same invoicing, consolidation and printing components follow, and the PCI Scope boundary is redrawn.
For Additional Information, go to: www.intel.com/go/identity
• Download Eval
• Data Sheet
• PCI White Paper
• Assessors Guide

E-mail: intelsoainfo@intel.com

Tokenization Webinar featuring Securosis - Intel


Editor's Notes

  • #2 Title: Enterprise API Best Practices (John) – ~15 slides – Talk for 25-30 minutes.
    I. API Evolution – Where did they come from? (6-8 slides)
      a. APIs evolved from SOA as services
      b. Now they are pervasive – REST/JSON is king
      c. 2011 API growth was huge – what will 2012 look like?
      d. API business model slides – which types of businesses benefit the most from APIs? (Blake to help with this)
      e. Comparison to website – APIs are the new “website”
    II. Categories: Open APIs versus Private APIs (4 slides)
      a. Open APIs focus on developer on-boarding and platform enablement – name examples
      b. Private APIs (Enterprise APIs) focus on security, scalability, and availability – name examples of these (if you have some)
      c. For Enterprise APIs, developer on-boarding is less of an issue
    III. Hosted vs On-Premise (1-2 slides)
      a. What are the pros and cons of hosting an API through an enabler service (Mashery/APIgee) versus doing it yourself.
      b. Hosted – Good for open APIs, as the developer community is more important
      c. On-Premise – Good for private/enterprise grade APIs, as security and scalability are paramount
    (Blake) – 8 to 10 slides – Talk for 10-15 minutes
    III. Enterprise Use cases – Types of things an Enterprise wants to do (1-2 slides)
    IV. The value of the gateway pattern – abstraction (consuming APIs) and security (protecting APIs) (2 slides)
    V. Security overview – threats, trust, anti-malware, data loss prevention (1 slide)
    VI. Intel Expressway Product Pitch (2 slides)
    VII. Customer Examples (2 slides)
  • #47 Embedded Secure Vault – Clustered, high performance secure vault with unlimited token capacity. Horizontal Scalability – Additive, load scalability increases performance for each additional node. High Availability – N-to-N/Active-Active HA Clustering. Hitless Key Rotation – Change vault encryption keys with zero downtime. Hardware Upgrade – 10G Ethernet, Dual Disks, 32GB Memory, Dual SSD drives (300GB). Log Privacy and Security – Redaction. Custom Credit Card Support – User-defined credit card length support, including 19 digit cards. Vault Back-Up & Restore – Supports manual back-up and restore for archival.
  • #52 Resources on the PCI Solutions page of DP include the following: Eval Version of Tokenization Broker; Data Sheet; PCI DSS White Paper; Gateway Tokenization Webinar Playback; QSA Assessors Guide. (New content is being added on a regular basis. Please keep posted!)