![Page 1: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/1.jpg)
Ulf Mattsson, Chief Technology Officer, Protegrity Corporation
Ulf . mattsson at protegrity . com
![Page 2: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/2.jpg)
![Page 3: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/3.jpg)
Source of information about PCI research: http://www.knowpci.com
![Page 4: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/4.jpg)
PCI Requirements and Data Protection Options
Advanced Attacks on Cardholder Data
PCI Requirements
Data Protection Options
Data Protection Use Cases
A Risk-Adjusted Data Protection Approach
Appendix: PCI Research and Resources
![Page 5: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/5.jpg)
Enterprise Data Flow – Cardholder Data
Stages in the diagram: Collection (POS, e-commerce, branch) -> Aggregation -> Operations -> Analysis -> Archive
• ‘Information in the wild’: short lifecycle / high risk
• Temporary information: short lifecycle / high risk
• Operating information: typically a lifecycle of one or more years; broad and diverse computing and database environment
• Decision-making information: typically multi-year lifecycle; homogeneous computing environment; high-volume database analysis
• Archive: typically multi-year lifecycle; preserving the ability to retrieve the data in the future is important
![Page 6: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/6.jpg)
![Page 7: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/7.jpg)
Data Level Attacks on the Enterprise Data Flow (diagram)
Network zones shown: Internet -> load balancing and proxy/firewall -> DMZ (web apps) -> proxy/firewall -> trusted segment (enterprise apps, DB server, network devices, internal users, SAN/NAS/tape, IDS/IPS, end-points, wireless), with transactions flowing through all of them.
Data-level attacks placed on this flow: sniffer attack, SQL injection, malware/trojan, OS admin file attack, DBA attack, media attack.
![Page 8: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/8.jpg)
Data Protection Challenges
Actual protection is not the challenge; management of the solutions is:
• Key management
• Reporting
• Policy
Minimizing impact on business operations
• Performance vs. security
Minimizing impact (and costs)
• Changes to applications
• Impact on downstream systems
![Page 9: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/9.jpg)
Addressing Data Protection Challenges
Full mapping of the sensitive data flow
• Where is the data
• Where does it need to be
Identify what data is needed for processing in which applications
• What are the performance SLAs
Understand the impact of changing/removing data
• Will it break legacy systems
Address PCI, but strategize for the larger security issue
![Page 10: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/10.jpg)
The Goal: Good, Cost Effective Security
The goal is to deliver a solution that balances security, cost, and impact on the current business processes and user community.
Security plan: short term, long term, ongoing
How much is ‘good enough’?
Security versus compliance
• Good security gives you compliance
• Compliance alone does not give you good security
![Page 11: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/11.jpg)
PCI DSS 1.2 Applicability Information & PII Aspects
![Page 12: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/12.jpg)
Discussion of Data Protection for PCI DSS
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy.
12. Maintain a policy that addresses information security
![Page 13: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/13.jpg)
PCI – Compensating Controls
![Page 14: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/14.jpg)
Data Protection Layers
Data Protection - Wrapping
• How sensitive data is rendered unreadable
Data Access Control - Path
• How the data is presented to the end user and/or application
![Page 15: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/15.jpg)
Data Protection Options
Data stored as:
• Clear: actual value is readable
• Hash: unreadable, not reversible
• Encrypted: unreadable, reversible, binary/text
• Replacement value (tokens): unreadable, reversible
• Partial encryption/replacement: unreadable, reversible
![Page 16: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/16.jpg)
Data in the Clear: Control the Access Path
• Reporting and alerting
• Display masking
• Data usage control
Advantages
• Low impact on existing applications
• Performance
• Time to deploy
Considerations
• Underlying data exposed
• A breach is discovered after the fact
• PCI aspects
![Page 17: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/17.jpg)
Hash: non-reversible
• Strong protection only if a secret is involved: a keyed hash (HMAC), or at least a salt (a salt alone does not help much for a PAN whose BIN and last four are known, because only about a million candidates remain to be tried)
Advantages
• None really for PCI and PII data
Considerations
• Size and type (a digest is binary and longer than the original field)
• Transparency
• Key rotation for a keyed hash
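Why an unkeyed hash of a card number gives little protection, and what a keyed hash changes, shown as an added example that is not part of the original deck and not Protegrity code. It assumes what is usually true in practice: the attacker already has the BIN and last four digits (they are commonly stored or displayed in the clear), so only the six middle digits are unknown. The card number is the standard 4111 1111 1111 1111 test number and the key is a constructed placeholder.

```python
"""Plain hash vs. keyed hash (HMAC) for a primary account number.

Added example for the hashing slide; not code from the deck or from
Protegrity. The PAN and key are constructed sample values.
"""
import hashlib
import hmac


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; real PANs pass it, which prunes the search."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plain_hash(pan: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it for a guessed PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(key: bytes, pan: str) -> str:
    """HMAC-SHA256: recomputing a guess requires the secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, bin6: str, last4: str, limit: int = 10**6):
    """Brute-force the six middle digits of an unkeyed PAN hash.

    With the BIN and last four known, at most 10**6 candidates remain and
    the Luhn check discards nine in ten of them before any hashing.
    `limit` bounds the search so the demonstration stays fast.
    """
    for mid in range(limit):
        candidate = f"{bin6}{mid:06d}{last4}"
        if not luhn_ok(candidate):
            continue
        if plain_hash(candidate) == digest:
            return candidate
    return None


SAMPLE_PAN = "4111111111111111"                # constructed: standard test number
SAMPLE_KEY = b"vault-key-from-key-manager"     # assumed; never hard-code a real key


def demo():
    """Same search, same budget, against the unkeyed and the keyed digest."""
    bin6, last4 = SAMPLE_PAN[:6], SAMPLE_PAN[-4:]
    unkeyed = plain_hash(SAMPLE_PAN)
    keyed = keyed_hash(SAMPLE_KEY, SAMPLE_PAN)
    # The unkeyed digest gives the PAN back; the HMAC does not, because
    # without the key the attacker cannot compute candidate digests at all.
    return (recover_pan(unkeyed, bin6, last4, limit=200_000),
            recover_pan(keyed, bin6, last4, limit=200_000))


if __name__ == "__main__":
    print(demo())
```

The search above finishes in well under a second on a laptop, which is the whole point: the domain is too small for any unkeyed hash, salted or not, and a slow hash only buys a constant factor. The secret key is what makes the digest useless to anyone who does not hold it, which is why later PCI DSS versions (v4.0, requirement 3.5.1.1) require hashes of PAN to be keyed.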
![Page 18: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/18.jpg)
Traditional Strong Encryption: industry standard
• Algorithms and modes: AES CBC, 3DES CBC, ...
• Approved by NIST (National Institute of Standards and Technology)
Advantages
• Widely deployed
• Compatibility
• Performance
Considerations
• Storage and type (ciphertext is binary and longer than the field it replaces)
• Transparency to applications
• Key rotation
![Page 19: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/19.jpg)
Newer Data Protection Options: Format Controlling Encryption (FCE)
![Page 20: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/20.jpg)
FCE Security Model (diagram)
Application databases (e.g. marketing, loss prevention, POS) store the formatted ciphertext; keys come from a key manager. Example of formatted encryption: original credit card number -> 1234 1234 1234 4560
![Page 21: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/21.jpg)
What Is FCE? Where did it come from?
• Before 2000: different approaches, some based on block ciphers (AES, 3DES, ...)
• Before 2005: used to protect data in transit within enterprises
What exactly is it?
• A secret-key encryption algorithm operating in a new mode
• The ciphertext output can be restricted to the same code page as the input; some implementations support only numeric data
• At the time of this talk the new modes were not approved by NIST (NIST later approved the FF1 and FF3 format-preserving modes in SP 800-38G, 2016; FF3 was subsequently revised to FF3-1 after a published attack)
![Page 22: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/22.jpg)
FCE Selling Points
• Ease of deployment: limits the database schema changes that are required and reduces changes to downstream systems
• Applicability to data in transit: provides a strict, known data format that can be used for interchange
• Storage space: does not require expanded storage
• Test data: partial protection
• Outsourced environments and virtual servers
![Page 23: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/23.jpg)
FCE Considerations
• Unproven level of security: makes significant alterations to the standard AES algorithm
• Encryption overhead: significant CPU consumption is required to execute the cipher
• Key management: the ciphertext has no room for a key ID (an encrypted SSN is still nine digits), which makes key rotation more complex
• Some implementations only support certain data (based on data size, type, etc.)
• Support for “big iron” systems: not portable across encodings (ASCII, EBCDIC)
• Transparency: some applications need full clear text
![Page 24: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/24.jpg)
FCE Use Cases
• Suitable for lower risk data
• Compliance with a NIST standard not needed
• Distributed environments
• Protection of the data flow
• Added performance overhead can be accepted
• Key rollover not needed: transient data
• Support available for the data size, type, etc.
• Point-to-point protection if “big iron” is mixed with Unix or Windows
• Possible to modify applications that need full clear text, or a database plug-in is available
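To make the "secret-key algorithm in a new mode" of the FCE slides concrete, here is an added illustration that is not Protegrity's FCE, not NIST FF1/FF3 and not code from the deck: a ten-round Feistel network over the decimal alphabet with HMAC-SHA256 as the round function (the same Feistel structure FF1 uses, with a different round function and none of its security analysis). It also shows the partial-encryption use case: the six middle digits of a card number are encrypted with the BIN and last four bound in as a tweak. The key is a constructed placeholder; the card number is the one drawn on the slides.

```python
"""Feistel-based format-preserving encryption of digit strings.

Added illustration for the FCE slides; not FF1/FF3, not any vendor's
product, and not reviewed for production use. Key and data are samples.
"""
import hashlib
import hmac

ROUNDS = 10  # even, so both halves return to their original lengths


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str) -> int:
    """Pseudo-random function of (tweak, round number, one half)."""
    msg = tweak + bytes([round_no]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a decimal string of at least two digits")
    n = len(digits)
    u, v = n // 2, n - n // 2            # unbalanced split for odd lengths
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v       # length of the half being replaced
        y = _round_function(key, tweak, i, b) % 10 ** m
        c = (int(a) + y) % 10 ** m       # modular addition stays in the alphabet
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: run the same rounds backwards."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a) % 10 ** m
        c = (int(b) - y) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Partial encryption: BIN and last four stay in clear, the middle is encrypted.

    The clear parts are the tweak, so identical middle digits under another
    BIN or last four encrypt to something different.
    """
    bin6, middle, last4 = pan[:6], pan[6:-4], pan[-4:]
    return bin6 + fpe_encrypt(key, middle, (bin6 + last4).encode()) + last4


def unprotect_pan(key: bytes, protected: str) -> str:
    bin6, middle, last4 = protected[:6], protected[6:-4], protected[-4:]
    return bin6 + fpe_decrypt(key, middle, (bin6 + last4).encode()) + last4


SAMPLE_KEY = b"column-key-v1-from-key-manager"   # assumed placeholder
SAMPLE_PAN = "5549943707894560"                   # the number drawn on the slides


def demo() -> dict:
    protected = protect_pan(SAMPLE_KEY, SAMPLE_PAN)
    return {
        "protected": protected,
        "same_length": len(protected) == len(SAMPLE_PAN),
        "still_numeric": protected.isdigit(),
        "round_trip": unprotect_pan(SAMPLE_KEY, protected) == SAMPLE_PAN,
    }


if __name__ == "__main__":
    print(demo())
```

Three properties of the output are exactly the considerations the slide lists. It is deterministic: the same digits under the same tweak always give the same ciphertext, which keeps equality searches working but reveals which rows hold the same card. It carries no key identifier, so rotating `SAMPLE_KEY` requires a separate key-version column or a bulk re-encryption. And the protected domain is small: six decimal digits is one million values, the minimum that NIST's later guidance for these modes allows, which is part of why the slides reserve FCE for lower-risk data. The ciphertext will in general not pass the Luhn check either, so downstream validators need to know they are seeing a protected value.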
![Page 25: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/25.jpg)
Applications are Sensitive to the Data Format (generalized example chart)
The chart plots each stored form of a field against how many existing applications can still use it unchanged, from “all applications” down to “no applications”, noting for each whether the field length (original or longer) and data type are preserved. Ordered from least to most intrusive:
• Numeric (clear text): original length and type
• Numeric (FCE, token): original length and type
• Alphanumeric (FCE, token): original length, text type
• Binary (encryption): longer, binary
• Binary (hash): longer, binary
Increased intrusiveness brings: application changes, limitations in functionality, limitations in data search, performance issues.
![Page 26: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/26.jpg)
Newer Data Protection Options: Tokenization
![Page 27: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/27.jpg)
Tokenization Data Security Model (diagram)
Application databases (e.g. marketing, loss prevention, POS) store the token; the token server maps it to cipher text ($%.>/$&#) of the original credit card number, with keys from a key manager. Example of token format: 1234 1234 1234 4560
![Page 28: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/28.jpg)
What Is Data Tokenization?
Where did it come from?
• Found in Vatican archives dating from the 1300s
• In 1988 IBM introduced the Application System/400 with shadow files to preserve data length
• In 2005 vendors introduced tokenization of account numbers
What exactly is it?
• It is not an encryption algorithm
• It generates a random replacement value which can be used to retrieve the actual data later (via a lookup)
• It still requires strong encryption to protect the lookup table(s)
![Page 29: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/29.jpg)
Tokenization Selling Points
• Provides an alternative to masking in production, test and outsourced environments
• Limits the schema changes that are required and reduces impact on downstream systems
• Can be optimized to preserve pieces of the actual data in place (“smart tokens”)
• Greatly simplifies key management and key rotation tasks
• Centrally managed and protected: reduced exposure
• Enables strong separation of duties
• Can take systems that hold only tokens out of PCI scope (the token server and its lookup data stay in scope)
![Page 30: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/30.jpg)
Tokenization Considerations
• Transparency: not transparent to downstream systems that require the original data
• Performance and availability: imposes significant overhead from the initial tokenization operation and from subsequent lookups
• Performance and availability: imposes significant overhead if the token server is remote or outsourced
• Security vulnerabilities of the tokens themselves: randomness and possibility of collisions
• Security vulnerabilities typical of in-house developed systems: exposed patterns and attack surfaces
![Page 31: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/31.jpg)
Tokenization Use Cases
• Suitable for high risk data (payment card data)
• When compliance with a NIST standard is needed
• Long life-cycle data
• Key rollover: easy to manage
• Centralized environments
• Suitable data size, type, etc.
• Support for “big iron” mixed with Unix or Windows
• Possible to modify the few applications that need full clear text, or a database plug-in is available
![Page 32: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/32.jpg)
Evaluation Criteria
Performance
• Impact on operations: end users, data processing windows
Storage
• Impact on data storage requirements
Security
• How secure is the data at rest
• Impact on data access: separation of duties
Transparency
• Changes to application(s)
• Impact on supporting utilities and processes
![Page 33: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/33.jpg)
Evaluating Data Protection Options (table)
Rows: Clear, Strong Encryption, Format Controlling Encryption, Token, Hash. Columns: Storage, Performance, Security, Transparency. The cells were a best-to-worst colour scale in the original and are not reproduced in the text.
![Page 34: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/34.jpg)
Enterprise View of Different Protection Options (table)
Columns: Strong Encryption, Formatted Encryption, Token. Evaluation criteria (rows): disconnected environments; distributed environments; performance impact when loading data; transparent to applications; expanded storage size; transparent to database schema; long life-cycle data; Unix or Windows mixed with “big iron” (EBCDIC); easy re-keying of data in a data flow; high risk data; security - compliance with PCI and NIST. The ratings were colour-coded in the original and are not reproduced in the text.
![Page 35: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/35.jpg)
Application Transparency – Encryption, Tokens and Hashing (chart)
Transparency level (high to low) plotted against database operation (look-up, range search, processing of clear values) for hashing, smart tokens and database encryption.
![Page 36: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/36.jpg)
Data Protection Options - Use Cases
![Page 37: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/37.jpg)
Data Protection Options in the Enterprise (diagram)
Application databases hold the protected values (CCN, SSN, ...). A key manager serves strong encryption and formatted encryption; a token server maps tokens to cipher text ($%.>/$&#). The same card number stored three ways:
• Strong encryption: Kjh3409)(*&@$%^&
• Formatted encryption: 1234 1234 1234 4560
• Token: 1234 1234 1234 4560
![Page 38: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/38.jpg)
Partial Encryption/Tokenizing - Example (diagram)
Many applications and tools only move the data around and can work with the protected value; some applications need partial clear data (for example 123456 777777 1234, with only the middle digits protected); few applications need full clear data and go through decryption.
![Page 39: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/39.jpg)
Data Protection Options – 3 Use Cases
• Application 1 can use the stored protected value: 1234 1234 1234 4560 or Kjh3409)(*&@$%^&
• Application 2 needs partial information in clear: 1234 1234 1234 4560 (the preserved digits of the token)
• Application 3 needs full information in clear: 55 49 9437 0789 4560
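An added example, not the deck's or Protegrity's code, that puts the tokenization slides (random replacement values, smart tokens that keep part of the data in place, the collision consideration) and the three application types above into one small token service. Tokens keep the last four digits in the clear, are checked for uniqueness, and are deliberately issued so that they fail the Luhn check and cannot be mistaken for a real card number; detokenization is gated by an allowlist so only the few applications that need full clear text can get it. The vault is an in-memory dictionary here; in practice its rows are stored under strong encryption with keys from a key manager, as the slides say. Principal names and the card number (the standard 4111 test number) are constructed.

```python
"""Minimal token vault with same-length, last-four-preserving tokens.

Added example; not Protegrity's token server and not code from the deck.
Principals, the PAN and the storage layer are illustrative.
"""
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check: real PANs pass it; this vault issues tokens that fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Random digits of the same length, keeping the last four in the clear."""
    body_len = len(pan) - 4
    body = str(secrets.randbelow(10 ** body_len)).zfill(body_len)
    return body + pan[-4:]


class TokenVault:
    def __init__(self, full_clear: set, partial_clear: set):
        self._pan_by_token = {}    # production: rows encrypted under a vault key
        self._token_by_pan = {}
        self._full_clear = set(full_clear)        # may call detokenize()
        self._partial_clear = set(partial_clear)  # may call reveal_partial()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:      # stable token: joins keep working
            return self._token_by_pan[pan]
        while True:
            token = make_token(pan)
            # Reject collisions with tokens already issued, and reject tokens
            # that would pass Luhn so a token is never mistaken for a real PAN.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Full clear text, for the few applications that truly need it."""
        if caller not in self._full_clear:
            raise PermissionError(f"{caller} may not retrieve clear PANs")
        return self._pan_by_token[token]

    def reveal_partial(self, token: str, caller: str) -> str:
        """BIN and last four with the middle masked: the 'partial clear' case."""
        if caller not in self._full_clear | self._partial_clear:
            raise PermissionError(f"{caller} may not retrieve partial PANs")
        pan = self._pan_by_token[token]
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def demo() -> dict:
    """Walk the three application types from the slide."""
    vault = TokenVault(full_clear={"settlement"}, partial_clear={"fraud_analytics"})
    pan = "4111111111111111"               # constructed: standard test number
    token = vault.tokenize(pan)
    result = {
        "token_numeric_same_length": token.isdigit() and len(token) == len(pan),
        "last4_kept": token[-4:] == pan[-4:],
        "token_not_luhn_valid": not luhn_ok(token),
        "stable": vault.tokenize(pan) == token,
        "app1_uses_token": token,          # the stored value is all it needs
        "app2_partial": vault.reveal_partial(token, "fraud_analytics"),
        "app3_full": vault.detokenize(token, "settlement"),
    }
    try:
        vault.detokenize(token, "marketing")
        result["marketing_blocked"] = False
    except PermissionError:
        result["marketing_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible that the bullet lists only name. The collision consideration: twelve random digits leave a space of 10^12 tokens per last-four value, but if the BIN were preserved as well only 10^6 values would remain per (BIN, last four) pair and, by the birthday bound, a collision becomes likely after roughly a thousand tokens, which is why the uniqueness check and the choice of which digits to preserve matter. The separation-of-duties point: the allowlist is enforced by the token service, not by the calling application, so a compromised marketing database yields tokens only.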
![Page 40: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/40.jpg)
How will different Protection Options Impact Applications? (diagram combining the two preceding slides: token server, key manager and application databases with CCN/SSN stored as strong encryption, formatted encryption or token, and applications 1 to 3 consuming the protected value, partial clear data or full clear data)
![Page 41: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/41.jpg)
Application Impact with Different Protection Options (tables): Transparency and Security
Rows (type of application): can operate on the stored protected value (few); need partial information in clear (many); need full clear text information (few). Columns: Strong Encryption, Formatted Encryption, Token. Ratings were colour-coded in the original and are not reproduced in the text.
![Page 42: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/42.jpg)
Application Impact with Different Protection Options (tables): Performance and scalability, and Availability
Rows (type of application): can operate on the stored protected value (few); need partial information in clear (many); need full clear text information (few). Columns: Strong Encryption, Formatted Encryption, Token. Ratings were colour-coded in the original and are not reproduced in the text.
![Page 43: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/43.jpg)
Data Protection in the Enterprise – Implementation Example (diagram)
The data flow of the earlier slide (Collection at POS, e-commerce and branch -> Aggregation -> Operations -> Analysis -> Archive) served by a token server and key manager: applications that can use the stored protected value receive the token (1234 1234 1234 4560), those needing partial information in clear receive the token with its preserved digits, and those needing full information in clear receive the card number (55 49 9437 0789 4560) from the cipher.
![Page 44: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/44.jpg)
Data Protection Implementation Layers
Data protection options are not mutually exclusive.
Data protection layers
• Application
• Database
• File system
Data protection topologies
• Remote service
• Local service
Data security management
• Central management of keys, policy and reporting
![Page 45: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/45.jpg)
Data Protection Implementation - Enforcement Points (diagram)
Sensitive information can be protected at data entry, in the application, on the network, in the database, in the file system, on storage (disk) or on backup (tape). Before the enforcement point each layer holds unprotected sensitive information (123456 123456 1234); after it the layers hold protected values (@$%$^D&^YTOIUO*^).
![Page 46: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/46.jpg)
Generalization: Encryption at Different System Layers (chart)
The encryption layers (application, database, file system, storage such as SAN/NAS) are plotted on two axes, ease of deployment (transparency) and separation of duties (security level), each running from high to low: moving from the application layer towards the storage layer trades separation of duties for transparency.
![Page 47: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/47.jpg)
Data Protection Implementation Layers (tables)
Topology (local service, remote service) rated on performance, scalability and security; system layer (application, database, file system) rated on performance, transparency and security. Ratings were a best-to-worst colour scale in the original and are not reproduced in the text.
![Page 48: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/48.jpg)
Column Encryption Performance - Different Topologies (chart)
Rows per second (log scale from 1 000 to 10 000 000) for data loading (batch) and for queries (data warehouse and OLTP) on data warehouse, mainframe, Unix and Windows platforms, comparing network-attached encryption (software/hardware) with local encryption (software/hardware). The plotted values are not reproduced in the text.
A Few Comments on PCI Compliance
Formatted encryption is not, by itself, for PCI
• When PCI refers to encryption, it must be “strong”
• PCI provides high-level examples of what constitutes strong encryption, then refers to NIST for more details
• NIST publishes a list of acceptable ciphers and operating modes
• NIST had been considering new operating modes related to formatted encryption since 2000 (it approved FF1 and FF3 in SP 800-38G in 2016, after this talk)
Tokenization
• PCI DSS lists “index tokens and pads” among the acceptable ways to render PAN unreadable
• The pad, i.e. the lookup data, needs to be protected with strong encryption
![Page 50: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/50.jpg)
Main Takeaways
• Formatted encryption and tokenization are two very different techniques
• They are good solutions for particular use cases
• Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance
![Page 51: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/51.jpg)
Data Protection and Encryption in the Enterprise (diagram)
A central key manager, backed by hardware security modules, serves both a mainframe z/OS environment (RACF, applications, DB2, files, ICSF, the encryption solution) and distributed platforms (DB2 UDB, Informix, System i, Oracle, ...).
ICSF = Integrated Cryptographic Service Facility; RACF = Resource Access Control Facility.
![Page 52: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/52.jpg)
CPACF - CP Assist for Cryptographic Functions (CP = Central Processor)
![Page 53: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/53.jpg)
Vendors Providing Encryption on IBM Mainframe (table)
Columns: Vendor A, Vendor B, Vendor C, Vendor D, Native. Supported features (rows): column level encryption (fieldproc); row level encryption (editproc); application API (VSAM and more); encryption utility for flat files; direct CPACF hardware (not ICSF or LE); formatted encryption (FCE); RACF security control; local caching/storing of keys; enterprise key management; cross-platform solution. Ratings were a best-to-worst colour scale in the original and are not reproduced in the text.
![Page 54: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/54.jpg)
Data Protection and Encryption on z/OS – PCI DSS (diagram)
On the mainframe the encryption solution is reached from applications through an API, from DB2 through fieldproc, editproc or UDF exits, and for files through a utility; it uses ICSF with a hardware security module, under RACF control.
![Page 55: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/55.jpg)
Evaluation of Encryption Options for DB2 on z/OS (table)
Encryption interfaces (rows): API; UDF on DB2 V7 and V8; UDF on DB2 V9; fieldproc; editproc. Columns: performance, PCI DSS, security, transparency. Ratings were a best-to-worst colour scale in the original and are not reproduced in the text.
![Page 56: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/56.jpg)
Field Encryption – Protecting the Data Flow (diagram)
A central key manager serves a crypto solution on mainframe z/OS (application, DB2, files) and one on Windows, Unix, Linux, iSeries, ...; applications encrypt fields on one platform and decrypt them on the other, so the fields stay protected across the flow.
![Page 57: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/57.jpg)
Transparent Encryption – No Application Changes (diagram)
The same topology, but fields are encrypted and decrypted by the crypto solution itself: through a utility for mainframe files, inside DB2, and inside the database on the distributed side, so applications are not changed.
![Page 58: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/58.jpg)
Main Takeaways
DB2 for z/OS has good data protection options. Often the data and use cases require additional protection options, including better protection granularity.
• Data protection approaches: transparency vs. security
• Different topologies for data protection solutions: performance, scalability and availability
• Enterprise management: keys, policy and reporting
Enterprises should carefully evaluate these techniques against their use cases, adjusting for factors such as risk, cost, and compliance.
![Page 59: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/59.jpg)
Vendors Providing Data Protection (table)
Columns: Vendor A, Vendor B, Vendor C, Vendor D, IBM. Supported features (rows): WAF (SQL injection); formatted encryption; data tokenization; DB-integrated tokenization; database activity monitoring. Ratings were a best-to-worst colour scale in the original and are not reproduced in the text.
![Page 60: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/60.jpg)
Protecting Data in the Enterprise Data Flow
Passive Approaches +
Active Approaches =
End-To-End Protection
![Page 61: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/61.jpg)
Protecting Data in the Enterprise Data Flow (diagram)
Passive approaches sit around the database server: a web application firewall in front of the applications, database activity monitoring / data loss prevention on the traffic, and the database log files. Active approaches protect the data itself: the database columns and the tablespace datafiles. Passive approaches and active approaches together give end-to-end protection.
![Page 62: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/62.jpg)
Passive Data Protection Approaches
Web Application Firewall
• Protects against malicious attacks by inspecting application traffic
Data Loss Prevention
• Tags and monitors movement of sensitive assets
• Protects against the unintentional outbound leakage of sensitive assets
Database Activity Monitoring
• Inspects, monitors, and reports database traffic into and out of databases
• Can block malicious activity; blocking is seldom used because of false positives
Database Log Mining
• Mines the log files created by databases for good or bad activity
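As an added illustration of the database activity monitoring point above (not code from the deck or from any DAM product), here is a small analyser that runs three rules over constructed audit records in a hypothetical pipe-separated format: a separation-of-duties rule (only the tokenization service may read the vault table, which is how the "DBA attack" of the earlier diagram becomes visible), a bulk-read threshold, and a SQL-injection tautology signature. The signature is deliberately narrow, which is the trade-off the slide mentions between blocking and false positives. Table names, principals and log lines are all constructed.

```python
"""Three detection rules over database audit records.

Added illustration for the passive-approaches slide; the log format,
principal names and table names are constructed, not from a real product.
"""
import re

# Tables whose reads matter, and the only principals allowed to read them.
SENSITIVE_TABLES = {"card_vault"}
ALLOWED_READERS = {"card_vault": {"token_svc"}}
BULK_ROWS = 1000  # rows returned from a sensitive table that count as a bulk read

# Tautology such as  OR '1'='1'  or  OR 1=1  (same literal on both sides),
# and SQL comment markers that a well-formed application query never carries.
TAUTOLOGY = re.compile(r"\bor\s+'?(\w+)'?\s*=\s*'?\1'?(?!\w)", re.IGNORECASE)
COMMENT_TAIL = re.compile(r"--|/\*")
TABLE_REF = re.compile(r"\bfrom\s+([a-z_][\w.]*)", re.IGNORECASE)

# Constructed records: timestamp|db_user|client_ip|rows_returned|statement
AUDIT_LOG = """\
2009-05-12T10:01:03|pos_app|10.1.5.20|1|SELECT pan_token, amount FROM card_txn WHERE txn_id = 8812
2009-05-12T10:01:09|token_svc|10.1.6.4|1|SELECT pan FROM card_vault WHERE token = '1234123412344560'
2009-05-12T10:03:44|dba_smith|10.1.9.7|1|SELECT pan FROM card_vault WHERE vault_id = 9
2009-05-12T10:04:10|web_app|10.1.5.31|0|SELECT * FROM customers WHERE email = '' OR '1'='1' --'
2009-05-12T10:05:00|etl_batch|10.1.7.2|250000|SELECT pan FROM card_vault
"""


def parse_record(line: str) -> dict:
    ts, user, client, rows, stmt = line.split("|", 4)   # statement may contain '|'
    return {"ts": ts, "user": user, "client": client, "rows": int(rows), "stmt": stmt}


def analyze(log_text: str) -> list:
    """Return (timestamp, user, rule, detail) tuples for every rule that fires."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        touched = {t.lower() for t in TABLE_REF.findall(rec["stmt"])} & SENSITIVE_TABLES
        for table in sorted(touched):
            # Separation of duties: a DBA or batch account reading the vault is an alert
            # even though the database itself would happily allow the SELECT.
            if rec["user"] not in ALLOWED_READERS.get(table, set()):
                alerts.append((rec["ts"], rec["user"], "sod-violation", table))
            if rec["rows"] >= BULK_ROWS:
                alerts.append((rec["ts"], rec["user"], "bulk-read", f"{table}:{rec['rows']}"))
        if TAUTOLOGY.search(rec["stmt"]) or COMMENT_TAIL.search(rec["stmt"]):
            alerts.append((rec["ts"], rec["user"], "sqli-signature", rec["stmt"]))
    return alerts


def rules_by_user(log_text: str) -> dict:
    """Convenience view: which rules fired for which database user."""
    out = {}
    for _, user, rule, _ in analyze(log_text):
        out.setdefault(user, set()).add(rule)
    return out


if __name__ == "__main__":
    for alert in analyze(AUDIT_LOG):
        print(alert)
```

Run against the sample, the allowlist rule flags `dba_smith` and `etl_batch`, the threshold flags the 250 000-row export, and the tautology rule flags only the `web_app` statement; `pos_app` and `token_svc` produce nothing. The backreference in `TAUTOLOGY` is what keeps a legitimate `OR region = 'south'` from firing; loosening it to any `OR ... = ...` would catch more injection variants at the cost of exactly the false positives that make operators reluctant to turn on blocking.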
![Page 63: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/63.jpg)
Active Data Protection Approaches
Application Protection
• Utilizes crypto APIs to protect sensitive assets in applications
• This approach protects data as it enters your business systems
Column Level Protection
• Protects data inside the database at the column level
• Can be deployed in a transparent approach that minimizes changes to your environment
• Considered to be the most secure approach to protect sensitive assets
Database File Protection
• Protects the data by encrypting the entire database file
![Page 64: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/64.jpg)
Passive Database Protection Approaches (table): operational impact profile
Rows: web application firewall; data loss prevention; database activity monitoring; database log mining. Columns: performance, storage, security, transparency, separation of duties. Ratings were a best-to-worst colour scale in the original and are not reproduced in the text.
![Page 65: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/65.jpg)
Active Database Protection Approaches (table): operational impact profile
Rows: application protection (API); column level encryption (FCE, AES, 3DES); column level replacement (tokens); tablespace/datafile protection. Columns: performance, storage, security, transparency, separation of duties. Ratings were a best-to-worst colour scale in the original and are not reproduced in the text.
Risk Adjusted Data Protection
1. Assign value to your data
2. Assess exposure
3. Determine risk
4. Understand which data protection solutions are available to you
5. Estimate costs
6. Choose the most cost effective method
Assign Value to Your Data
Identify sensitive data
• If available, utilize an existing data classification project
• Rank what is sensitive on its own (think PCI)
• Consider what is sensitive in combination (think privacy)
How valuable is the data (1) to your company and (2) to a thief?
• Corporate IP, credit card numbers, personally identifiable information
Assign a numeric value: high = 5, low = 1
Assess Exposure and Probability
Locate the sensitive data
• Applications, databases, files, data transfers across internal and external networks
Location on the network
• Segmented?
• External or partner-facing application?
Access
• How many users have access to the sensitive data?
• Who is accessing sensitive data?
• How much data is being accessed, and how frequently?
Assign a numeric value: high = 5, low = 1
Determine “Risk” – A Simplified Model
Data Security Risk = Data Value * Exposure

| Data Field | Value | Exposure | Risk Level |
|---|---|---|---|
| Credit Card Number | 5 | 5 | 25 |
| Social Security Number | 5 | 4 | 20 |
| CVV | 5 | 4 | 20 |
| Customer Name | 3 | 4 | 12 |
| Secret Formula | 5 | 2 | 10 |
| Employee Name | 3 | 3 | 9 |
| Employee Health Record | 3 | 2 | 6 |
| Zip Code | 1 | 3 | 3 |

• Enables prioritization
• Groups data for potential solutions
Matching Data Protection Solutions with Risk Level

| Risk | Solutions |
|---|---|
| Low Risk (1-5) | Monitor |
| At Risk (6-15) | Monitor, mask, access control limits, format control encryption |
| High Risk (16-25) | Replacement, strong encryption |

| Data Field | Risk Level |
|---|---|
| Credit Card Number | 25 |
| Social Security Number | 20 |
| CVV | 20 |
| Customer Name | 12 |
| Secret Formula | 10 |
| Employee Name | 9 |
| Employee Health Record | 6 |
| Zip Code | 3 |

Select risk-adjusted solutions for costing
Estimate Costs
Cost = Solution Cost + Operations Cost
Solution Cost = cost to license or develop, install and maintain
Operations Cost = cost to change applications, impact on downstream systems, meeting SLAs, user experience
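The risk and cost model of the preceding slides carried through in code, as an added example rather than anything from the deck: Risk = Value * Exposure, banded into Low / At Risk / High with the solution classes the deck assigns to each band, and then the cheapest catalogued solution that fits the band chosen by Solution Cost + Operations Cost. The field scores are the deck's own sample table; the solution catalogue and every cost figure in it are constructed for the example.

```python
"""Risk-adjusted data protection: score, band, then cost the fitting solutions.
Added example; field scores come from the deck's table, the catalogue and its
costs are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bands and solution classes as stated on the deck's risk slide
RISK_BANDS: Tuple[Tuple[int, int, str, Tuple[str, ...]], ...] = (
    (1, 5, "Low Risk", ("monitor",)),
    (6, 15, "At Risk", ("monitor", "mask", "access control limits", "format control encryption")),
    (16, 25, "High Risk", ("replacement (tokens)", "strong encryption")),
)


@dataclass(frozen=True)
class DataField:
    name: str
    value: int     # 1 = low .. 5 = high: worth to the company and to a thief
    exposure: int  # 1 = low .. 5 = high: where it lives, who reaches it, how often

    def __post_init__(self) -> None:
        for score in (self.value, self.exposure):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {score}")

    @property
    def risk(self) -> int:
        return self.value * self.exposure   # Data Security Risk = Data Value * Exposure


def risk_band(risk: int) -> Tuple[str, Tuple[str, ...]]:
    for low, high, label, solutions in RISK_BANDS:
        if low <= risk <= high:
            return label, solutions
    raise ValueError(f"risk {risk} outside 1..25")


@dataclass(frozen=True)
class Solution:
    """A candidate control with the deck's two cost components."""
    name: str
    solution_class: str    # must match one of the RISK_BANDS solution strings
    solution_cost: int     # license or develop, install, maintain
    operations_cost: int   # application changes, downstream impact, SLAs, user experience

    @property
    def total_cost(self) -> int:
        return self.solution_cost + self.operations_cost


def cheapest_fit(field: DataField, catalogue: List[Solution]) -> Optional[Solution]:
    """Cheapest catalogued solution whose class is allowed for the field's risk band."""
    _, allowed = risk_band(field.risk)
    fits = [s for s in catalogue if s.solution_class in allowed]
    return min(fits, key=lambda s: s.total_cost, default=None)


def plan(fields: List[DataField], catalogue: List[Solution]) -> List[Dict[str, object]]:
    """Rank fields by risk (highest first) and attach band and cheapest fitting solution."""
    rows: List[Dict[str, object]] = []
    for f in sorted(fields, key=lambda x: x.risk, reverse=True):
        label, _ = risk_band(f.risk)
        best = cheapest_fit(f, catalogue)
        rows.append({"field": f.name, "risk": f.risk, "band": label,
                     "solution": best.name if best else None,
                     "cost": best.total_cost if best else None})
    return rows


# Sample scores from the deck's risk table
DECK_FIELDS = [
    DataField("Credit Card Number", 5, 5), DataField("Social Security Number", 5, 4),
    DataField("CVV", 5, 4), DataField("Customer Name", 3, 4),
    DataField("Secret Formula", 5, 2), DataField("Employee Name", 3, 3),
    DataField("Employee Health Record", 3, 2), DataField("Zip Code", 1, 3),
]

# Constructed catalogue; the cost figures are illustrative, not from the deck
CATALOGUE = [
    Solution("database activity monitoring", "monitor", 20_000, 5_000),
    Solution("column-level AES encryption", "strong encryption", 60_000, 90_000),
    Solution("column-level tokenization", "replacement (tokens)", 70_000, 30_000),
    Solution("format-preserving encryption", "format control encryption", 50_000, 15_000),
    Solution("static data masking", "mask", 15_000, 8_000),
]

if __name__ == "__main__":
    for row in plan(DECK_FIELDS, CATALOGUE):
        print(f"{row['field']:<24} risk={row['risk']:>2} {row['band']:<10} -> {row['solution']} ({row['cost']})")
```

With these constructed costs the card number lands in the High band and gets tokenization (the AES option fits too but its operations cost is higher), the customer name lands in At Risk and gets masking, and the zip code stays on monitoring only; change a single cost figure and the choice moves, which is the point of costing after banding rather than before.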
Operation Cost Factors
Performance
• Impact on operations: end users, data processing windows
Storage
• Impact on data storage requirements
Security
• How secure is the data at rest?
• Impact on data access: separation of duties
Transparency
• Changes to application(s)
• Impact on supporting utilities and processes
Operation Cost Factors
The solution should be able to change with the environment
• Progress from a less to a more secure solution, or the reverse
• Add new defenses for future threats
• Plug into existing infrastructure, integrate with other systems
How to Protect the Weak Links in your Data Flow
Review Risk & Determine Protection Approach
• Analyze the data flow
• Identify assets and assign business value to each
• Identify vulnerabilities for each asset
• Identify potential attack vectors and attackers
• Assess the risk
• Compliance aspects
• Select data protection points and protection methods
Assess Total Impact
• Functionality limitations
• Performance and scalability
• Application transparency
• Platform support and development life cycle support
• Key management, administration and reporting
• Deployment cost, time and risk
Adjust, then repeat the review
Cost Effective Data Protection
• Uses risk as an adjusting factor for determining a data protection strategy: Risk = Data Value * Exposure
• Determines solutions that fit the risk level, then determines cost: Cost = Solution Cost + Operational Cost
• Prepare for the future
Use of Production Data in a Test System
• Production data is in many cases needed to ensure quality in system testing.
• Key data fields that can be used to identify an individual or corporation need to be cleansed to depersonalize the information.
• Cleansed data needs to be easily restored (for downstream systems and feeding systems), at least in the early stages of implementation. This requires two-way processing. The restoration process should be limited to situations for which there is no alternative to using production data (interface testing with a third party, or firefighting situations, for example). Authorization to use this process must be limited and controlled.
• In some situations, business rules must be maintained during any cleansing operation (addresses for processing, dates of birth for age processing, names for gender distinction).
• There should also be the ability to set parameters, or to select or identify fields to be scrambled, based on a combination of business rules.
• A solution must be based on secure encryption, robust key management, separation of duties, and auditing.
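The one-way half of the cleansing described above, as an added example and not the deck's or any product's code. A keyed HMAC drives every substitution, so the same customer masks identically in every table and feed (joins and downstream systems keep working) while nothing can be restored without the key, and the name substitution is many-to-one even with it; the business rules the slide names are kept (gender distinction, date of birth usable for age processing, a Luhn-valid card number so input validation in the application under test still passes). MASK_KEY, the surrogate name pools and the record layout are assumptions made for the example; in practice the key comes from the key manager and is rotated per test-data refresh. The restorable, two-way path the slide also calls for is a vault lookup gated by authorization, not something a one-way function can provide.

```python
"""One-way masking of production records for a test system. Added example;
MASK_KEY, name pools and record layout are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Tuple

MASK_KEY = b"constructed-demo-key-not-for-production"   # assumption: from the key manager

# Constructed surrogate pools; gender distinction is kept so gender logic still tests.
FIRST_NAMES = {
    "F": ["Anna", "Beatriz", "Chloe", "Dana", "Elin", "Farah"],
    "M": ["Anders", "Bjorn", "Carl", "Dev", "Emil", "Farid"],
}
LAST_NAMES = ["Adler", "Berg", "Costa", "Dahl", "Ekman", "Fischer", "Gruber", "Holm"]


def _prf(field: str, value: str) -> int:
    """Keyed one-way function over (field, value); the field label stops a value
    masked in one column from being recognisable in another."""
    mac = hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def luhn_ok(pan: str) -> bool:
    digits = [int(c) for c in pan][::-1]
    return sum(d if i % 2 == 0 else (2 * d - 9 if d > 4 else 2 * d)
               for i, d in enumerate(digits)) % 10 == 0


def mask_name(first: str, last: str, gender: str) -> Tuple[str, str]:
    pool = FIRST_NAMES[gender]
    return pool[_prf("first", first) % len(pool)], LAST_NAMES[_prf("last", last) % len(LAST_NAMES)]


def mask_dob(dob: date) -> date:
    """Keep year and month so age processing stays right to within a month; shuffle the day."""
    return dob.replace(day=1 + _prf("dob", dob.isoformat()) % 28)


def mask_pan(pan: str) -> str:
    """Keep the leading digit and the last four, replace the rest, then adjust one
    replaced digit so the kept check digit still validates under Luhn."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a well-formed PAN")
    n = len(pan) - 5
    middle = [int(c) for c in f"{_prf('pan', pan):020d}"[-n:]]
    for fix in range(10):        # a single digit runs through every residue mod 10, so one value fits
        middle[0] = fix
        candidate = pan[0] + "".join(map(str, middle)) + pan[-4:]
        if luhn_ok(candidate):
            return candidate
    raise AssertionError("unreachable")


@dataclass(frozen=True)
class Customer:
    customer_id: int    # join key, kept as-is so referential integrity survives
    first: str
    last: str
    gender: str
    dob: date
    pan: str


def mask_customer(c: Customer) -> Customer:
    first, last = mask_name(c.first, c.last, c.gender)
    return replace(c, first=first, last=last, dob=mask_dob(c.dob), pan=mask_pan(c.pan))


# Constructed production records (the PANs are well-known test numbers)
PROD_SAMPLE: List[Customer] = [
    Customer(1001, "Maria", "Svensson", "F", date(1975, 3, 14), "4111111111111111"),
    Customer(1002, "Erik", "Lund", "M", date(1960, 11, 2), "5500000000000004"),
]

if __name__ == "__main__":
    for c in PROD_SAMPLE:
        print(c, "->", mask_customer(c))
```

Because the mapping is deterministic under one key, a second extract taken with the same key lines up with the first; rotating the key for the next refresh breaks that linkage on purpose. An unkeyed hash would give the same determinism but could be reversed from a dictionary of real names or, for card numbers, by enumeration.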
Data Masking – One-way vs. Two-way
(chart: Data Quality & Exposed Details, high to low, across the information life cycle Development, Testing, Staging, Production, Operational, Analytics, Archive; protected versus unprotected sensitive information is marked, with unprotected points at the partner interface, data entry, 3rd-party interface testing and firefighting; regions labelled Two-Way Masking and One-Way Masking)
Business Value vs. Ease of Compliance
(chart: Ease of Compliance, high to low, against Business Value from lost data to reusable data, across Deleting Data, Masking One-way, Masking Two-Way and Clear Data; techniques placed on it: Simple Masking, Hashing, Tokenizing, Encryption)
Data Security Management
An integral part of technical and business process
Security Policy
• Centralized control of security policy
• Consistent enforcement of protection
• Separation of duties
Reporting and Auditing
• Compliance reports
• Organization-wide security event reporting
• Alerting
• Integration with SIM/SEM
Key Management
Managing Data Security in the Enterprise
(diagram: central management of security policy, reporting, encryption keys and data tokens across Mainframe z/OS, DB2 UDB, Informix, iSeries, Oracle, SQL Server, …)
How about Native Database Encryption?
Advantages
• Available from most database vendors
• Enables you to get started quickly
Disadvantages
• Mostly non-transparent solutions
• Some vendors do not protect the Data Encryption Keys well enough
• Lack of secure interoperability between instances of the same vendor
• No secure interoperability with databases from other vendors
• No centralization of policy, key management, and audit reporting
http://www.net-security.org/dl/insecure/INSECURE-Mag-2.pdf
Protecting the Data Flow: Case Studies
Data Protection in the Enterprise Data Flow
(diagram: web apps, a polling server, partners (financial institutions), archive, HQ, and branches/stores with store back office applications, store DB, T-logs and journals as points of collection; a multiplexing platform and ERP at HQ; flow stages Collection, Aggregation, Operations and Analytics (tactical, detailed analytical, focused / summary analytical, active access / alerting); a central Manager distributes Policy to every protection point and collects Logs into Reports; protected fields are shown as ciphertext such as $%&# and 7ks##@)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1144290
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1051481
Case Studies
One of the most widely recognized credit and debit card brands in the world
• Their volume of data is in the multiple billions of rows; they needed a solution that would not degrade performance.
Major financial institution
• Protecting high-worth clients' financial information.
• Central key management and separation of duties were of the utmost importance.
One of the world's largest retailers
• Protecting the flow of sensitive credit card information from the store, through the back office systems and into the data warehouse and storage.
• Central key management and the ability to support thousands of stores were critical to this success.
• Transparent to existing applications.
• Protect sensitive information in their Teradata data warehouse, iSeries (AS/400), zSeries (mainframe), Oracle and MS SQL Server, and protect files that reside across platforms including Unix and z/Series.
Case 1: Goal – PCI Compliance & Application Transparency
(diagram: credit card entry into the application at the local store location (branch), with file encryption on Windows; FTP to the central HQ location, with file encryption on Windows, UNIX, Linux and z/OS and database encryption for DB2 (z/OS, iSeries), Oracle and SQL Server; settlement batch to the financial institution)
Case 1: File Encryption & FTP
(diagram: credit card entry into the POS application; the file system (memory), FTP application, network, backup (tape) and storage (disk) hold protected sensitive information as ciphertext such as @$%$^D&^YTOIUO*^; the unprotected value 123456 123456 1234 exists before file encryption, and attacker markers show where that clear value is reachable)
Case 1: From Encrypted File to Encrypted Database
(diagram: the file received by the FTP application over the network stays encrypted (@$%$^D&^YTOIUO*^) until the application loads it into the encrypted database; the clear value 123456 123456 1234 exists in the application during the load, and attacker markers show where that clear value is reachable)
Case 2a: Goal – Addressing Advanced Attacks & PCI
(diagram: credit card entry at the local store location (branch) goes through application encryption, with file encryption on Windows; FTP to the central HQ location, with file encryption on Windows, UNIX, Linux and z/OS and database encryption for DB2, Oracle and SQL Server; decryption only at the settlement FTP to the financial institution; labelled “continuously encrypted computing: protection of sensitive data fields”)
Case 2a: Application Encryption to Encrypted Database
(diagram: the value 123456 123456 1234 is protected at the point of data acquisition in the POS application, so the application, file system, database, network, backup (tape) and storage (disk) only ever see the protected form 123456 777777 1234)
Case 2b: Goal – Addressing Advanced Attacks & PCI
(diagram: credit card entry at the local store location into an application with database encryption for SQL Server; FTP to the central HQ location with database encryption for DB2 z/OS; labelled “continuously encrypted computing: protection of sensitive data fields”)
Case 2b: From Encrypted Database to File & FTP
(diagram: the order application at the point of data acquisition takes the clear value 123456 123456 1234 and the database stores the protected form aVdSaH 1F4hJ5 1D3a; the extraction application, file, FTP application, backup (tape) and storage (disk) carry the protected form unchanged)
Case 2b: From Selectively Encrypted File to Encrypted Database
(diagram: the selectively encrypted file, with aVdSaH 1F4hJ5 1D3a in the card field, travels through the FTP application and network into the application and database, backup (tape) and storage (disk) without being decrypted; 123456 123456 1234 is marked as unprotected sensitive information wherever the field is in the clear)
Case 3: Goal – Addressing Advanced Attacks & PCI
(diagram: credit card entry at the local store location (branch) passes through an encrypting gateway; the applications, databases and files at the central HQ location hold only protected fields; a decrypting gateway sits in front of the online authorization transaction to the financial institution; labelled “continuously encrypted computing: protection of sensitive data fields”)
Case 3: Gateway Encryption
(diagram: the encrypting gateway turns 123456 123456 1234 into 123456 777777 1234 before the applications, file system, database, network, backup (tape) and storage (disk); the decrypting gateway restores the clear value only for the outbound authorization; attacker markers sit at the points that hold the clear value)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=940287
Different ‘Tokenizing’ Approaches & Topologies
(diagram: four topologies for where the token and the encrypted CCN are held: an outsourced ASP central tokenizer, an on-site central tokenizer at the home office / HQ, an on-site local tokenizer at branch offices / stores, and an algorithmic tokenizer in which an ‘encryption’ algorithm inside the application derives the token; the application sends the CCN 123456 123456 1234 to the tokenizer over the network and keeps the token ABCDEF GHIJKL 1234)
How to Protect the Data Flow Against Advanced Attacks
(diagram: continuously protected data flow; 123456 123456 1234 is encrypted at the point of data acquisition to 123456 777777 1234 and decrypted only at payment authorization and at settlement & charge-back; protected and unprotected sensitive information are marked at each stage)
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1330466
http://www.quest-pipelines.com/newsletter-v7/0706_C.htm
Protegrity Solutions
• Protecting data
• Protecting web applications
• Managing data security
The Protegrity Defiance© Suite
Data Protection System (DPS)
• Encryption, monitoring, masking
• Database, file and application level
Threat Management System (TMS)
• Web application firewall
Enterprise Security Administrator
• Security policy
• Key management
• Alerting, reporting, and auditing
APPENDIX
Current Discussion of Data Protection for PCI DSS
• The PCI SSC is currently studying the effect on the standard of different technologies (e.g. end-to-end encryption, tokenization, chip and PIN).
• Bob Russo (General Manager) and the PCI SSC are currently working in Europe with the European Payments Council (EPC).
Protegrity: Participating Organization
https://www.pcisecuritystandards.org
PCI Security Standards Council about Data in Transit
The PCI Security Standards Council (https://www.pcisecuritystandards.org/) manages the PCI DSS standards.
• End-to-end encryption is likely to be a central focus as the council seeks input on how this might best be achieved in the payment-card environment through different technologies.
• If that is accomplished, it might result in a decidedly new PCI standard in the future for card-data protection, the PCI Security Standards Council says in http://www.networkworld.com/news/2008/100108-pci-credit-card.html?page=2 .
• "Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally," the PCI Security Standards Council says. "But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. So we'll be looking at that in 2009."
The PCI Knowledge Base (www.KnowPCI.com)
– Based on over 450 hours of 100% anonymous interviews – not a survey
The Major Features of the PCI Knowledge Base (www.KnowPCI.com)
• You won’t see the “Knowledge Base” until you are logged in
• We host a weekly PCI research webinar series
• Latest PCI news feeds
• It is free to register
• Search our database of over 3000 best practices from merchants, PCI assessors, banks, card processors and many others
• Ask questions of peers and assessors in our free PCI discussion forums
• Interact with our panel of 85+ PCI experts
• Purchase our latest research reports and trend analysis
• We’ve conducted 300 hours of anonymous interviews and have 1800+ members
Based on Over 450 Hours of 100% Anonymous Interviews – Not a Survey
(chart: share of the 450+ interview hours by participant type: F1000 retailers, SME retailers, QSAs, payment processors, banks, retail consultants, IT providers, e-comm retailers, hospitality, other merchants)
Interviews with retailers focus on best practices, experiences, QSA and vendor feedback, budgets and priorities.
Interviews with QSAs, consultants and IT providers focused on vulnerabilities, risks and technology adoption trends.
Source: PCI Knowledge Base, July 2009
Why is Tokenization Such a Hot Issue for PCI Compliance?
• Lowers Security Cost – Tokenization reduces or eliminates “sensitive” data from your systems. The less data you have to protect, the less it costs to secure it.
• Reduces Compliance Scope – Only systems that store, process or transmit cardholder data are in PCI scope. By eliminating card data from most or all of your systems, the number of systems that have to be assessed and secured is greatly reduced.
• Lowers Breach Risk – Tokenization replaces data that has “black market” value with data that has no value. If thieves know that you have no valuable data, they have no reason to try to break into your systems.
Source: PCI Knowledge Base, July 2009
Note: the tokenization system and its vault still hold cardholder data and remain in scope; the scope reduction applies to the systems that end up holding only tokens.
Multi-Channel Issues: Is One Tokenization Solution Possible?
(diagram: buyers 1, 2 and 3 pay through the front office applications: payment gateway, (virtual) POS, call center, shopping cart; payment processing via ISO / processor and acquiring bank; back office applications: GL / AR / AP, loss prevention, sales audit; “real” data is confined to secure data storage, management & retrieval, “fake” (token) data is used everywhere else)
Source: PCI Knowledge Base, July 2009
Proving Tokenization Works: Is it Being Used Beyond Pilots / Trials?
(chart: share of merchants by tokenization status (Enterprise, POS, Trial, Considering, No Plans, Unaware) in Jun-08, Dec-08 and Jun-09)
Since June 2008, our interview data has shown a major shift in how merchants, payment processors and PCI assessors view tokenization.
In our anonymous discussions, we find that more merchants are aware of tokenization, and most are now planning to implement it, or at least considering tokenization.
Source: PCI Knowledge Base, July 2009
Cost: How to Compare Tokenization Costs vs PCI Compliance Costs?
(diagram: each system in the card data flow – payment terminal, POS server, polling server, temp FTP, web store, call center, fraud management – carries the same control stack: encryption, password vaulting, access controls, logging; E2E encryption & enterprise key management is marked as a needed but complex dependency)
ISSUE: The cost savings due to tokenization vs the cost of all PCI controls, not just encryption.
ISSUE: E2E encryption will also reduce costs long term, but the up front costs are likely to be higher.
Source: PCI Knowledge Base, May 2009
Token Options: How and When Can Tokens be Generated & Managed?
(diagram of three options for token generation and management: processor token management, in-house token management and industry token management, serving the e-commerce web host, call center applications, in-store POS apps, ERP application and hospitality applications; in each option the card # goes to the token manager and only the token returns to the application)
The best token generation & management may vary depending on business needs. Hospitality has different transaction timeframes than most retail, for example.
Example: Homegrown tokenization
Source: PCI Knowledge Base, July 2009
Vendor Decisions: How to Choose Among the Tokenization Options?
ISSUE: How to best reduce the number of data repositories and ensure that “encrypt / decrypt / re-encrypt” cycles are eliminated, so the vulnerabilities can be eliminated or reduced?
(diagram: card swipe at the payment terminal, POS terminal with payment SW, store server with payment SW, in-house payment gateway / switch)
ISSUE: Who is best positioned to manage end-to-end encryption?
• PED / POS vendors (encrypt from swipe to acquirer)
• Corporations: homegrown tokens (e.g., hashes)
• Processors (outsourced payment management solutions)
• Encryption SW: encryption & key management SW that generates tokens
Source: PCI Knowledge Base, January 2009
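Two of the tokenizing approaches from the topology slide and the vendor options above, side by side as an added example that is not the deck's or any vendor's code: a central token vault that issues random tokens in the ABCDEF GHIJKL 1234 shape, with detokenization limited to named roles and audited, next to a homegrown token made by hashing the PAN. The second shows concretely why the later remark that some in-house projects "are not sufficiently secure" applies to hash tokens: an attacker who knows the BIN and the last four digits (both routinely stored and printed) has only six unknown digits in a 16-digit PAN, Luhn prunes nine tenths of those, and about a hundred thousand hashes recover the card. The vault here is an in-memory dict; in production its contents are encrypted under keys from the key manager and it stays inside PCI scope (assumption). The role names and the test PAN are also assumptions.

```python
"""Vault tokenization versus a homegrown hash 'token'. Added example; the
in-memory vault, the role names and the test PAN are assumptions."""
import hashlib
import secrets
import string
from typing import Dict, List, Optional


def luhn_ok(pan: str) -> bool:
    digits = [int(c) for c in pan][::-1]
    return sum(d if i % 2 == 0 else (2 * d - 9 if d > 4 else 2 * d)
               for i, d in enumerate(digits)) % 10 == 0


def well_formed_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


class TokenVault:
    """Central tokenizer. A token carries nothing of the PAN except the last
    four, and the letters make it impossible to confuse with a real PAN."""

    def __init__(self, detokenize_roles=("settlement", "chargeback")):
        self._by_pan: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}
        self._allowed = frozenset(detokenize_roles)
        self.audit: List[str] = []

    def tokenize(self, pan: str) -> str:
        if not well_formed_pan(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:           # same card, same token: analytics can still group by card
            return self._by_pan[pan]
        while True:                       # random, so the token reveals nothing; retry on collision
            token = "".join(secrets.choice(string.ascii_uppercase) for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        self.audit.append(f"TOKENIZE last4={pan[-4:]}")
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the roles that genuinely need the PAN may reverse a token; every attempt is logged."""
        if role not in self._allowed:
            self.audit.append(f"DENY detokenize token=...{token[-4:]} role={role}")
            raise PermissionError(f"role {role!r} may not detokenize")
        pan = self._by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        self.audit.append(f"ALLOW detokenize token=...{token[-4:]} role={role}")
        return pan


def hash_token(pan: str) -> str:
    """The homegrown approach: a deterministic, unkeyed hash used as the 'token'."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(token: str, bin6: str, last4: str, length: int = 16) -> Optional[str]:
    """Enumerate the PANs consistent with a known BIN and last four and compare
    hashes; Luhn is checked first so only one candidate in ten is hashed."""
    n = length - len(bin6) - len(last4)
    for i in range(10 ** n):
        candidate = f"{bin6}{i:0{n}d}{last4}"
        if luhn_ok(candidate) and hash_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111111111111111")           # well-known test PAN
    print("token stored in the application:", t)
    print("settlement gets:", vault.detokenize(t, "settlement"))
    print("hash 'token' reversed to:", recover_pan_from_hash(hash_token("4111111111111111"), "411111", "1111"))
```

Keying the hash (an HMAC under a secret) stops the enumeration for as long as the key stays secret, but it makes that key as sensitive as the vault and still gives settlement and charge-back no way to get the PAN back, which is why the deck's best practice calls for a managed, encrypted repository rather than a hash.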
Getting the Most Value from Tokenization Solutions
Scalability: The more data repositories and systems that store, process or transmit cardholder (or other confidential) data, the more value you will receive from tokenization. Consider these examples:
(diagram of three tiers, spanning an e-commerce website, call center applications, in-store POS apps, operations applications, fraud / loss prevention and a sales audit system)
• SMEs – single channel, single app. Value added: 1. Data management 2. Reduce risk 3. Part of data outsourcing
• Mid-tier merchants – POS + MOTO sales channels + some tracking apps. Value added: 1. Reduces data redundancy 2. Reduces unauthorized access by employees 3. May be homegrown
• F1000 level merchants – multi-channel business + internal data stores + service providers for sales analysis, etc. Value added: 1. Major PCI scope and cost reductions 2. Identifies risky data flows & processes 3. Offered as a service by processors or other third parties
MOTO = Mail Order / Telephone Order
Source: PCI Knowledge Base, July 2009
Integrating Tokenization: How to Make it “Part of” Applications?
ISSUE: The average Level 1 or large Level 2 merchant has 4-6 different encryption systems. Complete replacement is not an option for most of them, and enterprise-wide encryption can cost > $1M
ISSUE: The movement of card data among systems creates dozens of different intermediate processes & data stores, greatly increasing risk, and process re-design can take years.
ISSUE: The debit & credit settlement process often means that ERP, CRM and SCM apps are in PCI scope, and rewriting them is far more costly than PCI compliance.
Source: PCI Knowledge Base, May 2009
![Page 125: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/125.jpg)
Why Keep Card Data at All? When to Outsource Payment Processing
[Chart: share of F1000s, SMEs and E-Comms that are Now Fully Outsourced, Partial Outsourced, Considering Outsourcing, or have No Plans to Outsource; 0–100% axis]
One of the biggest changes we have seen in the last year is the growth in the consideration of outsourcing. Mostly, this is among firms that have been running their own payment gateway across their divisions.
Source: PCI Knowledge Base, May 2009
![Page 126: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/126.jpg)
Adopt “Secure Tokenization” to Remove Card Data But Retain Analytics
[Chart: Current vs Potential Use of Secure Tokenization, F1000 vs SME; series: Use as of 4Q08 and Potential Adoption; 0–100% axis]
A few leading retailers are using secure tokenization systems. But some of the first generation tools and in-house projects are not sufficiently secure and will need to be replaced before they will pass.
Source: PCI Knowledge Base, January 2009
Best Practice Description: Use “secure” tokenization tools or services to create a centralized, encrypted repository of card data and use surrogate and/or partially masked data to validate transaction records for sales audit and marketing analysis. How tokens are created and managed is key to this best practice.
Level of Investment: $5,000 – 40,000 in SW licensing and increased transaction costs.
Potential Savings: $10,000 – 100,000 in reduced assessment costs and avoided security control costs.
Best for: F1000 retailers who cannot segment networks and have card data throughout the enterprise.
Primary Dept Owner: IT Infrastructure, with support from CFO on switching processors.
PCI Reqmts Met: 3, 4
![Page 127: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/127.jpg)
The Bottom Line: Tokenization is an Enterprise Strategy
1. Tokenization is a strategy when it is applied as a way to centralize and improve the management of confidential data, enterprise-wide.
2. Tokenization’s value is not in the “substitution” process but in the management of confidential data.
3. Tokenization drives the discovery (and removal) of confidential data from potentially hundreds or thousands of files and DBs across the enterprise.
4. Tokenization has tactical value for PCI compliance, because it can greatly reduce the scope of PCI assessment as well as PCI compliance costs.
5. Tokenization, at an enterprise level, must not impact system and process performance by making “real” data retrieval impossible or cumbersome.
6. Tokenization as an enterprise strategy must be capable of supporting a multi-channel sales and service environment.
7. Tokenization does not necessarily require that confidential data be removed from all enterprise systems, but the fewer systems that contain this data, the lower the risk.
8. Tokenization providers must be thoroughly vetted, both technically and as service providers, as they become mission critical partners.
Data Breach Survey, Ponemon Institute, 2006
Source: PCI Knowledge Base, July 2009
![Page 128: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/128.jpg)
![Page 129: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/129.jpg)
![Page 130: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/130.jpg)
PCI Research
![Page 131: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/131.jpg)
![Page 132: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/132.jpg)
![Page 133: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/133.jpg)
![Page 134: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/134.jpg)
![Page 135: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/135.jpg)
![Page 136: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/136.jpg)
![Page 137: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/137.jpg)
![Page 138: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/138.jpg)
![Page 139: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/139.jpg)
![Page 140: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/140.jpg)
Data Protection Formats
![Page 141: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/141.jpg)
This is a generalized example of how each protection method changes the data field:

| Method | Example value | Data field length | Data type |
|---|---|---|---|
| Clear Text | 123456 123456 1234 | Original length | Numeric |
| Hash | !@#$%a^&*B()_+!@4#$2%p^&* | Longer | Binary data |
| Encryption | !@#$%a^&*B()_+!@ | Original length | Binary data |
| Alphanumeric | aVdSaH 1F4hJ5 1D3a | Original length | Text |
| Encoding / Token | 666666 777777 8888 | Original length | Numeric |
| Partial Enc | 123456 777777 1234 | Original length | Numeric |

Preserving the Data Format: the Alphanumeric, Encoding / Token and Partial Enc rows keep the field's original length and type.
![Page 142: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/142.jpg)
Field Level Data Protection Methods vs. Time
[Chart: Protection Level (Medium to High) vs. Time for Tokenized Data, Strong Encryption (AES CBC), Format Controlling Encryption (AES FCE), Keyed Hash (HMAC) and Plain Hash (SHA-1 on CCN); Key Rotation marked on the time axis]
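Added example, not code from the slides or from Protegrity: it ties the Data Protection Formats table to the Plain Hash vs Keyed Hash comparison above by taking a constructed PAN through display masking (PCI 3.3), a format-preserving vault token, a plain SHA-1 hash and an HMAC, and reporting each result's field length and data type. The PAN, the HMAC key and the in-memory vault are constructed assumptions.

```python
"""Added example, not from the slides: the PAN protection formats of the
"Data Protection Formats" slide, plus the plain-hash vs keyed-hash contrast."""
import hashlib
import hmac
import secrets

PAN = "1234561234561234"           # constructed sample, not a real card number
HMAC_KEY = b"constructed-demo-key"  # assumption: production keys come from a key manager

def mask_pan(pan: str) -> str:
    """Partial masking for display (PCI 3.3): first six and last four stay visible."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Token / encoding: numeric, same length, last four kept, middle digits random.
    The real PAN exists only in the vault; a token alone cannot be reversed."""
    def __init__(self):
        self._pan_to_token, self._token_to_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:           # one PAN always maps to one token
            return self._pan_to_token[pan]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan], self._token_to_pan[token] = token, pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]

def plain_hash(pan: str) -> bytes:
    """SHA-1 of the PAN: keyless, so anyone can recompute it from a guessed PAN."""
    return hashlib.sha1(pan.encode()).digest()

def keyed_hash(pan: str, key: bytes = HMAC_KEY) -> bytes:
    """HMAC: without the key the value cannot be recomputed from a guessed PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).digest()

def describe(value, original: str) -> tuple:
    """The slide's two columns: field length relative to clear text, and data type."""
    length = "original length" if len(value) == len(original) else "longer"
    if isinstance(value, bytes):
        kind = "binary"
    else:
        kind = "numeric" if value.isdigit() else "alphanumeric"
    return length, kind
```

Hashes come out longer and binary, which is why they break numeric columns and applications that expect a PAN-shaped field, while the token keeps length and type and so slots into existing schemas.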
![Page 143: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/143.jpg)
Format Controlling Encryption vs. Time
[Chart: Protection Level (Medium to High) vs. Time for Tokenized Data, AES FCE (numeric & IV) and AES FCE (alphanumeric & fix IV)]
![Page 144: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/144.jpg)
Field Level Data Protection Methods vs. Time
[Chart: Protection Level (Medium to High) vs. Time for Tokenized Data, AES ECB, AES CBC (rotating IV), AES CBC (fix IV, short data) and AES CBC (fix IV, long data)]
![Page 145: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/145.jpg)
Application Transparency
[Chart: Security Level (Low to High) vs. Transparency level for Plain Hash (SHA-2), Key based Hash (HMAC), Tokens, Smart Tokens, Database File Encryption, 3rd Party Database Column Encryption and Native Database Column Encryption]
![Page 146: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/146.jpg)
PCI DSS
Testing Procedures
![Page 147: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/147.jpg)
PCI 3.1 Keep cardholder data storage to a minimum.
![Page 148: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/148.jpg)
PCI 3.2 Do not store sensitive authentication data
![Page 149: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/149.jpg)
PCI 3.3 Mask PAN when displayed
![Page 150: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/150.jpg)
PCI 3.4 Render PAN unreadable anywhere it is stored
![Page 151: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/151.jpg)
PCI 3.5 Protect cryptographic keys
![Page 152: ISSA Boston - PCI and Beyond: A Cost Effective Approach to Data Protection](https://reader033.vdocuments.us/reader033/viewer/2022051521/54277bb88d7f7264408b61b0/html5/thumbnails/152.jpg)
PCI 3.6 Fully document and implement all key-management processes and procedures