Straight Talk on Data Tokenization for PCI & Cloud

Upload: intel-api-security-tokenization

Posted on 08-Jun-2015

Category: Technology

TRANSCRIPT

Page 1: Straight Talk on Data Tokenization for PCI & Cloud

Straight Talk on Data Tokenization for PCI & Cloud

Presented by: Andy Thurai, Intel® Application Security & Identity Products

PAN Data Tokens

Page 2: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization and PCI

• Tokenization: replacing a valuable piece of information with a surrogate value, or token
  - In a PCI context, replacing PAN data with random number strings
• Why tokens?
  - Reduce PCI scope and the cost of PCI compliance
  - Increase security: a token is worthless on its own, because only the vault can map it back to the PAN

Page 3: Straight Talk on Data Tokenization for PCI & Cloud

Does it Apply to Me?

“PCI DSS compliance includes merchants and service providers who ACCEPT, CAPTURE, STORE, TRANSMIT or PROCESS credit and debit card data.”

PCI DSS 2.0 standards became effective on January 1st. Is your organization prepared?

Page 4: Straight Talk on Data Tokenization for PCI & Cloud

The Case for Tokenization

• Replace the PAN with a random number: the token
• Use that token EVERYWHERE in your environment
• Keep the PAN, and its mapping to the token, only in the token vault

Page 5: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization Use Cases

• PCI scope without tokenization: every system that handles the PAN is in PCI scope

Page 6: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization Use Cases

• Tokenization replaces primary account number (PAN) data with a surrogate value, or “token”
• Token engine and vault are in scope, but post-payment applications that only ever see the token may be out of scope

Page 7: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization Use Cases

• Tokenization can be outsourced: to the payment processor

Page 8: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization Use Cases

• Tokenization can be outsourced: to a 3rd-party token vendor

Page 9: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization

• Construction
  - Tokens should be random, not derived from the PAN
• Options
  - Single- or multi-use
  - Format preserving (keeps the characteristics of a PAN, such as length and last four digits)
  - Lifetime
• Tokenization is not encryption
  - Encryption is reversible by anyone holding the key; a random token is not reversible at all, it can only be looked up in the vault
  - Encryption has a role in protecting the PAN stored inside the token vault

Page 10: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization and PCI Council

• Tokens can reduce scope
• “The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation.”
• “High-value” tokens may be in scope, e.g. tokens that can be:
  - Used as a payment instrument
  - Used to initiate a transaction

Page 11: Straight Talk on Data Tokenization for PCI & Cloud

Tokenization and PCI Council

• What does it mean?
  - Guidance is, well, guidance
  - Tokenization can reduce PCI scope
  - High-value tokens require additional controls
  - High-value tokens used to initiate a transaction might be in scope
• Remember
  - Token engine and vault are always in scope
  - Access to the token vault must be restricted

Page 12: Straight Talk on Data Tokenization for PCI & Cloud

Implementing Tokenization: Options

Tokenization Option     | Advantages                                    | Disadvantages
Internal, Home Grown    | Control                                       | Is security a core strength? Time and cost to implement
Internal, Package       | Control; Flexibility                          | Time to implement; Expertise/functionality; Cost
3rd Party, Processor    | Easy implementation; Good PCI scope reduction | Cost; Limited flexibility; Compatibility with apps; Vendor lock-in
3rd Party, Token Vendor | Easy implementation; Good PCI scope reduction | Cost; Compatibility with apps; Vendor lock-in; Business risk (service-provider management, PCI DSS Requirement 12.8)

Page 13: Straight Talk on Data Tokenization for PCI & Cloud

Implementing Tokenization: Options

• Third-party solutions appeal to smaller (Level 3, Level 4) merchants
  - Ease
  - Cost
• Internal hosting is appropriate for larger (Level 1, Level 2) merchants and service providers
  - Control
  - Technical capabilities

Page 14: Straight Talk on Data Tokenization for PCI & Cloud

Implementing Tokenization: Security

• The tokenization security tradeoff
  - Tokens are secure, but...
  - Every PAN is now concentrated in one place, so any breach of the token vault could be devastating
• Protecting the token vault
  - Restricting and authenticating users and access
  - Segmenting the network to isolate out-of-scope systems
  - Ensuring physical security
  - Managing PAN encryption and key management
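An added example, not code from the deck or from the Intel Expressway product, that models the construction rules of Page 9 and the vault controls of Pages 4, 11 and 14 in plain Python: tokens are drawn from a CSPRNG rather than derived from the PAN, keep the PAN's length and last four digits, are forced to fail the Luhn check so a token can never pass as a payment instrument, and are reversible only by the vault, which restricts who may detokenize. The class name TokenVault, the role name payment-app and the HMAC-keyed lookup index are assumptions; this vault keeps PANs in process memory, whereas a real vault would encrypt them at rest under a key held outside the application, as Page 14 says.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check, i.e. has valid PAN syntax."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Assumed name. The only component that links a token to a PAN, so the vault
    (and the token engine in front of it) stays in PCI scope while systems that
    see only tokens can drop out."""

    DETOKENIZE_ROLES = {"payment-app"}      # assumption: the only role that needs PANs back

    def __init__(self, index_key: bytes):
        self._index_key = index_key         # never leaves the vault
        self._pan_by_token = {}             # token -> PAN; encrypt at rest in production
        self._token_by_index = {}           # HMAC(PAN) -> token, for multi-use lookups

    def _index(self, pan: str) -> str:
        # Keyed hash: a plain SHA-256 of a PAN is reversible by enumerating the
        # ~10^15 possible PANs offline, so the lookup index must depend on a secret.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Format preserving: same length, same last four digits (the part PCI
        # permits to be displayed), the rest from a CSPRNG so the token carries no
        # information about the PAN and cannot be regenerated without the vault.
        body_len = len(pan) - 4
        while True:
            body = str(secrets.randbelow(10 ** body_len)).zfill(body_len)
            if luhn_valid(body + pan[-4:]):
                # Incrementing one digit mod 10 always changes the Luhn sum, so the
                # token is guaranteed not to be a syntactically valid card number.
                body = body[:-1] + str((int(body[-1]) + 1) % 10)
            token = body + pan[-4:]
            if token not in self._pan_by_token:  # collision check before issuing
                return token

    def tokenize(self, pan: str, multi_use: bool = True) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        idx = self._index(pan)
        if multi_use and idx in self._token_by_index:
            return self._token_by_index[idx]   # stable surrogate: same PAN, same token
        token = self._new_token(pan)
        self._pan_by_token[token] = pan
        if multi_use:
            self._token_by_index[idx] = token  # single-use tokens are never indexed
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Access to the vault must be restricted: only the role that really needs
        # the PAN (to send it to the processor) may reverse a token.
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"                # standard test PAN, constructed input
    token = vault.tokenize(pan)
    print(f"PAN {pan} -> token {token}, luhn_valid={luhn_valid(token)}")
    print("same token on repeat:", vault.tokenize(pan) == token)
    print("single-use tokens differ:", vault.tokenize(pan, multi_use=False) != token)
    print("payment-app can reverse it:", vault.detokenize(token, "payment-app") == pan)
```

Because a multi-use token is a stable surrogate (same PAN, same token), a data warehouse or CRM can search on and join by the token while holding nothing a thief can spend; choose single-use tokens where linking a card across records would itself be a disclosure you want to avoid.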

Page 15: Straight Talk on Data Tokenization for PCI & Cloud

Internal vs. External Tokenization

External Tokenization:
• BIG Vision!
• Solves BIG Problems!
• Involves processors, brands, 3rd parties
Example: Cybersource/VISA model

Internal Tokenization:
• Easier to Implement
• Solves URGENT Problems!
• Only involves YOUR organization
Example:

Page 16: Straight Talk on Data Tokenization for PCI & Cloud

Intel Application Security and Identity Products

• Review of what is available today
• On-premise software, hardware or virtual machines for:
  (1) Lightweight ESB, transformation, integration
  (2) Edge Security: perimeter defense, Cloud API management, authentication, throttling, metering, auditing
  (3) Tokenization: PCI DSS, format-preserving tokenization for service calls, documents, files and databases

Page 17: Straight Talk on Data Tokenization for PCI & Cloud

Data Tokenization for Cloud or PCI

Tokenization enables faster searching for data than encryption: a multi-use token is a stable surrogate for the PAN, so applications can search on it and join by it without decrypting anything, whereas data encrypted with a randomized scheme cannot be matched until it has been decrypted.

Page 18: Straight Talk on Data Tokenization for PCI & Cloud

Expressway PCI Scope Reduction with Internal Tokenization

[Diagram] Point of Sale Environment (POS): Retail / Card Swipe / Chip Reader / Keypad, Store Server. Merchant Data Center: Payment Applications, Customer Data Warehouse, CRM Applications, Order Processing Applications. Across the Internet: Hosted Payment Gateways, Payment Processors. Legend: Point of Sale Environment PCI Scope; Complete Merchant PCI Scope; Reduced or Removed PCI Scope.

Page 19: Straight Talk on Data Tokenization for PCI & Cloud

Manual Invoice Processing

Goal: E-Commerce Order Processing
Problem: Exception cases require manual review, bringing additional systems into scope
Solution: Internal tokenization

[Diagram] Merchant Data Center: E-Commerce Website / Web Server, Payment Application, Payment Processor. An Order Exception sends an invoice with the credit card number to the BPM System for manual review of the invoice and re-entry, from where it reaches the Supply Chain App, the Portal Data Store and additional post-payment applications, all inside PCI Scope.

Page 20: Straight Talk on Data Tokenization for PCI & Cloud

Manual Invoice Processing (diagram repeats the Page 19 labels)

Page 21: Straight Talk on Data Tokenization for PCI & Cloud

Financial Statement Processor

Goal: Bill Processing, Consolidation, Printing
Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization

[Diagram, before] Service Provider Data Center: Customer Billing Information arrives as Large Data Feeds with PAN Data into IBM WebSphere Middleware, which feeds Connected Databases, App. Portals, Invoicing, Bill Payment, Bank Statement Customization and Consolidation, and Bill Production and Printing; outputs are Customized Bills and Statements and Documents with original PAN data. Everything downstream of the feed is in PCI Scope.

Page 22: Straight Talk on Data Tokenization for PCI & Cloud

Financial Statement Processor

Goal: Bill Processing, Consolidation, Printing
Problem: Non-payment processing applications contain PAN information, increasing scoping costs
Solution: Internal tokenization

[Diagram, after] Service Provider Data Center: Customer Billing Information arrives as Large Data Feeds with PAN Data into Edge Security + Tokenization (PCI Scope), which passes Data w/ Tokens on to Connected Databases, App. Portals, Invoicing, Bill Payment, Bank Statement Customization and Consolidation, and Bill Production and Printing; outputs are Customized Bills and Statements and Documents with original PAN data.
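An added example (not code from the deck or from the Expressway product) of the "Edge Security + Tokenization" step in the Page 22 diagram: a feed scanner that finds PAN candidates in a text data feed, confirms each with the Luhn check so Luhn-invalid numbers such as 16-digit order ids are left alone, swaps every confirmed PAN for a token while preserving the original digit layout (spaces and dashes), and is idempotent because the tokens it emits never pass Luhn, so a feed can safely be scanned twice. The DemoTokenizer stand-in, the PAN_CANDIDATE pattern (13 to 19 digits is assumed to cover the PAN lengths in use) and SAMPLE_FEED are constructed for this example; a real broker would call the vault over an authenticated channel instead.

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check (syntactically valid PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Runs of 13..19 digits, optionally separated by single spaces or dashes, that are
# not embedded in a longer digit run. Assumption: these are the PAN lengths in use.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class DemoTokenizer:
    """Constructed stand-in for the vault call. Multi-use and format preserving:
    same length, same last four digits, random body, and never Luhn-valid."""

    def __init__(self):
        self._token_for = {}                # PAN -> token, in memory for the demo only

    def __call__(self, pan: str) -> str:
        if pan not in self._token_for:
            while True:
                body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                if not luhn_valid(token) and token not in self._token_for.values():
                    self._token_for[pan] = token
                    break
        return self._token_for[pan]


def tokenize_document(text: str, tokenize):
    """Replace every Luhn-valid PAN in `text` with tokenize(pan), keeping the
    original digit layout. Returns (new_text, number_of_pans_replaced)."""
    replaced = 0

    def swap(match):
        nonlocal replaced
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw                      # e.g. a 16-digit order id: not a PAN, keep it
        token_digits = iter(tokenize(digits))
        replaced += 1
        # Write the token's digits into the slots the PAN's digits occupied.
        return "".join(next(token_digits) if c.isdigit() else c for c in raw)

    return PAN_CANDIDATE.sub(swap, text), replaced


# Constructed sample feed: two standard test PANs written three ways, 16-digit
# order ids that fail Luhn, and phone numbers that are too short to be candidates.
SAMPLE_FEED = """order_id,card,amount,phone
1234567890123456,4111111111111111,49.99,555-123-4567
1234567890123457,4111 1111 1111 1111,12.00,555-123-4568
1234567890123458,5500-0000-0000-0004,7.50,555-123-4569
"""


if __name__ == "__main__":
    tokenizer = DemoTokenizer()
    out, n = tokenize_document(SAMPLE_FEED, tokenizer)
    print(f"{n} PANs replaced:\n{out}")
    again, n2 = tokenize_document(out, tokenizer)
    print("second pass replaced", n2, "and left the feed unchanged:", again == out)
```

The Luhn confirmation is what keeps false positives down in real feeds, and the Luhn-invalid tokens are what make the scan safe to repeat; both properties should be tested on a feed that contains known non-PAN numbers before the scanner is trusted to define the scope boundary.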

Page 23: Straight Talk on Data Tokenization for PCI & Cloud

Typical Retail Architecture

[Diagram] Retail POS, Syndication Channels (Amazon), Website, Browser, E-Commerce Engine, AuthZ Engine, Settlement Engine.

Page 24: Straight Talk on Data Tokenization for PCI & Cloud

Typical PCI DSS Scope

[Diagram] The same components as Page 23 (Retail POS, Syndication Channels (Amazon), Website, Browser, E-Commerce Engine, AuthZ Engine, Settlement Engine). Legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope.

Page 25: Straight Talk on Data Tokenization for PCI & Cloud

Scope with Expressway Tokenization Broker

[Diagram] The same components as Page 24 with the Expressway Tokenization Broker added. Legend: Outside of Retailer; In PCI DSS Scope; Out of PCI DSS Scope.

Page 26: Straight Talk on Data Tokenization for PCI & Cloud

Intel® Expressway Tokenization Broker: Product Components

Hardware or Software Broker
• Tamper-resistant appliance
• Software on Linux AS5-64

Sample Tokenization Application
• Token Exchange
• Token Management

Secure Token Vault
• HQSQL Starter Token Vault
• Production Database Schemas

Intel® Services Designer
• Policy Design and Deployment
• Token Exchange / Management Actions

Web Interface
• Policy Deployment & Monitoring

Page 27: Straight Talk on Data Tokenization for PCI & Cloud

Addressing PCI DSS Requirements with Tokenization Broker

Requirement                               | Intel® Expressway Tokenization Broker Capabilities
Build/Maintain Secure Network             | Application-level security proxy & firewall.
Protect Cardholder Data                   | Protects credit card data stored at rest / in transit. Supports tokenization for reduced PCI scope.
Maintain Vulnerability Management Program | Integrates with on-premise virus scanning servers. Reduces threat of malicious attachments.
Implement Strong Access Control Measures  | Supports strong access control. Integrates with existing identity management investments. Improves physical security for tokenization through tamper-resistant form factor.
Regularly Monitor & Test Networks         | Tracks, monitors & logs authorization requests from merchant to card processor. Offers regular testing & alerts in case of server failures.
Maintain Information Security Policy      | Maintains auditable security policies in hardened form factor. Allows for convenient review & change control.

Review our QSA Assessors Guide, which shows how Tokenization Broker addresses more than 200 PCI compliance requirements.

Page 28: Straight Talk on Data Tokenization for PCI & Cloud

Intel® Expressway Tokenization Broker: Features & Benefits

Feature Summary
• Flexible Software Appliance Form Factor
• Secure Appliance Form Factor
• Tokenization
• Token Vault
• Authentication & Access Control
• High Performance, optimized for Intel® Multi-Core

Benefit Summary
• Reduce or remove payment applications and databases from PCI scope
• Own and manage PAN data on-premise with a secure hardware appliance
• Easily choose the tokenization scheme appropriate for your business
• High performance operation ensures low-latency document processing
• Leverage existing enterprise identity management investments
• Avoid token migration challenges
• Minimize change to existing applications compared to E2E encryption

Page 29: Straight Talk on Data Tokenization for PCI & Cloud

Download Eval
Data Sheet
PCI White Paper
Assessors Guide

E-mail: [email protected]

For Additional Information, go to: www.intel.com/go/identity

Page 30: Straight Talk on Data Tokenization for PCI & Cloud

Cloud Service Broker Capabilities

Technology Enablement

Kevin Anderson
Page 31: Straight Talk on Data Tokenization for PCI & Cloud

Software and Services Group

Market Shifts to Brokers to Solve Cloud Consumption Complexity

[Diagram] Do-it-yourself IT and/or 3rd Party Consumption Models: on the enterprise side, Apps, IdM, Legacy and Mobile on a Private Cloud with an Enterprise CSB Platform; in between, an IT Broker or a 3rd Party Broker Service (CSB Platform) whose functions / service API cover Security/Governance, Billing, Integration, Support and Process; on the Public Cloud side, Providers of SaaS, PaaS, IaaS, B2B and App Mashups.

3 Broker Types
• Aggregation (Distributor/Solution Provider): unify access via service bundling
• Integration (System Integrator): new functions via data/process integration
• Customization (ISV): new functions via service enhancement

CSB is a role in which a company or other entity adds value to one or more cloud services on behalf of 1-n consumers of those services

Page 32: Straight Talk on Data Tokenization for PCI & Cloud

Specialty Focus on Cloud Access & Security Brokerage

Identity & Services Brokers: IT Private Cloud; IT Public/Hybrid; Cloud Provider; Bundled 3rd Party Service

Access Platform Functions: Authentication, Policy Enforce, Federation, AuthZ, Compliance, Transport & Orchestrate, IID Context, ID Integration

Enabling Technology
• Strong Auth: Adaptive, Client aware, Soft token, Hard token, OOB, Signing
• Access: SSO, Provisioning, XACML, STS Token Mapping, IdM Connectors
• Data Security: Tokenization (PII, PHI, PAN), Encryption, DLP, SIEM, Logs (Data, User, Apps)
• Gov & Integration: API Mgt, Edge Threats, Meter, Orchestrate, Transform, Protocol
• Form Factor: Soft, hardware, VM appliance; Multi-tenant as-a-service; Mobile Browser & Native

Cloud Security Platform

Intel & McAfee are CSB platform technology providers

Page 33: Straight Talk on Data Tokenization for PCI & Cloud

Cloud Access Broker Vision: Example IT as a Broker

[Diagram] Outside: Partner Apps & 3rd Party Brokers, External Enterprise Browser and Mobile Applications, SaaS Applications, IaaS and PaaS Applications, reached over HTTP, REST and SOAP. Inside, on the Trusted Internal Network: Departments 1-n (Employees, Administrators) with Browser and Mobile Applications, plus Apps, IDM and Middleware. The IT Private Cloud “Broker” in between hosts Identity Broker (Tenant #1), PII Tokenization (Tenant #2), API Mgt (Tenant 3) and Transform & Orchestrate (Tenant 4); Strong Auth, M2M Service Calls and Portal/Browser Requests pass through it.

IT Private Cloud “Broker” supports “mix and match” of capabilities per internal/external tenant
• Extends security policy to cloud
• Complete visibility & audit
• Enables aggregation of services
• Protects PII data stored in cloud
• Up-levels security posture of providers with strong auth overlay

Page 34: Straight Talk on Data Tokenization for PCI & Cloud

Use Model: Cloud Security Gateway & API Security

[Diagram] Enterprise on-premise applications sit behind an API/Service Proxy; Service Clients and Mobile Clients reach them over SOAP/REST.

• Perimeter Security
• Authentication
• Quality of Service
• Policy Control
• API Versioning
• Auditing

See detailed back-up for all use case diagrams

Page 35: Straight Talk on Data Tokenization for PCI & Cloud

Expressway provides API Security for vCloud

REST API Security
• SSL/TLS Termination
• SOAP to REST Mediation
• Authentication
• HTTP Inspection
• Message Throttling
• Audit Logging
• API Masking
• API Versioning
• Strong Authentication
• Code Injection Protection
• Threat detection / AV scanning in OVF files

Non-vCloud Partner (SOAP)

Intel® Expressway can provide full API protection and mediation for vCloud

Page 36: Straight Talk on Data Tokenization for PCI & Cloud

Hybrid Cloud Bursting (PaaS) Case Study

[Diagram] Enterprise: Portal Application, IdM or Active Directory. Private Cloud: Service Gateway. Public Cloud: Amazon EC2 Storage.
1. Enterprise Portal Login
2. Local Authentication (against IdM or Active Directory)
3. Resource Request (to the Service Gateway)
4. AWS Credential Mapping and Data Retrieval

• Perimeter Security
• Seamless User Experience
• Preserve existing IDM investments
• Abstract cloud providers
• Data Control

The Gateway mediates access to public cloud services