SlideShare a Scribd company logo

6 ways reduce pci dss audit scope tokenizing cardholder data

Download as DOCX, PDF
R
Richard Thompson

6 ways reduce pci dss audit scope tokenizing cardholder data

Technology
1 of 10
Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data Enterprises are seeking ways to simplify and reduce the scope of the Payment Card industry's data security standard (PCi dss) compliance by shrinking the footprint where cardholder data is located throughout their organization. By reducing the scope, these enterprises can dramatically lower the cost and anxiety of PCi dss compliance and significantly increase the chance of audit success. Compliance with the PCi dss is a combination of documented best practices and technology solutions that protect ca... Copyright SANS Institute Author Retains Full Rights AD
A NUBRIDGES WHITE PAPER Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data Enterprises are seeking ways to simplify and reduce the scope of the Payment Card Industry’s Data Security Standard (PCI DSS) compliance by shrinking the footprint where cardholder data is located throughout their organization. By reducing the scope, these enterprises can dramatically lower the cost and anxiety of PCI DSS compliance and signi cantly increase the chance of audit success. Compliance with the PCI DSS is a combination of documented best practices and technology solutions that protect cardholder data across the enterprise. This paper explores the use of tokenization as a best practice in improving the security of credit card transactions, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.
A NUBRIDGES WHITE PAPER Introduction The scope of PCI DSS compliance for any organization is signi cant both in terms of e ort and cost. In a PCI DSS audit, all systems, applications and processes that have access to credit card information, whether encrypted or unencrypted, are considered in scope. The October 2008 update of the PCI DSS documentation (version 1.2) states that companies can reduce the PCI DSS audit scope using network segmentation to isolate the cardholder data in a secure segment. From an application perspective, tokenization functions similarly to network segmentation. These are complementary, not “either/or” approaches for organizations to consider as they map out their data protection and compliance strategies. The Payment Card Industry Data Security Standard, Version 1.2 “Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement. However, it is recommended as a method that may reduce: The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations) Without adequate network segmentation (sometimes called a flat network), the entire network is in scope of the PCI DSS assessment.” Tokenization Unwrapped With traditional encryption, when a database or application needs to store sensitive data, those values are encrypted and the resulting cipher text is returned to the original location. With tokenization, a token - or surrogate value - is returned and stored in place of the original data. The token is a reference to the actual cipher text, which is stored in a central data vault. Tokens can be safely used by any le, application, database, or backup medium throughout the organization, minimizing the risk of exposing the actual sensitive data, and allowing business and analytical applications to work without modi cation. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 2 © 2009 nuBridges, Inc. All rights reserved.
A NUBRIDGES WHITE PAPER Organizations that must meet the requirements of PCI DSS are increasingly embracing the compliance bene ts of tokenization. Let’s take a look at requirement 3.1, which mandates that businesses keep payment data in a minimum number of locations. That is precisely what the tokenization model accomplishes. By using tokenization, businesses are reducing the number of locations where they are retaining cardholder information. Requirements 3.5.1 and 3.5.2 mandate that access to keys be restricted to the fewest number of custodians and that keys be stored securely in the fewest possible locations. With tokenization, encryption is performed centrally when credit card values are tokenized, and keys are central- ized on a secure server, optimally addressing these requirements. Tokenization Model White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 3 © 2009 nuBridges, Inc. All rights reserved.
A NUBRIDGES WHITE PAPER Six Ways to Reduce PCI DSS Audit Scope #1: Centralized data vault Under the tokenization model, encrypted payment card data (called cipher text) is stored only in a central data vault and tokens replace the credit card values in applications or databases. Risk is reduced since credit cards, even in their encrypted state, are not available outside of the data vault, except when originally captured at the beginning of a transaction or, later, accessed from the data vault by authorized and authenticated applications and/or users. Let’s look at how the centralized data value works in a typical tokenization scenario. When a credit card is used for a purchase, the number is transmitted in real-time to the token server. A token representing that data is generated and returned to the calling application and takes the place of the credit card number in that application and all downstream uses of the data (for example, CRM systems, backup copies of the applicaton, exports to data warehouses and exports to fraud detection applications). Meanwhile, the credit card number is encrypted and stored in the central data vault. The clear text value is not stored anywhere. If the need to access the actual value arises (for instance, to process a merchandise return), the value can be decrypted in response to a request by those users or applications with proper authority, and then only for as long as it is needed to complete a transaction. This “round trip” protection limits the risk to the credit card data and ensures that it is never stored in the clear, and that the encrypted cipher-text version of the card data only resides within the secure data vault and in its corresponding back-up/disastaer recover instances. The data vault is never exposed to any applications other than the token server. #2: Tokens act as data surrogates With traditional encryption, when an application or database needs to store credit card data, the values are encrypted and cipher text is saved in the original location. With tokenization, a token – or surrogate value – is stored in place of the original data. The token is a reference to the actual cipher text, which is stored in a central data vault. Encrypted data usually takes up more space than the original values, which requires changes to the applica- tions and/or databases. Tokens can be engineered to preserve the length and format of the original data, so they are almost completely non-invasive to databases and applications; requiring no changes to database schemas, application screens, business processes, etc. This signi cantly reduces the IT and business impact associated with PCI DSS compliance. #3: Tokens are surrogates for masked data Tokens can be generated to preserve parts of the original data values. A typical pattern in PCI DSS scenarios is generating the tokens to maintain the original rst two and last four digits of the credit card. A“Token Strategy” provides the exibility to de ne the format of the tokens including what part, if any, of the original value to preserve. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 4 © 2009 nuBridges, Inc. All rights reserved.
A NUBRIDGES WHITE PAPER Frequently there are applications within the enterprise that need only the last four digits of a credit card to validate credentials. It’s this scenario where the use of a format-preserving token allows users to perform their job, validating the last four digits of the credit card. Since the application does not contain credit card information - not even in an encrypted format - the entire application is removed from PCI DSS scope. A word of caution - proper network segmentation is still required. For example, suppose you call to nd out the status of an order you recently placed. The operator, after requesting your name and address, asks you for the last four digits of the credit card you used to make the purchase. He or she veri es what you tell them from the credit card information in their order status application - in this case they see a token, with the last four digits preserved, which appears like a regular credit card. If the data had been stored as cipher text, the application would have had to decrypt in order to present the masked value and it would still be considered part of the PCI DSS audit scope. #4: One-to-one token/data relationship Certain types of tokenization can ensure that there is always a one-to-one relationship between the credit card number and the token that is generated so that you maintain referential integrity across multiple systems. For example, when a retailer needs to understand the buying patterns of consumers they sometimes push transaction data into a data warehouse for analysis. One day a consumer buys a stapler, staples and a notebook using a credit card. A week later that same consumer, using the same credit card, buys staples, paper and notebook tabs. The fact that the consumer bought a stapler followed by staples and a notebook followed by paper is important, and the only way these purchases were linked was through the same credit card number (the credit card number is the “primary key” linking the two). Maintaining referential integrity allows the data warehouse to perform transaction analysis with tokens, rather than credit card numbers, thus removing it from scope. Once again, network segmentation is also important, but done properly, the scope of the PCI DSS audit is reduced. And the consequences of a breach of the data warehouse have been minimized because any unauthorized acccess to the data ware- house only yields tokens and not actual credit card numbers. (It should be noted that under certain circumstances localized encryption can be enabled to preserve the one-to-one relationship, generating the same cipher text from the same credit card number. But typi- cally this will limit your ability to introduce randomization into your encryption strategy - in some security scenarios this is not acceptable.) When you combine #2, #3 and #4, you solve an important security problem for today’s IT-depen- dent enterprises: You eliminate the need to use production data for development and test environ- ments. Often, when application changes are required, testing must be performed across the entire system. Today most enterprises allow developers to use production data, in this case real credit card White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 5 © 2009 nuBridges, Inc. All rights reserved.
A NUBRIDGES WHITE PAPER numbers, or go through great lengths to obfuscate the data to make it unrecognizable. The same ap- plies to companies that use o shore development labs that don’t want to provide production data to them. With the use of tokens, most application testing can take place without having to access real credit card numbers. This reduces the operational e ort needed to test applications and can reduce the scope for PCI DSS compliance for applications that only use the format-preserving tokens. #5: No relationship between tokens and data values With tokenization there is no mathematical relationship between a token and data value – the only relation- ship is referential. This is not the case when using encryption or hashing where an algorithm mathematically derives the output cipher text or hash based on the input data. Tokens can be passed around the network between applications, databases and business processes safely, all the while leaving the encrypted data it represents securely stored in a central data vault. Authorized applications that need access to encrypted data can only retrieve it from the tokenization engine, providing an extra layer of protection for credit card data and shrinking the “risk footprint” that needs to be managed and monitored by your security team. #6: Centralized key management As mentioned in the introduction, Section 3.5 of the PCI DSS states that keys should be stored “securely in the fewest possible locations and forms.” With the use of tokenization, keys are limited to use by the centralized token manager, keeping the distribution of the keys to a minimum. This helps to minimize the scope of PCI DSS compliance and reduce the risk of a key compromise. Use Case. Cable Company Adopts Tokenization to Reduce PCI DSS Audit Scope A cable company recently began tokenizing payment card information to reduce the PCI DSS audit process by taking as many systems out of scope as possible. The company stores a bank account number or credit card number for every customer that opts for automatic payment. Various individuals in the company need access to customer records to perform their jobs, but only the nance department needs to be able to use a bank account or credit card number for monthly billings. For example, a tech support representative needs to be able to see the last four digits of a customer’s credit card number to verify the identity of the caller, but not the entire value. The company adopted a tokenization model whereby the technical support department is a spoke in the hub and spoke model, as are the sales call center, the nance department, business services and instal- lation departments. Using tokenization, where tokens replace sensitive data in customer les, only those employees who need access to con dential customer information have access to cipher text and have the authority to decrypt it. Employees in other departments only see format-preserving tokens in place of cipher text, removing the risk of unauthorized personnel decrypting and using this information. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 6 © 2009 nuBridges, Inc. All rights reserved.
A NUBRIDGES WHITE PAPER In this case, the last four digits of each credit card number are preserved so that the tech support department can verify customer identities. The remaining digits are tokenized, and when combined with the preserved last four digits, form tokens that are stored in the application. Unlike cipher text that takes up more room than clear text, in this case tokens take the same amount of room as the clear text credit card value they replace. The use of format-preserving tokens alleviated the need to modify the a ected applications. When a customer wants to change the credit card on le, the tech support representative now simply transfers the customer to the billing department instead of taking the number. Only billing department employees have the authority to record a credit card number. When a replacement credit card number is taken, it is immediately encrypted and stored in the central data vault. The token server then generates a new token for the new credit card number, and returns the token to the billing system for future use as well as to the customer record that is used by other departments. As a result, the applications and systems that contain tokens instead of clear text or encrypted credit card information no longer have to be au- dited. They are rendered out of scope for PCI DSS compliance. Introducing a New Tokenization Model Lightening the load of PCI DSS compliance, while ensuring best practice protection of cardholder information, is at the core of nuBridges’ mission. Long a leader in data protection software solutions, nuBridges has taken its o erings to a whole new level by adding nuBridges Protect™ Token Manager to its portfolio. It is the industry’s rst data protection software solution that combines universal Format Preserving Tokenization™, strong encryption and uni ed key management in one platform-agnostic package. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 7 © 2009 nuBridges, Inc. All rights reserved.
A NUBRIDGES WHITE PAPER About nuBridges, Inc. nuBridges is a leading provider of software and services to protect sensitive data at rest and in transit, and to transfer data internally or externally with end-to-end security, control and visibility. nuBridges’ encryption, key management, managed le transfer and B2B integration solutions are used to comply with security mandates and to digitally integrate business processes among enterprises, systems, applications and people. Over 3,000 customers depend on nuBridges secure eBusiness solutions to encrypt millions of credit cards, exchange billions of dollars in B2B transactions and enable countless business-critical le transfers, including Wal-Mart, Amazon.com, Timberland, American Eagle Out tters, Costco, Belk, Bon Ton, Wachovia, Sun Trust, AIG, CheckFree and Verizon. nuBridges is headquartered in Atlanta, Georgia, USA. More information is available at www.nubridges.com. U.S. HEADQUARTERS EMEA HEADQUARTERS 1000 Abernathy Road, Suite 250 Lakeside House, 1 Furzeground Way Atlanta, GA 30328 Stockley Park, Uxbridge p: +1 770 730 3600 Middlesex, UB11 1BD United Kingdom p: +44 (0) 20 8622 3841 White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 8 © 2009 nuBridges, Inc. All rights reserved.
Last Updated: October 17th, 2012 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Chicago 2012 Chicago, ILUS Oct 27, 2012 - Nov 05, Live Event 2012 SANS South Africa 2012 Johannesburg, ZA Oct 29, 2012 - Nov 06, Live Event 2012 SANS Bangalore 2012 Bangalore, IN Oct 29, 2012 - Nov 03, Live Event 2012 SANS Tokyo Autumn 2012 Tokyo, JP Nov 05, 2012 - Nov 10, Live Event 2012 SANS Korea 2012 Seoul, KR Nov 05, 2012 - Nov 13, Live Event 2012 FOR526 Beta Denver, COUS Nov 05, 2012 - Nov 09, Live Event 2012 SANS San Diego 2012 San Diego, CAUS Nov 12, 2012 - Nov 17, Live Event 2012 SANS Sydney 2012 Sydney, AU Nov 12, 2012 - Nov 20, Live Event 2012 SANS London 2012 London, GB Nov 26, 2012 - Dec 03, Live Event 2012 SANS San Antonio 2012 San Antonio, TXUS Nov 27, 2012 - Dec 02, Live Event 2012 European SCADA and Process Control System Security Barcelona, ES Dec 05, 2012 - Dec 11, Live Event Summit 2012 SANS 2012 Cyber Defense Initiative 2012 Washington, DCUS Dec 07, 2012 - Dec 16, Live Event 2012 SANS Egypt 2012 Cairo, EG Dec 08, 2012 - Dec 20, Live Event 2012 Mobile Device Security Summit 2013 Anaheim, CAUS Jan 07, 2013 - Jan 14, Live Event 2013 Virtualization and Cloud Computing Summit 2013 Anaheim, CAUS Jan 07, 2013 - Jan 14, Live Event 2013 SEC528: SANS Training Program for the CompTIA New Washington, DCUS Jan 07, 2013 - Jan 11, Live Event Advanced Security Practitioner Certification 2013 SANS Security East 2013 New Orleans, LAUS Jan 16, 2013 - Jan 23, Live Event 2013 SANS South Africa 2012 - Cape Town OnlineZA Oct 26, 2012 - Oct 27, Live Event 2012 SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced

Recommended

Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?EMC
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperThe Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperBen Rothke
 
PCI Article C24
PCI Article C24PCI Article C24
PCI Article C24David Ricketts
 
KYC Blockchain in Insurance Industry
KYC Blockchain in Insurance IndustryKYC Blockchain in Insurance Industry
KYC Blockchain in Insurance IndustryNitin Patidar
 
Common Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsCommon Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsMatheson Law Firm
 
How Blockchain Can Reinvigorate Facultative Reinsurance Contract Management
How Blockchain Can Reinvigorate Facultative Reinsurance Contract ManagementHow Blockchain Can Reinvigorate Facultative Reinsurance Contract Management
How Blockchain Can Reinvigorate Facultative Reinsurance Contract ManagementCognizant
 
Microsoft Accelerator event- Maria's Legal presentation
Microsoft Accelerator event- Maria's Legal presentation Microsoft Accelerator event- Maria's Legal presentation
Microsoft Accelerator event- Maria's Legal presentation Hila Bar
 
A Study on Applications of Blockchain
A Study on Applications of BlockchainA Study on Applications of Blockchain
A Study on Applications of Blockchainijtsrd
 

Recommended

Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?EMC
 
The Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperThe Smart Approach To Pci DSS Compliance – Braintree White Paper
The Smart Approach To Pci DSS Compliance – Braintree White PaperBen Rothke
 
PCI Article C24
PCI Article C24PCI Article C24
PCI Article C24David Ricketts
 
KYC Blockchain in Insurance Industry
KYC Blockchain in Insurance IndustryKYC Blockchain in Insurance Industry
KYC Blockchain in Insurance IndustryNitin Patidar
 
Common Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsCommon Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsMatheson Law Firm
 
How Blockchain Can Reinvigorate Facultative Reinsurance Contract Management
How Blockchain Can Reinvigorate Facultative Reinsurance Contract ManagementHow Blockchain Can Reinvigorate Facultative Reinsurance Contract Management
How Blockchain Can Reinvigorate Facultative Reinsurance Contract ManagementCognizant
 
Microsoft Accelerator event- Maria's Legal presentation
Microsoft Accelerator event- Maria's Legal presentation Microsoft Accelerator event- Maria's Legal presentation
Microsoft Accelerator event- Maria's Legal presentation Hila Bar
 
A Study on Applications of Blockchain
A Study on Applications of BlockchainA Study on Applications of Blockchain
A Study on Applications of Blockchainijtsrd
 
GDPR BigDataRevealed Readiness Requirements and Evaluation
GDPR BigDataRevealed Readiness Requirements and EvaluationGDPR BigDataRevealed Readiness Requirements and Evaluation
GDPR BigDataRevealed Readiness Requirements and EvaluationSteven Meister
 
Understanding GDPR Compliance and How to Easily Protect Data
Understanding GDPR Compliance and How to Easily Protect DataUnderstanding GDPR Compliance and How to Easily Protect Data
Understanding GDPR Compliance and How to Easily Protect DataGoose & Gander
 
A. Blockchain
A. BlockchainA. Blockchain
A. BlockchainAaron Tennant
 
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)Thought leaders in big data ulf mattsson, cto of protegrity (part 2)
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)Ulf Mattsson
 
Customer Experience Digital Data Layer 1.0
Customer Experience Digital Data Layer 1.0 Customer Experience Digital Data Layer 1.0
Customer Experience Digital Data Layer 1.0 Amin Shawki
 
Whitepaper E-Signing at the Inhouse Pos
Whitepaper E-Signing at the Inhouse PosWhitepaper E-Signing at the Inhouse Pos
Whitepaper E-Signing at the Inhouse PosNamirial GmbH
 
Blockchain in human resource
Blockchain in human resourceBlockchain in human resource
Blockchain in human resourceCeline George
 
Blockchain Solutions for HR
Blockchain Solutions for HRBlockchain Solutions for HR
Blockchain Solutions for HREdward Lange
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix LLC
 
Information Security Managementfinal
Information Security ManagementfinalInformation Security Managementfinal
Information Security ManagementfinalGary Brogan
 
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...Denodo
 
10 Best Professional Blockchain Courses And Certifications
10 Best Professional Blockchain Courses And Certifications10 Best Professional Blockchain Courses And Certifications
10 Best Professional Blockchain Courses And CertificationsBlockchain Council
 
Law Practice Management in the Cloud
Law Practice Management in the CloudLaw Practice Management in the Cloud
Law Practice Management in the CloudCourtney Fisk
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Ulf Mattsson
 
Distributed ledger technical research in central bank of brazil
Distributed ledger technical research in central bank of brazilDistributed ledger technical research in central bank of brazil
Distributed ledger technical research in central bank of brazilmustafa sarac
 
Decrypting Insurance Broking through Blockchain
Decrypting Insurance Broking through BlockchainDecrypting Insurance Broking through Blockchain
Decrypting Insurance Broking through BlockchainCognizant
 
Ulf mattsson the standardization of tokenization and moving beyond pci
Ulf mattsson the standardization of tokenization and moving beyond pciUlf mattsson the standardization of tokenization and moving beyond pci
Ulf mattsson the standardization of tokenization and moving beyond pciUlf Mattsson
 
Blockchain for Enterprise
Blockchain for EnterpriseBlockchain for Enterprise
Blockchain for EnterpriseJoe Tawfik
 
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...Srini Karlekar
 
Ethereum Smart contracts - Blockchain App Factory
Ethereum Smart contracts - Blockchain App FactoryEthereum Smart contracts - Blockchain App Factory
Ethereum Smart contracts - Blockchain App Factoryveronicaroyce
 
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery ProcessVISTA InfoSec
 
Best Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteBest Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteTokenEx
 

More Related Content

What's hot

GDPR BigDataRevealed Readiness Requirements and Evaluation
GDPR BigDataRevealed Readiness Requirements and EvaluationGDPR BigDataRevealed Readiness Requirements and Evaluation
GDPR BigDataRevealed Readiness Requirements and EvaluationSteven Meister
 
Understanding GDPR Compliance and How to Easily Protect Data
Understanding GDPR Compliance and How to Easily Protect DataUnderstanding GDPR Compliance and How to Easily Protect Data
Understanding GDPR Compliance and How to Easily Protect DataGoose & Gander
 
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)Thought leaders in big data ulf mattsson, cto of protegrity (part 2)
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)Ulf Mattsson
 
Customer Experience Digital Data Layer 1.0
Customer Experience Digital Data Layer 1.0 Customer Experience Digital Data Layer 1.0
Customer Experience Digital Data Layer 1.0 Amin Shawki
 
Whitepaper E-Signing at the Inhouse Pos
Whitepaper E-Signing at the Inhouse PosWhitepaper E-Signing at the Inhouse Pos
Whitepaper E-Signing at the Inhouse PosNamirial GmbH
 
Blockchain in human resource
Blockchain in human resourceBlockchain in human resource
Blockchain in human resourceCeline George
 
Blockchain Solutions for HR
Blockchain Solutions for HRBlockchain Solutions for HR
Blockchain Solutions for HREdward Lange
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix LLC
 
Information Security Managementfinal
Information Security ManagementfinalInformation Security Managementfinal
Information Security ManagementfinalGary Brogan
 
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...Denodo
 
10 Best Professional Blockchain Courses And Certifications
10 Best Professional Blockchain Courses And Certifications10 Best Professional Blockchain Courses And Certifications
10 Best Professional Blockchain Courses And CertificationsBlockchain Council
 
Law Practice Management in the Cloud
Law Practice Management in the CloudLaw Practice Management in the Cloud
Law Practice Management in the CloudCourtney Fisk
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Ulf Mattsson
 
Distributed ledger technical research in central bank of brazil
Distributed ledger technical research in central bank of brazilDistributed ledger technical research in central bank of brazil
Distributed ledger technical research in central bank of brazilmustafa sarac
 
Decrypting Insurance Broking through Blockchain
Decrypting Insurance Broking through BlockchainDecrypting Insurance Broking through Blockchain
Decrypting Insurance Broking through BlockchainCognizant
 
Ulf mattsson the standardization of tokenization and moving beyond pci
Ulf mattsson the standardization of tokenization and moving beyond pciUlf mattsson the standardization of tokenization and moving beyond pci
Ulf mattsson the standardization of tokenization and moving beyond pciUlf Mattsson
 
Blockchain for Enterprise
Blockchain for EnterpriseBlockchain for Enterprise
Blockchain for EnterpriseJoe Tawfik
 
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...Srini Karlekar
 
Ethereum Smart contracts - Blockchain App Factory
Ethereum Smart contracts - Blockchain App FactoryEthereum Smart contracts - Blockchain App Factory
Ethereum Smart contracts - Blockchain App Factoryveronicaroyce
 

What's hot (20)

GDPR BigDataRevealed Readiness Requirements and Evaluation
GDPR BigDataRevealed Readiness Requirements and EvaluationGDPR BigDataRevealed Readiness Requirements and Evaluation
GDPR BigDataRevealed Readiness Requirements and Evaluation
 
Understanding GDPR Compliance and How to Easily Protect Data
Understanding GDPR Compliance and How to Easily Protect DataUnderstanding GDPR Compliance and How to Easily Protect Data
Understanding GDPR Compliance and How to Easily Protect Data
 
A. Blockchain
A. BlockchainA. Blockchain
A. Blockchain
 
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)Thought leaders in big data ulf mattsson, cto of protegrity (part 2)
Thought leaders in big data ulf mattsson, cto of protegrity (part 2)
 
Customer Experience Digital Data Layer 1.0
Customer Experience Digital Data Layer 1.0 Customer Experience Digital Data Layer 1.0
Customer Experience Digital Data Layer 1.0
 
Whitepaper E-Signing at the Inhouse Pos
Whitepaper E-Signing at the Inhouse PosWhitepaper E-Signing at the Inhouse Pos
Whitepaper E-Signing at the Inhouse Pos
 
Blockchain in human resource
Blockchain in human resourceBlockchain in human resource
Blockchain in human resource
 
Blockchain Solutions for HR
Blockchain Solutions for HRBlockchain Solutions for HR
Blockchain Solutions for HR
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
 
Information Security Managementfinal
Information Security ManagementfinalInformation Security Managementfinal
Information Security Managementfinal
 
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
Data Virtualization for Accelerated Digital Transformation in Banking and Fin...
 
10 Best Professional Blockchain Courses And Certifications
10 Best Professional Blockchain Courses And Certifications10 Best Professional Blockchain Courses And Certifications
10 Best Professional Blockchain Courses And Certifications
 
Law Practice Management in the Cloud
Law Practice Management in the CloudLaw Practice Management in the Cloud
Law Practice Management in the Cloud
 
Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011 Protecting Your Data in the Cloud - CSO - Conference 2011
Protecting Your Data in the Cloud - CSO - Conference 2011
 
Distributed ledger technical research in central bank of brazil
Distributed ledger technical research in central bank of brazilDistributed ledger technical research in central bank of brazil
Distributed ledger technical research in central bank of brazil
 
Decrypting Insurance Broking through Blockchain
Decrypting Insurance Broking through BlockchainDecrypting Insurance Broking through Blockchain
Decrypting Insurance Broking through Blockchain
 
Ulf mattsson the standardization of tokenization and moving beyond pci
Ulf mattsson the standardization of tokenization and moving beyond pciUlf mattsson the standardization of tokenization and moving beyond pci
Ulf mattsson the standardization of tokenization and moving beyond pci
 
Blockchain for Enterprise
Blockchain for EnterpriseBlockchain for Enterprise
Blockchain for Enterprise
 
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...
SmartQuora - Learn to build a Smart Contract application on Hyperledger Block...
 
Ethereum Smart contracts - Blockchain App Factory
Ethereum Smart contracts - Blockchain App FactoryEthereum Smart contracts - Blockchain App Factory
Ethereum Smart contracts - Blockchain App Factory
 

Similar to 6 ways reduce pci dss audit scope tokenizing cardholder data

6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery ProcessVISTA InfoSec
 
Best Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteBest Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteTokenEx
 
Pci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedPci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedVISTA InfoSec
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage- Mark - Fullbright
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline ComplianceTokenEx
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCIKelly Lam
 
Cognia PCI DSS compliance services
Cognia PCI DSS compliance servicesCognia PCI DSS compliance services
Cognia PCI DSS compliance servicesCognia
 
Protecting Telephone based Payment Card Data
Protecting Telephone based Payment Card DataProtecting Telephone based Payment Card Data
Protecting Telephone based Payment Card DataCognia
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard- Mark - Fullbright
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance ReportHolly Vega
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...IRJET Journal
 
Hpe secure data-payments-pci-dss-control-applicability-assessment
Hpe secure data-payments-pci-dss-control-applicability-assessmentHpe secure data-payments-pci-dss-control-applicability-assessment
Hpe secure data-payments-pci-dss-control-applicability-assessmentat MicroFocus Italy ❖✔
 
First Data Trans Armor
First Data Trans ArmorFirst Data Trans Armor
First Data Trans ArmorJoshua Willis
 
IRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
IRJET- Improved Vault based Tokenization to Boost Vault Lookup PerformanceIRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
IRJET- Improved Vault based Tokenization to Boost Vault Lookup PerformanceIRJET Journal
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)Maksim Djackov
 

Similar to 6 ways reduce pci dss audit scope tokenizing cardholder data (20)

6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process
 
Best Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteBest Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & Kyte
 
Pci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedPci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-converted
 
Apani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani PCI-DSS Compliance
Apani PCI-DSS Compliance
 
Tokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data StorageTokenization Payment Data Out Securing Payment Data Storage
Tokenization Payment Data Out Securing Payment Data Storage
 
PCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline CompliancePCI Descoping: How to Reduce Controls and Streamline Compliance
PCI Descoping: How to Reduce Controls and Streamline Compliance
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
 
Cognia PCI DSS compliance services
Cognia PCI DSS compliance servicesCognia PCI DSS compliance services
Cognia PCI DSS compliance services
 
Protecting Telephone based Payment Card Data
Protecting Telephone based Payment Card DataProtecting Telephone based Payment Card Data
Protecting Telephone based Payment Card Data
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...
 
Hpe secure data-payments-pci-dss-control-applicability-assessment
Hpe secure data-payments-pci-dss-control-applicability-assessmentHpe secure data-payments-pci-dss-control-applicability-assessment
Hpe secure data-payments-pci-dss-control-applicability-assessment
 
First Data Trans Armor
First Data Trans ArmorFirst Data Trans Armor
First Data Trans Armor
 
IRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
IRJET- Improved Vault based Tokenization to Boost Vault Lookup PerformanceIRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
IRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 

Recently uploaded

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

6 ways reduce pci dss audit scope tokenizing cardholder data

  • 1. Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data Enterprises are seeking ways to simplify and reduce the scope of the Payment Card industry's data security standard (PCi dss) compliance by shrinking the footprint where cardholder data is located throughout their organization. By reducing the scope, these enterprises can dramatically lower the cost and anxiety of PCi dss compliance and significantly increase the chance of audit success. Compliance with the PCi dss is a combination of documented best practices and technology solutions that protect ca... Copyright SANS Institute Author Retains Full Rights AD
  • 2. A NUBRIDGES WHITE PAPER Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data Enterprises are seeking ways to simplify and reduce the scope of the Payment Card Industry’s Data Security Standard (PCI DSS) compliance by shrinking the footprint where cardholder data is located throughout their organization. By reducing the scope, these enterprises can dramatically lower the cost and anxiety of PCI DSS compliance and signi cantly increase the chance of audit success. Compliance with the PCI DSS is a combination of documented best practices and technology solutions that protect cardholder data across the enterprise. This paper explores the use of tokenization as a best practice in improving the security of credit card transactions, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.
  • 3. A NUBRIDGES WHITE PAPER Introduction The scope of PCI DSS compliance for any organization is signi cant both in terms of e ort and cost. In a PCI DSS audit, all systems, applications and processes that have access to credit card information, whether encrypted or unencrypted, are considered in scope. The October 2008 update of the PCI DSS documentation (version 1.2) states that companies can reduce the PCI DSS audit scope using network segmentation to isolate the cardholder data in a secure segment. From an application perspective, tokenization functions similarly to network segmentation. These are complementary, not “either/or” approaches for organizations to consider as they map out their data protection and compliance strategies. The Payment Card Industry Data Security Standard, Version 1.2 “Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement. However, it is recommended as a method that may reduce: The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations) Without adequate network segmentation (sometimes called a flat network), the entire network is in scope of the PCI DSS assessment.” Tokenization Unwrapped With traditional encryption, when a database or application needs to store sensitive data, those values are encrypted and the resulting cipher text is returned to the original location. With tokenization, a token - or surrogate value - is returned and stored in place of the original data. The token is a reference to the actual cipher text, which is stored in a central data vault. Tokens can be safely used by any le, application, database, or backup medium throughout the organization, minimizing the risk of exposing the actual sensitive data, and allowing business and analytical applications to work without modi cation. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 2 © 2009 nuBridges, Inc. All rights reserved.
  • 4. A NUBRIDGES WHITE PAPER Organizations that must meet the requirements of PCI DSS are increasingly embracing the compliance bene ts of tokenization. Let’s take a look at requirement 3.1, which mandates that businesses keep payment data in a minimum number of locations. That is precisely what the tokenization model accomplishes. By using tokenization, businesses are reducing the number of locations where they are retaining cardholder information. Requirements 3.5.1 and 3.5.2 mandate that access to keys be restricted to the fewest number of custodians and that keys be stored securely in the fewest possible locations. With tokenization, encryption is performed centrally when credit card values are tokenized, and keys are central- ized on a secure server, optimally addressing these requirements. Tokenization Model White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 3 © 2009 nuBridges, Inc. All rights reserved.
  • 5. A NUBRIDGES WHITE PAPER Six Ways to Reduce PCI DSS Audit Scope #1: Centralized data vault Under the tokenization model, encrypted payment card data (called cipher text) is stored only in a central data vault and tokens replace the credit card values in applications or databases. Risk is reduced since credit cards, even in their encrypted state, are not available outside of the data vault, except when originally captured at the beginning of a transaction or, later, accessed from the data vault by authorized and authenticated applications and/or users. Let’s look at how the centralized data value works in a typical tokenization scenario. When a credit card is used for a purchase, the number is transmitted in real-time to the token server. A token representing that data is generated and returned to the calling application and takes the place of the credit card number in that application and all downstream uses of the data (for example, CRM systems, backup copies of the applicaton, exports to data warehouses and exports to fraud detection applications). Meanwhile, the credit card number is encrypted and stored in the central data vault. The clear text value is not stored anywhere. If the need to access the actual value arises (for instance, to process a merchandise return), the value can be decrypted in response to a request by those users or applications with proper authority, and then only for as long as it is needed to complete a transaction. This “round trip” protection limits the risk to the credit card data and ensures that it is never stored in the clear, and that the encrypted cipher-text version of the card data only resides within the secure data vault and in its corresponding back-up/disastaer recover instances. The data vault is never exposed to any applications other than the token server. #2: Tokens act as data surrogates With traditional encryption, when an application or database needs to store credit card data, the values are encrypted and cipher text is saved in the original location. With tokenization, a token – or surrogate value – is stored in place of the original data. The token is a reference to the actual cipher text, which is stored in a central data vault. Encrypted data usually takes up more space than the original values, which requires changes to the applica- tions and/or databases. Tokens can be engineered to preserve the length and format of the original data, so they are almost completely non-invasive to databases and applications; requiring no changes to database schemas, application screens, business processes, etc. This signi cantly reduces the IT and business impact associated with PCI DSS compliance. #3: Tokens are surrogates for masked data Tokens can be generated to preserve parts of the original data values. A typical pattern in PCI DSS scenarios is generating the tokens to maintain the original rst two and last four digits of the credit card. A“Token Strategy” provides the exibility to de ne the format of the tokens including what part, if any, of the original value to preserve. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 4 © 2009 nuBridges, Inc. All rights reserved.
  • 6. A NUBRIDGES WHITE PAPER Frequently there are applications within the enterprise that need only the last four digits of a credit card to validate credentials. It’s this scenario where the use of a format-preserving token allows users to perform their job, validating the last four digits of the credit card. Since the application does not contain credit card information - not even in an encrypted format - the entire application is removed from PCI DSS scope. A word of caution - proper network segmentation is still required. For example, suppose you call to nd out the status of an order you recently placed. The operator, after requesting your name and address, asks you for the last four digits of the credit card you used to make the purchase. He or she veri es what you tell them from the credit card information in their order status application - in this case they see a token, with the last four digits preserved, which appears like a regular credit card. If the data had been stored as cipher text, the application would have had to decrypt in order to present the masked value and it would still be considered part of the PCI DSS audit scope. #4: One-to-one token/data relationship Certain types of tokenization can ensure that there is always a one-to-one relationship between the credit card number and the token that is generated so that you maintain referential integrity across multiple systems. For example, when a retailer needs to understand the buying patterns of consumers they sometimes push transaction data into a data warehouse for analysis. One day a consumer buys a stapler, staples and a notebook using a credit card. A week later that same consumer, using the same credit card, buys staples, paper and notebook tabs. The fact that the consumer bought a stapler followed by staples and a notebook followed by paper is important, and the only way these purchases were linked was through the same credit card number (the credit card number is the “primary key” linking the two). Maintaining referential integrity allows the data warehouse to perform transaction analysis with tokens, rather than credit card numbers, thus removing it from scope. Once again, network segmentation is also important, but done properly, the scope of the PCI DSS audit is reduced. And the consequences of a breach of the data warehouse have been minimized because any unauthorized acccess to the data ware- house only yields tokens and not actual credit card numbers. (It should be noted that under certain circumstances localized encryption can be enabled to preserve the one-to-one relationship, generating the same cipher text from the same credit card number. But typi- cally this will limit your ability to introduce randomization into your encryption strategy - in some security scenarios this is not acceptable.) When you combine #2, #3 and #4, you solve an important security problem for today’s IT-depen- dent enterprises: You eliminate the need to use production data for development and test environ- ments. Often, when application changes are required, testing must be performed across the entire system. Today most enterprises allow developers to use production data, in this case real credit card White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 5 © 2009 nuBridges, Inc. All rights reserved.
  • 7. A NUBRIDGES WHITE PAPER numbers, or go through great lengths to obfuscate the data to make it unrecognizable. The same ap- plies to companies that use o shore development labs that don’t want to provide production data to them. With the use of tokens, most application testing can take place without having to access real credit card numbers. This reduces the operational e ort needed to test applications and can reduce the scope for PCI DSS compliance for applications that only use the format-preserving tokens. #5: No relationship between tokens and data values With tokenization there is no mathematical relationship between a token and data value – the only relation- ship is referential. This is not the case when using encryption or hashing where an algorithm mathematically derives the output cipher text or hash based on the input data. Tokens can be passed around the network between applications, databases and business processes safely, all the while leaving the encrypted data it represents securely stored in a central data vault. Authorized applications that need access to encrypted data can only retrieve it from the tokenization engine, providing an extra layer of protection for credit card data and shrinking the “risk footprint” that needs to be managed and monitored by your security team. #6: Centralized key management As mentioned in the introduction, Section 3.5 of the PCI DSS states that keys should be stored “securely in the fewest possible locations and forms.” With the use of tokenization, keys are limited to use by the centralized token manager, keeping the distribution of the keys to a minimum. This helps to minimize the scope of PCI DSS compliance and reduce the risk of a key compromise. Use Case. Cable Company Adopts Tokenization to Reduce PCI DSS Audit Scope A cable company recently began tokenizing payment card information to reduce the PCI DSS audit process by taking as many systems out of scope as possible. The company stores a bank account number or credit card number for every customer that opts for automatic payment. Various individuals in the company need access to customer records to perform their jobs, but only the nance department needs to be able to use a bank account or credit card number for monthly billings. For example, a tech support representative needs to be able to see the last four digits of a customer’s credit card number to verify the identity of the caller, but not the entire value. The company adopted a tokenization model whereby the technical support department is a spoke in the hub and spoke model, as are the sales call center, the nance department, business services and instal- lation departments. Using tokenization, where tokens replace sensitive data in customer les, only those employees who need access to con dential customer information have access to cipher text and have the authority to decrypt it. Employees in other departments only see format-preserving tokens in place of cipher text, removing the risk of unauthorized personnel decrypting and using this information. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 6 © 2009 nuBridges, Inc. All rights reserved.
  • 8. A NUBRIDGES WHITE PAPER In this case, the last four digits of each credit card number are preserved so that the tech support department can verify customer identities. The remaining digits are tokenized, and when combined with the preserved last four digits, form tokens that are stored in the application. Unlike cipher text that takes up more room than clear text, in this case tokens take the same amount of room as the clear text credit card value they replace. The use of format-preserving tokens alleviated the need to modify the a ected applications. When a customer wants to change the credit card on le, the tech support representative now simply transfers the customer to the billing department instead of taking the number. Only billing department employees have the authority to record a credit card number. When a replacement credit card number is taken, it is immediately encrypted and stored in the central data vault. The token server then generates a new token for the new credit card number, and returns the token to the billing system for future use as well as to the customer record that is used by other departments. As a result, the applications and systems that contain tokens instead of clear text or encrypted credit card information no longer have to be au- dited. They are rendered out of scope for PCI DSS compliance. Introducing a New Tokenization Model Lightening the load of PCI DSS compliance, while ensuring best practice protection of cardholder information, is at the core of nuBridges’ mission. Long a leader in data protection software solutions, nuBridges has taken its o erings to a whole new level by adding nuBridges Protect™ Token Manager to its portfolio. It is the industry’s rst data protection software solution that combines universal Format Preserving Tokenization™, strong encryption and uni ed key management in one platform-agnostic package. White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 7 © 2009 nuBridges, Inc. All rights reserved.
  • 9. A NUBRIDGES WHITE PAPER About nuBridges, Inc. nuBridges is a leading provider of software and services to protect sensitive data at rest and in transit, and to transfer data internally or externally with end-to-end security, control and visibility. nuBridges’ encryption, key management, managed le transfer and B2B integration solutions are used to comply with security mandates and to digitally integrate business processes among enterprises, systems, applications and people. Over 3,000 customers depend on nuBridges secure eBusiness solutions to encrypt millions of credit cards, exchange billions of dollars in B2B transactions and enable countless business-critical le transfers, including Wal-Mart, Amazon.com, Timberland, American Eagle Out tters, Costco, Belk, Bon Ton, Wachovia, Sun Trust, AIG, CheckFree and Verizon. nuBridges is headquartered in Atlanta, Georgia, USA. More information is available at www.nubridges.com. U.S. HEADQUARTERS EMEA HEADQUARTERS 1000 Abernathy Road, Suite 250 Lakeside House, 1 Furzeground Way Atlanta, GA 30328 Stockley Park, Uxbridge p: +1 770 730 3600 Middlesex, UB11 1BD United Kingdom p: +44 (0) 20 8622 3841 White Paper: Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data | www.nubridges.com 8 © 2009 nuBridges, Inc. All rights reserved.
  • 10. Last Updated: October 17th, 2012 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Chicago 2012 Chicago, ILUS Oct 27, 2012 - Nov 05, Live Event 2012 SANS South Africa 2012 Johannesburg, ZA Oct 29, 2012 - Nov 06, Live Event 2012 SANS Bangalore 2012 Bangalore, IN Oct 29, 2012 - Nov 03, Live Event 2012 SANS Tokyo Autumn 2012 Tokyo, JP Nov 05, 2012 - Nov 10, Live Event 2012 SANS Korea 2012 Seoul, KR Nov 05, 2012 - Nov 13, Live Event 2012 FOR526 Beta Denver, COUS Nov 05, 2012 - Nov 09, Live Event 2012 SANS San Diego 2012 San Diego, CAUS Nov 12, 2012 - Nov 17, Live Event 2012 SANS Sydney 2012 Sydney, AU Nov 12, 2012 - Nov 20, Live Event 2012 SANS London 2012 London, GB Nov 26, 2012 - Dec 03, Live Event 2012 SANS San Antonio 2012 San Antonio, TXUS Nov 27, 2012 - Dec 02, Live Event 2012 European SCADA and Process Control System Security Barcelona, ES Dec 05, 2012 - Dec 11, Live Event Summit 2012 SANS 2012 Cyber Defense Initiative 2012 Washington, DCUS Dec 07, 2012 - Dec 16, Live Event 2012 SANS Egypt 2012 Cairo, EG Dec 08, 2012 - Dec 20, Live Event 2012 Mobile Device Security Summit 2013 Anaheim, CAUS Jan 07, 2013 - Jan 14, Live Event 2013 Virtualization and Cloud Computing Summit 2013 Anaheim, CAUS Jan 07, 2013 - Jan 14, Live Event 2013 SEC528: SANS Training Program for the CompTIA New Washington, DCUS Jan 07, 2013 - Jan 11, Live Event Advanced Security Practitioner Certification 2013 SANS Security East 2013 New Orleans, LAUS Jan 16, 2013 - Jan 23, Live Event 2013 SANS South Africa 2012 - Cape Town OnlineZA Oct 26, 2012 - Oct 27, Live Event 2012 SANS OnDemand Books & MP3s OnlyUS Anytime Self Paced