1. Choosing From 3 Core PCI-DSS Tokenization Models
A. Tokenize 100%
B. Modify Apps
C. Proxy-data in transit
Adrian Lane – Securosis PCI-DSS Analyst
Blake Dournaee, Intel Application Security & Identity Products
2. Today's Agenda
• Basic tokenization flows: recap
• Differing tokenization needs based on volume & merchant type
• Pros/cons of outsourced vs on-premises
• Proxy & encryption models
• 3 core solution deployment patterns
• Use cases
(Slide graphic: "Scope Reduction")
Application Security and Identity Products 2
10. Scope reduction: here's how
• Remove confidential data and replace it with a low-value token
• Reduce CC#/PAN access
• Reduce system interdependence
• Fewer checks, controls and reports
11. 2 Minute Tokenization Primer:
• Tokenization replaces sensitive data with a random value.
• Sensitive data is kept encrypted in a data vault.
• The real data is only exposed when absolutely necessary.
• Applications function as normal because the token preserves format and data type.
12. The Tokens
• Should be random or semi-random (never derived from the PAN in a way that can be reversed without the vault).
• Same format as the original value (e.g. 16 digits, passes the LUHN check). Caveat: some deployments deliberately generate tokens that fail the Luhn check so a token can never be mistaken for, or re-tokenized as, a live PAN; pick the behaviour your downstream validators and scanners expect.
• Some characteristics may carry over (e.g. last 4 digits of a credit card number).
• Single or multi-use.
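As an added example (not code from the slides or from any vendor named here), the following minimal tokenization server implements the properties the primer and "The Tokens" slides list: a random, format-preserving token that keeps the last four digits and passes the Luhn check by default (or fails it on request), a vault that stores the PAN encrypted, multi-use and single-use tokens, and a de-tokenization call restricted to an authorized caller list. The vault cipher is a standard-library stand-in (HMAC-SHA256 in counter mode) so the example runs without third-party packages; a real vault uses an authenticated cipher such as AES-GCM from a proper library or an HSM. The caller names and master key are constructed for the example.

```python
"""Added example: minimal tokenization server with a format-preserving token
generator, an encrypted in-memory vault and an authorization check on
de-tokenization. The cipher is a stdlib stand-in, not production crypto."""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: double every second digit counted from the right."""
    total = sum(int(d) if i % 2 == 0 else (2 * int(d) - 9 if int(d) > 4 else 2 * int(d))
                for i, d in enumerate(reversed(number)))
    return total % 10 == 0


def make_token(pan: str, keep_last4: bool = True, pass_luhn: bool = True) -> str:
    """Random token with the same length as the PAN.

    The digit just before the preserved tail (5th from the right) has Luhn
    weight 1, so it serves as an adjuster: exactly one of its ten values makes
    the token pass the check, the other nine make it fail."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    tail = pan[-4:] if keep_last4 else "".join(secrets.choice(DIGITS) for _ in range(4))
    body = [secrets.choice(DIGITS) for _ in range(len(pan) - 4)]
    start = secrets.randbelow(10)  # so failing tokens are not biased towards one adjuster value
    for d in range(10):
        body[-1] = str((start + d) % 10)
        token = "".join(body) + tail
        if luhn_valid(token) == pass_luhn:
            return token
    raise AssertionError("unreachable: some adjuster value always satisfies the check")


class TokenVault:
    """The token -> PAN mapping is the only place the PAN exists."""

    def __init__(self, master_key: bytes, authorized_callers: set[str]):
        # Separate subkeys for the vault cipher and for the PAN lookup index.
        self._enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
        self._idx_key = hmac.new(master_key, b"pan-index", hashlib.sha256).digest()
        self._authorized = set(authorized_callers)
        self._records: dict[str, tuple[bytes, bytes, bool]] = {}  # token -> (nonce, ct, single_use)
        self._index: dict[str, str] = {}                           # HMAC(PAN) -> multi-use token

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Stand-in stream cipher: HMAC-SHA256(enc_key, nonce || counter). Replace with AES-GCM.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, plaintext: bytes) -> tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)
        return nonce, bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))

    def _open(self, nonce: bytes, ciphertext: bytes) -> bytes:
        return bytes(c ^ k for c, k in zip(ciphertext, self._keystream(nonce, len(ciphertext))))

    @staticmethod
    def _normalize(pan: str) -> str:
        return pan.replace(" ", "").replace("-", "")

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        pan = self._normalize(pan)
        idx = hmac.new(self._idx_key, pan.encode(), hashlib.sha256).hexdigest()
        if not single_use and idx in self._index:
            return self._index[idx]  # multi-use: the same PAN always maps to the same token
        while True:
            token = make_token(pan)
            if token != pan and token not in self._records:
                break  # never hand out the PAN itself or a token already in use
        self._records[token] = self._seal(pan.encode()) + (single_use,)
        if not single_use:
            self._index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only authorized (in-scope) systems may recover the PAN; one-time tokens are spent here."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} is not authorized to de-tokenize")
        if token not in self._records:
            raise KeyError("unknown or already-spent token")
        nonce, ciphertext, single_use = self._records[token]
        if single_use:
            del self._records[token]
        return self._open(nonce, ciphertext).decode()
```

In use, the web tier calls tokenize() and stores only the token; a settlement or chargeback system on the authorized list calls detokenize(). Everything that only ever sees the token is what the slides mean by "out of scope"; the vault, the token server and the authorized callers stay in scope, so keep that list short and log every de-tokenization.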
14. Integration Options
• Application API Calls
• Proxy Agents
• Database Queries
• Back-office Systems
15. Diagram: Non-CDE vs. Cardholder Data Environment (CDE)
• Inside the CDE: Token Server and Token Database
• Outside the CDE: tokenized application databases (out of scope)
• Only authorized tokenized systems, which remain in scope, send de-tokenization requests to the Token Server
21. Use Case #1:
Big Box Retail Chain
• Web and retail locations
• Huge transaction volume
• POS, Card-swipe and web payment options
• Tightly integrated back office systems
• Full PCI Audits
23. Use Case #1: Buying Decision
• Per-transaction cost overriding factor
• Worried about modifying existing applications
• Want to reduce audit costs
• Want reduced complexity, and scope reduction through reduced card storage
24. Use Case #2:
Small Service Provider
• Small transaction volume
• Handful of retail locations
• POS & Web site
• Need to comply with self-assessment
• No in-house security staff
26. Use Case #2: Buying Decision
• Have no idea what PCI is but must comply, as credit cards are key to their business
• Accept higher per-transaction costs for removal of all PAN/mag stripe data
• Provider supports repayments/remediation
• Minimal modification to existing applications
27. Use Case #3
Giant Web Retailer
• No physical stores
• Huge transaction volume
• Multiple payment providers, promotions
• Web payment and shopping cart applications
• Data and IT security expertise
• COTS applications with customizations
29. Use Case #3: Buying Decision
• Very minor software upgrade
• Dramatically reduced audit scope
• Far less chance of data breach
• Supports multiple payment providers via a single shopping cart application
• Maintains customer relationship
30. Use Case #4
Mid-sized merchant
• All in-store sales, small web presence
• Sizable POS investment
• Highly cost-conscious
• COTS applications, no in-house software
• No in-house IT security
• Worried about liability, CC# theft
33. Use Case #4: Buying Decision
• Did not require application modifications
• FPE (format-preserving encryption) built into existing infrastructure
• Reduced scope through highly restricted key access and key management
• Moderate per-transaction service fees
34. Buying decisions ...
• How much are transaction costs?
• How costly to integrate into my apps?
• Does it reduce PCI scope?
• Does it work with my systems?
• Is it reliable? Is it fast?
• Have I reduced my risk?
36. Summary
• Reduces security risks
• Reduces complexity
• Minimal IT systems impact
• Reduces compliance costs
• See the Securosis whitepapers for more details
37. Adrian Lane
Securosis, L.L.C.
alane@securosis.com Twitter: AdrianLane
38. Cloud Service Broker Capabilities
Reduce PCI Scope, Lower Costs
& Protect Cardholder Data
Blake Dournaee, Product Management
39. Tokenization Strategies

Sample SDK call shown on the slide (TokenizationServer is the slide's illustrative client class, not a published API):

```java
// Input data to be tokenized.
String inputData = "1234 5678 9012 3456";
// Get a new instance of the tokenization server client (host, port).
TokenizationServer server = new TokenizationServer("192.167.1.1", "443");
// Tokenize the data and catch exceptions (vault unreachable, input rejected by policy, ...).
try {
    String token = server.tokenize(inputData);
} catch (Exception e) {
    // Fail closed: never fall back to storing the raw PAN.
}
```

• Monolithic "Big Bang" Tokenization (modify everything): costs reduced by rip and replace of the entire architecture
• API or SDK Tokenization (modify point applications): costs reduced by point application changes
• Proxy Tokenization (modify data in transit): costs reduced by altering data online with minimal application changes
40. Tokenization Strategies

Monolithic Tokenization (Big Bang)
• Strategy: strive to take the entire datacenter out of scope
• Key challenges: time to value; requires POS retail upgrades; bank/payment processor lock-in; inflexible to change
• Key benefits: eventually results in cost savings
• Example: RSA/FirstData, Verifone, Voltage (P2P encryption + tokenization)

API or SDK Tokenization
• Strategy: remove individual applications from scope through an SDK or agent
• Key challenges: each application requires code changes; the structured vault is usually difficult to scale; each application changed must be assessed
• Key benefits: modest scope and risk reduction
• Example: Protegrity, nuBridges, Safenet, Voltage

Modular or Proxy Tokenization
• Strategy: remove data flows from scope using a proxy
• Key challenges: applications must redirect data flows to a new IP address
• Key benefits: faster time to value; fewer application changes; data is tokenized on the wire; massive scalability; assessment is centralized at a security gateway
• Example: Intel Expressway Tokenization Broker
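The proxy row above is the one model that changes data rather than applications, so here is an added example of what such a filter does (constructed for this page; it is not Intel's product code). Applications point their payment traffic at the proxy; it tokenizes PANs on the way in and restores them only on the way out to an allow-listed payment processor host, so nothing behind it ever stores a real PAN. The vault is an in-memory dict and the token generator a bare stand-in (a real broker encrypts and clusters the vault); the hostnames and the sample order body are constructed. Tokens are built to fail the Luhn check on purpose: the inbound filter identifies PANs by digit-run plus Luhn, so a Luhn-valid token would be re-tokenized if it passed through the proxy a second time.

```python
"""Added example: proxy tokenization on the wire. PANs are detected and
replaced in request bodies; the real PAN leaves only towards an allow-listed
payment processor. Vault and token generator are stand-ins."""
import json
import re
import secrets

# 13 to 19 digits, optionally separated by spaces or dashes, as card numbers appear in forms.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample order as it would arrive from the e-commerce web server.
SAMPLE_ORDER = json.dumps({
    "order_id": "1234567890123",           # 13 digits but not Luhn-valid: must survive untouched
    "card_number": "4111 1111 1111 1111",  # Luhn-valid test PAN
    "amount": "19.99",
})


def luhn_valid(number: str) -> bool:
    total = sum(int(d) if i % 2 == 0 else (2 * int(d) - 9 if int(d) > 4 else 2 * int(d))
                for i, d in enumerate(reversed(number)))
    return total % 10 == 0


class TokenizingProxy:
    def __init__(self, processor_hosts: set[str]):
        self._allowed_hosts = set(processor_hosts)  # only these may receive real PANs
        self._vault: dict[str, str] = {}            # token -> PAN (stand-in; real vaults encrypt)
        self._by_pan: dict[str, str] = {}           # PAN -> token, so tokens are multi-use

    def _token_for(self, pan: str) -> str:
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Same length, last four preserved, leading 9, and deliberately Luhn-invalid.
            token = "9" + "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5)) + pan[-4:]
            if token != pan and token not in self._vault and not luhn_valid(token):
                break
        self._vault[token] = pan
        self._by_pan[pan] = token
        return token

    def inbound(self, body: str) -> tuple[str, int]:
        """Replace every Luhn-valid card number in a request body; return (new body, count)."""
        count = 0

        def replace(match: re.Match) -> str:
            nonlocal count
            raw = match.group(0)
            digits = re.sub(r"[ -]", "", raw)
            if not luhn_valid(digits):
                return raw  # order numbers, phone numbers and tokens pass through untouched
            count += 1
            return self._token_for(digits)

        return PAN_RE.sub(replace, body), count

    def outbound(self, host: str, body: str) -> str:
        """Restore PANs only for an allow-listed processor; every other destination gets tokens."""
        if host not in self._allowed_hosts:
            return body
        return PAN_RE.sub(lambda m: self._vault.get(m.group(0), m.group(0)), body)


def demo(processor_host: str = "gateway.processor.example") -> tuple[str, int, str, str]:
    """Run the sample order through the proxy in both directions (hostnames are constructed)."""
    proxy = TokenizingProxy({processor_host})
    tokenized, count = proxy.inbound(SAMPLE_ORDER)
    to_processor = proxy.outbound(processor_host, tokenized)
    to_supply_chain = proxy.outbound("erp.merchant.internal", tokenized)
    return tokenized, count, to_processor, to_supply_chain
```

The allow-list in outbound() is the control that makes the scope argument hold: the supply chain app, BPM system and portal in the later use-case slides receive the tokenized body and cannot ask the proxy for more. Pattern matching on the wire is also where false positives live, which is why the filter requires both a plausible digit run and a Luhn pass before it touches a value.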
45. Intel® Expressway Tokenization Broker – V2 (1H, 2012)
Hardware or Software Broker
• Tamper-resistant appliance with redundant, solid state storage
• Software on Linux AS5-64
Sample Tokenization Application
• Token Exchange
• Token Management
• User-defined credit card lengths, including 19 digit cards
Secure Token Vault
• Clustered, high performance secure vault with unlimited token capacity
• Base configuration supports 300M tokens
Highly Scalable "NoSQL" Vault
• Horizontal scalability increases performance for each additional node
• High availability provided by N-to-N/Active-Active HA clustering
• Full back-up and restore capabilities
Hitless Key Rotation
• Change vault encryption keys with zero downtime
• Addresses PCI-DSS 3.6.4 (key changes at the end of the cryptoperiod) without stopping a single transaction
Intel® Services Designer & Web Interface
• Policy Design and Deployment
• Token Exchange / Management Actions
• Policy Deployment & Monitoring
Quoted on the slide: "SQL databases are fundamentally non-scalable, and there is no magical pixie dust that we, or anyone, can sprinkle on them to suddenly make them scale." - Adam Wiggins, Founder of Heroku (Cloud APaaS, acquired by Salesforce.com)
46. Goal: E-Commerce Order Processing
Manual Invoice Processing. Problem: exception cases require manual review, bringing additional systems into scope. Solution: internal tokenization.
Diagram (merchant data center, PCI scope): E-Commerce Website → Web Server → invoice with credit card number → Payment Application → Payment Processor. Order exceptions go to manual review of the invoice and re-entry through a Portal, and on to the BPM System, Supply Chain Apps, Data Store and additional post-payment applications.
47. Goal: E-Commerce Order Processing (second copy of the slide 46 diagram; the extracted labels are identical)
48. Goal: Bill Processing, Consolidation, Printing
Financial Statement Processor. Problem: non-payment-processing applications contain PAN information, increasing scoping costs. Solution: internal tokenization.
Diagram (service provider data center, PCI scope): customer billing information and large data feeds with PAN data enter through IBM WebSphere Middleware into invoicing and bill payment, bill production and printing, and bank statement customization and consolidation; customized bills and statements and documents with the original PAN flow on to connected apps, databases and portals.
49. Goal: Bill Processing, Consolidation, Printing
Financial Statement Processor. Problem: non-payment-processing applications contain PAN information, increasing scoping costs. Solution: internal tokenization.
Diagram (service provider data center, PCI scope): the same flow as slide 48, with "Edge Security + Tokenization" placed at the ingress of the customer billing information and large data feeds with PAN data, so that invoicing and bill payment, bill production and printing, bank statement customization and consolidation, and the connected apps, databases and portals receive data with tokens; documents with the original PAN remain only at the edge.
50. For Additional Information, go to: www.intel.com/go/identity
• Download Eval
• Data Sheet
• PCI White Paper
• Assessors Guide
E-mail: intelsoainfo@intel.com
Editor's notes
Speaker outline for a related talk, "Enterprise API Best Practices" (John), ~15 slides, talk for 25-30 minutes:
I. API Evolution: where did they come from? (6-8 slides)
 a. APIs evolved from SOA as services
 b. Now they are pervasive; REST/JSON is king
 c. 2011 API growth was huge; what will 2012 look like?
 d. API business model slides: which types of businesses benefit the most from APIs? (Blake to help with this)
 e. Comparison to website: APIs are the new "website"
II. Categories: Open APIs versus Private APIs (4 slides)
 a. Open APIs focus on developer on-boarding and platform enablement; name examples
 b. Private APIs (Enterprise APIs) focus on security, scalability, and availability; name examples of these (if you have some)
 c. For Enterprise APIs, developer on-boarding is less of an issue
III. Hosted vs On-Premise (1-2 slides)
 a. What are the pros and cons of hosting an API through an enabler service (Mashery/APIgee) versus doing it yourself.
 b. Hosted: good for open APIs, as the developer community is more important
 c. On-Premise: good for private/enterprise grade APIs, as security and scalability are paramount
(Blake), 8 to 10 slides, talk for 10-15 minutes:
III. Enterprise use cases: types of things an enterprise wants to do (1-2 slides)
IV. The value of the gateway pattern: abstraction (consuming APIs) and security (protecting APIs) (2 slides)
V. Security overview: threats, trust, anti-malware, data loss prevention (1 slide)
VI. Intel Expressway product pitch (2 slides)
VII. Customer examples (2 slides)
Tokenization Broker V2 feature notes:
• Embedded Secure Vault: clustered, high performance secure vault with unlimited token capacity
• Horizontal Scalability: additive; load scalability increases performance for each additional node
• High Availability: N-to-N/Active-Active HA clustering
• Hitless Key Rotation: change vault encryption keys with zero downtime
• Hardware Upgrade: 10G Ethernet, dual disks, 32GB memory, dual SSD drives (300GB)
• Log Privacy and Security: redaction
• Custom Credit Card Support: user-defined credit card length support, including 19 digit cards
• Vault Back-Up & Restore: supports manual back-up and restore for archival
Resources on the PCI Solutions page of DP include the following: eval version of Tokenization Broker; Data Sheet; PCI DSS White Paper; Gateway Tokenization Webinar playback; QSA Assessors Guide. (New content is being added on a regular basis; please keep posted!)