How to Dramatically Lower the Cost and Pain of the Yearly PCI DSS Audit

Transcription

1 How to Dramatically Lower the Cost and Pain of the Yearly PCI DSS Audit Executive Summary The annual Payment Card Industry Data Security Standard (PCI DSS) Audit is expensive in two ways: Out of Pocket Costs Companies pay on average $225,000 for their annual PCI audit (and 1 out of 10 pays $500,000 per year for the annual security compliance audit)1. Opportunity Costs The time consuming audit places a major burden on your staff, taking them away from productive activities for long periods of time. Companies look to minimize or eliminate the annual cost of PCI audits and in addition, they are looking to move beyond the constant vulnerability of Primary Account Number (PAN) data, which they consider toxic. They want peace of mind in knowing that they are removing all of the PAN data from their environment. Who should read this? Retail executives responsible for data security and who want to cut costs. What will you learn here? Ideas on how to slash the cost and complexity of PCI compliance audits by shrinking the Cardholder Data Environment using Vaultless Tokenization.

2 What is PCI DSS? Payment Card Industry Data Security Standard (PCI DSS) is a program created by Visa, MasterCard and others to ensure that credit card data is secure and protected. Retailers who process credit cards are subject to an annual security audit by Quality Security Assessors (QSAs). This is an intensive and expensive endeavor. It is done annually because changes occur in the cardholder data environment (CDE). The security standard is well established. Visa reports that 98% are PCI compliant in Level 1 (>6m VISA transactions/year) and 92% of Level 2 (1-6M VISA transactions/year 2 ). L1 and L2 account for 2/3 of all transactions. What is the Cost and Complexity of the PCI Audit? You might be thinking If it ain t broke, why fix it? In other words, if your data is encrypted and you are one of the Level 1 or 2 merchants with PCI DSS compliance certification, why change? The bottom line is that, while you are likely PCI compliant today, the yearly burden is considerable. First, there s the direct cost estimated to hit companies with an annual PCI audit bill of $225,000. Second, there s the burden on in-house staff. The audit consumes a large amount of staff time that could be better spent on revenue generating tasks. These audits certify the IT environments every year to account for any changes that may have occurred in the CDE. By using Vaultless Tokenization from Protegrity, retailers can eliminate most of their audit costs while freeing up staff, by reducing the size of the Cardholder Data Environment (CDE). The CDE is The people, processes, and technology that store, process or transmit cardholder data or sensitive authentication data including any connected system component. 2 US PCI DSS Compliance Status, VISA, March 31,

3 How Can Vaultless Tokenization Reduce the Cost of the Yearly PCI Security Audit? The key to reducing the cost of the yearly PCI security audit is to take systems out of scope. If you can show systems are not processing credit card data, they are no longer subject to audit. The key is to reduce the size of the CDE. Your Quality Security Assessor (QSA) will determine what is and is not in scope. Look at the typical retail environment using encryption in Figure 1 below. Every represents a system using encryption and subject to PCI audit encompassing the entire CDE. As you can see below, all of their systems are in scope and hence consuming budget dollars and staff time. Figure 1 PCI DSS Compliance achieved with Encryption Retail Channels Merchant Headquarters Central Key Management Settlement E-COMMERCE Payment Processes Customer Service STORE HQ Transaction Aggregation ERP Business Functions Loss Prevention Sales Analysis = Encryption = PCI Audit 3

4 Now let s look at Figure 2 - a retailer who has deployed a new process using Vaultless Tokenization shrinking the CDE. Note how almost all of the red encryption circles are gone and replaced with designating tokens. The CDE has shrunk considerably to only include systems that tokenize or de-tokenize. Systems like Customer Service, ERP, Loss Prevention, and Sales Analysis hold tokens with business intelligence rather than the PAN and they are no longer subject to the PCI audit. Tokens with business intelligence are secure while revealing part of the number (first six digits and last four) enabling them to be used in business processes without the need to de-tokenize. This is how companies shrink the CDE, reducing PCI audit costs. Figure 2 PCI DSS Compliance achieved with Vaultless Tokenization Retail Channels Merchant Headquarters Central Tokenization Management Settlement E-COMMERCE Payment Processes Customer Service STORE HQ Transaction Aggregation ERP Business Functions Loss Prevention Sales Analysis = Encryption = PCI Audit = Tokenization 4

5 How is Vaultless Tokenization Different from Vault-Based Tokenization? You may have heard about tokenization or you may have had some experience with tokenization. Why hasn t tokenization exploded into the scene and replaced encryption? It s simple. The vault was getting in the way and creating operational inefficiencies. First generation vault-based tokenization has not materialized as the PCI DSS killer app because of its implementation approach. PAN data is replaced with tokens and the actual PAN is stored in a database table in a token server. As new PAN data is tokenized, the vault grows and grows becoming large and unmanageable, resulting in excessive total cost of ownership. Vaultless Tokenization is the most cost-effective data protection strategy available today. Vaultless Tokenization is the latest advancement in a long line of data security strategy improvements. Over time, as improved strategies advance, total cost of ownership goes down and down. As shown in Figure 3, Vaultless Tokenization is the most cost-effective data protection strategy available today. Figure 3 Evolution from Encryption to Tokenization Reduction of Audit Burden & TCO with New Protection Techniques Low Input Value: PCI Audit Burden & TCO Vault-based Tokenization Greatly reduced Key Management Format Preserving Encryption DTP, FPE Format Preserving Vaultless Tokenization No Vault Strong Encryption AES, 3DES!@#$%a^.,mhu7///&+!@ High 5

6 Compared to vault-based tokenization, Vaultless Tokenization removes the problem of the vault. As a result, it has a tiny footprint and uses commodity hardware. It also provides industry leading performance. And because it requires no data replication, collisions are eliminated, and latency is reduced. Vaultless Tokenization from Protegrity drives down your cost of ownership. Vaultless Tokenization addresses several key requirements: Performance Scalable and highly available Vaultless tokenization delivers greater than 200K tokens per second and can scale to even greater performance. Delivers easy to use token clusters. Token Servers can be easily added to token clusters on top of virtualization platforms such as VMWare, Xen, and Hyper-V. Deploy to many data centers Transparent tokens with business intelligence Unique tokens Deploys a consistent solution globally for production and data recovery. Large enterprises operate geographically distributed data centers. Vaultless Tokenization can easily be deployed to different data centers without the need to synchronize these Token Servers. This reduces complexity and contributes to the reduced Total Cost of Ownership (TCO). Business processing with no disruption to production environment. Since the business intelligence is embedded in the token, there is no need to de-tokenize. Business functions have what they need to continue their role in the business without modifications. Support PCI DSS Distinguishability best practice with several approaches to facilitate the differentiation between actual credit cards and tokens. In Conclusion Protegrity Vaultless Tokenization is a modern, efficient data protection approach that delivers robust performance while dramatically lowering the cost and complexity of the annual PCI audit, by shrinking the CDE. Where to Find More Information If you want to learn more about how to get much better PCI DSS protection at vastly lower cost, talk to Protegrity today. Call us at or info@protegrity.com. 6

7 A Retail Customer Example Oil Company with Convenience-Stores and Teradata Enterprise Data Warehouse This company wanted to cut the cost and time of their yearly PCI Audit. At the start of the project, the audit was taking 7 months. After implementing Vaultless Tokenization to reduce the size of the CDE environment, they were able to reduce the audit to just 3 ½ months. This company also saw a huge performance boost. They started by tokenizing all the existing data in their Teradata Enterprise Data Warehouse (EDW). They started using vault-based tokenization, and then redeployed using Vaultless Tokenization. Look at the time required to process 50 million PANs: 1. Vault-based Tokenization 30 days 2. Protegrity Vaultless Tokenization 90 minutes Vaultless Tokenization offers massive improvements in throughput from a full month down to 90 minutes! Best practices suggest starting with the EDW because all of your PAN information ends up there. For complete analysis capabilities, you want as much information included in the EDW as possible. And it all needs to be secure. Ultimately, by sending tokens with business intelligence to the data warehouse, we are able to take the EDW out of scope. Bottom Line: Vaultless Tokenization offers superior performance and the lowest total cost of ownership for a data protection strategy available to today. For more information Telephone: info@protegrity.com About Protegrity Headquartered in Stamford, CT, Protegrity provides high performance, infinitely scalable, end-to-end data security solutions that protect sensitive information across the enterprise from the point of acquisition to deletion. The company s award winning software products span a variety of data protection methods, including end-to-end encryption, vaultless tokenization, masking and monitoring and are backed by several important data protection technology patents. Currently, more than 200 enterprise customers worldwide rely on Protegrity s comprehensive data security solutions to enable compliance for PCI DSS, HIPAA and other data security requirements while protecting their sensitive data, brand, and business reputation. Copyright 2012 Protegrity Corporation. All rights reserved. Protegrity is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners. 6/2012 7