Tokenisation for PCI-DSS Compliance

Similar documents
Achieving PCI Compliance: Long and Short Term Strategies

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

Google Cloud Platform: Customer Responsibility Matrix. December 2018

SECURITY PRACTICES OVERVIEW

PCI DSS Compliance. White Paper Parallels Remote Application Server

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

6 Vulnerabilities of the Retail Payment Ecosystem

Data Classification, Security, and Privacy

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

University of Sunderland Business Assurance PCI Security Policy

Insurance Industry - PCI DSS

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

COMPLETING THE PAYMENT SECURITY PUZZLE

David Jenkins (QSA CISA) Director of PCI and Payment Services

Navigating the PCI DSS Challenge. 29 April 2011

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Total Security Management PCI DSS Compliance Guide

PCI Compliance. What is it? Who uses it? Why is it important?

PCI DSS COMPLIANCE 101

Have you updated your security lately?

A QUICK PRIMER ON PCI DSS VERSION 3.0

PCI DSS and the VNC SDK

Tokenisation: Reducing Data Security Risk

PCI DSS and VNC Connect

Evolution of Cyber Attacks

Data Sheet The PCI DSS

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

Best Practices for PCI DSS Version 3.2 Network Security Compliance

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Safeguarding Cardholder Account Data

Simplify PCI Compliance

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

SIP Trunks. PCI compliance paired with agile and cost-effective telephony

Will you be PCI DSS Compliant by September 2010?

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

How to Dramatically Lower the Cost and Pain of the Yearly PCI DSS Audit

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

Security Architecture

Jordan Levesque Making sure your business is PCI compliant

The Prioritized Approach to Pursue PCI DSS Compliance

Utilizing Tokenization. How to minimize the impact of the payment card industry data security standards (PCI DSS) on SAP applications

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

PCI Compliance: It's Required, and It's Good for Your Business

Security Update PCI Compliance

The PCI Security Standards Council

Enabling compliance with the PCI Data Security Standards December 2007

Simple and Powerful Security for PCI DSS

Applying Oracle Technologies in PCI DSS certification process

Payment Card Industry (PCI) Data Security Standard

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

Is Your Payment Card Data Secure Enough?

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

PCI DSS v3. Justin

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring

PCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide

Commerce PCI: A Four-Letter Word of E-Commerce

Escaping PCI purgatory.

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

Complying with PCI DSS 3.0

Payment Card Industry (PCI) Data Security Standard

PCI COMPLIANCE IS NO LONGER OPTIONAL

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Projectplace: A Secure Project Collaboration Solution

PCI PA-DSS Implementation Guide

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

Payment Card Industry (PCI) Data Security Standard

Using InterSystems IRIS Data Platform for Securely Storing Credit Card Data. Solution Guide

Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization

The Future of PCI: Securing payments in a changing world

Daxko s PCI DSS Responsibilities

City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR

Data Security Standard

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry (PCI) Data Security Standard

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Ready Theatre Systems RTS POS

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Using GRC for PCI DSS Compliance

Payment Card Industry (PCI) Data Security Standard

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

Payment Card Industry (PCI) Data Security Standard

Stripe Terminal Implementation Guide

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC)

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

Transcription:

Tokenisation for PCI-DSS Compliance Silver Bullet, Hype or somewhere in between? Peter Nikitser, Senior Security Architect, CSC pnikitser@csc.com 1 The Challenge with PCI-DSS Compliance Many organisations struggle to balance business priorities, organisational risk and allocate sufficient time and resources to address the twelve requirements under PCI DSS. Often, PCI DSS compliance improvement initiatives take a back seat. Threats of fines or damage to business reputation is the motivator. Since 2007, many business and IT budgets have been reduced. But the compliance burden has increased, and not just for PCI DSS. Tokenisation is a technology solution gaining adoption. 2 1

PCI-DSS Requirements Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor supplied defaults for system passwords and other security parameters. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti virus software or programs 6. Develop and maintain secure systems and applications 3 PCI-DSS Requirements (continued) Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel 4 2

Payment Card Process 5 Track 1 Data (Format B) Example 6 3

What exactly is Tokenisation? Tokenisation is the process of substituting sensitive information with alternate data that has no intrinsic value outside the environment for which it was intended. Tokenisation can be used to secure more than just payment card information. It can also be used for securing medical records, classified data, bank records and other types of sensitive information. Tokenisation is not to be confused with other forms of tokens Why select tokenisation over encryption? 7 The Difference between Encryption and Tokenisation Encrypted data is a scrambled version of the original content, in contrast to a token, which is a surrogate value. The power of tokenisation is that although the token is usable within its native application environment, it is completely useless elsewhere! 8 4

The Benefits of Tokenisation over Encryption The benefits of tokenisation include: Protects data at a (potentially) lower overall cost (needs to be validated). Data can be substituted like for like, or format preserving. Most business processes can use the token and limit access to the sensitive data. The downsides with encryption include: Retrofitting encryption to existing systems can be costly and increase operational risk. Incorporating encryption processes within an application can impact system performance. Programmers may need to up skill to incorporate encryption processes. Encryption, decryption and re encryption at different points means more attack points. Increased overhead with key management. 9 Does this mean I don t require encryption? Encryption is still required for: Secure message transmission (sending and receiving email between sites with TLS). Secure file transfer (SFTP). Secure sessions (SSH). Replication of sensitive information between data centres. PIN lifecycle management. Information that cannot be tokenised. As an alternative to tokenisation, Point to Point Encryption (P2PE) can be deployed from the terminal and decrypted at the payment processor there isn't any decryption in between because the merchant can't access the keys used by the payment service. 10 5

Examples of Tokenisation Credit Card Information: PAN 5353 1610 0001 0373 0566 27ab cd36 0373 Health Record: Blood Alcohol Level 0.14 *0n* Classified Data: Grid Location 28 o 1 S / 153 o 25 E #121# / #5xy# 11 How popular is Tokenisation? According to a recent Gartner survey completed in early 2011, approximately half of the U.S. retailers surveyed were, at that time, using or planning to use tokenisation or end to end encryption within two years. The key driver for considering or adopting tokenisation was to improve compliance with PCI DSS whilst minimising disruptions to business processes due to improvement activities. Source: Gartner Survey: Challenged U.S. Firms Seek Alternative PCI Compliance Solutions (Article ID: G00214003) 12 6

Why implement Tokenisation for PCI-DSS? The ongoing compliance requirement means every system or component that processes or stores payment card data must be audited. As companies grow, so too does the audit scope! When payment card data is completely replaced with tokens, almost half the security checks from PCI DSS no longer apply: Database encryption, key management and other controls may no longer be required. However, the tokenisation system still needs to be deployed and managed. This may either be managed in house or via a managed security service provider. The tokenisation system uses encryption and needs to be fully compliant. 13 PCI SSC Characteristics for Tokenisation Solutions The PCI SSC, outlines eight characteristics that tokenisation solutions must meet according to its guideline: 1. Tokenisation systems must not reverse tokens to credit card numbers for any component outside of the organisation's cardholder data environment. 2. Systems performing the tokenisation must be on secure internal networks that are isolated from out of scope networks. 3. Untrusted communication must be prohibited in and out of the tokenisation system. 4. The solution must be built upon strong cryptography. 5. The solution must meet the access control and authentication requirements in PCI DSS sections 7 and 8. 6. The solution must be securely configured with vulnerabilities remediated. 7. The solution must implement the organisation's data retention policy by securely deleting cardholder data when it is no longer necessary for meeting business requirements. 8. The solution must provide appropriate monitoring, alerting and logging capabilities. 14 7

Characteristics of a good Token design The same number of digits as for a PAN, i.e. 15, 16 or 19. There is some card number preservation, i.e. last 4 digits. The tokenised number should not start with any of the major brand numbers, i.e. 3, 4, 5 or 6. The tokenised number will always fail a mod 10 check. Source: First Data Corporation 2012 15 What are the business requirements for Tokens? Transactional A unique token is generated for each transaction. Will have different values for a single payment card. Card based A single token is generated for each payment card. Will have multiple transactions stored per card. Issues to consider Token Collisions Token Lifetime 16 8

Components of a Tokenisation System Secure server environment A tokenisation system needs good physical and logical controls. The entity managing the tokenisation system needs to provide this assurance. This can be managed in house or as a managed service. Don t forget all of the supporting and underpinning services! Token vault (database) with hash table The hash table is the glue that matches each piece of sensitive data to a token. Access to the tokenisation system to tokenise and detokenise data. Access to the operating system and other infrastructure. What operations are allowed? The token vault can also be split from the hash table. 17 Token Server Deployment Example In-house 18 9

Token Server Deployment Example Managed Service 19 Token Server Deployment Example Reduced Scope 20 10

PCI SSC Tokenisation Compliance Program The Compliance Program provides validated evidence about a product s features and capabilities: Compliance Effectiveness Product Capabilities Support Scope impact analysis and coverage Management and Usability Suitable for Use In and Recommended Configuration Product Roadmap Source: http://www.compliance labs.com/ 21 Implementation Considerations Example Implementation Issues An organisation with 20+ payment card applications. Can all of the applications use tokenised values? Does it make sense to use tokenisation for all? What about sharing sensitive information? I still need to send information securely! May have to update security architecture to accommodate 22 11

Sharing Sensitive Information Example 23 The challenge with modifying applications Organisations baulk at modifying applications to encrypt and decrypt data. The solutions vary depending upon constraints and the maturity of an organisation to software development. Applications most likely need to be modified in some way to manage tokens instead of payment card data. 24 12

Attacks on Tokenisation Systems When sensitive data is corralled into a single solution: Allows an attacker to focus his/her analysis and attacks on the tokenisation system in use. Can either be performed online or offline. To minimise the likelihood of a successful attack, good implementations of tokenisation systems require: Authentication Authorisation Auditing Monitoring 25 It depends Do I need to worry about all of this? Will tokenisation be completely managed in house? Or by a third party, Tokenisation as a Service (TaaS)? Outside North America, TaaS is not a well known service offering. Your organisation may be an early adopter in Australia. Can all of my applications be updated to use tokens? My organisation is undergoing a change 26 13

How do I determine if Tokenisation is viable? Analyse. Where is the data in transit, in use and at rest? Analyse data flows for the payment card systems your organisation is responsible for. Look at relationships with all entities in the extended enterprise (RACI model). Ask. Is tokenisation suitable for my organisation? How many applications do I have that process payment card data? Do any applications have restrictions with adopting tokenisation? Act. Do something about it. Start putting up the business case to move towards tokenisation; or Place tokenisation on your strategy & architecture roadmap. 27 It depends upon: Business type and size. Is Tokenisation a Silver Bullet? Complexity of existing payment card applications. Risk appetite for organisational change. 28 14

A good quote Many people view tokenisation as a silver bullet for protecting data or achieving compliance, when, in reality, it is an implementation approach that should be considered as a possible part of your overall data protection strategy. Tokenisation only makes sense when you integrate encryption, secure key management and access control, as they are critical components to a comprehensive data protection strategy. Ultimately, there are still many instances where (sensitive) data needs to be moved throughout an enterprise and accessed; these are the challenges that tokenisation doesn t really solve. Derek Tumulak, VP of Product Management Safenet, Inc. 29 Summary of Tokenisation A disruptive technology that is still gaining traction. Costs may increase in some areas and decrease in others. PCI DSS scope is reduced, but the tokenisation server/service is still in scope. Take up in Australia is slow but should increase over the next five years. Will not replace encryption; they will both be required. Understand how tokenisation may benefit your organisation. Understand how tokenisation will impact your organisation if implemented. Should be considered and placed on your architectural roadmap. Implementation Guideline available from http://www.pcisecuritystandards.org Talk to vendors and service providers, but do ask the hard questions! 30 15

Questions? 31 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback