Cost Effective PCI DSS Tokenization for Retail (Part I)

With PCI DSS 2.0 compliance newly mandated and recent guidance on PCI DSS tokenization[i], this is an excellent time for merchants to review their compliance and PCI scope reduction strategies. One of the more common approaches to reducing PCI DSS scope (and hence the cost of assessments and the associated costs of remediation) is to tokenize PAN data within the enterprise.

While this blog series focuses on tokenization within a retail environment, the approaches and results are equally applicable to any tier 1 or 2 merchant with a large investment in existing data centers.

Why Reduce PCI Scope?

Most, if not all, tier 1 and tier 2 merchants are already PCI compliant and view continuing compliance as a cost of doing business. Why would the merchant decide to change its IT infrastructure to reduce PCI scope?

To paraphrase the PCI DSS 2.0 Standard [ii], PCI DSS Scope may be defined as the set of all systems that store, transmit or otherwise have access to Primary Account Number (PAN) data. That is, any system that accesses credit card data in any way (encrypted or not) is potentially within PCI Scope.

Since PCI Scope is the set of systems that must be evaluated by a Qualified Security Assessor (QSA) for compliance, the cost of an assessment is directly related to the size of the task (and therefore to the size of the PCI Scope).

The average assessment cost for Tier 1 merchants is $225,000 (with 10% exceeding $500,000 annually)[iii]. This only includes direct out-of-pocket fees to QSA organizations and does not include the time and resources that the merchant must apply to bring systems in line with the standard.

The largest and least predictable cost is in remediation of PCI inadequacies. As a result of the yearly assessment, the merchant often has a list of remediation activities and compensating controls that must be implemented in order to maintain compliance. Often these involve disrupting or upgrading existing systems or changing where in the network or on what physical servers systems may reside. The cost of this remediation often dwarfs the cost of the annual assessment and may be revisited every year.

As much of the standard is subjective and compliance is up to the discretion of the QSA, a determination of point-in-time compliance in one year is no guarantee of the same outcome in the following year (even with no or minimal changes to IT infrastructure).

So a large PCI Scope not only means a large assessment cost and potentially larger remediation costs, but also additional risk of unplanned expenditures caused by IT disruption, even for IT systems that change little between assessments.

In short, it is important to reduce scope as much as possible in order to reduce both ongoing costs and the risk of large, unplanned IT expenditures. One obvious strategy here is to reduce the risk as much as possible and ‘delete’ the data. Deleting the data may involve moving the problem to someone else, changing existing business processes to remove PANs, or relying on tokenization to shrink the PCI footprint.

Common Strategies for Reducing PCI DSS Scope

Common strategies for reducing PCI DSS Scope include the following:

  1. Outsourcing all credit card processing and credit card handling to another vendor.
  2. Eliminating all stored PAN data from the network.
  3. PCI DSS Tokenization.

The first option is by far the best at reducing scope. If handled properly there is very little or no PCI DSS Scope left for the merchant. This approach is not always practical for a variety of reasons, including that existing IT systems may not accommodate the change and that it is often preferable for the customer to enter into new transactions without re-entering credit card data. Moreover, large merchants often can’t change existing business processes that rely on PAN data, as it may involve re-training or re-deploying existing personnel or even changing the way business is conducted, if PANs are used for analytics or in other business functions such as CRM.

The second strategy often cannot be applied uniformly, due to the saved-credit-card problem described above, and data warehousing applications often need a unique identifier to track purchases from an existing customer (perhaps to identify profitable and unprofitable transactions and customers). Since not every customer will be a member of a loyalty program, PAN data is often used to track customer activity.

The rest of this posting will concentrate on PCI DSS Tokenization.

What is PCI DSS Tokenization?

PCI DSS Tokenization is a means of protecting credit card data by substituting a different, non-encrypted value for a credit card number. Usually this takes the form of a random number (with some of the first digits and ending digits preserved) that appears to back-end systems to be a valid credit card number.

It is important that the random elements of the token (that is, the digits that are not preserved from the original PAN) are not in any way derived from the actual credit card number. [iv] The mapping from the PAN to the token is stored in a secure vault; only the vault can resolve a token back to its PAN.

If this is accomplished properly, the following results occur:

1) Any breach of documents with tokens rather than actual credit card data is useless to an attacker as the attacker does not have access to the token vault which stores the mappings.

2) There is no offline attack vector for deriving a decryption key and therefore compromising tokens.

3) Systems that only touch tokens and not actual PAN data may be removed from PCI Scope and are therefore not susceptible to the direct costs or remediation exercises for PCI compliance.

4) Systems that are thus removed from scope may now have past remediations and compensating controls removed in order to free up MIPS for business processes or in order to delay or eliminate the need for costly hardware and software upgrades.

5) Contrasted with encryption, tokenization does not incur a large key management problem at each system that encrypts and decrypts data – key management is centralized to the operation and maintenance of the vault alone.
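To make the properties above concrete, here is an added example of a minimal token vault; it is illustrative code written for this page, not Intel’s Tokenization Broker or any part of the original post. It assumes tokens keep the first six and last four PAN digits (the post only says “some”), that “appears to be a valid card number” means the token passes the Luhn mod-10 check, and that the vault is an in-memory dictionary with a caller whitelist for detokenization; a production vault would additionally encrypt the stored PANs, persist the mapping and audit every lookup. The free digits come from the OS random source, so no part of the token is a function of the PAN, and the same PAN always maps to the same token so downstream analytics can still correlate transactions.

```python
import secrets
import threading

# Digits of the PAN a token keeps at each end. Six leading and four trailing is
# a common choice; the post only says "some", so this is an assumption.
KEEP_LEAD = 6
KEEP_TAIL = 4


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check used by card numbers; tokens minted here pass it too."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal in-memory PAN <-> token vault (illustration only, not a product API).

    Only the vault holds the mapping, so a breach of a system that stores tokens
    alone yields nothing that can be inverted. A production vault would keep the
    PAN encrypted under managed keys, persist the mapping durably and audit every
    detokenize() call; none of that is modelled here.
    """

    def __init__(self, allowed_callers):
        self._pan_to_token = {}
        self._token_to_pan = {}
        self._allowed = set(allowed_callers)   # hypothetical application whitelist
        self._lock = threading.Lock()

    def _mint_token(self, pan: str) -> str:
        lead, tail = pan[:KEEP_LEAD], pan[-KEEP_TAIL:]
        free = len(pan) - KEEP_LEAD - KEEP_TAIL    # digits that will be random (>= 2)
        while True:
            # All free digits but one come from the OS CSPRNG, so nothing in the
            # token is derived from the PAN it replaces (no offline attack on it).
            middle = "".join(str(secrets.randbelow(10)) for _ in range(free - 1))
            # The last free digit is chosen so the whole token passes Luhn; exactly
            # one of the ten values works whether or not Luhn doubles that position.
            candidate = next(
                lead + middle + fix + tail
                for fix in "0123456789"
                if luhn_valid(lead + middle + fix + tail)
            )
            # Never hand out the PAN itself, an existing token, or another vaulted PAN.
            if (candidate != pan and candidate not in self._token_to_pan
                    and candidate not in self._pan_to_token):
                return candidate

    def tokenize(self, pan: str) -> str:
        """Return the token for pan, minting one on first sight (same PAN, same token)."""
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        with self._lock:
            token = self._pan_to_token.get(pan)
            if token is None:
                token = self._mint_token(pan)
                self._pan_to_token[pan] = token
                self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str, caller: str) -> str:
        """Map a token back to its PAN; only whitelisted callers may do this."""
        if caller not in self._allowed:
            raise PermissionError(f"{caller!r} may not detokenize")
        with self._lock:
            return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(allowed_callers={"payment-switch"})
    pan = "4111111111111111"            # constructed: a widely published test number
    tok = vault.tokenize(pan)
    print(pan, "->", tok, "| luhn ok:", luhn_valid(tok))
    print("round trip ok:", vault.detokenize(tok, "payment-switch") == pan)
```

Systems that only ever see the value returned by tokenize() hold a Luhn-valid, correctly formatted number that tells them nothing about the PAN, which is exactly what lets them be argued out of scope; the one place that can reverse the mapping is the vault, so that is where the access control and key management effort concentrates.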

Conclusion:

There are two primary reasons most merchants evaluate PCI DSS tokenization options.

1) To reduce the cost of PCI DSS compliance (as cost is directly related to scope)

2) To increase security and to drastically reduce the risk of a data breach.

Given these constraints, my colleagues and I contend that the best option is often to begin at the data center, where the most value is gained with the least effort, and then use what is learned there to inform the decision of how best to secure other parts of the enterprise.

In my next blog post, I’ll discuss three common architectural approaches towards data center tokenization.

While we continue to explore Tokenization, I encourage everyone to download a complimentary copy of PCI DSS Expert and QSA Walter Conway’s PCI DSS Tokenization Buyer’s guide available here


You are also welcome to peruse Intel’s solution for reducing PCI DSS scope by visiting the Intel Tokenization Broker landing page.


Tom Burns serves in Intel’s Data Center Software group where he works with many of the world’s top retailers to help increase security and reduce PCI DSS Scope. Tom joined Intel in 2008 and holds a BSEE from Purdue University.



[i] Information Supplement: PCI DSS Tokenization Guidelines, PCI Security Standards Council, August 2011

[ii] PCI DSS Requirements and Security Assessment Procedures, Version 2.0, Page 10 Section “Scope of Assessment for Compliance with PCI DSS Requirements”

[iv] Information Supplement: PCI DSS Tokenization Guidelines, PCI Security Standards Council, August 2011, section 4.1

Your personal data is now yours… maybe? by Andy Thurai

Recently the State of Alaska DHSS was fined a hefty sum of $1.7 million for non-compliance. The issue came to the forefront when a USB drive containing PII (Personally Identifiable Information) was lost (or stolen). This is not the first high-profile incident in which stern action was taken by government agencies for someone losing or being careless with consumer data.

Recently, I blogged about how California declared zip codes to be PII and what you should do to protect the information you capture, regardless of whether it is credit card information, patient data, or electronic health records. http://soacloudsecurityblog.wordpress.com/2012/04/02/perfection-series-how-do-you-definemeasure-perfection/

It is not just about tokenizing your data; you have to make sure your logs, storage, and monitoring systems are clean too. If you fail to do that you can be found non-compliant, and when a compliance or forensic analysis is done they look at all collateral repositories as well. I have previously blogged about being careful about leaving PII residue in your logs. http://soacloudsecurityblog.wordpress.com/2012/04/23/perfection-series-forgotten-data-in-your-logs-log-redaction-service/

Remember the classic case of employees going after Starbucks about their personal data being carelessly handled.  http://soacloudsecurityblog.wordpress.com/2012/04/09/you-too-seattle/

And we all know about the FTC going after the data broker Spokeo, which paid $800,000 to settle FTC charges that it sold personal information gathered from social media and other websites to employers and job recruiters without taking the steps to protect consumers required under the Fair Credit Reporting Act. http://www.networkworld.com/news/2012/061212-ftc-spokeo-260092.html?page=1

These are only a few examples of the revolution that is happening. For years we have had our data exposed, particularly personal information, and watched helplessly as our data was collected, sold, used, marketed to, abused and often stolen and circulated in the black market. Finally, the government and related agencies are stepping in to make a statement.

The core of all these issues stems from the fact that it is hard to fix the holes across your enterprise ecosystem. While you can continue to encrypt the data in as many places as you can, the human element still wins most of the time, and there is also the issue of encryption algorithm strength and of weak links in your process flow. That is why the newer model, tokenization, is becoming very popular, especially since you lose a lot of control when you move your data, applications and processes to the cloud. You lose control over the data trails, transport and storage (alerts, monitoring, logs, auditing, etc.), and on top of that you are at the mercy of the cloud provider. This exponentially complicates your ability to figure out how vulnerable your data is, which could be very dangerous. Additionally, you need to know where all your data is flowing (or leaking), especially if it flows to an application instance that is subject to export control laws, with their exceptions for stronger encryption, as this could really mess things up. So while you have to worry about using stronger encryption to protect your data, you also have to worry about complying with export regulations.

Intel Tokenization solutions would be a perfect fit in such situations. Our PCI and PII tokenization allows you to strike a balance between both issues. You can keep your enterprise data encrypted and tokenize the sensitive data when it is sent over the wire to cloud locations, partners, etc. Unless the receiving party is a whitelisted application, it won’t know where to go to get the original data. You can rest easy knowing that while your sensitive data is sitting safe and secure, only your tokens are floating around everywhere.

If you are interested either in PAN tokenization or PII tokenization (such as SSN, date of birth, etc.), use the link below to check out our solution information and reach out to me if you need further details. http://cloudsecurity.intel.com/solutions/tokenization-broker-reduce-pci-scope

Also, check out this whitepaper by Walter Conway, QSA, who is an expert on this subject.

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel

Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role, he is responsible for helping Intel/McAfee field sales, technical teams and customer executives. Prior to this role, he has held technology architecture leadership and executive positions with L-1 Identity Solutions, IBM (Datapower), BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20 years of IT experience. He blogs regularly at www.thurai.net/securityblog on Security, SOA, Identity, Governance and Cloud topics. You can find him on LinkedIn at http://www.linkedin.com/in/andythurai.

The “Intel” on Intel is… We do software! by Andy Thurai

Are you surprised? I start off most of my presentations/conferences with the following question:

How many of you know that Intel ‘does’ Software?

Very few hands usually go up, and that is exactly the challenge I have today in getting the word out about other exciting developments that people wouldn’t normally associate with this technology juggernaut. And while the Silicon Valley behemoth often conjures up images of powering a plethora of devices (including phones too!), it’s its Application Security & Identity Products division (ASIP), my unit, that is quickly escaping the formidable shadow of the “mother ship” as it gains prominence in the world at large with Cloud, Application security, Identity and Tokenization software. Intel’s ASIP group is on the cutting edge of innovation in a myriad of ways with some very advanced technologies such as Cloud SSO, Cloud-based Identity services, Identity Manager, OTP (One Time Password), Big Data, Analytics, API Gateway, Cloud Service Broker, Security Gateway, Mobile middleware and Security as a Service.

Every Intel commercial you see on TV, or through other media channels, usually promotes Intel chips, as that is a core strength of ours. But I want you to be aware that we are far more than just chips. We are a leading edge technology company that constantly renews itself as well as its raison d’être. We hold more patents than almost anyone else in almost every field that we are in. And we employ an army of engineers in some of the largest research efforts in the world, with one of the largest research budgets.

There was a great article in Forbes not too long ago about how Intel is one of the largest software companies in the world that you’ve never heard of. Led by our fearless leader, Renee James, SVP of Intel’s Software group, Intel recently announced Security as our third pillar. Our CEO Paul Otellini didn’t just stop there; he showed the world he meant it by acquiring McAfee soon after. We have also made some very key strategic acquisitions in the software security and identity areas to strengthen our position. Those include, but are not limited to: McAfee, Nordic Edge, Sarvega, WindRiver… (a complete list can be seen on the Forbes link below or at Intel.com). This is consistent with our strategy. We continue to acquire and develop many more software and security solutions with unwavering commitment.

You might be surprised to learn the following:

  • Intel turbo-charges the Linux community by putting hundreds of full-time engineers to work on the free operating system.
  • Intel’s tools helped Apple’s engineers move its Macintosh computers to Intel processors.
  • Intel helped Google move into the Smartphone business.
  • Maybe the company’s biggest software triumph has been its push into high-performance computing. Five of the ten fastest supercomputers in the world now run Intel’s chips.
  • Intel has a solution that helps companies Tokenize their sensitive data.
  • Intel’s Cloud Service Broker (CSB) and API Gateway solutions help companies seamlessly move their enterprise applications to the cloud.

Along these lines, Intel has been a pivotal partner on many projects that have helped to move the “proverbial needle” by developing tools, frameworks and enhancements – all of which often have gone unrecognized since the efforts are not branded with any kind of Intel logo.

With the acquisition of security software vendor McAfee last year, Intel became one of the world’s 10 largest software companies. – Forbes May 2012.
http://www.forbes.com/sites/briancaulfield/2012/05/09/intel-is-the-biggest-software-company-youve-never-heard-of/.

If you have time, I suggest you give our annual report a read. You’ll get a first-hand look at the contributions of the software division. They are impressive. Just from the numbers alone, we could easily be considered one of the largest software vendors in the world.

We, the software group of Intel, get access to information coming from the advanced security labs of McAfee and the extreme performance labs of Intel. This allows our software unit to understand what is coming down the road and architect solutions for the future. That is why, when you choose Intel for any of the aforementioned products, our performance numbers in comparisons against our direct competitors are truly outstanding. If you have any questions about this, please give me a shout and I will demonstrate to you how awesome we really are.

A very familiar Allstate commercial asks, “Are you in good hands?” With Intel, I can guarantee you are.

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel

Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role, he is responsible for helping Intel/McAfee field sales, technical teams and customer executives. Prior to this role, he has held technology architecture leadership and executive positions with L-1 Identity Solutions, IBM (Datapower), BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20 years of IT experience.

He blogs regularly at www.thurai.net/securityblog on Security, SOA, Identity, Governance and Cloud topics. You can find him on LinkedIn at http://www.linkedin.com/in/andythurai.

Andy Thurai, on Defining and Measuring “Perfection”

A few weeks ago I had a conversation with a customer of mine and we discussed this very topic. How do you measure perfection? It’s a good question worthy of inquiry. I was really surprised at the different answers suggested in the conversations that ensued.

Perfection is, as stated by the Merriam-Webster dictionary, “broadly, a state of completeness and flawlessness, an unsurpassable degree of accuracy or excellence”. Some would also say perfection is the absence of judgment. :)

If you operate within a Math or Science context, the term perfection is actually used to designate a range of diverse concepts. These concepts have historically been addressed in a number of discrete disciplines, notably mathematics, physics, chemistry, ethics, aesthetics, ontology and theology.

To an extent, “perfection” is a state of mind. Why am I telling you all of this? I was asked the question “Is your solution perfect for our situation?” So instead of pursuing a quest for the meaning of perfection (and the meaning of life), I thought I would take this opportunity to write a series of blogs in which I am going to highlight our solution capabilities and recent enhancements that may make our solution perfect for you! (You knew that plug was coming, right?)

A few years back (I used to work for a competitor at that time), I was visiting a customer of ours to discuss a complex architectural issue they were having. I sat down with the Security Architect, Enterprise Architect, and the CISO of a big insurance company (who shall remain unnamed) to discuss the issue. To show me the issue at hand, they pulled up a specific transaction to analyze. There it was: the admin password for the system (the holy grail), for their important backbone component, baring its nakedness to us in clear text. In all fairness, the ‘most verbose log feature’ was turned on to debug a specific issue in that situation. After we joked about the fact that I then knew the admin password for their backbone and for their entire enterprise, I was told I was going to spend most of my life in a corner of their data center sleeping on a rug!

The conversation got very serious when we talked about how admin passwords should NEVER be displayed, in clear text, on any log for any reason.  I took this noted and avoidable vulnerability back to my Product Management/Engineering teams. To my surprise, the concern was brushed aside as a non-issue.

A risk of this magnitude could easily be considered a major compliance issue if you are an organization that deals with HIPAA and/or PCI compliance. Regardless of whether you have the most verbose mode turned on or not, if you leave card data (PCI) or PII (personally identifiable information) visible in logs, in clear text, you are creating potential breaches. As is sometimes the case, log data gets mislaid and, at the most inopportune time, is unearthed during an audit. Aside from exposing oneself to the risk associated with not properly safeguarding data, those risks multiply when failed audits lead to very expensive fines.
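The two paragraphs above, and the earlier note in “Your personal data is now yours… maybe?” about PII residue in logs, both come down to the same control: scrub card numbers and credentials out of log lines before they are stored or shipped, and count what was scrubbed so monitoring can flag the source. Here is an added example of such a redaction step; it is illustrative code written for this page, not Intel’s Log Redact or Data Redact feature, and its regular expressions, the list of credential field names and the sample log lines are all constructed assumptions. Digit runs of 13 to 19 digits are only masked when they pass the Luhn check, which keeps most order and tracking identifiers intact while catching real PANs, and credential fields such as password=… or "pwd": "…" are blanked regardless of verbosity level.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Constructed for this example.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Credential fields in key=value or "key": "value" form. The key list is an
# assumption; extend it to match the application's own field names.
SECRET_FIELD = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api_key)\b"      # group 1: field name
    r"(\s*[\"']?\s*[:=]\s*[\"']?)"                       # group 2: separator/quotes
    r"([^\s\"',;&]+)"                                    # group 3: the value
)


def luhn_valid(digits: str) -> bool:
    """Mod-10 check; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_line(line: str):
    """Return (redacted_line, findings) for one log line.

    findings counts how many PANs and credential values were removed, so the
    caller can raise an alert about the component that logged them.
    """
    findings = {"pan": 0, "secret": 0}

    def mask_pan(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw                       # fails Luhn: likely an order/tracking id
        findings["pan"] += 1
        return "*" * (len(digits) - 4) + digits[-4:]   # keep last four only

    def blank_secret(m):
        findings["secret"] += 1
        return m.group(1) + m.group(2) + "[REDACTED]"

    line = PAN_CANDIDATE.sub(mask_pan, line)
    line = SECRET_FIELD.sub(blank_secret, line)
    return line, findings


def redact_log(lines):
    """Redact every line; return (clean_lines, totals) for the whole batch."""
    clean, totals = [], {"pan": 0, "secret": 0}
    for line in lines:
        out, found = redact_line(line)
        clean.append(out)
        for key in totals:
            totals[key] += found[key]
    return clean, totals


# Constructed sample lines: two hold card data or a credential, two are clean
# but contain long digit runs that must survive untouched.
SAMPLE_LOG = [
    '2012-06-12T10:01:02Z INFO checkout order=8827164501 pan=4111111111111111 amount=42.10',
    '2012-06-12T10:01:03Z DEBUG auth user=alice password=Sup3rS3cret! result=ok',
    '2012-06-12T10:01:04Z DEBUG payload {"card": "5555 5555 5555 4444", "pwd": "hunter2"}',
    '2012-06-12T10:01:05Z INFO shipment tracking=1Z9999999999999999 ref=1234567890123',
]

if __name__ == "__main__":
    clean, totals = redact_log(SAMPLE_LOG)
    for line in clean:
        print(line)
    print("removed:", totals)
```

Running the block prints the first three lines with the card numbers masked to their last four digits and the password values replaced, and the shipment line unchanged, because neither of its digit runs passes Luhn. A Luhn match is still only a heuristic (about one in ten random digit runs passes), so in practice the counts in totals are what you alert on, and a persistent non-zero count from one component is the signal to fix that component’s logging rather than to keep scrubbing after the fact.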

The California Supreme Court recently ruled, in Pineda v. Williams-Sonoma, that zip codes are really “personally identifiable information” (PII). The ruling, made under California’s Song-Beverly Credit Card Act (California Civil Code section 1747.08), reversed the Court of Appeal’s decision. Penalties of up to $250 for the first violation and $1,000 for each subsequent violation could accrue, without there even being any allegations of harm to the consumer.

Section 1747.08 of this law states that a retailer cannot ask customers for PII (including zip codes), or record it, during credit card transactions. (I have distilled the legalese for you; those so inclined may read the statute in its entirety at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1747-1748.95.) Though this information is applicable only to PCI compliance right now, there are laws pending in California (and in other states) around the essence of PII. This may end up being germane to medical records, EHR (Electronic Health Records), prescription information, etc.

Initially it could be limited to SSN, PAN (credit card number), date of birth, zip code, address, age, gender, password (in the corporate world), etc. However, safeguarding data could potentially expand into several other domains. All organizations need to be cognizant of how laws and regulations continue to change at the state and national level, and how they may vary from one country to another. Imagine if you are using a cloud provider which is hosting your data in a country not of your choice, where you have virtually no control.

In the next few blogs I am going to talk about our Log Redact, Data Redact, Data privacy, Compliance, Encryption and Tokenization capabilities, which will help address some of the aforementioned issues. They not only help you address today’s needs but will also enable you to “change direction” as necessary as incipient changes come to fruition.

You may already know that Intel acquired McAfee, the leader in the security software business, over a year ago. We are quickly seeing the successful integration of both entities. As part of this perfection series, I’m going to share with you in greater detail our integration efforts with McAfee security components. At the end of this series, you’ll get a sense of the palpable energy that abounds, and of the synergies that are helping us to bring even better solutions together for our customers.

As for that company that had given me a rug to sleep on in the data center corner for sharing their family secrets? I wish I had had this solution set handy when I was at that meeting! Oh well, comfortable sleep is often overrated anyway.

If you would like a sneak preview of some of the solutions that I’m going to address in this blog series, please visit:

http://www.intel.com/go/identity

http://software.intel.com/en-us/articles/Expressway-Tokenization-Broker-Reduce-PCI-Scope/

Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel

Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field and technical teams and customer executives. Prior to this role he has held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM Datapower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics engineering and has over 20 years of IT experience.


Intel Announces a PCI DSS Solution

At the National Retail Federation (NRF) show last week, Intel announced the release of the Intel® Expressway Tokenization Broker. Offered in conjunction with Intel® Expressway Service Gateway, Intel’s industry-leading XML security gateway appliance, Tokenization Broker lowers costs and dramatically simplifies administration of Payment Card Industry Data Security Standard, or PCI DSS, compliance for organizations across all industry types, by replacing customers’ Primary Account Number, or PAN, information with secure tokens. For downstream applications that receive such tokens, PCI scope is either reduced or completely eliminated.

Want more information? Visit the following page for a whitepaper, datasheet, informative webinar, and much more.

http://www.dynamicperimeter.com/solutions/pci-compliance
