#RSAC
Cybersecurity vs. Tokenization
Session ID: PDAC-R02

Sandra Lambert, CEO, Lambert & Associates, ANSI X9F4 Workgroup Vice Chair
Jeff Stapleton, Security Architect, Wells Fargo, ANSI X9F4 Workgroup Chair
Cybersecurity vs. Tokenization - Agenda
• Tokenization Fundamentals
• Top Four Controversial Implementation Issues
  – Payment vs. Non-Payment Tokens
  – Tokenization vs. Detokenization
  – System Isolation Requirements
  – Cryptographic Hardware vs. Software – a very contentious topic
• Conclusions
Who Wants Tokenization and Where?
Definition of Tokenization
• PCI: Tokenization is a process by which the Primary Account Number (PAN) is replaced with a surrogate value called a token.
  – Index Token is a cryptographic token that replaces the PAN, based on a given index for an unpredictable value.
• ANSI X9: The process of mapping a plaintext value (i.e., the underlying sensitive value) to an existing or newly-generated surrogate value (i.e., a token). A token is a surrogate value used in place of the original value in certain, well-defined situations, but that is not used in place of the original value in every way that the original value is used.
• EMV: A process by which the Primary Account Number (PAN) is replaced with a surrogate value called a Payment Token. Tokenization may be undertaken to enhance transaction efficiency, improve transaction security, increase service transparency, or to provide a method for third-party enablement.
Conflicting definitions, so, what is a token?
What is Tokenization and Why Do It?
[Figure: Underlying Sensitive Values (USV) such as the PAN 4400111111111113, an SSN and the name Alice Smith pass through Tokenization (by the Random, Encryption, Table or MAC method) and come out as tokens such as 123, ABC, 789.]
USV* → Token
* Underlying Sensitive Value – protecting data
When Can It Be Used?
• For example: primary account number (PAN)
• Token 1: middle 6 digits, note check digit
• Token 2: whole PAN, ignore check digit
• Any 16 digits might be a legitimate PAN somewhere
• Same issues for SSN or other things

PAN      4 80801 000000 000 5
Token 1  4 80801 123456 000 4
Token 2  9 21456 332157 278 3

Backwards compatibility
Separate channel
Issues
• Format
• Length
• Syntax
• Check digit
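The two token shapes on the slide differ in how they treat the Luhn check digit: Token 1 keeps the PAN format and recomputes the check digit so it still passes a PAN syntax check, while Token 2 is random throughout and ignores it. The following is an added example (not code from the presentation) that reproduces both shapes from the slide's PAN 4808010000000005; the `middle` parameter exists only so the Token 1 value can be reproduced deterministically.

```python
"""Check-digit behaviour of format-preserving tokens (added example, not from the deck).

Token 1 keeps the leading 6 and trailing 3 digits of the PAN, replaces the middle
6 digits, and recomputes the Luhn check digit so the token still looks like a PAN.
Token 2 replaces all 16 digits with random ones and does not enforce the check digit.
"""
import secrets
from typing import Optional


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes partial + digit pass luhn_valid()."""
    total = 0
    # Walk from the right. The check digit will occupy the rightmost position,
    # so the digit immediately left of it (i == 0 here) is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the rightmost digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def token1(pan: str, middle: Optional[str] = None) -> str:
    """Replace the middle 6 digits of a 16-digit PAN, keep the rest, recompute the check digit."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    if middle is None:
        middle = f"{secrets.randbelow(10**6):06d}"   # random 6-digit replacement
    body = pan[:6] + middle + pan[12:15]             # 15 digits; old check digit dropped
    return body + luhn_check_digit(body)


def token2() -> str:
    """A 16-digit token with no PAN structure preserved and no check digit enforced.

    Because it is uniformly random, about one in ten such tokens will happen to
    pass a Luhn check and could collide with a real PAN somewhere.
    """
    return f"{secrets.randbelow(10**16):016d}"


if __name__ == "__main__":
    pan = "4808010000000005"                          # PAN from the slide
    print("PAN     ", pan, luhn_valid(pan))
    print("Token 1 ", token1(pan, "123456"), luhn_valid(token1(pan, "123456")))
    print("Token 2 ", "9214563321572783", luhn_valid("9214563321572783"))
```

Run as a script it prints the slide's three rows with their Luhn status: the PAN and Token 1 pass, the slide's Token 2 does not. A receiving system that validates PAN syntax will therefore accept Token 1 as if it were a card number, which is exactly the "backwards compatibility" property and also the reason a Token 1 value must never be mistaken for out-of-scope data.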
What is Detokenization? Encryption Method
[Figure: Tokenization Service. Tokenization = Encryption of the USV under a cryptographic key yields the Token; Detokenization = Decryption of the Token under the same key recovers the USV.]
What is Detokenization? MAC Method
[Figure: Tokenization Service. Tokenization = MAC of the USV under a cryptographic key yields the Token (USV ⇔ Token). A MAC is one-way, so the USV cannot be computed back from the Token.]
• Detokenization: controversial
• Verification (recompute the MAC over a presented USV and compare it with the Token): acceptable
What is Detokenization? Random Method
[Figure: Tokenization Service. Tokenization = a random number generator (RNG) produces the Token; the service retains the USV ⇔ Token mapping, which is the only route for Detokenization.]
What is Detokenization? Table Method
[Figure: Tokenization Service. Tokenization = look the USV up in a Table (generated with a PRNG or RNG) to obtain the Token; Detokenization = reverse lookup in the same Table recovers the USV.]
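The four slides above describe the same interface (USV in, token out) with four different answers to "can I get the USV back?". The added example below (illustrative code written for this page, not the X9 or PCI reference design) puts the four methods side by side on a 6-digit USV, the middle of a PAN. The encryption method uses a toy HMAC-based Feistel network so that a 6-digit input yields a 6-digit token; it is not NIST FF1 or any standardized format-preserving mode, and the key, seed and sample values are constructed.

```python
"""The four tokenization methods from the slides, side by side (added example).

Each tokenizer maps a 6-digit USV to a 6-digit token.  What differs is detokenization:
  encryption -> decrypt with the key
  MAC        -> one-way; only verification of a claimed USV is possible
  random     -> look the token up in the stored USV <-> token mapping
  table      -> inverse lookup in the (PRNG-generated) substitution table
"""
import hashlib
import hmac
import random
import secrets

DIGITS = 6
HALF = DIGITS // 2
MOD = 10 ** HALF        # each Feistel half is a 3-digit number
ROUNDS = 8


def _check(usv: str) -> None:
    if len(usv) != DIGITS or not usv.isdigit():
        raise ValueError(f"expected {DIGITS} digits")


def _f(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced to a 3-digit number."""
    tag = hmac.new(key, f"{rnd}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % MOD


def enc_tokenize(key: bytes, usv: str) -> str:
    """Toy balanced Feistel network over digit strings (NOT NIST FF1; illustration only)."""
    _check(usv)
    left, right = int(usv[:HALF]), int(usv[HALF:])
    for rnd in range(ROUNDS):
        left, right = right, (left + _f(key, rnd, right)) % MOD
    return f"{left:03d}{right:03d}"


def enc_detokenize(key: bytes, token: str) -> str:
    """Run the rounds backwards; only the key holder can do this."""
    _check(token)
    left, right = int(token[:HALF]), int(token[HALF:])
    for rnd in reversed(range(ROUNDS)):
        left, right = (right - _f(key, rnd, left)) % MOD, left
    return f"{left:03d}{right:03d}"


def mac_tokenize(key: bytes, usv: str) -> str:
    """Truncated HMAC rendered as digits.  There is no inverse function."""
    _check(usv)
    tag = hmac.new(key, usv.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(tag, 'big') % 10**DIGITS:06d}"


def mac_verify(key: bytes, usv: str, token: str) -> bool:
    """'Detokenization' for MAC tokens is really verification of a claimed USV."""
    return hmac.compare_digest(mac_tokenize(key, usv), token)


class RandomTokenizer:
    """Tokens come from an RNG; the retained mapping is the only route back to the USV."""

    def __init__(self) -> None:
        self.usv_to_token: dict = {}
        self.token_to_usv: dict = {}

    def tokenize(self, usv: str) -> str:
        _check(usv)
        if usv in self.usv_to_token:           # same USV -> same token
            return self.usv_to_token[usv]
        while True:
            token = f"{secrets.randbelow(10**DIGITS):06d}"
            if token not in self.token_to_usv:  # reject collisions with issued tokens
                break
        self.usv_to_token[usv] = token
        self.token_to_usv[token] = usv
        return token

    def detokenize(self, token: str) -> str:
        return self.token_to_usv[token]        # KeyError if the token was never issued


class TableTokenizer:
    """A shuffled substitution table over all 10**6 values; the inverse table detokenizes.

    The table is built from a seeded PRNG here for reproducibility.  A real system
    would generate it from an approved RNG and protect the table itself like a key;
    its size (a million entries) is why the slides note that HSMs cannot host it.
    """

    def __init__(self, seed: int) -> None:
        table = list(range(10**DIGITS))
        random.Random(seed).shuffle(table)     # constructed seed; not a CSPRNG
        self.fwd = table
        self.inv = [0] * len(table)
        for usv, tok in enumerate(table):
            self.inv[tok] = usv

    def tokenize(self, usv: str) -> str:
        _check(usv)
        return f"{self.fwd[int(usv)]:06d}"

    def detokenize(self, token: str) -> str:
        _check(token)
        return f"{self.inv[int(token)]:06d}"
```

Two points stand out when the four are run together: only the MAC method gives a token that can be checked without ever storing or recovering the USV, which is why the slides call verification acceptable and detokenization controversial; and the random and table methods carry no key at all, so the secret that must be protected is the mapping or the table itself.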
EMV Payment Tokenization
[Figure: Issuer, cardholder with an EMV chip card and a wallet, Token Service Provider (TSP), brick & mortar merchant, online merchant, Acquirer, and the payment networks (Visa, MasterCard, AMEX, Discover).]
• Step 1: Issuer issues card (PAN 4400111111111113, Alice Smith) to cardholder
• Step 2: Cardholder gets EMV token; the TSP holds the PAN ⇔ EMV token mapping and the wallet holds the EMV token
• Step 3: Cardholder shops online; merchant and acquirer handle the EMV token, and the authorization to the Issuer is EMV token or PAN
• EMV tokens can only be used for authorization
• Post-auth tokens are non-payment tokens
Non-Payment Tokenization
[Figure: Requesting Entities (RE) call the Tokenization Requesting Interface (TRI); the Tokenization Service (TS) maps USV ⇔ Token and keeps the mapping in Storage. Token ≠ EMV token.]
• Tokenization System methods: Encryption, MAC, Random, Table
• Operations: Tokenization, Detokenization
• Post Authorization (payment related) applications
• Non-Payment applications
Tokenization Environments: Internal
[Figure: Inside the enterprise, the Tokenization System (Tokenization Requesting Interface + Tokenization Service, USV ⇔ Token, Storage) serves Requesting Entities (RE). Authorized Tokenization Requesting Entities write a USV in and receive a token; Authorized Detokenization Requesting Entities read the USV back from a token. Non-Tokenization Users (NT) write and read tokens only and never call the tokenization system.]
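The internal-environment slide draws a line between entities that may tokenize, entities that may detokenize, and non-tokenization users that only ever handle tokens. The following added example (written for this page; the entity names, policy and PAN are constructed, and the service uses the random method with an in-memory mapping) shows that separation enforced at the requesting interface, with every request logged whether it is allowed or denied.

```python
"""Role separation at the Tokenization Requesting Interface (added example).

Three kinds of caller, as on the slide:
  * authorized tokenization REs    - may submit a USV and receive a token
  * authorized detokenization REs  - may present a token and receive the USV
  * non-tokenization users (NT)    - read and write tokens only; no TRI access at all
Detokenization is the sensitive direction, so it is a separate entitlement.
"""
import secrets
from dataclasses import dataclass, field

TOKENIZE, DETOKENIZE = "tokenize", "detokenize"


class NotAuthorized(PermissionError):
    pass


@dataclass
class TokenizationSystem:
    entitlements: dict                          # entity -> set of permitted operations
    vault: dict = field(default_factory=dict)   # token -> USV (random method mapping)
    audit: list = field(default_factory=list)   # (entity, op, last4, decision)

    def _authorize(self, entity: str, op: str, subject: str) -> None:
        allowed = op in self.entitlements.get(entity, set())
        # Log the decision; record only the last four characters, never the full USV.
        self.audit.append((entity, op, subject[-4:], "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise NotAuthorized(f"{entity} is not entitled to {op}")

    def tokenize(self, entity: str, usv: str) -> str:
        self._authorize(entity, TOKENIZE, usv)
        for token, stored in self.vault.items():   # same USV -> same token
            if stored == usv:
                return token
        while (token := secrets.token_hex(8)) in self.vault:
            pass                                   # retry on the rare collision
        self.vault[token] = usv
        return token

    def detokenize(self, entity: str, token: str) -> str:
        self._authorize(entity, DETOKENIZE, token)
        return self.vault[token]                   # KeyError if the token was never issued


# Constructed policy for the example.  "reporting" is a non-tokenization user and is
# deliberately absent: it stores and reads tokens but has no business with the TRI.
POLICY = {
    "web-checkout":   {TOKENIZE},              # takes card data in, keeps only a token
    "chargeback-ops": {DETOKENIZE},            # needs the PAN to work a dispute
    "settlement":     {TOKENIZE, DETOKENIZE},
}


def demo() -> dict:
    """Exercise the policy and return what happened, for inspection or testing."""
    ts = TokenizationSystem(entitlements=POLICY)
    pan = "4400111111111113"                       # constructed PAN from the slide deck
    tok = ts.tokenize("web-checkout", pan)
    results = {"same_token_for_same_usv": ts.tokenize("web-checkout", pan) == tok}
    try:
        ts.detokenize("web-checkout", tok)
        results["tokenizer_can_detokenize"] = True
    except NotAuthorized:
        results["tokenizer_can_detokenize"] = False
    results["ops_recovers_pan"] = ts.detokenize("chargeback-ops", tok) == pan
    try:
        ts.tokenize("reporting", pan)
        results["nt_user_has_access"] = True
    except NotAuthorized:
        results["nt_user_has_access"] = False
    results["denials_logged"] = sum(1 for e in ts.audit if e[3] == "DENY")
    results["pan_in_audit_log"] = any(pan in e[2] for e in ts.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

The entity that brings card data into the system is not the one allowed to take it back out, and a denied call leaves the same audit trail as an allowed one. In a real deployment the entitlement set would come from the enterprise identity system and the vault from the tokenization service's storage, but the check belongs at the interface exactly as shown: before the mapping is ever consulted.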
Tokenization Environments: External
[Figure: The Tokenization System (TRI + TS, USV ⇔ Token) sits outside the Enterprise Network and is reached through an API across the DMZ; the TSP becomes a Third Party (Cloud) Service Provider. Authorized Tokenization and Detokenization Requesting Entities (RE) call the API; Non-Tokenization Users (NT) write and read tokens only.]
Tokenization Environments: Multiple
[Figure: Tokenization System A and Tokenization System B, each with its own TRI, TS and USV ⇔ Token mapping, each serving its own Requesting Entities (RE).]
Issues
• Multi-tokenization systems interoperability
• Multi-tokenization systems migration
• Multi-tokenization systems backup and recovery
Tokenization Isolation
[Figure: Organization's Internal Network. The Tokenization System (Tokenization Requesting Interface, Tokenization Service, USV ⇔ Token, Storage) sits inside the Cardholder Data Environment (CDE) behind a firewall (FW); Other Applications (NT) sit outside the CDE; Internet traffic enters through the DMZ.]
Cryptography: Encryption Method
[Figure: Tokenization Service with Encryption (Tokenization) and Decryption (Detokenization) of USV ⇔ Token; the key is held in an HSM.]
• HSMs are typically optional
• Check with vendor support
Cryptography: MAC Method
[Figure: Tokenization Service with MAC over the USV (Tokenization) and Verification in place of Detokenization; the key is held in an HSM.]
• HSMs are typically optional
• Check with vendor support
Cryptography: Random Method
[Figure: Tokenization Service with an RNG, which may sit inside an HSM, producing tokens; USV ⇔ Token.]
• Random is difficult to achieve
• Quantum mechanics: quantum randomness products are available
Cryptography: Table Method
[Figure: Tokenization Service with a Table (generated with a PRNG or RNG) mapping USV ⇔ Token.]
• HSMs have insufficient memory to store tables
• HSMs have insufficient CPU to process tables
• Cryptographic boundary is software based
• ISO 19790 Security Levels 1 and 2 are software
Apply What You've Learned Today…
• Needs: Share your tokenization understanding; determine your tokenization needs (if any): EMV payments, PCI compliance, cybersecurity control
• Strategy: Define your tokenization strategy
• Implementations: Plan your tokenization implementation: where USV is tokenized, where tokens are stored, where tokens are processed, where tokens are detokenized (recovering the USV)
Conclusions
• Tokenization can protect your underlying sensitive data
• Tread carefully through the major cybersecurity issues
  – Payment vs. Non-Payment Tokens
  – Tokenization vs. Detokenization
  – System Isolation Requirements
  – Cryptographic Hardware vs. Software – including key management
• Standards, specifications, and guidelines exist and are in development
• Tokens are not a panacea; they're not for everybody
• Tokenization can affect database search functions
• Tokenization is not interoperable, today
• Tokenization controls need to be incorporated into your cybersecurity policies and practices – including incident response plans
References
• Accredited Standards Committee X9, www.x9.org
  – American National Standard X9.82, Random Number Generation (RNG), multiple parts
  – American National Standard X9.119, Requirements for Protection of Sensitive Payment Card Data, Part 2: Implementing Post-Authorization Tokenization Systems (in ballot)
  – American National Standard X9.137, Tokenization Management and Security (work in progress)
• Payment Card Industry (PCI) Security Standards Council (SSC), www.pcisecuritystandards.org
  – PCI Data Security Standard (DSS) Requirements and Security Assessment Procedures v3.2, April 2016
  – PCI Tokenization Product Security Guidelines v1.0, April 2015
  – PCI DSS Tokenization Guidelines v2.0, August 2011
• Europay-MasterCard-Visa Company (EMVCo), www.emvco.com
  – EMVCo Payment Tokenisation Specification Technical Framework v1.0, March 2014