Cybersecurity vs. Tokenization
SESSION ID: PDAC-R02  #RSAC

Sandra Lambert, CEO, Lambert & Associates; ANSI X9F4 Workgroup Vice Chair
Jeff Stapleton, Security Architect, Wells Fargo; ANSI X9F4 Workgroup Chair


Cybersecurity vs. Tokenization - Agenda

Tokenization Fundamentals

Top Four Controversial Implementation Issues
• Payment vs. Non-Payment Tokens
• Tokenization vs. Detokenization
• System Isolation Requirements
• Cryptographic Hardware vs. Software - a very contentious topic

Conclusions

Tokenization Fundamentals

Who Wants Tokenization and Where?

Definition of Tokenization

PCI: Tokenization is a process by which the Primary Account Number (PAN) is replaced with a surrogate value called a token. Index Token is a cryptographic token that replaces the PAN, based on a given index for an unpredictable value.

ANSI X9: The process of mapping a plaintext value (i.e., the underlying sensitive value) to an existing or newly-generated surrogate value (i.e., a token). A token is a surrogate value used in place of the original value in certain, well-defined situations, but that is not used in place of the original value in every way that the original value is used.

EMV: A process by which the Primary Account Number (PAN) is replaced with a surrogate value called a Payment Token. Tokenization may be undertaken to enhance transaction efficiency, improve transaction security, increase service transparency, or to provide a method for third-party enablement.

Conflicting definitions, so, what is a token?

What is Tokenization and Why Do It?

[Figure: underlying sensitive values (PAN, SSN, Name; e.g. 4400111111111113, Alice Smith) go into a tokenization function (Random, Encryption, Table or MAC) and come out as tokens (123, ABC, 789).]

USV* ⇒ Token
*Underlying Sensitive Value - protecting data

When Can It Be Used?

• For example: primary account number (PAN)
• Token 1: middle 6 digits, note check digit
• Token 2: whole PAN, ignore check digit
• Any 16 digits might be a legitimate PAN somewhere
• Same issues for SSN or other things

PAN      4 80801 000000 000 5
Token 1  4 80801 123456 000 4
Token 2  9 21456 332157 278 3

Backwards compatibility
Separate channel

Issues
• Format
• Length
• Syntax
• Check digit
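Worked example of the check-digit point on this slide, added here as an illustration and not code from the presentation: a Luhn check-digit routine run over the slide's own PAN and tokens, a Token 1 style tokenizer that keeps the 6-digit BIN and the last three body digits, replaces the middle six and recomputes the check digit, and a Token 2 style tokenizer that replaces the whole PAN. The `avoid_luhn_valid` option is an added design choice for the "any 16 digits might be a legitimate PAN somewhere" problem, not something the slide prescribes.

```python
import secrets
from typing import Optional

# Constructed input: the PAN from the slide, written without its grouping spaces.
SLIDE_PAN = "4808010000000005"
DIGITS = "0123456789"


def luhn_check_digit(payload: str) -> str:
    """Luhn (ISO/IEC 7812) check digit for a digit string that excludes the check digit."""
    total = 0
    # Walking from the right, the digit next to the check digit is the first one doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def random_digits(n: int) -> str:
    """n decimal digits from the OS CSPRNG (never the random module for tokens)."""
    return "".join(secrets.choice(DIGITS) for _ in range(n))


def token_middle6(pan: str, replacement: Optional[str] = None) -> str:
    """Token 1 on the slide: keep the 6-digit BIN and the last 3 body digits, replace
    the middle 6, then recompute the check digit so the token still passes a Luhn
    check. Same format, length, syntax and valid check digit as a PAN, which is
    exactly why such a token might be a legitimate PAN somewhere."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    middle = replacement if replacement is not None else random_digits(6)
    if len(middle) != 6 or not middle.isdigit():
        raise ValueError("replacement must be 6 digits")
    payload = pan[:6] + middle + pan[12:15]
    return payload + luhn_check_digit(payload)


def token_whole(pan: str, avoid_luhn_valid: bool = True) -> str:
    """Token 2 on the slide: the whole PAN replaced, check digit ignored.
    With avoid_luhn_valid (an added design choice) candidates that happen to pass
    Luhn are rejected, so a Luhn-checking system cannot mistake the token for a
    real PAN; about one in ten random candidates is discarded."""
    if not pan.isdigit():
        raise ValueError("expected a numeric PAN")
    while True:
        candidate = random_digits(len(pan))
        if candidate == pan:
            continue
        if avoid_luhn_valid and luhn_valid(candidate):
            continue
        return candidate


if __name__ == "__main__":
    print("PAN valid:", luhn_valid(SLIDE_PAN))
    print("Token 1:", token_middle6(SLIDE_PAN, "123456"))  # 4808011234560004
    print("Token 2:", token_whole(SLIDE_PAN))
```

Note that the slide's Token 2 (9214563321572783) fails the Luhn check, while its Token 1 passes it; a downstream system that validates check digits will accept the first and reject the second, which is the backwards-compatibility trade-off the slide is pointing at.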

What is Detokenization? Encryption Method

[Figure: the Tokenization Service holds a cryptographic key. Tokenization encrypts the USV to produce the Token; detokenization decrypts the Token to recover the USV.]

What is Detokenization? MAC Method

[Figure: the Tokenization Service computes a MAC over the USV under its cryptographic key to produce the Token (USV ⇔ Token).]

Detokenization: controversial (a MAC cannot be reversed to recover the USV)
Verification: acceptable (recompute the MAC over a candidate USV and compare)

What is Detokenization? Random Method

[Figure: an RNG inside the Tokenization Service generates the Token; the service keeps the USV ⇔ Token mapping, and detokenization looks the USV up from the Token.]

What is Detokenization? Table Method

[Figure: a PRNG/RNG inside the Tokenization Service generates a Table; tokenization maps the USV to the Token through the table, and detokenization maps the Token back to the USV through the same table.]
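The four tokenization methods of the preceding slides (encryption, MAC, random, table) in one runnable sketch, added here as an illustration and not code from the presentation or from any X9, PCI or EMVCo document. The PAN and key are constructed; the "encryption" is an HMAC-based Feistel network standing in for a real format-preserving cipher, the MAC method deliberately offers verification only, the random method keeps an in-memory vault, and the table method uses toy-sized per-digit tables (a real table is far larger).

```python
import hashlib
import hmac
import random
import secrets

# Constructed inputs: the PAN shown on the slides and a throw-away key. In a real
# tokenization service the key stays inside the service (or its HSM), never with the requester.
PAN = "4400111111111113"
KEY = b"constructed demo key, not a real one"
DIGITS = "0123456789"


def _prf(key: bytes, data: bytes, width: int) -> int:
    """HMAC-SHA256 reduced to an integer of at most `width` decimal digits."""
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


# Encryption method: token = E_k(USV), USV = D_k(token).
def encrypt_token(usv: str, key: bytes, rounds: int = 10) -> str:
    """Keyed, reversible digit-string map built as a Feistel network with HMAC as the
    round function; an illustration standing in for FF1/FF3-1 (NIST SP 800-38G)."""
    if rounds % 2 or not usv.isdigit():
        raise ValueError("even number of rounds and a decimal USV required")
    half = len(usv) // 2
    left, right = usv[:half], usv[half:]
    for r in range(rounds):
        f = _prf(key, f"{r}|{right}".encode(), len(left))
        left, right = right, f"{(int(left) + f) % 10 ** len(left):0{len(left)}d}"
    return left + right


def decrypt_token(token: str, key: bytes, rounds: int = 10) -> str:
    """Run the same rounds backwards; only the key holder can detokenize."""
    half = len(token) // 2
    left, right = token[:half], token[half:]
    for r in reversed(range(rounds)):
        f = _prf(key, f"{r}|{left}".encode(), len(right))
        left, right = f"{(int(right) - f) % 10 ** len(right):0{len(right)}d}", left
    return left + right


# MAC method: token = MAC_k(USV). One-way, so only verification is possible.
def mac_token(usv: str, key: bytes) -> str:
    """Nobody, key holder included, can recover the USV from this token."""
    return hmac.new(key, usv.encode(), hashlib.sha256).hexdigest()


def mac_verify(candidate_usv: str, token: str, key: bytes) -> bool:
    """Verification: recompute the MAC over a candidate USV, compare in constant time."""
    return hmac.compare_digest(mac_token(candidate_usv, key), token)


# Random method: token drawn from an RNG, USV <-> token mapping kept in the service's storage.
class RandomVault:
    """Detokenization is a lookup, so the stored mapping is as sensitive as the USVs."""

    def __init__(self) -> None:
        self._by_usv: dict = {}
        self._by_token: dict = {}

    def tokenize(self, usv: str) -> str:
        if usv not in self._by_usv:
            while True:  # reject collisions with existing tokens and the identity mapping
                token = "".join(secrets.choice(DIGITS) for _ in range(len(usv)))
                if token != usv and token not in self._by_token:
                    break
            self._by_usv[usv] = token
            self._by_token[token] = usv
        return self._by_usv[usv]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


# Table method: substitution tables generated once by a PRNG seeded from the RNG.
class TableTokenizer:
    """One shuffled digit table per position; the same seed regenerates the same tables,
    so nothing per value is stored. Toy sized: a per-digit table leaks structure, since
    equal digits at the same position always map to the same output digit."""

    def __init__(self, seed: bytes, positions: int) -> None:
        prng = random.Random(seed)  # deterministic PRNG; the seed is the secret
        self._tables = []
        for _ in range(positions):
            perm = list(DIGITS)
            prng.shuffle(perm)
            self._tables.append(dict(zip(DIGITS, perm)))
        self._inverse = [{v: k for k, v in t.items()} for t in self._tables]

    def tokenize(self, usv: str) -> str:
        return "".join(self._tables[i][d] for i, d in enumerate(usv))

    def detokenize(self, token: str) -> str:
        return "".join(self._inverse[i][d] for i, d in enumerate(token))
```

The encryption and table methods need no per-value storage, the random method needs a vault, and the MAC method has no detokenization at all; those differences are what drive the storage, isolation and HSM questions later in the deck.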

Implementation Issue: Payment vs. Non-Payment Tokens

EMV Payment Tokenization

[Figure: the card brands (AMEX, Visa, MasterCard, Discover) connect Issuer, Token Service Provider (TSP), Wallet, Merchant and Acquirer; the TSP holds the PAN ⇔ EMV token mapping. The card is PAN 4400111111111113, Alice Smith.]

Step 1: Issuer issues card (EMV chip card) to cardholder; the card (PAN) is used at a brick & mortar merchant.
Step 2: Cardholder gets EMV token (from the TSP, into the wallet).
Step 3: Cardholder shops online; the merchant sends the EMV token to the acquirer.
Authorization to Issuer is EMV token or PAN.

• EMV tokens can only be used for authorization
• Post-auth tokens are non-payment tokens

Non-Payment Tokenization

[Figure: Requesting Entities (RE) call the Tokenization Requesting Interface (TRI) of the Tokenization Service (TS). The Tokenization System (Encryption, MAC, Random or Table) holds the USV ⇔ Token mapping and its Storage, and offers tokenization and detokenization. Its tokens serve Post-Authorization (payment-related) applications and Non-Payment applications; Token ≠ EMV token.]

Implementation Issue: Tokenization vs. Detokenization

Tokenization Environments: Internal

[Figure: inside the organization, Requesting Entities (RE) call the Tokenization Requesting Interface of the Tokenization Service; the Tokenization System holds the USV ⇔ Token mapping and its Storage. Authorized Tokenization Requesting Entities have the Write path (tokenize), Authorized Detokenization Requesting Entities have the Read path (detokenize); Non-Tokenization Users (NT) only handle tokens.]
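The separation this slide draws between authorized tokenization (write) and authorized detokenization (read) requesting entities, as an added example that is not part of the presentation: a minimal TRI that authorizes each requesting entity per operation and logs every decision, so the set that can recover USVs can be kept far smaller than the set that can create tokens. The backend (hex tokens from the OS CSPRNG in an in-memory map), the requester names and the audit-record layout are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field

TOKENIZE = "tokenize"      # write path: USV in, token out
DETOKENIZE = "detokenize"  # read path: token in, USV out


class NotAuthorized(PermissionError):
    """A requesting entity asked for an operation it is not authorized for."""


@dataclass
class TokenizationRequestingInterface:
    """The TRI in front of the Tokenization Service. Each requesting entity (RE) is
    authorized per operation; non-tokenization users (NT) are in neither set and
    only ever handle tokens. Backend (an assumption, not the slide's): random hex
    tokens with the USV <-> token map held in a dict."""
    tokenizers: set = field(default_factory=set)
    detokenizers: set = field(default_factory=set)
    audit: list = field(default_factory=list)
    _by_usv: dict = field(default_factory=dict)
    _by_token: dict = field(default_factory=dict)

    def _authorize(self, requester: str, operation: str) -> None:
        allowed = self.tokenizers if operation == TOKENIZE else self.detokenizers
        decision = "allowed" if requester in allowed else "denied"
        self.audit.append((requester, operation, decision))  # log every request, denied ones included
        if decision == "denied":
            raise NotAuthorized(f"{requester} may not {operation}")

    def tokenize(self, requester: str, usv: str) -> str:
        self._authorize(requester, TOKENIZE)
        if usv not in self._by_usv:
            token = secrets.token_hex(16)  # 128 bits of CSPRNG output; no format preservation
            self._by_usv[usv] = token
            self._by_token[token] = usv
        return self._by_usv[usv]

    def detokenize(self, requester: str, token: str) -> str:
        self._authorize(requester, DETOKENIZE)
        return self._by_token[token]

    def denied(self) -> list:
        """Refused requests, the entries a SOC would alert on."""
        return [entry for entry in self.audit if entry[2] == "denied"]


def request(tri: TokenizationRequestingInterface, requester: str, operation: str, value: str):
    """Call the TRI and return ('ok', result) or ('denied', None) instead of raising."""
    try:
        fn = tri.tokenize if operation == TOKENIZE else tri.detokenize
        return "ok", fn(requester, value)
    except NotAuthorized:
        return "denied", None


if __name__ == "__main__":
    tri = TokenizationRequestingInterface(tokenizers={"checkout-app"}, detokenizers={"settlement-batch"})
    status, token = request(tri, "checkout-app", TOKENIZE, "4400111111111113")
    print(status, token)
    print(request(tri, "checkout-app", DETOKENIZE, token))  # the writer cannot read
    print(tri.denied())
```

A requesting entity that is allowed to tokenize is deliberately not allowed to detokenize by default; the external and multiple-system cases on the next slides only add more places where that same per-operation check has to be enforced.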

Tokenization Environments: External

[Figure: as in the internal case, but the Tokenization Service (TRI, TS, USV ⇔ Token mapping) sits outside the Enterprise Network and is reached through the DMZ by an API; Authorized Tokenization (Write) and Detokenization (Read) Requesting Entities and Non-Tokenization Users (NT) remain inside.]

TSP becomes Third Party (Cloud) Service Provider

Tokenization Environments: Multiple

Issues
• Multi-tokenization systems interoperability
• Multi-tokenization systems migration
• Multi-tokenization systems backup and recovery

[Figure: two independent systems, Tokenization System A and Tokenization System B, each with its own TRI, TS and USV ⇔ Token mapping, serving different Requesting Entities.]

Implementation Issue: System Isolation Requirements

Tokenization Isolation

[Figure: Organization's Internal Network. The Tokenization System (Tokenization Requesting Interface, Tokenization Service, USV ⇔ Token mapping and Storage) is segmented by firewalls (FW) from Other Applications, the Cardholder Data Environment (CDE), the DMZ and the Internet; Non-Tokenization users sit outside it.]

Implementation Issue: Cryptographic Hardware vs. Software

Cryptography: Encryption Method

[Figure: the encryption method as before, with the encryption/decryption key held in an HSM inside the Tokenization Service.]

HSMs are typically optional
Check with vendor support

Cryptography: MAC Method

[Figure: the MAC method as before, with the MAC key held in an HSM inside the Tokenization Service; "detokenization" is verification.]

HSMs are typically optional
Check with vendor support

Cryptography: Random Method

[Figure: the random method as before, with the RNG inside an HSM in the Tokenization Service.]

Random is difficult to achieve
Quantum mechanics
Available quantum randomness products

Cryptography: Table Method

[Figure: the table method as before; the table is generated by a PRNG/RNG and held by the Tokenization Service in software.]

HSMs have insufficient memory to store tables
HSMs have insufficient CPU to process tables
Cryptographic boundary is software based
ISO 19790 Security Levels 1 and 2 are software

Conclusions

Apply What You've Learned Today...

Needs
• Share your tokenization understanding
• Determine your tokenization needs (if any): EMV payments, PCI compliance, cybersecurity control

Strategy
• Define your tokenization strategy

Implementations
• Plan your tokenization implementation: where USV is tokenized, where tokens are stored, where tokens are processed, where tokens are detokenized, recovering the USV

Conclusions

• Tokenization can protect your underlying sensitive data
• Tread carefully through the major cybersecurity issues: Payment vs. Non-Payment Tokens; Tokenization vs. Detokenization; System Isolation Requirements; Cryptographic Hardware vs. Software, including key management
• Standards, specifications, and guidelines exist and are in development
• Tokens are not a panacea; they're not for everybody
• Tokenization can affect database search functions
• Tokenization is not interoperable, today
• Tokenization controls need to be incorporated into your cybersecurity policies and practices, including incident response plans

References

Accredited Standards Committee X9, www.x9.org
• American National Standard X9.82 Random Number Generation (RNG), multiple parts
• American National Standard X9.119 Requirements for Protection of Sensitive Payment Card Data, Part 2: Implementing Post-Authorization Tokenization Systems (in ballot)
• American National Standard X9.137 Tokenization Management and Security (work in progress)

Payment Card Industry (PCI) Security Standards Council (SSC), www.pcisecuritystandards.org
• PCI Data Security Standard (DSS) Requirements and Security Assessment Procedures v3.2, April 2016
• PCI Tokenization Product Security Guidelines v1.0, April 2015
• PCI DSS Tokenization Guidelines v2.0, August 2011

Europay-MasterCard-Visa Company (EMVCo), www.emvco.com
• EMVCo Payment Tokenisation Specification Technical Framework v1.0, March 2014