www.comforte.com
Protecting PANs through tokenization –
Alternatives to compensating controls for PCI 3.4
BITUG – BIGSIG
December 8th 2011
Trinity House
London UK
Richard (Rick) Ploen
Director Business Development
comForte21 GmbH
FYI only - Session Abstract
The PCI standard clearly states that PAN data has to be “rendered unreadable anywhere it is stored”. Many NonStop users rely on compensating controls as they feel encryption or tokenization simply is not doable in their environment. This presentation will explain the concept of tokenization, which is being embraced by several organizations as a technology that is less intrusive than encryption. It will look at the impact of implementing either encryption or tokenization in existing applications. It will also describe how tokenization can be implemented for ENSCRIBE-based applications without having to modify the application at all. Finally it will introduce a new product by comForte which implements tokenization on the NonStop platform.
• Three learning objectives
1. Understand the regulatory implications of PCI DSS requirement 3.4
2. Understand the impact of implementing either tokenization or encryption for
existing applications
3. Learn about new product from comForte
Why encrypt PANs?
PAN = Primary Account Number = credit card number
Why protect it? PCI Requirement 3.4. Use either tokenization or encryption to comply.
PCI DSS text:
3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
• Strong one-way hash functions (hashed indexes)
• Truncation
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
Note that an unsalted hash of a PAN can be recovered by brute force once the BIN and the Luhn check digit are known, and PCI DSS itself warns that a truncated and a hashed copy of the same PAN together make the PAN trivial to reconstruct; “hashed indexes” therefore need a keyed (salted) hash and the same access control as the other methods.
SecurData – why customers should do it
PAN = Primary Account Number. Why? PCI Requirement 3.4: use either tokenization or encryption to comply.
SecurData – why HP VLE alone is not sufficient
SecurData – why customers don’t do it: compensating controls
Three alternatives for securing data at rest:
1. VLE (Volume Level Encryption): the data is encrypted on the volume, but the application and everything above the volume layer see it “in the clear”
2. Column-level DB encryption: the application calls the SecurLib API and the database stores ciphertext in the PAN column
3. Tokenization: a Token Server swaps the PAN for a token (TKN) before it reaches the file, so e.g. the BASE24 PTLF holds TKN
[Diagram: the three options side by side, showing where data is “in the clear” and where it is encrypted]
1) Is VLE (Volume Level Encryption) enough?
Using VLE with the storage CLIM is an effective way to protect the disk from physical theft: whoever takes the drive gets only encrypted data.
[Diagram: encrypted DB on a VLE volume, data encrypted on disk and “in the clear” above it; the thief: “Rats! I can’t exploit encrypted data”]
1) Is VLE (Volume Level Encryption) enough?
PCI 3.4.1: “If disk encryption is used … logical access must be managed independently of native operating system access control mechanisms”
Safeguard is the native OS access control on NonStop, so protecting a VLE-encrypted DB with Safeguard alone does not meet 3.4.1.
1) Is VLE (Volume Level Encryption) enough?
VLE decrypts transparently for any process the OS lets read the file, so an ordinary copy issued from a TACL session lands on the unencrypted target volume in the clear:
>FUP DUP $VLEDISK.SECURE, $INTHECLEAR.UNSAFE
VLE doesn’t protect from TACL attacks: the result is an “in the clear” DB. That was easy!
2) Using DB encryption to protect PANs
Converts each PAN into ciphertext, which looks like random data
Pro:
Protects the data itself, not only the volume it sits on
Con:
Requires massive application changes, since every read and write of the PAN field has to go through the encryption API
Field size in the DB changes: the ciphertext is binary and longer than a 16-digit PAN, so the DB layout and every program that reads the field must change
[Diagram: Application -> SecurLib API -> DB encryption]
2) Current comForte: SecurLib/DataEncryption
Provides a simple cryptography API for applications
Three different “engines” for key management
See http://www.comforte.com/ecomaXL/index.php?site=COMFORTE_SecurLib
However:
Application source code changes are required
Data size changes between “normal” and encrypted data
Slow customer adoption due to the above issues: three customers in production, two of them using the nuBridges crypto engine and key management server
[Diagram: Application -> SecurLib API -> SecurLib/DataEncryption -> Encrypted Database (SQL/MX, SQL/MP, ENSCRIBE). Key management options: Option 1 OpenSSL with a local Key Store; Option 2 HP ESKM; Option 3 SafeNet DataSecure HSM over TCP/IP; Option 4 nuBridges Key Management platform, keys loaded into the Key Store by a one-time file transfer]
3) Introducing SecurData - the new comForte Tokenization product
Uses two concepts to overcome the “have to change source code” dilemma:
“Format-preserving tokenization” of PANs, so the token fits into the existing field
Interception of file system calls (WRITEUPDATE, KEYPOSITION, etc.), so existing applications (e.g. BASE24) are protected transparently, without any source code changes
[Diagram: BASE24 -> Token Server (PAN in, TKN out); the PTLF holds TKN]
Tokenization – the concept
[Diagram: PAN 4026157151401408 -> Token Vault (PAN1, PAN2, … PANX paired with TKN1, TKN2, … TKNX) -> token 4026xExn12VT0258]
Replaces credit card numbers (PANs) with “tokens” which have the same length but cannot be derived from the PANs in any way (the token is not a function of the PAN, unlike ciphertext; only the vault links the two)
“Token Vault” stores PANs and TKNs together and protects the PANs from direct access
Format preserving: TKNs fit into the same DB layout as PANs and can share characteristics (e.g. the leading 4 digits of PAN and TKN are the same)
BASE24 classic POS today
[Diagram: POS Device or Payment gateway -> BASE24 -> Visa/MC/…; the PAN travels every hop, and BASE24 writes the PAN to the PTLF]
This is a simplified diagram of BASE24 POS
The PANs flow through the system and get forwarded to other systems
The PANs are also written to various files on disk, e.g. the PTLF
This creates an issue with PCI 3.4
SecurData example: BASE24 classic in an acquirer environment
[Diagram: POS Device -> BASE24 -> Visa/MC/…; the PAN still flows through BASE24 and on to the networks, but the Token Server intercepts BASE24’s file system calls, so the PTLF holds the TKN instead of the PAN; the Token Server keeps an Audit Log]
Token Vault layout (one row per PAN):
ENC PAN | TKN  | EncKEY INDEX | HASH PAN
PAN1    | TKN1 | A            | #1
PAN2    | TKN2 | A            | #2
…       | …    | …            | …
PANX    | TKNX | B            | #X
HASH PAN is the lookup index used to find the existing token for a PAN without storing the PAN in searchable form; ENC PAN is the PAN encrypted under the key named by EncKEY INDEX (here A or B), so more than one key can be in use in the same vault.
SecurData Key Management options
[Diagram: the same acquirer setup (POS Device -> BASE24 -> Visa/MC/…, Token Server intercepting file system calls, PTLF holding TKN, Token Vault with ENC PAN / TKN / EncKEY INDEX / HASH PAN); the Token Server’s Key Store is fed by one of:]
Key Mgmt Option 1: HP ESKM
Option 2: SafeNet DataSecure HSM, over TCP/IP
Option 3: nuBridges Key Management platform, keys loaded into the Key Store by a one-time file transfer
BASE24 PTLF before Tokenization
Record dump of one PTLF record; the PAN 4026157151401408 appears twice, in the account number field at offset 18 and inside the track 2 data at offset 219 (after “M”).
$B2402.RYN1PTLF.PO110114 RECORD 11 KEY 12290 (%30002) LEN 1066
0: ....S...01VISAVISA4026157151401408 000RYN1AIB10015001588888830
35: 88888830 001001RYN1AIB188888830 1026410088888830
70: 588888830 11111100210001399....S...................1101
105: 1410264100110114000000110114000000005605TEST TERMINAL ASSET ML JOE
140: DOE NEW YORK IE IE0000 ..63049300000000000000007011
175: 11110000000000005999B24 B24 100000V 050............
210: ....1306M4026157151401408=1306?
245: P1A^APACS^02 9001000 6910000000000
280: 02000001501109789786100000097861000000........1220
315: 00 00000000000
350: 0000 00
385: & ....! 04.. 0 Y ! C0..111 2
420: 7 1 ! C1..S1A^APACS^AST^02! C4..20351000061 ! B4..011500..
455: 15060 ! P0.& 88888830 ! B8."
490: POS ! B9.< ISO000000
525:
BASE24 PTLF after Tokenization
Same record after interception: the token 4026xExn12VT0258 replaces the PAN at both positions (offset 18 and the track 2 data at offset 219); the leading 4026 is preserved and the record length is unchanged (LEN 1066).
$B2402.RYN1PTLF.PO110114 RECORD 11 KEY 12290 (%30002) LEN 1066
0: ....S...01VISAVISA4026xExn12VT0258 000RYN1AIB10015001588888830
35: 88888830 001001RYN1AIB188888830 1026410088888830
70: 588888830 11111100210001399....S...................1101
105: 1410264100110114000000110114000000005605TEST TERMINAL ASSET ML JOE
140: DOE NEW YORK IE IE0000 ..63049300000000000000007011
175: 11110000000000005999B24 B24 100000V 050............
210: ....1306M4026xExn12VT0258=1306?
245: P1A^APACS^02 9001000 6910000000000
280: 02000001501109789786100000097861000000........1220
315: 00 00000000000
350: 0000 00
385: & ....! 04.. 0 Y ! C0..111 2
420: 7 1 ! C1..S1A^APACS^AST^02! C4..20351000061 ! B4..011500..
455: 15060 ! P0.& 88888830 ! B8."
490: POS ! B9.< ISO000000
525:
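The token vault and the PTLF record interception shown above, as an added worked example that is not comForte’s SecurData code and not a real BASE24 file layout: a small Python vault laid out like the slide’s table (HASH PAN as the lookup index, TKN, EncKEY INDEX, ENC PAN, and an Audit Log), a format-preserving token generator that keeps the leading 4 digits (optionally the last 4 as well), and a rewrite routine that replaces the PAN in both fixed-offset positions of a constructed, simplified PTLF-like record on the write path and restores it on the read path. Assumptions not on the slides: HMAC-SHA256 as the keyed hash index, a nonce plus HMAC keystream as a stand-in for AES encryption of the vault PAN, hard-coded keys, the field offsets of the constructed record, and the caller names.

```python
# Added example (not comForte's SecurData code): a token vault laid out like the
# one on the slides (HASH PAN index, TKN, EncKEY INDEX, ENC PAN, Audit Log) plus
# fixed-offset record rewriting as in the PTLF before/after. Assumed here, not on
# the slides: HMAC-SHA256 as the keyed hash index, nonce + HMAC keystream as a
# stand-in for AES on the vault PAN, and a constructed, simplified PTLF layout.
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # token body characters


class TokenVault:
    def __init__(self, hash_key, enc_keys, active_key, keep_first=4, keep_last=0):
        self.hash_key = hash_key      # key for the PAN hash index (from the key manager)
        self.enc_keys = enc_keys      # {key index: key bytes}, e.g. {'A': ..., 'B': ...}
        self.active_key = active_key  # index written into new rows; old rows keep theirs
        self.keep_first = keep_first  # leading digits copied from the PAN (BIN prefix)
        self.keep_last = keep_last    # optional trailing digits (last 4 for lookups)
        self.by_hash = {}             # HASH PAN -> row
        self.by_token = {}            # TKN -> row
        self.audit = []               # Audit Log: (operation, token, caller)

    def _hash(self, pan):
        # Keyed: a plain hash over the ~10^9 PANs behind a known BIN is
        # brute-forceable offline, so the index is salted with a vault key.
        return hmac.new(self.hash_key, pan.encode(), hashlib.sha256).hexdigest()

    def _encrypt(self, key_index, pan):
        # AES stand-in: fresh nonce per row, keystream = HMAC(key, nonce).
        nonce = secrets.token_bytes(16)
        stream = hmac.new(self.enc_keys[key_index], nonce, hashlib.sha256).digest()
        return nonce + bytes(a ^ b for a, b in zip(pan.encode(), stream))

    def _decrypt(self, key_index, blob):
        nonce, body = blob[:16], blob[16:]
        stream = hmac.new(self.enc_keys[key_index], nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(body, stream)).decode()

    def _new_token(self, pan):
        head = pan[:self.keep_first]
        tail = pan[-self.keep_last:] if self.keep_last else ''
        body_len = len(pan) - len(head) - len(tail)
        while True:
            body = ''.join(secrets.choice(ALPHABET) for _ in range(body_len))
            token = head + body + tail
            # An all-digit body would look like a real PAN; a reused token would
            # make TKN -> PAN ambiguous. Reject both and draw again.
            if not body.isdigit() and token not in self.by_token:
                return token

    def tokenize(self, pan, caller='BASE24'):
        """PAN2Token: the same PAN always maps to the same token."""
        h = self._hash(pan)
        row = self.by_hash.get(h)
        if row is None:
            row = {'tkn': self._new_token(pan), 'key': self.active_key,
                   'enc': self._encrypt(self.active_key, pan)}
            self.by_hash[h] = row
            self.by_token[row['tkn']] = row
        self.audit.append(('PAN2TKN', row['tkn'], caller))
        return row['tkn']

    def detokenize(self, token, caller):
        """Token2PAN: the one call that must be tightly access-controlled."""
        row = self.by_token[token]   # KeyError for a token this vault never issued
        self.audit.append(('TKN2PAN', token, caller))
        return self._decrypt(row['key'], row['enc'])


def rewrite_record(record, fields, convert):
    """Apply convert() to each (offset, length) field of a fixed-layout record;
    a format-preserving token has the PAN's length, so the record length stays."""
    out = record
    for offset, length in fields:
        repl = convert(out[offset:offset + length])
        if len(repl) != length:
            raise ValueError('field at %d: got %d chars, need %d' % (offset, len(repl), length))
        out = out[:offset] + repl + out[offset + length:]
    return out


# Constructed, simplified PTLF-like record: PAN in the account field at offset
# 18 (after "....S...01VISAVISA") and again inside the track 2 data after "M".
PAN = '4026157151401408'
HEAD = '....S...01VISAVISA'
MID = ' 000RYN1AIB10015001588888830' + ' ' * 24 + '....1306M'
SAMPLE_RECORD = HEAD + PAN + MID + PAN + '=1306?' + ' ' * 8
PAN_FIELDS = [(len(HEAD), 16), (len(HEAD) + 16 + len(MID), 16)]


def demo():
    vault = TokenVault(b'hash-key', {'A': b'key-A', 'B': b'key-B'}, 'A', keep_first=4)
    protected = rewrite_record(SAMPLE_RECORD, PAN_FIELDS, vault.tokenize)        # write path
    restored = rewrite_record(protected, PAN_FIELDS, lambda t: vault.detokenize(t, 'Extractor'))
    return vault, protected, restored


if __name__ == '__main__':
    v, p, r = demo()
    print(p, r == SAMPLE_RECORD, v.audit, sep='\n')
```

Tokens are alphanumeric, as on the slide, so a token can never be mistaken for a PAN and no Luhn-valid number is ever produced by accident; the same PAN always gets the same token, which is what lets the satellite systems keep using the token as a customer key. `detokenize` takes the caller name because Token2PAN is the call that pulls a system back into PCI scope, and the audit log is what an assessor will ask to see.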
Typical retail environment
[Diagram: ATMs and POS feed BASE24 on the NonStop platform; BASE24 forwards the PAN to Visa/MC/… and writes it to its TLF/PTLF; an Extractor/Replicator copies the TLF/PTLF to the satellite systems (Card Management System, Fraud Management, Transaction Analysis, Settlement) on Unix/Linux/Windows/NonStop platforms and on the Mainframe, each holding its own TLF/PTLF copy with the PAN]
PAN is stored “in the clear” on all platforms (PCI “No No”)
Tokenized on NonStop, exported as PAN
[Diagram: same environment; on the NonStop platform the Token Server (vault PAN1 … PANX <-> TKN1 … TKNX) sits between BASE24 and the TLF/PTLF, which now holds TKN; the Extractor/Replicator still sends PAN to the satellite platforms, whose TLF/PTLF copies hold PAN]
Token Server “intercepts” Enscribe calls to replace PAN with TKN
Token Server “intercepts” Enscribe calls to replace TKN with PAN before extraction
PAN is still stored “in the clear” on the satellite platforms
Enterprise Token Server (SecurData Phase 2)
[Diagram: the Token Server on NonStop tokenizes the TLF/PTLF as before; the Extractor/Replicator now exports TKN, so the TLF/PTLF copies on the satellite platforms (Card Management System, Fraud Management, Transaction Analysis, Settlement on Unix/Linux/Windows/NonStop; Mainframe) hold TKN; each satellite goes back to the Token Server (PAN <-> TKN) when it needs a PAN]
PAN is tokenized on all platforms
Satellite applications do a web service call to the Token Server to convert TKN to PAN “on the fly”
Typical retail environment
[Diagram: POS system (POS Device) -> BASE24 on the NonStop platform -> Visa/MC/…; BASE24 writes the PAN to the PTLF; other platforms (Marketing/Data Warehouse, Customer Service/Product Returns) hold the PAN too]
The PAN is a natural key to find customers for marketing, data warehouse and return-of-items processes.
For that reason it is typically “all over the place” in a retail environment.
This creates an issue with PCI 3.4 and results in many different platforms having to undergo PCI audits.
It would be much better to “de-scope” the PCI audits so that only the POS device and the NonStop system stay in scope.
Typical retail environment after Tokenization
[Diagram: POS system (POS Device) -> BASE24 on the NonStop platform -> Visa/MC/…; the Token Server (vault PAN1 … PANX <-> TKN1 … TKNX) on NonStop hands out tokens; the other platforms (Marketing/Data Warehouse, Customer Service/Product Returns) now hold only TKN]
Tokenization takes place after the transaction is processed (and finished) in the POS device
After tokenization, the number of systems “seeing a PAN” is drastically reduced
This results in large cost savings in the PCI audits, as Marketing, Customer Service etc. are no longer “in scope”
If needed, the last 4 digits of the PAN can be preserved in the token, still allowing customers to be found using these 4 digits plus additional information such as name, ZIP code, …; worst case the TKN can be converted back to the PAN
The comForte tokenization product (Stage 2) will provide Token2PAN (and PAN2Token) conversion as an external interface (via SOAP, …); the NonStop platform is ideally suited for this
Note: Stage 1 could run in parallel; this is somewhat independent
Caveat for de-scoping: a system that is allowed to call Token2PAN can obtain PANs and therefore stays in scope, so the conversion interface has to be restricted to the few systems that really need the PAN, and every call should be logged.
And what about Key Management?
[Cartoon reproduced under license from xkcd.com]
SecurData Key Management Options
[Diagram: the Token Manager holds the Encrypted Data Vault, the Audit Log and the Access Rights; its Key Manager Interface talks to a Key Store that is fed by one of: nuBridges Key Management platform, HP Enterprise Key Manager, DataSecure HSM]
SecurData Benefits and Summary
Compliance without excuses
De-scoping
Lower compliance cost
Reduced risk