
Page 1 (source: docs.media.bitpipe.com/io_24x/io_24419/item_366463/Intel...)

Intel® Expressway Tokenization Broker: Powering Internal Tokenization

• PCI Scope Reduction: Isolate PCI scope to systems, internal groups and processes that are clearly identified and actively managed by your organization’s IT department. Remove post-payment applications and databases from PCI scope, while reducing scope in others. Over time, minimize PCI scope-creep for internal applications across your enterprise.

• Better Control: Leverage a secure hardware or software appliance to process and manage PAN data on-premises, with a high degree of safety and security.

• Improved Flexibility: Avoid the typical token migration challenges that are associated with outsourced or hosted tokenization programs. Our solution is payment processor- and acquirer-independent, enabling you to change payment processors or acquirers as your needs change over time.

• Convenient Implementation: Maintain your payment processor or existing application dataflow and business processes. Delivers minimal changes to existing applications when compared to competing technologies such as E2E Encryption. Even further, your security protection is powered by secure software or hardware appliances that reduce implementation time and offer superior manageability compared to homegrown solutions.

• High-Performance & Consistency: High-performance operations facilitate low-latency document processing across a wide array of standard formats, permitting you to focus on strategic business initiatives.

Figure 1: Tokenization Process. Tokenization Broker tokenizes PAN data, removing downstream applications from PCI scope. (Diagram headings: IN PCI SCOPE / REMOVED FROM PCI SCOPE; panels: #1 PAN Data, #2 Internal Tokenization, #3 Downstream Applications; values shown on the panels: 3285, 2348, 2348.)

Product Highlights: Intel® Expressway Tokenization Broker (Tokenization Broker) is a hardware or software appliance designed to reduce PCI scope. As such, it functions as a tokenization broker for any enterprise application tasked with handling clear-text primary account number (PAN) data. Expressway Tokenization Broker tokenizes PAN data in documents or API calls and stores encrypted card data in a protected, secure vault, where it can be accessed only by authenticated applications and users. The product is available as a secure software or hardware appliance.

PRODUCT BRIEF: Intel® Expressway Tokenization Broker Capabilities and Features

“Restricting access to card data is the most important PCI DSS requirement, but also the most difficult to achieve.” Ponemon Institute’s “PCI DSS Trends 2010: QSA Insights Report,” March 2010

Page 2

Addressing PCI DSS Scope

Organizations that process credit card information are confronted with the issue of PCI DSS “scope”, which refers to all of the components of a computing network that directly or indirectly handle card data. These network components are a primary focus of PCI DSS regulation, compliance and assessment. Any information system such as a database, web server, or application server that handles a credit card number can immediately be pulled into PCI scope and become the focus of an assessment. Other systems and servers interacting with systems in scope can then be pulled into scope, as infectious PAN data spreads through the enterprise.

One of the primary ways to counter the cost and organizational burden of PCI DSS compliance is to reduce overall scope within the enterprise, and the only way to reduce scope is to eliminate accessibility to sensitive card data in the first place. Otherwise, the organization needs to bring all related systems up to specification. In both cases, retrofitting existing code, managing database encryption, and re-architecting applications to securely handle credit card information can be costly in terms of engineering investment and risky in terms of potential impact to organizational structure and business operating practices. A viable alternative to costly retrofitting is to introduce an application-level security gateway into your architecture that offers internal tokenization capabilities, effectively dropping sensitive data from internal systems and isolating PCI scope to a few key information systems.

PCI Requirement: Build and Maintain a Secure Network
PCI Sub-requirements: Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters.
Intel® Expressway’s Capabilities: Provides full application-level security proxy and firewalling capabilities.

PCI Requirement: Protect Cardholder Data
PCI Sub-requirements: Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.
Intel® Expressway’s Capabilities: Removes data from PCI scope through internal tokenization and protects PAN data at rest in a secure vault.

PCI Requirement: Maintain a Vulnerability Management Program
PCI Sub-requirements: Use and regularly update anti-virus software or programs. Develop and maintain secure systems and applications.
Intel® Expressway’s Capabilities: Facilitates secure applications by integrating with on-premise virus scanning servers to reduce the threat of malicious attachments.

PCI Requirement: Implement Strong Access Control Measures
PCI Sub-requirements: Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
Intel® Expressway’s Capabilities: Supports strong access control policies by integrating with existing identity management investments and improving physical security for credit card tokenization through its tamper-resistant form-factor.

PCI Requirement: Regularly Monitor and Test Networks
PCI Sub-requirements: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
Intel® Expressway’s Capabilities: Tracks, monitors and logs authorization requests for tokenization, detokenization, and token management. Provides alerting, statistics and reporting in the event of server failures.

PCI Requirement: Maintain an Information Security Policy
PCI Sub-requirements: Maintain a policy that addresses information security for employees and contractors.
Intel® Expressway’s Capabilities: Maintains auditable security policies in a single, hardened form-factor allowing for convenient review and change control for cardholder protection.

Table: Intel® Expressway Service Gateway Addresses PCI DSS Requirements [1]

Figure 2: Intel’s Focus on Merchant IT Systems in Payment Processing Environments. Tokenization Broker protects customers’ merchant IT infrastructure, while reducing or eliminating PCI DSS scope in downstream applications. (Diagram labels: Payment Gateways, Processors, Retail POS; Merchant IT Systems: Point-of-Sale (POS), Gateway Applications, Processor Applications, Payment Applications, Store Controller; In Scope; Internal Enterprise Applications.)


Page 3

Feature and Functionality Details (Category: Description)

Token Generation
• Support for randomly-generated, field-preserving tokens using pseudorandom or hardware-based random number generation
• Single-use and multi-use tokens with configurable lifetimes
• Preservation of portions of the original PAN, using a configurable policy
• One-way PAN masking
• Token replacement support for XML, Word (97-03), Word (07), PDF, HTTP Forms, SOAP API call, and text formats

Token Management
• Secure SOAP or REST API for token management functions
• Strong authentication support for applications and users using HTTP Basic Authentication, WS-Security, SAML and X.509 certificates

Secure Vault
• Starter token vault included (HSQL database)
• Supported database applications include Oracle, MySQL, and Microsoft
• PAN protection using AES-256 or Triple-DES
• Two-way SSL communication for secure vault access

Secure Hardware
• Dell PowerEdge R610 1U Server Appliance
• Case Lid Sensor: opening the case will stop functional processing
• Disabled Video Port: VGA ports are inaccessible
• Secure Boot: system first boot must incorporate gathering system parameters from the serial port console
• SELinux support
• Encrypted File System: utilizes AES-256 and a Trusted Platform Module (TPM) for key storage

Threat Prevention
• XML Limit Checking, SQL Injection, DTD Checking, XPath Injection, Forbidden RegEx Scan, Malformed XML Attack, XML Bomb Attack, Schema Poisoning Attack
• Adaptive Denial of Service Protection and Throttling
• Anti-virus protection using ICAP

Authentication and Authorization
• X.509 certificate, CRL, username/password, LDAP or Microsoft® Active Directory, Kerberos, SAML 1.0/1.1/2.0, Web SSO cookie and STS credential mapping, Amazon® Cloud API
• Integrates with: CA® SiteMinder, Oracle® Internet Directory, Oracle® Access Manager, IBM® Tivoli Access Manager
• Integrates with XACML policy decision points including Axiomatics® Policy Server and Oracle® Entitlements Server

Data Security
• OASIS WS-Security 1.0/1.1, W3C XML encryption and XML signatures, WS-I BSP 1.0/1.1, SOAP with Attachments
• Data validation, schema validation, WSDL validation, SOAP filtering and customizable data security support

Supported Protocols
• Supports HTTP, FTP, JMS, MLLP, Raw TCP and File protocols. Customizable protocol support available
• Support for multiple SSL identities, mutual auth, SSLv3 and TLSv1
• SFTP

Cryptographic Support
• Supports DES, 3DES, AES, RSA v1.5, RSA-OAEP, SHA-1 and SHA-256

Service Mediation
• Secure SOAP, REST, JSON, or custom service mediation within the data center or across the internet
• Supports Open Group’s X/Open XA transaction standard for long-running transactions
• Proven integration with all major ISV middleware solutions

Service Governance
• High-performance runtime policy enforcement for security, SLA, mediation and transformation
• Integrates with business service repositories from Software AG* CentraSite, Oracle, SAP
• Zero-downtime dynamic policy updates for routing, attack signatures, validation and transformation
• Fine-grained service and policy monitoring
• Message throttling and ordering
• UDDI v2/v3 integration for service publishing and retrieval

Supported Hardware
• Software Appliance: any Intel® Xeon® Multi-Core server with 4 GB RAM (Xeon 5500 or 5600 Series with 8 GB recommended)
• Hardware Appliance: Dell PowerEdge R610 1U Server Appliance

Management and Monitoring
• Cluster support allows a group of appliances to be managed and monitored simultaneously
• Eclipse-based Intel service and policy designer with pre-built templates
• Management through command line, SNMP, and integrates with HP® OpenView, Microsoft® MOM

Operating Systems
• Red Hat AS 5 (64-bit), SUSE Linux Enterprise 11 SP1 (64-bit), Solaris 10, VMware ESX

Performance Features
• Wire-speed XML processing engine optimized for Intel® Multi-Core and the SSE4.2 hardware instruction set
• Low sub-millisecond latency, high-performance multi-step processing and large XML processing (>1 GB)
• Cryptographic Acceleration: Cavium 1620 PCIe


Page 4

More Information
Website: www.intel.com/software/soae
Resource Site: www.dynamicperimeter.com
Americas: 1-978-948-2585
All other Geographies: +44 (0) 118 954 6574
E-mail: [email protected]


INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked “reserved” or “undefined.” Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel’s Web site at www.intel.com.

Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Printed in USA. Please Recycle. TOKENIZATION-PRODUCTBRIEF-001US

[1] For further details about PCI DSS, consult the PCI Security Standards Council’s Web site, at the following link: www.pcisecuritystandards.org. Be sure to consult your Qualified Security Assessor (QSA) or other PCI DSS compliance professional when managing your PCI DSS initiatives.

Regain Control...Secure the Dynamic Perimeter