Intel® Expressway Tokenization Broker: Powering Internal Tokenization
• PCI Scope Reduction: Isolate PCI scope to systems, internal groups and processes that are clearly identified and actively managed by your organization's IT department. Remove post-payment applications and databases from PCI scope, while reducing scope in others. Over time, minimize PCI scope-creep for internal applications across your enterprise.
• Better Control: Leverage a secure hardware or software appliance to process and manage PAN data on-premises, with a high degree of safety and security.
• Improved Flexibility: Avoid the typical token migration challenges that are associated with outsourced or hosted tokenization programs. Our solution is payment processor- and acquirer-independent, enabling you to change payment processors or acquirers as your needs change over time.
• Convenient Implementation: Maintain your payment processor or existing application dataflow and business processes. The solution requires minimal changes to existing applications when compared to competing technologies such as end-to-end (E2E) encryption. Further, your security protection is powered by secure software or hardware appliances that reduce implementation time and offer superior manageability compared to homegrown solutions.
• High-Performance & Consistency: High-performance operations facilitate low-latency document processing across a wide array of standard formats, permitting you to focus on strategic business initiatives.
Figure 1: Tokenization Process. Tokenization Broker tokenizes PAN data, removing downstream applications from PCI scope. (Diagram: #1 PAN Data, in PCI scope; #2 Internal Tokenization; #3 Downstream Applications, removed from PCI scope. Sample values shown in the figure: 3285, 2348, 2348.)
Product Highlights: Intel® Expressway Tokenization Broker (Tokenization Broker) is a hardware or software appliance designed to reduce PCI scope. It functions as a tokenization broker for any enterprise application tasked with handling clear-text primary account number (PAN) data. Expressway Tokenization Broker works by tokenizing PAN data in documents or API calls and storing the encrypted card data in a protected, secure vault, where it can be accessed by authenticated applications and users. The product is available as a secure software or hardware appliance.
PRODUCT BRIEF: Intel® Expressway Tokenization Broker, Capabilities and Features
"Restricting access to card data is the most important PCI DSS requirement, but also the most difficult to achieve."
Ponemon Institute's "PCI DSS Trends 2010: QSA Insights Report," March 2010
Addressing PCI DSS Scope
Organizations that process credit card information are confronted with the issue of PCI DSS "scope", which refers to all of the components of a computing network that directly or indirectly handle card data. These network components are a primary focus of PCI DSS regulation, compliance and assessment. Any information system such as a database, web server, or application server that handles a credit card number can immediately be pulled into PCI scope and become the focus of an assessment. Other systems and servers interacting with systems in scope can then be pulled into scope, as PAN data spreads through the enterprise like an infection.
One of the primary ways to counter the cost and organizational burden of PCI DSS compliance is to reduce overall scope within the enterprise, and the only way to reduce scope is to eliminate accessibility to sensitive card data in the first place. Otherwise, the organization needs to bring all related systems up to specification. In both cases, retrofitting existing code, managing database encryption, and re-architecting applications to securely handle credit card information can be costly in terms of engineering investment and risky in terms of potential impact on organizational structure and business operating practices. A viable alternative to costly retrofitting is to introduce an application-level security gateway into your architecture that offers internal tokenization capabilities, effectively dropping sensitive data from internal systems and isolating PCI scope to a few key information systems.
Intel® Expressway Service Gateway Addresses PCI DSS Requirements [1]

PCI Requirement: Build and Maintain a Secure Network
PCI Sub-requirements: Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters.
Intel® Expressway's Capabilities: Provides full application-level security proxy and firewalling capabilities.

PCI Requirement: Protect Cardholder Data
PCI Sub-requirements: Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.
Intel® Expressway's Capabilities: Removes data from PCI scope through internal tokenization and protects PAN data at rest in a secure vault.

PCI Requirement: Maintain a Vulnerability Management Program
PCI Sub-requirements: Use and regularly update anti-virus software or programs. Develop and maintain secure systems and applications.
Intel® Expressway's Capabilities: Facilitates secure applications by integrating with on-premise virus scanning servers to reduce the threat of malicious attachments.

PCI Requirement: Implement Strong Access Control Measures
PCI Sub-requirements: Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
Intel® Expressway's Capabilities: Supports strong access control policies by integrating with existing identity management investments and improving physical security for credit card tokenization through its tamper-resistant form-factor.

PCI Requirement: Regularly Monitor and Test Networks
PCI Sub-requirements: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
Intel® Expressway's Capabilities: Tracks, monitors and logs authorization requests for tokenization, detokenization, and token management. Provides alerting, statistics and reporting in the event of server failures.

PCI Requirement: Maintain an Information Security Policy
PCI Sub-requirements: Maintain a policy that addresses information security for employees and contractors.
Intel® Expressway's Capabilities: Maintains auditable security policies in a single, hardened form-factor allowing for convenient review and change control for cardholder protection.
Figure 2: Intel's Focus on Merchant IT Systems in Payment Processing Environments. Tokenization Broker protects customers' merchant IT infrastructure, while reducing or eliminating PCI DSS scope in downstream applications. (Diagram elements: Payment Gateways and Gateway Applications; Processors and Processor Applications; Retail POS; Merchant IT Systems comprising Point-of-Sale (POS), Store Controller and Payment Applications; In Scope: Internal Enterprise Applications.)
Feature and Functionality Details

Token Generation
• Support for randomly-generated, field-preserving tokens using pseudorandom or hardware-based random number generation
• Single-use and multi-use tokens with configurable lifetimes
• Preservation of portions of the original PAN, using a configurable policy
• One-way PAN masking
• Token replacement support for XML, Word (97-03), Word (07), PDF, HTTP Forms, SOAP API call, and text formats

Token Management
• Secure SOAP or REST API for token management functions
• Strong authentication support for applications and users using HTTP Basic Authentication, WS-Security, SAML and X.509 certificates

Secure Vault
• Starter token vault included (HSQL database)
• Supported database applications include Oracle, MySQL, and Microsoft
• PAN protection using AES-256 or Triple-DES
• Two-way SSL communication for secure vault access

Secure Hardware
• Dell PowerEdge R610 1U Server Appliance
• Case Lid Sensor: opening the case will stop functional processing
• Disabled Video Port: VGA ports are inaccessible
• Secure Boot: system first boot must incorporate gathering system parameters from the serial port console
• SELinux support
• Encrypted File System: utilizes AES-256 and the Trusted Platform Module (TPM) for key storage

Threat Prevention
• XML Limit Checking, SQL Injection, DTD Checking, XPath Injection, Forbidden RegEx Scan, Malformed XML Attack, XML Bomb Attack, Schema Poisoning Attack
• Adaptive Denial of Service Protection and Throttling
• Anti-virus protection using ICAP

Authentication and Authorization
• X.509 certificate, CRL, username/password, LDAP or Microsoft® Active Directory, Kerberos, SAML 1.0/1.1/2.0, Web SSO cookie and STS credential mapping, Amazon® Cloud API
• Integrates with: CA® SiteMinder, Oracle® Internet Directory, Oracle® Access Manager, IBM® Tivoli Access Manager
• Integrates with XACML policy decision points including Axiomatics® Policy Server and Oracle® Entitlements Server

Data Security
• OASIS WS-Security 1.0/1.1, W3C XML Encryption and XML Signatures, WS-I BSP 1.0/1.1, SOAP with Attachments
• Data validation, schema validation, WSDL validation, SOAP filtering and customizable data security support

Supported Protocols
• Supports HTTP, FTP, JMS, MLLP, Raw TCP and File protocols. Customizable protocol support available
• Support for multiple SSL identities, mutual auth, SSLv3 and TLSv1
• SFTP

Cryptographic Support
• Supports DES, 3DES, AES, RSA v1.5, RSA-OAEP, SHA-1 and SHA-256

Service Mediation
• Secure SOAP, REST, JSON, or custom service mediation within the data center or across the internet
• Supports the Open Group's X/Open XA transaction standard for long-running transactions
• Proven integration with all major ISV middleware solutions

Service Governance
• High-performance runtime policy enforcement for security, SLA, mediation and transformation
• Integrates with business service repositories from Software AG* CentraSite, Oracle, SAP
• Zero-downtime dynamic policy updates for routing, attack signatures, validation and transformation
• Fine-grained service and policy monitoring
• Message throttling and ordering
• UDDI v2/v3 integration for service publishing and retrieval

Supported Hardware
• Software Appliance: any Intel® Xeon® Multi-Core server with 4 GB RAM (Xeon 5500 or 5600 Series with 8 GB recommended)
• Hardware Appliance: Dell PowerEdge R610 1U Server Appliance

Management and Monitoring
• Cluster support allows a group of appliances to be managed and monitored simultaneously
• Eclipse-based Intel service and policy designer with pre-built templates
• Management through command line and SNMP; integrates with HP® OpenView and Microsoft® MOM

Operating Systems
• Red Hat AS 5 (64-bit), SUSE Linux Enterprise 11 SP1 (64-bit), Solaris 10, VMware ESX

Performance Features
• Wirespeed XML processing engine optimized for Intel® Multi-Core and the SSE4.2 hardware instruction set
• Low sub-millisecond latency, high-performance multi-step processing and large XML processing (>1 GB)
• Cryptographic Acceleration: Cavium 1620 PCIe
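The tokenization flow of Figure 1 and the Token Generation, Token Management and Secure Vault features above, as an added example that is not Intel's code: a hypothetical Python broker that issues field-preserving tokens under a configurable keep-last-digits policy, supports single-use and multi-use tokens with lifetimes, replaces PANs in a text document, and returns the PAN only to an authorized caller. The in-memory dict stands in for the product's encrypted vault database, and the card number used in the test is a constructed Luhn-valid sample, not a live card.

```python
import re
import secrets
import time

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate card numbers in free text


def luhn_ok(pan: str) -> bool:  # Luhn check: only real-looking PANs go into the vault
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenBroker:
    """Hypothetical broker: PAN in, field-preserving token out; the PAN lives only in the vault."""

    def __init__(self, keep_last=4, single_use=False, ttl_s=None, clock=time.time):
        self.keep_last, self.single_use, self.ttl_s, self.clock = keep_last, single_use, ttl_s, clock
        self.vault = {}   # token -> (pan, issued_at); the product keeps this encrypted in a database
        self.by_pan = {}  # pan -> token, so a multi-use token is handed out again for the same PAN

    def _new_token(self, pan):
        tail = pan[-self.keep_last:] if 0 < self.keep_last < len(pan) else ""  # policy: keep last N digits
        while True:  # same length and digit charset as the PAN, so downstream schemas are untouched
            tok = "".join(secrets.choice("0123456789") for _ in range(len(pan) - len(tail))) + tail
            if tok != pan and tok not in self.vault:
                return tok

    def tokenize(self, pan):
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a PAN")
        if not self.single_use and pan in self.by_pan:
            return self.by_pan[pan]
        tok = self._new_token(pan)
        self.vault[tok] = (pan, self.clock())
        if not self.single_use:
            self.by_pan[pan] = tok
        return tok

    def detokenize(self, tok, caller_authorized: bool):
        if not caller_authorized:  # only an authenticated, authorized (in-scope) caller gets the PAN back
            raise PermissionError("detokenization denied")
        pan, issued = self.vault.get(tok, (None, 0.0))
        if pan is None or (self.ttl_s is not None and self.clock() - issued > self.ttl_s):
            raise KeyError("unknown or expired token")
        if self.single_use:
            del self.vault[tok]  # a single-use token is burned on first detokenization
        return pan

    def tokenize_text(self, text):  # replace every Luhn-valid PAN in a text document, e.g. an HTTP form body
        return PAN_RE.sub(lambda m: self.tokenize(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), text)
```

Downstream applications receive only the output of tokenize_text, which is what takes them out of PCI scope; the vault and the detokenize path remain in scope.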
More Information
Website: www.intel.com/software/soae
Resource Site: www.dynamicperimeter.com
Americas: 1-978-948-2585
All other Geographies: +44 (0) 118 954 6574
E-mail: [email protected]
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.
Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.
The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web site at www.intel.com.
Copyright © 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Printed in USA. Please Recycle. TOKENIZATION-PRODUCTBRIEF-001US
[1] For further details about PCI DSS, consult the PCI Security Standards Council's Web site at the following link: www.pcisecuritystandards.org. Be sure to consult your Qualified Security Assessor (QSA) or other PCI DSS compliance professional when managing your PCI DSS initiatives.
Regain Control...Secure the Dynamic Perimeter