ANSI X9.119 Part 2: Using Tokenization Methods

Slides:



Advertisements
Similar presentations
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Advertisements

Troy Leach April 2012 The PCI Security Standards Council.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Copyright © 2005, SAS Institute Inc. All rights reserved. User Authentication and Single Sign-on Across the SAS ® 9 Platform Larry Noe and Scott Sweetland,
Database Systems: Design, Implementation, and Management Tenth Edition
Chapter 19: Network Management Business Data Communications, 5e.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Hardware Cryptographic Coprocessor Peter R. Wihl Security in Software.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
© 2012 Presented by: Preparation For EMV Chip Technology Keith Swiat.
Security Controls – What Works
Chapter 19: Network Management Business Data Communications, 4e.
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
FIT3105 Smart card based authentication and identity management Lecture 4.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Introduction to the new mainframe: Large-Scale Commercial Computing © Copyright IBM Corp., All rights reserved. Chapter 1: The new mainframe.
1 Network Management and SNMP  What is Network Management?  ISO Network Management Model (FCAPS)  Network Management Architecture  SNMPv1 and SNMPv2.
Philip is a subject matter expert in Accenture’s Payment practice with more than 30 years experience across payments, transaction processing, networks,
PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.
A NASSCOM ® Initiative DSCI-KPMG Survey 2010 State Of Data Security and Privacy in the Indian Banking Industry Vinayak Godse Director- Data Protection,
CS 21a: Intro to Computing I Department of Information Systems and Computer Science Ateneo de Manila University.
1 FIPS 140 Validation for a “System-on-a-Chip” September 27, 2005 NIST Physical Testing Workshop.
Account Authority Digital Signature AADS Lynn Wheeler First Data Corporation
Trusted Computing BY: Sam Ranjbari Billy J. Garcia.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.
Introduction To Plastic Card Industry (PCI) Data Security Standards (DSS) April 28,2012 Cathy Pettis, SVP ICUL Service Corporation.
Chapter 4 Getting Paid. Objectives Understand electronic payment systems Know why you need a merchant account Know how to get a merchant account Explain.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
ECE Lecture 1 Security Services.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
Privacy Communication Privacy Confidentiality Access Policies Systems Crypto Enforced Computing on Encrypted Data Searching and Reporting Fully Homomorphic.
WEP Protocol Weaknesses and Vulnerabilities
4 - 1 Copyright © 2006, The McGraw-Hill Companies, Inc. All rights reserved. Computer Software Chapter 4.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #22 Secure Web Information.
1 Chapter 1 Introduction to Databases Transparencies.
The IBM Rational Publishing Engine. Agenda What is it? / What does it do? Creating Templates and using Existing DocExpress (DE) Resources in RPE Creating.
TransArmorSM A Secure Transaction ManagementSM Solution
Real-Time Intelligence That Matters. © 2015, Brighterion Inc. (all rights reserved) Keeping an eye on your business The Last G-20 Country To Embrace The.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad.
Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.
ARCH-04 Before You Begin Your Transformation Project… Phillip Magnay Architect – Applied Technology.
SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.
Copyright 2009, First Data Corporation. All Rights Reserved. How Does TransArmor SM Work at the POS? SafeProxy Merchant Anti FraudAnalytics First Data.
Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden
ABYSS : An Architecture for Software Protection
Hardware Cryptographic Coprocessor
Grid Security M. Jouvin / C. Loomis (LAL-Orsay)
PLANNING A SECURE BASELINE INSTALLATION
Presentation transcript:

ANSI X9.119 Part 2: Using Tokenization Methods Terence Spies, Chair X9F1 Work Group Steve Schmalz, X9F6 Member and X9.119-2 Document Editor . Terence Spies, CTO, Voltage Steve Schmalz, Solution Architect, RSA the Security Division of EMC Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Agenda Introduction – a short history of X9.119 So what is a token? Tokenization use-cases So what is tokenization? The tokenization model Generic attacks on tokenization systems Derived requirements The hardware question A call for help from the community Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

What is X9 and X9 F1, F4 and F6? X9 develops financial industry technical standards and guidelines. X9F is the “Data & Information Security Subcommittee” X9F1 is the working group that deals with “Cryptographic Tools” Terence Spies is the present chair. They plan on developing a standard covering Tokenization Algorithms. X9F4 focuses on “Cryptographic Protocol and Application Security” Jeff Stapleton is the present chair. X9F6 works on “Cardholder Authentication and ICC’s (Integrated Chip Cards)” Scott Spiker is the current chair. X9.119 is being written here. Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

X9.119 X9.119 started as a single document aimed at addressing both encryption and tokenization methods for protecting sensitive payment card data. First real work started in early 2009. Over the next couple of years several issues stalled work on the standard The requirement for strong hardware to implement any cryptographic processes. The definition of tokenization. In early 2012 F6 decided to divide the document into two parts. Part 1 covered encryption and was approved in March of last year after which F6 began work on part 2, tokenization. Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Definition of a Token Token – A surrogate value used in place of an underlying sensitive value (USV) in certain, well defined situations, but not in every way that the USV is used. Tokens have attributes and utility. Token attribute – the structure of the token Token utility – what you can do with the token Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Examples of Tokens PAN Token Comment 13980 826539 1255 231poK983HKzns100 Token is composed of alphabetic and numeric characters 84295 195562 7629 12345 098765 6574 Token is identical to PAN in structure and character set (LUN check could even hold) 91094 389921 9321 T3245 918234 4251 Token is almost identical to PAN except for a character indicating it is a token Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Token Utility X9.119’s concept of utility is similar to PCI’s concept of a high value token. The utility of a token replacing a PAN can run the scale from a simple unique value mapped to the underlying sensitive value to a value that can be used to approve certain financial transactions X9.119 focuses on tokens with minimal utility. Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Tokenization Use-Cases Main business drivers from the perspective of why tokenization versus encryption. Reduced auditing costs (reducing PCI auditing scope) Reduced impact on workflow (a PAN token does not require a new database schema) Use of tokenization in payment processing At the Acquirer At the Merchant Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

A Simple Payment Processing Workflow Merchant Acquirer P R O V I D E I S U E R POS S W I T C H Vertical Specific Middleware Token Vertical Specific Middleware Vertical Specific Middleware POS Token TC Token Token DB Tokenization Service DB DB Token Token Token Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Questions for You, Our Audience Do you use tokenization in your organization? If so do you know what motivated you to adopt this technology? If  you use tokenization, do you use it internally or as a service from an Acquirer? Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Encryption vs Tokenization Architecturally, Encryption is typically used between two entities. Tokenization is used for persistently stored values. One common design pattern: encryption between the POS and host, with a token emitted from host in response. Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

The Tokenization Model Tokenization Service Access Control Rules Tokenization Algorithm Secret Data Random Mapper Token USV* Application Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Generic Attacks Tokenization Service Token USV Application Attack 2: Access Control Rules Tokenization Algorithm Secret Data Random Mapper Token USV Application Attack 1: Guess Secret Data Attack 2: Predict Random Mapping Attack 3a: Subvert Access Control Rules Attack 4a: Subvert Isolation of Tokenization System Attack 5: Subvert Secure Communication Link Attack 4b: Attack 3b: Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Broad Security Requirements Attacks 1 and 2 The secret data must contain the appropriate amount of entropy. Standards must exist covering the random mapping function and overall algorithm used to generate the tokens. Attack 3 The tokenization service must implement some form of access control to insure that only authorized processes have access. The application must know which tokenization services to trust. Logging of all access to the tokenization service must occur and mechanisms to effectively use this information be in place. Attack 5 Access by applications to tokenization services must be over a secure channel that protects the privacy and integrity of the tokens and USVs as well as authenticating both sides of the communications. Mutually authenticated TLS using standards based cipher-suites will probably be the most common mechanism used but other protocols will be allowed. Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Secure Isolation of the Tokenization System Architecturally, Encryption is typically used between two entities. Tokenization is used for persistently stored values. One common design pattern: encryption between the POS and host, with a token emitted from host in response. Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Levels of Isolation Tokenization service and application live in the same computing environment Hardware enforced process isolation – example: Tokenization service and clients run on same machine but as separate operating system services. Hardware enforced environment isolation – example: tokenization service and application run on different virtual machines. Physical process separation – example: IBM mainframe security processors. Tokenization service and application live on separate physical systems Physical system isolation Limited functionality physical system isolation (SCD) Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

The Hardware Question Historically, isolation has happened at many points, and dedicated hardware is the right answer. It is probably impractical to run the some, and in some cases any, of the tokenization system components on an SCD. F6 is looking at ways to address this. Get help from SCD vendors to see if their product set can be modified to address any performance issues More fully investigate various forms of process isolation available on modern OSes and processors. Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

A Call for Help If you would like to participate in this standards process please contact: Steve Schmalz – 410 274-7267, steve.schmalz@rsa.com Terence Spies – terence@voltage.com Janet Bush – 410 267-7707 Janet.busch@x9.org Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Questions? Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.

Copyright © 2013 Accredited Standards Committee X9, Inc Copyright © 2013 Accredited Standards Committee X9, Inc. All rights reserved.