Tokenization

Partner Converge 2012 – Session 7 – “Data Tokenization Concepts”
With Theresa Robison and TJ Bowling of Liaison
The Next Frontier


What is Tokenization?
• It’s NOT the same as the ‘token’ used for two-factor authentication
• It’s not the ‘token’ used in lexical analysis (the lexer stage of a compiler or interpreter)
• From a data security standpoint, it’s a surrogate value substituted for the actual data (e.g. a credit card number) while the actual data is encrypted and stored elsewhere in a central vault


Typical Tokenization Customers: Who, What, and Why?
• Types of customers:
– Banks
– Merchants
– Resellers
• Tokenized data:
– Credit cards
– Personally Identifiable Information (PII)
• Primary reasons for tokenization:
– Reduces risk
– Eases compliance
– Minimizes cost


Encrypt, Hash, or Tokenize?

                                    Encryption      Hashing     Tokenization
                                    (cipher text)   (hash)      (token)
PCI compliant?                      Yes             Yes         Yes
Is original data retrievable?       Yes             No          Yes
Is output consistent?               No              Yes         Yes
Permits format preservation?        No              No          Yes
No/minimal application changes?     No              No          Yes
Permits output configuration?       No              No          Yes
Reduces PCI audit scope?            No              No          Yes

Note: the encryption column assumes conventional randomised encryption; deterministic and format-preserving encryption modes change the “consistent output” and “format preservation” answers. The hashing column assumes an unsalted hash, which is also why hashed card numbers remain brute-forceable from the limited PAN space.


Tokenization - Important Hallmarks
• Original data values cannot be mathematically derived from tokens
– Tokens can be safely passed to databases, applications, mobile devices, etc.
– Solves the age-old problem of supplying data for development and testing in offshore environments
• Protected Data Vault where sensitive data is encrypted and stored
– Reduces the footprint where sensitive data is located
– Reduces the number of points of risk
– Simplifies security management
• Minimal changes to your databases and applications
• Token generation can be configured to meet your requirements


Data type segmentation
• Separate credit card data from personally identifiable information
• PCI requires separation for transfer, but it is also good practice

[Diagram: the Order Entry System and the Time Sheet System each call the Token Server, which stores card data and PII in separate Data Vaults; the example value shown in the diagram is 3752 5712250 3125]


Protection Strategies
1. Preserve the format (length and data type): tokens that maintain the length and format of the original data don’t require applications to be modified.
2. Preserve a number of leading and trailing characters, but introduce alternatives to the equation (the check the real value satisfies) so tokens are easily distinguished from live data.
3. Mask a portion of the token when a full value is not needed or desirable.


Protection Strategy Configurations
• Format-preserving tokenization
– Strict 1:1 relationship between data and tokens
– Data type and length are maintained in the token
• Non-format-preserving tokenization
– Configurable
– Strict 1:1 relationship OR 1:many relationship
– Data type preservation OR data type modification
– Delimiter capable


TM/TaaS Integration: Web Service Calls (WSDL)
• Use of synchronous SOAP (web services) APIs to connect applications to TM/TaaS
• Adapters available for communicating with TM/TaaS
• Client authentication
– Mutual SSL based authentication
– API key for client authorization during registration
• Control client functions by actions, by time, by number of attempts

Operations (client → TM/TaaS):
– Protect() / ProtectBulk(): receives request data, checks the Data Vault, encrypts, stores, generates a token, returns the token
– Reveal() / RevealBulk(): receives a token, validates the token, validates the policy, returns the data
– Lookup(): receives data, returns the existing token
– ProtectCipher(): receives encrypted data, checks the vault, returns a token
– Delete(): receives a token, validates the token, removes the encrypted value associated with the token
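The following is an added example, not Liaison’s Token Manager code, that puts the three protection strategies and the 1:1 / 1:many configurations above together with the Protect / Reveal / Lookup / Delete call flow of this slide. Everything beyond what the slides state is an assumption: the Luhn check is used as the “equation” that tokens are made to fail, six leading and four trailing digits are kept, client policies are a plain dict, the attempt limit is a fixed count, and an in-memory dict stands in for the encrypted Protected Data Vault (a real vault encrypts the stored value and lives behind mutual TLS).

```python
"""Toy token server: added example, not the product's own code.  Assumed
design choices (not from the slides): Luhn as the check tokens must fail,
6 leading / 4 trailing digits kept, dict-based policies and vault."""
import secrets
import string


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, which every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, lead: int = 6, trail: int = 4) -> str:
    """Strategy 3: expose only the leading/trailing characters."""
    if len(value) <= lead + trail:
        return "X" * len(value)
    return value[:lead] + "X" * (len(value) - lead - trail) + value[len(value) - trail:]


def format_preserving_token(value: str, lead: int = 6, trail: int = 4) -> str:
    """Strategies 1 and 2: same length, same character class per position,
    leading/trailing characters kept, middle randomised.  All-digit values are
    regenerated until the token fails Luhn, so it can never pass as a real PAN."""
    if len(value) <= lead + trail:
        raise ValueError("value too short to keep leading/trailing characters")
    while True:
        middle = []
        for ch in value[lead:len(value) - trail]:
            if ch.isdigit():
                middle.append(secrets.choice(string.digits))
            elif ch.isalpha():
                middle.append(secrets.choice(string.ascii_letters))
            else:
                middle.append(ch)           # separators such as '-' are preserved
        token = value[:lead] + "".join(middle) + value[len(value) - trail:]
        if token != value and not (value.isdigit() and luhn_ok(token)):
            return token


def opaque_token(nbytes: int = 12, prefix: str = "tok-") -> str:
    """Non-format-preserving token: configurable length plus a delimiter/prefix."""
    return prefix + secrets.token_hex(nbytes)


class TokenVault:
    """Token Server plus Protected Data Vault (the dict is the assumed vault)."""

    def __init__(self, policies: dict, max_failed_reveals: int = 3):
        self._vault = {}                    # token  -> original value
        self._reverse = {}                  # value  -> token (1:1 mode only)
        self._policies = policies           # client -> "full" | "masked"
        self._max_failed = max_failed_reveals
        self._failed = {}                   # client -> failed Reveal() count

    def protect(self, value: str, *, one_to_one: bool = True,
                preserve_format: bool = True) -> str:
        """Protect(): check the vault, store the value, return a token."""
        if one_to_one and value in self._reverse:
            return self._reverse[value]     # strict 1:1 - reuse the existing token
        token = format_preserving_token(value) if preserve_format else opaque_token()
        while token in self._vault:         # never hand out a token twice
            token = format_preserving_token(value) if preserve_format else opaque_token()
        self._vault[token] = value
        if one_to_one:
            self._reverse[value] = token
        return token

    def lookup(self, value: str):
        """Lookup(): return the 1:1 token for a value, or None, without creating one."""
        return self._reverse.get(value)

    def reveal(self, token: str, client: str) -> str:
        """Reveal(): validate the token, then the client's policy, then return the
        value (full or masked).  Every refusal counts against the client."""
        if self._failed.get(client, 0) >= self._max_failed:
            raise PermissionError(f"{client}: too many failed attempts")
        policy = self._policies.get(client)
        if token not in self._vault or policy not in ("full", "masked"):
            self._failed[client] = self._failed.get(client, 0) + 1
            raise PermissionError(f"{client}: reveal of {token!r} refused")
        value = self._vault[token]
        return value if policy == "full" else mask(value)

    def delete(self, token: str) -> bool:
        """Delete(): validate the token and remove the stored value."""
        value = self._vault.pop(token, None)
        if value is None:
            return False
        if self._reverse.get(value) == token:
            del self._reverse[value]
        return True


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN, not a real card number.
    vault = TokenVault({"order-entry": "full", "timesheet": "masked"})
    tok = vault.protect("4111111111111111")
    print(tok, vault.reveal(tok, "order-entry"), vault.reveal(tok, "timesheet"))
```

The order-entry client sees the full PAN while the time-sheet client only ever gets the masked form, which is the data-type segmentation point from the earlier slide expressed as policy rather than as separate vaults; the rejected-Luhn rule is what lets a downstream system (or a log reviewer) tell a token from a leaked card number at a glance.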


Liaison’s Industry Involvement
• PCI SSC
– Active member of the PCI SSC
– Led the Tokenization Working Group since inception
– Participated in working groups on Encryption, Tokenization, EMV, PCI Scope Reduction
– Part of the Tokenization Task Force (recently released guidelines)
– Championing standardization around interoperability statements
• Other consortia
– IEEE Key Management Standards Council (1619.3)
– Vendorcom
– ISSA
– TAG
– HDMA
– Common


What Others Say About Tokenization
• On Token Manager - John Pescatore, Gartner
“nuBridges was a first-mover in supporting enterprise tokenization, but most of the major key management vendors have since added tokenization capabilities.”
“That early lead has given them a head start on other features that large enterprises look for and the idea of token coordination across different physical locations is one of those features.”
• On Tokenization as a Service - Avivah Litan, Gartner
“Outsourced tokenization is an effective strategy for securing credit cards and it’s a natural progression to use it to protect PII and HER.”
“We expect to see it become a commonplace data protection strategy for a wide variety of data types as more companies exploit secure cloud-based tokenization services from trusted data security vendors.”


Questions?


Thank You
Questions
Up Next, Session 8 - “Introduction to Complementary Partner Solutions”
