
PRODUCT BRIEF: Intel Expressway Tokenization Broker Capabilities and Features

Intel Expressway Tokenization Broker: Powering Internal Tokenization


Restricting access to card data is the most important PCI DSS requirement, but also the most difficult to achieve.
Ponemon Institute's PCI DSS Trends 2010: QSA Insights Report, March 2010

Intel Expressway Tokenization Broker (Tokenization Broker) is a hardware or software appliance designed to reduce PCI scope. It functions as a tokenization broker for any enterprise application tasked with handling clear-text primary account number (PAN) data. Tokenization Broker works by tokenizing PAN data in documents or API calls and storing the encrypted card data in a protected, secure vault, where it can be accessed by authenticated applications and users. The product is available as a secure software or hardware appliance.

Product Highlights:

PCI Scope Reduction: Isolate PCI scope to systems, internal groups and processes that are clearly identified and actively managed by your organization's existing IT department. Remove post-payment applications and databases from PCI scope entirely, while reducing scope in others. Over time, minimize PCI scope-creep for internal applications across your enterprise. Further, the security protections are delivered by secure software or hardware appliances that reduce implementation time and offer superior manageability compared to homegrown solutions.

Convenient Implementation: Maintain your payment processor and your existing application dataflow and business processes. Requires minimal changes to existing applications when compared to competing technologies such as E2E encryption.

Better Control: Leverage a secure hardware or software appliance to process and manage PAN data on-premises, with a high degree of safety and security.

Improved Flexibility: Avoid the typical token migration challenges associated with outsourced or hosted tokenization programs. The solution is payment processor- and acquirer-independent, enabling you to change payment processors or acquirers as your needs change over time.

High-Performance & Consistency: High-performance operations facilitate low-latency document processing across a wide array of standard formats, permitting you to focus on strategic business initiatives.

Figure 1: Tokenization Process. Tokenization Broker tokenizes PAN data, removing downstream applications from PCI scope. (Figure steps: #1 PAN Data, in PCI scope; #2 Internal Tokenization; #3 Downstream Applications, removed from PCI scope.)

Addressing PCI DSS Scope


Organizations that process credit card information are confronted with the issue of PCI DSS scope: all of the components of a computing network that directly or indirectly handle card data. These network components are the primary focus of PCI DSS regulation, compliance and assessment. Any information system, such as a database, web server or application server, that handles a credit card number is immediately pulled into PCI scope and becomes the focus of an assessment. Other systems and servers that interact with in-scope systems can then be pulled into scope as well, so PAN data spreads through the enterprise like an infection.

One of the primary ways to counter the cost and organizational burden of PCI DSS compliance is to reduce overall scope within the enterprise, and the only way to take a system out of scope is to ensure it never stores, processes or transmits clear-text card data in the first place. Otherwise, the organization needs to bring all related systems up to the standard. In both cases, retrofitting existing code, managing database encryption and re-architecting applications to securely handle credit card information is costly in terms of engineering investment and risky in terms of potential impact on organizational structure and business operating practices.

A viable alternative to costly retrofitting is to introduce an application-level security gateway into the architecture that offers internal tokenization capabilities: the gateway replaces the PAN with a token before the data reaches internal systems, so sensitive data is dropped from those systems and PCI scope is isolated to a few key information systems, the gateway and its vault.
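The broker flow described above (a PAN arrives, is swapped for a token, and only the vault keeps the encrypted PAN), worked through as an added example. This is illustrative code written for this page, not Intel's product code. It assumes the token policy named later in the feature list (random field-preserving tokens that keep the last four digits, single-use or multi-use tokens with a lifetime, one-way masking) and, because the Python standard library has no AES, stands in an HMAC-SHA256 keystream with encrypt-then-MAC for the AES-256 vault encryption the brief lists; the principal names, the `payment-svc` allow-list and the sample card numbers are constructed for the example.

```python
"""Added example, not Intel product code: a minimal internal tokenization broker.
Models the flow of Figure 1 with random field-preserving tokens (last four digits
kept), single-use or multi-use tokens with a lifetime, one-way masking, and a vault
holding the PAN only in encrypted form. The vault cipher is a standard-library
stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) for the AES-256 the brief lists.
Principal names, the allow-list and the card numbers are constructed."""
import hashlib, hmac, re, secrets, time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAN_RE = re.compile(r"\b\d{13,19}\b")       # candidate PANs in free text, confirmed by Luhn
DETOKENIZE_ALLOWED = ("payment-svc",)       # constructed: principals allowed to recover a PAN

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:
    """One-way masking: first six and last four survive; the middle is unrecoverable."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh 128-bit nonce; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass
class VaultRecord:
    blob: bytes
    expires_at: float
    uses_left: Optional[int]   # None = multi-use token

class TokenizationBroker:
    def __init__(self, master_key: bytes, keep_last: int = 4, lifetime_s: float = 3600.0):
        # Separate encryption and MAC keys derived from one master key.
        self.enc_key = hmac.new(master_key, b"vault-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
        self.keep_last, self.lifetime_s = keep_last, lifetime_s
        self.vault: Dict[str, VaultRecord] = {}
        self.audit: List[Tuple[str, str, str]] = []   # (principal, action, masked PAN or token)

    def _new_token(self, pan: str) -> str:
        """Field-preserving token: same length, all digits, last `keep_last` digits kept.
        The random head is redrawn until the token fails Luhn (so it can never pass as
        a live PAN) and has not been issued before."""
        tail = pan[-self.keep_last:] if self.keep_last else ""
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - len(tail)))
            if not luhn_ok(head + tail) and head + tail not in self.vault:
                return head + tail

    def tokenize(self, pan: str, principal: str = "app", single_use: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("input is not a valid PAN")
        token = self._new_token(pan)
        self.vault[token] = VaultRecord(seal(self.enc_key, self.mac_key, pan.encode()),
                                        time.time() + self.lifetime_s, 1 if single_use else None)
        self.audit.append((principal, "tokenize", mask(pan)))   # never log the clear PAN
        return token

    def detokenize(self, token: str, principal: str) -> str:
        if principal not in DETOKENIZE_ALLOWED:
            self.audit.append((principal, "detokenize-denied", token))
            raise PermissionError(f"{principal} may not detokenize")
        rec = self.vault.get(token)
        if rec is None or time.time() > rec.expires_at:
            self.vault.pop(token, None)                        # purge an expired record
            raise KeyError("unknown or expired token")
        if rec.uses_left is not None:
            rec.uses_left -= 1
            if rec.uses_left == 0:
                del self.vault[token]
        self.audit.append((principal, "detokenize", token))
        return unseal(self.enc_key, self.mac_key, rec.blob).decode()

    def tokenize_document(self, text: str, principal: str = "app") -> str:
        """Replace every Luhn-valid PAN found in a text document with a token."""
        return PAN_RE.sub(lambda m: self.tokenize(m.group(0), principal)
                          if luhn_ok(m.group(0)) else m.group(0), text)
```

Tokens are deliberately generated so that they fail the Luhn check: they cannot be mistaken for live PANs, and re-scanning an already tokenized document is a no-op. If a downstream application validates card fields with Luhn, that policy has to be inverted. Every tokenize and detokenize call, including denied ones, lands in the audit list with only the masked PAN or the token, which is the kind of access logging the "Track and monitor all access" row of the PCI table calls for.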

Figure 2: Intel's Focus on Merchant IT Systems in Payment Processing Environments. Tokenization Broker protects customers' merchant IT infrastructure, while reducing or eliminating PCI DSS scope in downstream applications. (Figure columns: Point-of-Sale (POS): Store Controller, Retail POS; Merchant IT Systems: Payment Applications, Internal Enterprise Applications, labelled In Scope; Payment Gateways: Gateway Applications; Processors: Processor Applications.)

How Intel Expressway Service Gateway Addresses PCI DSS Requirements

PCI REQUIREMENT: Build and Maintain a Secure Network
PCI SUB-REQUIREMENTS: Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters.
INTEL EXPRESSWAY'S CAPABILITIES: Provides full application-level security proxy and firewalling capabilities.

PCI REQUIREMENT: Protect Cardholder Data
PCI SUB-REQUIREMENTS: Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.
INTEL EXPRESSWAY'S CAPABILITIES: Removes data from PCI scope through internal tokenization and protects PAN data at rest in a secure vault.

PCI REQUIREMENT: Maintain a Vulnerability Management Program
PCI SUB-REQUIREMENTS: Use and regularly update anti-virus software or programs. Develop and maintain secure systems and applications.
INTEL EXPRESSWAY'S CAPABILITIES: Facilitates secure applications by integrating with on-premise virus scanning servers to reduce the threat of malicious attachments.

PCI REQUIREMENT: Implement Strong Access Control Measures
PCI SUB-REQUIREMENTS: Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
INTEL EXPRESSWAY'S CAPABILITIES: Supports strong access control policies by integrating with existing identity management investments and improving physical security for credit card tokenization through its tamper-resistant form-factor.

PCI REQUIREMENT: Regularly Monitor and Test Networks
PCI SUB-REQUIREMENTS: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
INTEL EXPRESSWAY'S CAPABILITIES: Tracks, monitors and logs authorization requests for tokenization, detokenization, and token management. Provides alerting, statistics and reporting in the event of server failures.

PCI REQUIREMENT: Maintain an Information Security Policy
PCI SUB-REQUIREMENTS: Maintain a policy that addresses information security for employees and contractors.
INTEL EXPRESSWAY'S CAPABILITIES: Maintains auditable security policies in a single, hardened form-factor allowing for convenient review and change control for cardholder protection.

Feature and Functionality Details

Token Generation
- Support for randomly-generated, field-preserving tokens using pseudo-random or hardware-based random number generation
- Single-use and multi-use tokens with configurable lifetimes
- Preservation of portions of the original PAN, using a configurable policy
- One-way PAN masking
- Token replacement support for XML, Word (97-03), Word (07), PDF, HTTP Forms, SOAP API call, and text formats

Token Management
- Secure SOAP or REST API for token management functions
- Strong authentication support for applications and users using HTTP Basic Authentication, WS-Security, SAML and X.509 certificates

Secure Vault
- Starter token vault included (HSQL database)
- Supported database applications include Oracle, MySQL, and Microsoft
- PAN protection using AES-256 or Triple-DES
- Two-way SSL communication for secure vault access

Secure Hardware
- Dell PowerEdge R610 1U Server Appliance
- Case Lid Sensor - opening the case will stop functional processing
- Disabled Video Port - VGA ports are inaccessible
- Secure Boot - system first boot must incorporate gathering system parameters from the serial port console
- SELinux Support
- Encrypted File System - utilizes AES-256 and the Trusted Platform Module (TPM) for key storage

Threat Prevention
- XML Limit Checking, SQL Injection, DTD Checking, XPath Injection, Forbidden RegEx Scan, Malformed XML Attack, XML Bomb Attack, Schema Poisoning Attack
- Adaptive Denial of Service Protection and Throttling
- Anti-virus protection using ICAP

Authentication and Authorization
- X.509 certificate, CRL, username/password, LDAP or Microsoft Active Directory, Kerberos, SAML 1.0/1.1/2.0, Web SSO cookie and STS credential mapping, Amazon Cloud API
- Integrates with: CA SiteMinder, Oracle Internet Directory, Oracle Access Manager, IBM Tivoli Access Manager
- Integrates with XACML policy decision points including Axiomatics Policy Server and Oracle Entitlements Server

Data Security
- OASIS WS-Security 1.0/1.1, W3C XML Encryption and XML Signature, WS-I BSP 1.0/1.1, SOAP with Attachments
- Data validation, schema validation, WSDL validation, SOAP filtering and customizable data security support

Supported Protocols
- Supports HTTP, FTP, JMS, MLLP, Raw TCP and File protocols; customizable protocol support available
- Support for multiple SSL identities, mutual auth, SSL v3 and TLS v1
- SFTP

Cryptographic Support
- Supports DES, 3DES, AES, RSA v1.5, RSA-OAEP, SHA-1 and SHA-256

Service Mediation
- Secure SOAP, REST, JSON, or custom service mediation within the datacenter or across the internet
- Supports the Open Group's X/Open XA transaction standard for long-running transactions
- Proven integration with all major ISV middleware solutions

Service Governance
- High performance runtime policy enforcement for security, SLA, mediation and transformation
- Integrates with business service repositories from Software AG* CentraSite, Oracle, SAP
- Zero-downtime dynamic policy updates for routing, attack signatures, validation and transformation
- Fine-grained service and policy monitoring
- Message throttling and ordering
- UDDI v2/v3 integration for service publishing and retrieval

Supported Hardware
- Software Appliance - any Intel Xeon multi-core server with 4GB RAM (Xeon 5500 or 5600 Series with 8GB recommended)
- Hardware Appliance - Dell PowerEdge R610 1U Server Appliance

Management and Monitoring
- Cluster support allows a group of appliances to be managed and monitored simultaneously
- Eclipse-based Intel service and policy designer with pre-built templates
- Management through command line and SNMP; integrates with HP OpenView and Microsoft MOM

Operating Systems
- Red Hat AS5 (64-bit), SUSE Linux Enterprise 11 SP1 (64-bit), Solaris 10, VMware ESX

Performance Features
- Wire-speed XML processing engine optimized for Intel multi-core and the SSE4.2 hardware instruction set
- Low sub-millisecond latency, high performance multi-step processing and large XML processing (>1GB)
- Cryptographic Acceleration - Cavium 1620 PCIe
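The XML checks named in the Threat Prevention row (XML limit checking, DTD checking, XML bomb and malformed-XML rejection) are the kind of admission control a gateway applies before any document is parsed or tokenized. The following is an added example of such a guard, written for this page on the standard-library expat parser; it is not Intel's code, and the limit values, the `XmlLimits` name and the sample documents are constructed for the example.

```python
"""Added example, not Intel product code: an XML admission guard covering XML limit
checking, DTD checking, XML bomb (entity expansion) and malformed-XML rejection,
built on the standard-library expat parser. Limits and samples are constructed."""
import xml.parsers.expat
from dataclasses import dataclass
from typing import Dict, Optional


class XmlRejected(ValueError):
    pass


@dataclass(frozen=True)
class XmlLimits:
    max_bytes: int = 1 << 20     # reject before parsing anything larger
    max_depth: int = 32          # nesting depth (stack exhaustion in recursive parsers)
    max_elements: int = 10_000   # total element count
    max_attrs: int = 64          # attributes per element
    max_text: int = 1 << 16      # cumulative character data
    allow_dtd: bool = False      # a DOCTYPE is the carrier for entity expansion attacks


def check_xml(doc: bytes, limits: XmlLimits = XmlLimits()) -> Dict[str, int]:
    """Parse `doc` once under the limits; raise XmlRejected on the first violation."""
    if len(doc) > limits.max_bytes:
        raise XmlRejected(f"size {len(doc)} exceeds {limits.max_bytes} bytes")
    state = {"depth": 0, "max_depth": 0, "elements": 0, "text": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not limits.allow_dtd:
            raise XmlRejected("DOCTYPE not allowed")

    def on_entity_decl(*args):
        # Even when a DTD is tolerated, no entity may be declared: this is what
        # makes the "billion laughs" XML bomb impossible to express.
        raise XmlRejected("entity declaration not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise XmlRejected("external entity reference not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > limits.max_depth:
            raise XmlRejected(f"depth exceeds {limits.max_depth}")
        if state["elements"] > limits.max_elements:
            raise XmlRejected(f"element count exceeds {limits.max_elements}")
        if len(attrs) > limits.max_attrs:
            raise XmlRejected(f"<{name}> has more than {limits.max_attrs} attributes")

    def on_end(name):
        state["depth"] -= 1

    def on_text(data):
        state["text"] += len(data)
        if state["text"] > limits.max_text:
            raise XmlRejected(f"character data exceeds {limits.max_text}")

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.StartElementHandler = on_start
    p.EndElementHandler = on_end
    p.CharacterDataHandler = on_text
    try:
        p.Parse(doc, True)
    except xml.parsers.expat.ExpatError as e:
        raise XmlRejected(f"malformed XML: {e}") from None
    return {"elements": state["elements"], "max_depth": state["max_depth"]}


def admission_verdict(doc: bytes, limits: XmlLimits = XmlLimits()) -> Optional[str]:
    """None when the document is admitted, otherwise the rejection reason."""
    try:
        check_xml(doc, limits)
        return None
    except XmlRejected as e:
        return str(e)
```

The guard runs a streaming parse with counters and rejects on the first breach, so a hostile document is never fully materialized; only a document that passes should be handed to the DOM or schema-validation stage. The size check comes before the parser is even created, and DOCTYPE and entity declarations are refused outright rather than expanded and then measured, which is the only reliable defence against entity expansion.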

Regain Control... Secure the Dynamic Perimeter

More Information
Website: www.intel.com/software/soae
Resource Site: www.dynamicperimeter.com
Americas: 1-978-948-2585
All other Geographies: +44 (0)118 9546 574
E-mail: intelsoainfo@intel.com

For further details about PCI DSS, consult the PCI Security Standards Council's Web site at the following link: www.pcisecuritystandards.org. Be sure to consult your Qualified Security Assessor (QSA) or other PCI DSS compliance professional when managing your PCI DSS initiatives.

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web site at www.intel.com.

Copyright 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others. Printed in USA. Please Recycle. TOKENIZATION-PRODUCT BRIEF -001US
