Product Highlights:

Intel Expressway Tokenization Broker (Tokenization Broker) is a hardware or software appliance designed to reduce PCI scope. It functions as a tokenization broker for any enterprise application tasked with handling clear-text primary account number (PAN) data. Expressway Tokenization Broker works by tokenizing PAN data in documents or API calls and storing the encrypted card data in a protected, secure vault, where it can be accessed by authenticated applications and users. The product is available as a secure software or hardware appliance.

PCI Scope Reduction: Isolate PCI scope to systems, internal groups and processes that are clearly identified and actively managed by your organization's existing IT department. Remove post-payment applications and databases from PCI scope, while reducing scope in others. Over time, minimize PCI scope-creep for internal applications across your enterprise. Even further, your security protections are powered by secure software or hardware appliances that reduce implementation time and offer superior manageability compared to homegrown solutions.

Convenient Implementation: Maintain your payment processor or existing application dataflow and business processes. Delivers minimal changes to existing applications when compared to competing technologies such as E2E Encryption.

Better Control: Leverage a secure hardware or software appliance to process and manage PAN data on-premises, with a high degree of safety and security.

Improved Flexibility: Avoid the typical token migration challenges that are associated with outsourced or hosted tokenization programs. Our solution is payment processor- and acquirer-independent, enabling you to change payment processors or acquirers as your needs change over time.

High-Performance & Consistency: High-performance operations facilitate low-latency document processing across a wide array of standard formats, permitting you to focus on strategic business initiatives.
Figure 1: Tokenization Process. Tokenization Broker tokenizes PAN data, removing downstream applications from PCI scope. (Figure stages: #1 PAN Data and #2 Internal Tokenization, labelled "in PCI scope"; #3 Downstream Applications, labelled "removed from PCI scope".)
Figure 2: Intel's Focus on Merchant IT Systems in Payment Processing Environments. Tokenization Broker protects customers' merchant IT infrastructure, while reducing or eliminating PCI DSS scope in downstream applications. (Figure columns: Point-of-Sale (POS), Merchant IT Systems, Payment Gateways, Processors; components shown: Retail POS, Store Controller, Payment Applications, Gateway Applications, Processor Applications.)
Intel Expressway Service Gateway Addresses PCI DSS Requirements

PCI Requirement: Build and Maintain a Secure Network
  PCI Sub-Requirements: Install and maintain a firewall configuration to protect cardholder data. Do not use vendor-supplied defaults for system passwords and other security parameters.
  Intel Expressway's Capabilities: Provides full application-level security proxy and firewalling capabilities.

PCI Requirement: Protect Cardholder Data
  PCI Sub-Requirements: Protect stored cardholder data. Encrypt transmission of cardholder data across open, public networks.
  Intel Expressway's Capabilities: Removes data from PCI scope through internal tokenization and protects PAN data at rest in a secure vault.

PCI Requirement: Maintain a Vulnerability Management Program
  PCI Sub-Requirements: Use and regularly update anti-virus software or programs. Develop and maintain secure systems and applications.
  Intel Expressway's Capabilities: Facilitates secure applications by integrating with on-premise virus scanning servers to reduce the threat of malicious attachments.

PCI Requirement: Implement Strong Access Control Measures
  PCI Sub-Requirements: Restrict access to cardholder data by business need to know. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data.
  Intel Expressway's Capabilities: Supports strong access control policies by integrating with existing identity management investments and improving physical security for credit card tokenization through its tamper-resistant form-factor.

PCI Requirement: Regularly Monitor and Test Networks
  PCI Sub-Requirements: Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes.
  Intel Expressway's Capabilities: Tracks, monitors and logs authorization requests for tokenization, detokenization, and token management. Provides alerting, statistics and reporting in the event of server failures.

PCI Requirement: Maintain an Information Security Policy
  PCI Sub-Requirements: Maintain a policy that addresses information security for employees and contractors.
  Intel Expressway's Capabilities: Maintains auditable security policies in a single, hardened form-factor, allowing for convenient review and change control for cardholder protection.
Description
- Support for randomly-generated, field-preserving tokens using pseudo random or hardware-based random number generation
- Single-use and multi-use tokens with configurable lifetimes
- Preservation of portions of the original PAN, using a configurable policy
- One-way PAN masking
- Token replacement support for XML, Word (97-03), Word (07), PDF, HTTP Forms, SOAP API call, and text formats
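As an added illustration of the token properties listed above (example code written for this page, not Intel's code or the product's API): a minimal broker that issues field-preserving random tokens under a keep-first/keep-last PAN policy, distinguishes single-use from multi-use tokens with a lifetime, and provides a one-way mask. The 6/4 default policy, the length check and the in-memory vault are assumptions of this example; the brief describes a database vault holding AES-256 or Triple-DES encrypted PANs.

```python
# Toy tokenization broker (illustration only, not the product's code): field-preserving
# random tokens, keep-first/keep-last policy, single/multi-use tokens with a lifetime,
# one-way masking. The vault is an in-memory dict; a real vault encrypts PANs at rest.
import secrets
import time

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """One-way mask: the hidden digits are not recoverable from the output."""
    return pan[:keep_first] + "X" * (len(pan) - keep_first - keep_last) + pan[-keep_last:]

class TokenBroker:
    def __init__(self, keep_first=6, keep_last=4, ttl_seconds=3600, clock=time.time):
        self.keep_first, self.keep_last = keep_first, keep_last
        self.ttl, self.clock = ttl_seconds, clock
        self.vault = {}   # token -> (pan, expires_at, single_use)
        self.by_pan = {}  # pan -> current multi-use token

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):  # assumed PAN plausibility check
            raise ValueError("not a plausible PAN")
        hidden = len(pan) - self.keep_first - self.keep_last
        if hidden < 1:
            raise ValueError("policy leaves no digits to randomize")
        now = self.clock()
        if not single_use:  # multi-use: hand back the live token for this PAN
            tok = self.by_pan.get(pan)
            entry = self.vault.get(tok)
            if entry and entry[1] > now:
                return tok
        while True:  # random middle; never equal to the PAN, never a vault collision
            middle = "".join(secrets.choice("0123456789") for _ in range(hidden))
            tok = pan[:self.keep_first] + middle + pan[-self.keep_last:]
            if tok != pan and tok not in self.vault:
                break
        self.vault[tok] = (pan, now + self.ttl, single_use)
        if not single_use:
            self.by_pan[pan] = tok
        return tok

    def detokenize(self, tok: str) -> str:
        """Return the PAN; expired tokens are purged, single-use tokens consumed."""
        entry = self.vault.get(tok)
        if entry is None or entry[1] <= self.clock():
            self.vault.pop(tok, None)
            raise KeyError("unknown or expired token")
        if entry[2]:
            del self.vault[tok]
        return entry[0]
```

Downstream systems that only ever see the token or the masked value never hold the PAN, which is the mechanism by which the brief's "removed from PCI scope" claim works.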
Token Management
- Secure SOAP or REST API for token management functions
- Strong authentication support for applications and users using HTTP Basic Authentication, WS-Security, SAML and X.509 certificates
Secure Vault
- Starter token vault included (HSQL database)
- Supported database applications include Oracle, MySQL, and Microsoft
- PAN protection using AES-256 or Triple-DES
- Two-way SSL communication for secure vault access
Secure Hardware
- Dell PowerEdge R610 1U Server Appliance
- Case Lid Sensor - Opening the case will stop functional processing
- Disabled Video Port - VGA ports are inaccessible
- Secure Boot - System first boot must incorporate gathering system parameters from the serial port console
- SELinux Support
- Encrypted File System - Utilizes AES-256 and Trusted Platform Module (TPM) for key storage
Threat Prevention
- XML Limit Checking, SQL Injection, DTD Checking, XPath Injection, Forbidden RegEx Scan, Malformed XML Attack, XML Bomb Attack, Schema Poisoning Attack
- Adaptive Denial of Service Protection and Throttling
- Anti-virus protection using ICAP
- X.509 certificate, CRL, username/password, LDAP or Microsoft Active Directory, Kerberos, SAML 1.0/1.1/2.0, Web SSO cookie and STS credential mapping, Amazon Cloud API
- Integrates with: CA SiteMinder, Oracle Internet Directory, Oracle Access Manager, IBM Tivoli Access Manager
- Integrates with XACML policy decision points including Axiomatics Policy Server and Oracle Entitlements Server
- OASIS WS-Security 1.0/1.1, W3C XML encryption and XML signatures, WS-I BSP 1.0/1.1, SOAP with Attachments
- Data validation, schema validation, WSDL validation, SOAP filtering and customizable data security support
- Supports HTTP, FTP, JMS, MLLP, Raw TCP and File protocols. Customizable protocol support available
- Support for multiple SSL identities, mutual auth, SSL v3 and TLS v1
- SFTP
- Supports DES, 3DES, AES, RSA v1.5, RSA-OAEP, SHA-1 and SHA-256
- Secure SOAP, REST, JSON, or custom service mediation within the datacenter or across the internet
- Supports the Open Group's X/Open XA transaction standard for long running transactions
- Proven integration with all major ISV middleware solutions
Service Governance
- High performance runtime policy enforcement for security, SLA, mediation and transformation
- Integrates with business service repositories from Software AG* CentraSite, Oracle, SAP
- Zero downtime dynamic policy updates for routing, attack signatures, validation and transformation
- Fine-grained service and policy monitoring
- Message throttling and ordering
- UDDI v2/v3 integration for service publishing and retrieval
Supported Hardware
- Software Appliance - Any Intel Xeon Multi-Core server with 4GB RAM (Xeon 5500 or 5600 Series w/8GB Recommended)
- Hardware Appliance - Dell PowerEdge R610 1U Server Appliance
- Cluster support allows a group of appliances to be managed & monitored simultaneously
- Eclipse-based Intel service and policy designer with pre-built templates
- Management through command line, SNMP, and integrates with HP OpenView, Microsoft MOM
- Red Hat AS5 (64-bit), SUSE Linux Enterprise 11 SP1 (64-bit), Solaris 10, VMware ESX
- Wire speed XML processing engine optimized for Intel Multi-Core and the SSE4.2 hardware instruction set
- Low sub-millisecond latency, high performance multi-step processing and large XML processing (>1GB)
- Cryptographic Acceleration - Cavium 1620 PCIe
Dynamic Perimeter
More Information
Website: www.intel.com/software/soae
Resource Site: www.dynamicperimeter.com
E-mail: intelsoainfo@intel.com
For further details about PCI DSS, consult the PCI Security Standards Council's Web site at www.pcisecuritystandards.org. Be sure to consult your Qualified Security Assessor (QSA) or other PCI DSS compliance professional when managing your PCI DSS initiatives.
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web site at www.intel.com.

Copyright 2011 Intel Corporation. All rights reserved. Intel, the Intel logo, and Xeon are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others.

TOKENIZATION-PRODUCT BRIEF-001US