Reducing PCI Compliance Costs and
Effort with SafeNet Transparent Tokenization
WHITE PAPER
Tokenization is gaining increased adoption in a range of organizations and
industries. By effectively taking PCI data out of scope, tokenization presents a host
of benefits, helping organizations both boost security and reduce PCI compliance
efforts and costs. This paper offers a detailed look at tokenization and offers
practical guidelines for helping organizations successfully employ tokenization so
they can maximize the potential benefits.
Introduction: Challenges of Compliance
How good is good enough? When it comes to security, the question continues to be a vexing one
for just about any organization. For companies regulated by the Payment Card Industry Data
Security Standard (PCIDSS), the question remains, even after a successfully completed audit.
The very next day a new system may be installed, a new threat discovered, a new user added, a
new patch released.
If an audit is passed and a breach occurs, the impact would still potentially be devastating. IT
infrastructures, security solutions, threats, regulations, and their interpretation continue to
evolve. That’s why, when it comes to security, organizations need to take a defense-in-depth
approach, and the work is never done. This holds true for organizations in virtually any industry.
A company needs to maintain vigilance in securing the personally identifi able information of
employees, whether national IDs, social security numbers, etc. Organizations complying with
Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), HITECH, the
EU Data Privacy Directive, or any other regulation have a fundamental requirement to secure
sensitive data.
Within this context, business and security leaders must constantly strive to fi nd a balance,
weighing budget allocations, staffi ng, new investments, and ongoing costs vs. security
objectives. Given that, it is incumbent upon security teams to refi ne their approaches in order
to maximize effi ciency while they maximize security. That’s why many organizations have
looked to tokenization.
This paper offers a detailed look at tokenization and how it can support organizations’ PCI
compliance efforts. The paper compares tokenization to encryption and other approaches,
including some of the factors to consider in choosing which approach is best for a given
deployment scenario.
In addition, the paper describes an approach from SafeNet, transparent tokenization, and it
reveals some of the specifi c advantages and benefi ts this solution offers to organizations
looking to safeguard sensitive data in the most effective and effi cient manner possible.
Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization White Paper
1
Weighing Tokenization Alternatives: Encryption, Data Masking, and Other
Approaches
In today’s security landscape, there are many alternatives organizations can choose from as they
set out to ensure optimal security and sustain compliance. Following is an overview of several
approaches that represent an alternative or a complement to tokenization.
“Encrypted data may be deemed
out of scope if, and only if, it
has been validated that the
entity that possesses encrypted
cardholder data does not have
the means to decrypt it.”
--PCI SSC Issues Statement on
Scope of Encrypted Data via FAQ
10359, Issued 11/10/2009
Encryption
In most PCI-regulated organizations, cardholder data will need to be retrieved in the clear at
some point. Given that, encryption will be a fundamental requirement, a way to ensure sensitive
payment information is only accessible by authorized users for authorized purposes. When
plotting security strategies, however, it is important to factor in the degree to which encryption
affects the scope of an organization’s PCI compliance efforts.
As the PCI Security Standards Council makes clear, encrypted data is still in scope in any
organization that has mechanisms in place for decrypting that data. In other words, if a merchant
uses an off-site storage facility, and encrypts payment data before it is transported off site, that
facility’s operations would not be in scope—as long as there were no capabilities within the
facility to decrypt that data.
In this way, encryption can help reduce the scope of compliance. However, within an organization
that is employing encryption mechanisms, and so has the ability to decrypt data, care should be
taken to minimize the occurrence of systems that store or access encrypted data. This is true for
several reasons:
• Scope of compliance and costs. It is important to bear in mind that the systems managing
encryption, and the housing and transmission of encrypted data, are very much in scope of
PCI, and so must adhere to the spectrum of PCI regulations, including malware protection,
multi-factor authentication, and, perhaps most importantly, rigorous key protection
mechanisms. Further, each of these systems will be under the purview of a PCI audit, and the
more such systems audited, the higher the overall audit expense will be.
• Application integration. All the applications that need to access encrypted data will
typically need to be modifi ed to accommodate the changes in data type and fi eld size
that accompany the move from clear text and binary data to accommodate the lengthier fi
eld sizes of cipher text. Depending on the number and type of applications involved, these
changes can represent a signifi cant investment in time and money.
Format Preserving Encryption
Format preserving encryption has been introduced by several vendors in recent years in order
to minimize the implications of encryption on associated applications. However, at the time of
the publication of this paper, the PCI Security Standards Council has not issued a formal policy
around format preserving encryption, leaving open whether, and which of, these techniques are
acceptable to meet compliance mandates. Further, many algorithms and modes may not have
been approved by standards bodies, such as the National Institute of Standards and Technology
(NIST). Because format preserving encryption must return a shorter value than strong encryption
algorithms would normally create, the strength of the ciphertext is reduced in comparison to
transparent tokenization which is based on proven algorithms. Additionally, if a malicious attack
results in the capture of the key used for the format preserving encryption and its associated
algorithm, then the clear text could be derived whereas, a token cannot be derived by the
systems interacting with the tokenized data which is why those systems remain out of audit
scope.
Comparison
Transparent Tokenization Format Preserving Encryption
Reduce Audit Scope


Not vulnerable to decryption


Higher security strength


Proven algorithms


Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization White Paper
2
“Transparent tokenization is a
very useful technique to remove
sensitive data from a database
system, by replacing it with
similarly formatted data that is
not sensitive in any way,”
“Although this means that no
changes in the database schema
have to be made, there are still
some changes that may be
required on associated systems
in order for them to integrate
properly with the tokenization
solution. In addition, special
care has to be taken to make
sure that the systems are not
misinterpreting the new token
data, for example, using it as
basis for a business intelligence
solution. It is important to
understand that most operations
would still need to be performed
on the actual data.”
Alexandre Pinto,
Senior Technical Manager and
PCI QSA, CIPHER Security
Data Masking
Data masking is another approach to consider when it comes to many enterprise’s security and
compliance objectives. Data masking is an approach typically used in testing and development
environments, and is particularly useful when outsourcing application development. Data
masking is used to ensure that application development environments don’t compromise the
security of real customer data. With data masking, sensitive data is replaced with realistic, but
not real, data. While data masking may be a useful technique, development organizations need
to ensure such aspects as referential integrity are addressed, and that the mechanism used to
mask data isn’t susceptible to reverse engineering techniques that could uncover real data.
Given the characteristics and considerations of the alternatives above, tokenization is an
approach that is gaining increased market acceptance. The following section offers a range of
insights and considerations for employing tokenization most effectively.
Keys to Successful Tokenization
In recent years, tokenization has increasingly become an integral approach for PCI compliance,
helping organizations both strengthen the security of payment data while reducing overall
security and PCI audit costs.
Employed for online credit card transactions or transmission of other sensitive data, tokenization
works by replacing sensitive data with tokens that retain the characteristics of the original data.
With tokenization, security teams can ensure that databases, applications, and users cannot
access sensitive data, and only interact with placeholders for that sensitive data. Tokenization
systems convert the sensitive data to an encrypted token in the same format as the original data,
allowing associated applications to continue operating seamlessly. Masking features can also be
maintained if a subset of the data needs to be available for authentication.
Effectively implemented tokenization can signifi cantly reduce an organization’s security and
PCI compliance costs. When applications have access to tokenization, but have no means to
reverse tokenization and access cardholder data in the clear, those applications are considered
out of scope. As a result, organizations don’t need to employ the range of PCI-mandated security
mechanisms on these systems. Further, these approaches thus reduce the cost of ongoing PCI
audits. According to Simon Sharp, Director, Illumis, “An assessor will also inspect samples of
all systems to ensure that cardholder data is not present, particularly where personal account
numbers (PANs) used to be in order to ensure that tokenization is working. Therefore, it is
important to make sure there is a distinction between the tokenized values and the PAN so the
system can be removed from scope.”
Following are some important considerations and strategies to consider when planning new
tokenization implementations.
Minimize Instances of Sensitive Cardholder Data—Whether through Deletion or Tokenization
Before employing encryption, tokenization, or any other security mechanism, organizations
should start by ensuring cardholder data is only stored and accessible where there’s an absolute
business need to do so. If there isn’t, eliminating the sensitive data completely, and the inherent
exposure, is a critical fi rst step.
It is critical to assess the impact of removing, encrypting, or tokenizing the data that resides
on a given system. Once sensitive data has been discovered, it needs to be analyzed in terms
of the associations and interdependencies of other systems. For example, if a business
process requires access to the sensitive data, will those processes be affected by encrypting
or tokenizing that sensitive data? If not accounted for, the impact of tokenization on those
associated processes may cause signifi cant problems for the business.
Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization White Paper
3
“One of the biggest areas of
value we can provide is in helping
reduce audit scope, both by
consolidating systems and
processes—and really ensuring
that there’s a good business
reason for keeping sensitive
payment data accessible to
a given system or process,”
explained Brian Serra, PCI
Program Manager, CISSP, QSA,
and ISO ISMS Lead Auditor,
Accuvant. “Practically, for every
system taken out of audit scope,
a business generally saves about
two hours of auditing time—plus
a great deal of expense in
applying and maintaining all the
security mechanisms required by
the PCI standard.”
Next, security teams need to determine where and how tokenization can be employed. Today,
tokenization is typically employed in one of two ways:
• Outsourced. Within an e-commerce scenario, a retailer can outsource tokenization
entirely so they never have the potential to access cardholder data in the clear within their
systems. For example, after an online transaction is completed, the card information can be
transparently redirected to the service provider, who then converts the card data into a token
and returns the token to the retailer. The downside with this approach is that it can be very
diffi cult for a retailer to change service providers, given the complexity of migrating tokens
and payment data. Further, this approach may not be an option for retailers that use multiple
card processors.
• In house. Here, the merchant would manage converting card numbers into tokens so
associated downstream applications would not be able to access cardholder data in the
clear. While this approach does not reduce the scope of compliance nearly as much as the
fi rst scenario, the trade-off is that the merchant will have more ongoing fl exibility and will
avoid the potential for being locked into a given service provider.
In either case, these approaches can provide substantial benefi ts. On the other hand, security
teams may not want to use tokenization in cases in which users or applications need capabilities
to access payment data in the clear. If systems or users need to be authorized to use cardholder
data in clear text, encryption may be a better alternative or complement to tokenization.
Particularly in cases in which there is unstructured data, for example, the data in spreadsheets
and Word documents, encryption would be complementary to tokenization employed with
structured data.
Leverage Proven Third-Party Solutions
When PCI auditors are verifying the compliance of encryption and tokenization, a critical first
question stems around the types of technologies used. If a merchant or fi nancial institution
has employed an internally developed system for all or part of these areas, the scope of an audit
will inherently grow—each facet of the implementation, everything from access controls to key
rotation will need to be inspected and verifi ed. Consequently, internally developed systems can
signifi cantly increase audit costs, not to mention increased upfront investments and ongoing
development.
On the other hand, if organizations employ compliant commercial solutions that are already
vetted by PCI auditors, they simplify the audit process, enabling auditors to focus on the manner
in which the security systems are implemented, rather than the mechanisms themselves.
Further, it is important to view the tokenization infrastructure in a cohesive fashion and ensure
all aspects are secured.
“One of the areas that is often
a focus for our auditing efforts
is the security of the lookup
table, which relates the token to
the original PAN,” Benj Hosack,
Director, Foregenix. “This is
fundamental to the solution
and needs to be protected
accordingly. That’s why working
with reputable suppliers with
experience and expertise in this
area is recommended.”
Centrally Manage Encryption and Tokenization
Whenever possible, organizations should leverage systems that offer integrated capabilities for
both encryption and tokenization on one platform. These solutions offer a range of benefi ts:
• Cost savings. If tokenization solutions operate independently of encryption, the cost of
upfront purchase, initial integration, and ongoing maintenance will typically be much higher.
• Simplifi ed auditing and remediation. When logs and policies are gathered and tracked
across various point solutions, demonstrating and maintaining compliance grows more
complex.
• Centralized key management. By leveraging key management from a common platform,
administrators can establish best practices for tokenized data in accordance with PCI
DSS or VISA, as well as for encrypted data. For instance, having the fl exibility to use the
strongest encryption keys for the components of the token vault, such as AES256 for the
ciphertext of the PAN and SHA256 for the protecting the associated hash or token value.
• Consistent Enforcement of Policy. It is also important to centrally enforce protection policies
to control not only what data is protected in which manner (tokenized or encrypted) and
where, but to also manage the permissions for privileged users and systems.
Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization White Paper
4
To optimize these benefi ts, organizations should look for solutions that offer the scalability
required to accommodate high transaction volumes. Further, they should employ solutions that
offer the broadest support for industry standards, tokenization and encryption approaches,
and more, to ensure initial investments can be maximized in the long term. This is especially
important knowing compliance is not a static event but an ongoing effort for as long as an
organization has to manage sensitive data.
“I’m a big proponent that
tokenization, key management,
and encryption should be done
in hardware wherever possible,”
stated Simon Sharp, Illumis.
“No matter how many malware
mechanisms may be employed,
ultimately, software may still be
vulnerable—a hacker using an
inline key logger may still be able
to compromise access controls.
Hardware-based solutions offer
an additional layer of security
that is critical for these vital
systems.”
Optimize Security with Hardware-based Platforms
Whenever possible, organizations should leverage hardware-based platforms, which provide a
vital layer of protection for sensitive business assets. Robust hardware-based encryption and
tokenization platforms feature capabilities like centralized, secure backup, and more limited
access points, which can signifi cantly strengthen overall security.
SafeNet Transparent Tokenization
SafeNet offers the robust, comprehensive, and fl exible solutions that enable organizations to
boost security, ensure PCI compliance, and reduce security costs. With SafeNet, security teams
get the capabilities they need to maximize the benefi ts of tokenization in reducing audit scope
and strengthening security. Through its integrated tokenization and encryption capabilities,
SafeNet gives security teams the fl exibility they need to apply tokenization and encryption in
ways that yield the biggest benefi t for their business and security objectives.
Benefits
By employing SafeNet tokenization, organizations can enjoy a range of benefits:
• Ensure PCI compliance and strengthen security. With SafeNet, organizations can address
PCI rules by securing credit card information with format-preserving tokenization. Further,
they can optimize the security of sensitive data through the hardened DataSecure appliance,
which features secure key storage and backup, granular administrative controls, and more.
Further, SafeNet enables businesses to protect a wide range of data types in addition to credit
card information, including bank transaction data, personnel records, and more.
• Reduced audit costs. SafeNet helps security teams save time and money by restricting
the number of devices that need to be audited. When facing an audit for PCI compliance,
many organizations must certify regulatory compliance for each server where sensitive
data resides. Because SafeNet Tokenization replaces sensitive data in databases and
applications with tokens, there are fewer servers to audit. Reducing the scope of audits
helps save time and money.
• Streamline security administration and integration. With SafeNet, organizations can
leverage a central platform for managing policies, lifecycle key management, maintenance,
and auditing through a single solution for both tokenization and encryption. Further, they
can deploy tokenization with full application transparency, which eliminates the need to
customize applications to accommodate tokenized data.
• Alignment with VISA best practices. SafeNet Transparent Tokenization is in alignment
with the recently published VISA Best Practices for Tokenization version 1.0 in regards to
token generation, token mapping, use of a data vault as a cardholder data repository using
encryption, and strong cryptographic key management. (http://usa.visa.com/download/
merchants/tokenization_best_practices.pdf)
SafeNet Tokenization offers a variety of integration options, providing customers with the
fl exibility to choose the right security technique for their environment, while enabling
them to protect more data types—without affecting business logic, database architecture,
storage systems, or other critical enterprise components. SafeNet Tokenization also enables
development teams to move or replicate production data to test environments without having to
de-identify or mask data. With SafeNet Tokenization, organizations can keep data protected with
optimal efficiency and cost-effectiveness.
Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization White Paper
5
Benefits
• Ensure PCI compliance and
strengthen security
• Reduced audit costs
• Streamline security
administration and integration
• Alignment with VISA best
practices
Features
SafeNet offers a range of critical features:
• Format-preserving tokenization. Ensure transparent interactions with applications and
users by defi ning the format of the unique value or token during assignment. By preserving
the format of the data in the token values, applications that interact with the data will not
require customization. SafeNet supports various data formats, including partially masked
data, such as XXXXX6789.
• Token variations. Choose from a range of token variations by tokenizing random digits,
sequential numbers, preserving the fi rst two or six digits, or the fi rst two and the last four.
• Support for an array of data types. Protect a full array of data, ranging from credit card
numbers and member IDs to social security numbers and driver’s license numbers.
• Broad platform support. Enjoy complete deployment fl exibility through SafeNet’s support
for a wide range of applications and Web servers, including Oracle, IBM, BEA, J2EE, Apache,
Sun ONE, JBoss. In addition, SafeNet offers data and token storage for Oracle and Microsoft
SQL Server.
SafeNet Transparent Tokenization Deployment
Following is an overview of how the tokenization process works:
1. Sensitive data comes in through an Ecommerce system.
2. Sensitive data is passed to the Tokenization Manager.
3. Tokenization encrypts the sensitive data, stores it, and returns a token,
4. Other enterprise systems are passed tokens transparently.
5. PCI Auditor only needs to inspect the tokenized database or data vault and sample
any active applications to ensure proper tokenization technique; otherwise, the systems
be removed from scope.
Features
How Tokenization Works
• Format-preserving
tokenization
1
Sensitive data comes in through
an Ecommerce system
• Token variations
• Support for an array of data
types
Enterprise
Application
2
• Broad platform support
3
Tokenization encrypts the
sensitive data, stores it
and returns a token
Sensitive data is passed
to Tokenization Manager
Tokenization
Manager
PCI
Auditor
6
DataSecure
4
Other Enterprise systems
pass tokens to Tokenization
Manager
5
Order
Processing
Systems
PCI Auditor only needs to
inspect tokenized database
and active applications
Tokenization decrypts and
returns sensitive data
Payment
Systems
Customer
Service
Systems
Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization White Paper
6
Conclusion
For organizations tasked with ensuring PCI compliance, the battle is never over. In this effort,
tokenization is becoming an increasingly prevalent approach, one that can take PCI data out
of scope, and so both strengthen security and reduce compliance costs. Today, SafeNet offers
leading transparent tokenization solutions that enable organizations to fully maximize the
benefits of tokenization.
About SafeNet
Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its
customers’ most valuable assets, including identities, transactions, communications, data
and software licensing, throughout the data lifecycle. More than 25,000 customers across
both commercial enterprises and government agencies and in over 100 countries trust their
information security needs to SafeNet.
Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
All other product names are trademarks of their respective owners. WP (EN) A4-3.07.11
Reducing PCI Compliance Costs and Effort with SafeNet Transparent Tokenization White Paper
7