November 21, 2024

PCI Security Standards Council Releases Tokenization Product Guidelines

Posted on April 3, 2015 by in Security

The PCI Security Standards Council announced on Thursday the availability of guidelines designed to help organizations develop tokenization products.

Tokenization is the process in which sensitive information, such as payment card data, is replaced with a randomly generated unique token or symbol. Tokenization products, which can be software applications, hardware devices or service offerings, can help merchants reduce the risk of having their customers’ financial information stolen by malicious actors.

“Tokenization is one way organizations can limit the locations of cardholder data (CHD). A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts,” explained PCI SSC Chief Technology Officer Troy Leach.

There are several challenges to implementing tokenization, but reliable solutions already exist and representatives of the merchant community believe this could be an efficient approach to preventing payment card fraud and identity theft.

The Tokenization Product Security Guidelines released by the PCI Council have been developed in collaboration with a dedicated industry taskforce. The report focuses on the generation of tokens, using and storing tokens, and the implementation of solutions that address potential attack vectors against each component. The document also contains a classification of tokens and their use cases.

The recommendations in the guidelines are addressed to tokenization solution and product vendors, tokenization product evaluators, and organizations that want to develop, acquire or use tokenization products and solutions.

“Minimizing the storage of card data is a critical next step in improving the security of payments. And tokenization does just that,” said PCI SSC General Manager Stephen Orfei. “At the Council, we are excited about the recent advancements in this space. Helping merchants take advantage of tokenization, point-to-point encryption (P2PE) and EMV chip technologies as part of a layered security approach in current and emerging payment channels has been a big focus at this week’s PCI Acquirer Forum.”

The PCI Council has pointed out that the guidelines are supplemental and they don’t supercede or replace any of the requirements detailed in the PCI Data Security Standard (PCI DSS).

PCI DSS 3.0, which focuses on security instead of compliance, went into effect on January 1. Version 3.1 of the PCI DSS, expected to be released this month, targets the SSL (Secure Sockets Layer) protocol. Organizations must ensure that they or their service providers don’t use the old protocol.

Last week, the PCI Council published new guidance to help organizations conduct penetration testing, which is considered a critical component of the PCI DSS.

The Tokenization Product Security Guidelines are available for download in PDF format.

Subscribe to the SecurityWeek Email Briefing

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Oracle Releases Massive Security Update

Posted on January 20, 2015 by in Security

Oracle has pushed out a massive number of patches in a security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite.

Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password. 

Oracle Security LogoThe most serious of the bugs however impact Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities (CVE-2014-6601; CVE-2015-0412; CVE-2014-6549; and CVE-2015-0408).

“Out of these [Java] 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations,” blogged Oracle Software Security Assurance Director Eric Maurice. “This relatively low historical number for Oracle Java SE fixes reflect the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.”

In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.

The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes. There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualization. 

“The challenge with the Oracle CPU is, quarter after quarter, there is so much in these advisories,” said Ross Barrett, senior manager of security engineering at Rapid7. “There are so many different, unrelated platforms, that administrators risk missing something that might apply specifically to a very niche version of hardware that might be in their environment.”

Subscribe to the SecurityWeek Email Briefing

view counter

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Cloud Security Alliance Releases Update to Software Defined Perimeter (SDP)

Posted on May 2, 2014 by in Security

LONDON – Infosecurity Europe – The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, announced the release of two key documents related to the CSA’s Software Defined Perimeter (SDP), an initiative to create the next generation network security architecture. The SDP Version 1.0 Implementation Specification and SDP Hackathon Results Report provide important updates on the SDP security framework and deployment in protecting application infrastructures from network-based attacks.  CSA will be providing press briefings about SDP developments at Infosecurity Europe.

The SDP, a collaboration between some of the world’s largest users of cloud computing within CSA’s Enterprise User Council, is a new approach to security that mitigates network-based attacks by creating dynamically provisioned perimeters for clouds, demilitarized zones, and data center infrastructures. 

Cloud Security AllianceThe SDP Version 1.0 Implementation Specification being released today provides a detailed description of the base architecture.  Version 1.0 provides the necessary information to design and implement a highly secure network system for a wide variety of use cases.  As part of the updated framework, key concepts comprising the SDP, such as Single Packet Authorization (SPA) and Mutual Transport Layer Security (TLS) have undergone extensive review.  Additionally, a number of CSA members, including some of the largest global companies, have SDP pilots in place.

Also being released today, the SPD Hackathon Results Report Whitepaper provides a detailed explanation of the SDP concept, its multiple layers of security controls, and the results of the hacking contest. The Hackathon, announced by Alan Boehme of Coca Cola at the CSA Summit at RSA 2014, invited hackers worldwide to attack a server defended by the SDP.  While more than 10 billion packets were fired at the SDP from around the world, no attacker broke through even the first of five layers of security controls specified by the SDP architecture.

“The Hackathon provides critical validation for the multi-layer SDP security model. Even after 10 billion attack packets, no one was able to crack even the first layer of SDP security controls during the event,” said Junaid Islam, co-chair of the SDP Working Group and CTO of new CSA corporate member Vidder, Inc. “Its the goal of this research initiative to keep testing SDP against real life attack scenarios to provide the highest level of security for cloud, mobile computing and the Internet of Things applications.” 

In releasing the SDP Version 1.0 Implementation Specification, the SDP working group is providing the industry with a validated and proven concept for cloud-based security models and has also announced an open call for participation for the development of version 2.0.  According to Bob Flores, former CTO of the CIA and Chief Executive Officer of Applicology Incorporated and SDP Working Group Co-Chair, now is the time for interested experts to get involved.  “Today’s release of SPD 1.0 will enable sufficient industry participation and feedback to allow CSA to release version 2.0 at the CSA Congress US taking place Sept 17-19 in San Jose, CA.

“The new SDP specification, together with the results of the Hackathon, represent the tremendous progress and confidence we have in making this framework part of every organization’s security posture in the future,” said Jim Reavis, CEO of the CSA.  “Now it is time for the industry to join us in the next phase of the SDP, version 2.0, to make the framework stronger and even more secure against outside attacks.”

SOURCE Cloud Security Alliance

Previous Columns by SecurityWeek News:


SecurityWeek RSS Feed