iSeries Tokenization | DB2 & Application | AS400 Token Manager
Tokenization for IBM iSeries AS400 can help eliminate regulatory compliance exposures by replacing sensitive data with a token that has no real value. Tokens are used in place of iSeries AS400 DB2 data, so the relationships still exist on the system and in applications, while the sensitive data itself is removed from production, test, and QA environments. The iSeries Token Manager provides the implementation of tokenization, including an independent and encrypted repository accessible only by authorized applications. Tokenization is often used by large enterprises and payment system vendors to provide a secure, scalable repository of tokens.
iSeries Tokenization Features
- Recoverable and non-recoverable tokens, defined based on whether data should be allowed to be retrieved in an unencrypted format or not
- Automatically tokenize iSeries data without any application changes
- Satisfies PCI DSS, HIPAA, GDPR, State Privacy, GLBA, and Federal FISMA regulatory compliance requirements
- All token activity is logged to meet compliance audit and reporting requirements
- Comprehensive protection of original iSeries DB2 data with NIST-certified 256-bit AES encryption and NIST FIPS-140 certified key management
Recoverable & Non-Recoverable Tokens
A recoverable token is one that allows retrieval of the original sensitive data from an encrypted archive on the iSeries. A non-recoverable token is one which does not store the original sensitive data. If you only need to retain information about a credit card transaction in order to provide customer support, and do not need to actually use the card number for future charges, you can create a non-recoverable token for this purpose. You will always be able to locate a customer’s information based on a credit card number, without having to store their original card number. By not storing the original card number you eliminate the chance of data theft. iSeries Token Manager lets you define on a case-by-case basis whether your iSeries data should use recoverable or non-recoverable tokens.
NIST Certified Encryption for iSeries
When you need to store recoverable tokens, compliance regulations require strong encryption to protect the original sensitive data. The iSeries Token Manager can utilize AES/400 for NIST certified 256-bit AES encryption for protection. NIST certification involves extensive testing by an independent validation laboratory chartered by the US government. The testing includes validation that AES encryption has been implemented correctly and is your assurance of quality, compatibility, and reliability.
Encryption Key Management
Proper encryption requires the use of encryption key management solutions that securely generate, store, and deploy encryption keys. The iSeries Token Manager is compatible with the NIST FIPS-140 certified Alliance Key Manager and can be used to protect encryption keys.
Protect All Types of Data
The iSeries Token Manager lets you protect a wide variety of information including credit and debit card numbers, social security numbers, driver’s license numbers, phone numbers, zip codes, and many other types of information. In addition to properly formatted tokens, the Token Manager can also generate random numbers and character strings, Base16 (hex) and Base64 encoded strings, and binary numbers in a variety of formats. You can even specify that a token credit card number pass Luhn check-digit validation, or that it will NOT pass Luhn check-digit validation. Driver’s license tokens can be generated that are properly formatted for any of the 50 US states. And social security number tokens will meet the formatting requirements of actual social security numbers. iSeries Token Manager gives you the widest possible set of choices for implementing your tokenization strategy.
Masked tokens are non-sensitive replacement values that include some part of the original value. For example, the original credit card number of 4111-1111-1111-1111 might be replaced with the token value of 4783-7221-5032-1111. This masked token retains the last four digits from the original number. Compliance regulations allow the retention of some parts of the original information, which can be helpful for various purposes. Token Manager supports the masking of tokens using the following options:
- Mask using the last 4 digits
- Mask using the first 5 digits
- Mask using the first 6 digits
- Mask using the first 2 and last 4 digits
These options allow you to meet any current regulatory requirements for masking.
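To make the masking and Luhn options concrete, the following added example (not code from iSeries Token Manager; the names `masked_token`, `luhn_valid` and `MASKS` are hypothetical) generates a random masked token for each of the four options and forces it to pass or fail the Luhn check. A token that deliberately fails Luhn cannot be mistaken for a live card number by validation or data-discovery tools. The sketch only produces the token value and assumes the token-to-record mapping is stored elsewhere.

```python
import secrets

# Mask option -> (leading digits kept, trailing digits kept), per the list above.
MASKS = {"last4": (0, 4), "first5": (5, 0), "first6": (6, 0), "first2_last4": (2, 4)}


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def masked_token(pan: str, mask: str = "last4", pass_luhn: bool = False) -> str:
    """Replace the unmasked digits of `pan` with random ones, keeping separators.

    pass_luhn=False forces a token that can never validate as a card number.
    """
    original = "".join(c for c in pan if c.isdigit())
    head, tail = MASKS[mask]
    free = range(head, len(original) - tail)
    if len(free) < 2:
        raise ValueError("too few digits left to randomize")
    while True:  # rejection sampling; about 1 in 10 candidates is Luhn-valid
        cand = list(original)
        for i in free:
            cand[i] = str(secrets.randbelow(10))
        token = "".join(cand)
        if token != original and luhn_valid(token) == pass_luhn:
            break
    digits = iter(token)
    return "".join(next(digits) if c.isdigit() else c for c in pan)


if __name__ == "__main__":
    # Constructed sample input: the test card number used in the text above.
    print(masked_token("4111-1111-1111-1111", "last4", pass_luhn=False))
```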
iSeries Token Manager makes it easy for IBM i system administrators to set up the tokenization of data without performing any developer tasks. A file is simply copied to a designated library, the fields or columns are selected for tokenization, and Automatic Tokenization replaces the sensitive data with replacement values. Over 20 different field types are supported including credit card, date, zip code, social security number, address, and many others. The referential integrity of the Db2 database is maintained and data is usable by developers and users. Simple commands allow for the replication and automation of the tokenization process.
iSeries Token Manager can help you meet a variety of regulatory requirements including Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), the European Union General Data Protection Regulation (GDPR), state privacy regulations, Gramm-Leach-Bliley Act (GLBA), and the federal FISMA standards. In the majority of current regulations, tokenization is approved as a method of reducing your exposure to data loss. Consult with your security administrator or security auditor for more information about compliance regulations.
Integrated Compliance Logging
iSeries Token Manager implements a multi-layered approach to logging access to tokenization functions. The activities of the security administrator are recorded in the system log to ensure that you have full visibility on all token management functions. You can also implement the logging of all token activity by individual users including token creation and deletion, token retrieval, and token decryption. All system logging is done to a non-modifiable, serialized system journal. You can use the Alliance LogAgent application to transmit this journal to a centralized system log repository or SIEM product.
iSeries Token Manager includes a tokenization server option that allows you to completely separate the token database from your protected data, and implement a central repository for tokens across the entire enterprise. You can tokenize information using a Windows application and then use the token across Linux, UNIX, IBM i and IBM z (mainframe) platforms. Communications with the tokenization server are secured using SSL/TLS. This allows any application that is capable of SSL/TLS communications to access the server.
User Access Controls
Using native operating system security allows you to fully control which users have access to iSeries Token Manager. You can grant or restrict user access based on a specific user account, or based on the group to which a user belongs. If you prefer, you can completely disable public access to the token repository to provide the highest level of security for your token database. All access to the tokenization database can be logged to a centralized compliance journal.
High Availability Mirroring
iSeries Token Manager supports real-time replication by high availability products for data redundancy, server recovery, and load balancing. You can mirror the token database to a remote data center or third-party business recovery site using a variety of commercially available high availability products.
IBM i, Windows, Linux, UNIX, and Java Support
Any application or operating system that supports industry standard SSL/TLS communications can access iSeries Token Manager. This includes, but is not restricted to, the Windows, Linux, UNIX, IBM i, and IBM z (mainframe) operating systems and languages such as Java, C/C++, .NET, VB.NET, COBOL and many others.