Encryption was a simple premise for securing data back in the seventies – the early days of the Data Encryption Standard (DES). Though DES may not have been infallible it was effective enough to be widely adopted both in commercial and government applications. While encryption algorithms and standards have evolved through research and technology improvements, businesses are creating and storing enormous amounts of sensitive data, which is driving the demand for smarter, more efficient systems to protect that data. In response to this pressure, and stricter industry standards, new technologies have emerged for protecting business and customer data.
The rising star born to complement encryption systems is tokenization, a proven technology that has gained traction in the electronic payments industry and has broader applicability across other industries. It allows retailers to retain credit card data (mandated by the card associations) by converting the sensitive data into meaningless tokens, which can be safely used within the merchant’s applications, databases and backup media without any risk of exposing the actual data. The credit card numbers may be stored locally or in a hosted off-site data vault, which is properly secured. A significant benefit of tokenization is that it preserves the key characteristics of the card numbers, enabling merchants to track purchasing habits without modifying their business applications.
The credit card associations, through the PCI Security Standards Council, have created the PCI DSS (and PA DSS) industry security standards for protecting credit card data. Tokenization technology offloads card data from the merchant’s systems, and not only does it remove the mass of sensitive data that is an attractive hacker target, it eliminates or mitigates many of the requirements in the PCI standard for securing sensitive data stores. Merchants who install tokenization find their PCI audit scope is greatly reduced, whether they are large Level 1 merchants or smaller merchants who with tokenization are only required to complete a more limited questionnaire (known as the PCI Self Assessment Questionnaire). In fact, recently Visa included tokenization in its, “Visa Best Practices for Data Field Encryption, Version 1.0” (October 2009).
Adopting a tokenized solution does not require a new IT architecture or put a severe dent into security budgets. An experienced provider will work within the framework of a card authorization system and integrate the tokenization process seamlessly into the structure. One of Merchant Link’s clients was able to implement tokenization across a large enterprise, including several legacy systems, over a period of four months. For this large, national retailer our token solution facilitates card settlement to their five different credit card processors.
Our token solution, TransactionVaultTM, has been protecting merchants’ card data for more than two years. It has successfully removed sensitive cardholder data from more than 15,000 merchant systems and processes over 60 million transactions each month, in the restaurant, hospitality, and retail industries, thereby greatly reducing the risk of data breaches.
The success of tokenization has spurred development of the next promising technology in the payments industry for protecting cardholder data. Companies in the payments industry are developing an integrated end-to-end solution, designed to protect the data while it’s “in flight” as well as when it is “at rest.” Even with tokenization, the fact remains that cardholder data must still be transmitted from the merchants to the payment processing banks. In order to achieve a truly secure solution, a methodology is needed in addition to tokenization to protect data end-to-end. The current PCI-DSS standard states that securing connections being made over public networks with SSL encryption is sufficient. However data is passed between applications, databases, and files from the entry point of the end user point of sale interface to other systems or servers within a merchant’s network, which opens vulnerabilities that can also be exploited.
Achieving a solid and strong encryption methodology calls for the coordination of several important components. The encryption scheme itself ( 3DES, AES, etc.), the management of encryption keys (public – private key pairing, symmetric keys, etc.) securing the location or devices that hold the encryption keys to prevent exposure to attackers, and the ability to change or rotate the keys are all factors that must be addressed. All of these components must be tightly managed and synchronized to ensure the data can be decrypted for use downstream in the payment processing data flow.
The payments industry has discovered that tokenization is an ideal alternative to encryption for protecting cardholder data. Token type solutions are being discussed in other industries where businesses must handle sensitive customer data. For example, healthcare and government agencies face many of the same challenges confronting the payments industry. Security technology has carried us far beyond the days when DES first debuted. As computing gets more powerful and sensitive data continues to proliferate, we still need to keep pace with the efforts made by hackers and criminals that seek to exploit that data for financial gain.
Dan Lane is the chief technology officer for Merchant Link, LLC.