Tokenization to Secure Sensitive Data
By identity on Jul 16, 2009
"A merchant has a point of sale system where customers swipe their credit or debit cards to initiate a payment transaction. Among the information from the magnetic stripe on the back of the card is a 16 digit number called the primary account number (PAN). Any thief who can gain access to the PAN has enough information to use the card data fraudulently. The PAN (i.e., the cardholder data) is sent to a token server where it is encrypted and placed into a secure data vault. A token is generated to replace the PAN data in the merchant's storage systems or business applications. If the merchant needs access to the original cardholder data again -- say to issue a refund on the credit card -- the merchant is authorized to reach into the secure data vault to look up the PAN again."What benefit does this provide to companies?
"First and foremost, it takes highly sensitive data out of the business processes that would use customer data. This reduces the likelihood that the real data can be stolen off of servers or from applications. If a thief steals tokenized data, he can't use it to retrieve the real data, since he isn't authorized to access the secure data vault. Instead, he ends up with a bunch of random numbers that don't mean anything to him."Linda also refers to a post on CreditCards.com by Jay Mcdonald, who explores the potential for tokenization to increase credit card security. Quoting Randy Carr, vice president of marketing for Shift4, developer of a commercial tokenization technology, Jay writes:
"Carr believes the game-changer in the equation is today's hacker. 'These aren't college students doing it anymore; they're ex-Soviet operatives, and they're serious guys. They're not there to get 20 card numbers; they're there to get 100 million card numbers,' he says.
"Their purpose, Carr says, is not to purchase golf clubs, but to fund terrorism, which may explain why the FBI and other intelligence agencies have been inviting Carr and his counterparts for tea."
It will be interesting to see how this technology is deployed or adapted in the next few years. Perhaps the recent hacking of government computer systems will accellerate federal government interest.