Tokenization to Secure Sensitive Data

In her Network World column earlier this week, Linda Musthaler described a fairly new technology called "tokenization" that is gaining interest from organizations that have much to lose from data breaches, such as credit card merchants and financial institutions.  She uses the example of payment card data to describe how the tokenization process works:
"A merchant has a point of sale system where customers swipe their credit or debit cards to initiate a payment transaction. Among the information from the magnetic stripe on the back of the card is a 16 digit number called the primary account number (PAN). Any thief who can gain access to the PAN has enough information to use the card data fraudulently. The PAN (i.e., the cardholder data) is sent to a token server where it is encrypted and placed into a secure data vault. A token is generated to replace the PAN data in the merchant's storage systems or business applications. If the merchant needs access to the original cardholder data again -- say to issue a refund on the credit card -- the merchant is authorized to reach into the secure data vault to look up the PAN again."
What benefit does this provide to companies?
"First and foremost, it takes highly sensitive data out of the business processes that would use customer data. This reduces the likelihood that the real data can be stolen off of servers or from applications. If a thief steals tokenized data, he can't use it to retrieve the real data, since he isn't authorized to access the secure data vault. Instead, he ends up with a bunch of random numbers that don't mean anything to him."
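The two quoted passages above describe the process (PAN goes to a token server, is encrypted into a vault, and a token replaces it in the merchant's systems) and the benefit (stolen tokens are just meaningless numbers, and the thief is not authorized to reach into the vault). The following is an added example, not code from Linda Musthaler's column or from any vendor's product, that puts both points into a small Python tokenization service. The class and function names, the principal list, the HMAC-based encryption of vault records (a stand-in for AES-GCM or a hardware security module in a real deployment) and the rule that a token must fail the Luhn check are all assumptions made for this illustration.

```python
"""Added example (not from the column): a minimal tokenization service.

A PAN is swapped for a random token; only the vault, behind an authorization
check, can map the token back.  The vault record is encrypted under a key the
merchant's application servers never hold, so a copied token store yields
nothing.  Names, the principal list and the key handling are assumptions.
"""
import hashlib
import hmac
import os
import secrets

# Constructed principal list: who may reach into the vault (e.g. a refund service).
AUTHORIZED_PRINCIPALS = {"refund-service"}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: true for every syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self, master_key: bytes):
        # Separate keys for confidentiality and integrity, derived with HMAC.
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._store = {}  # token -> (nonce, ciphertext, tag)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode, standing in for AES-GCM in a real vault.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _seal(self, pan: str):
        nonce = os.urandom(16)
        data = pan.encode()
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def _open(self, record) -> str:
        nonce, ct, tag = record
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vault record tampered with")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()

    def tokenize(self, pan: str) -> str:
        """Store the PAN and hand back a token the merchant may keep anywhere."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        while True:
            # Random digits, same length, last four kept for receipts.  The
            # token is unrelated to the PAN: there is nothing to "decrypt".
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice for this example: reject tokens that pass Luhn so a
            # token can never be mistaken for a real card number downstream.
            if token not in self._store and not luhn_valid(token):
                break
        self._store[token] = self._seal(pan)
        return token

    def detokenize(self, token: str, principal: str) -> str:
        """Map a token back to the PAN, only for an authorized caller."""
        if principal not in AUTHORIZED_PRINCIPALS:
            raise PermissionError(f"{principal} may not read the vault")
        if token not in self._store:
            raise KeyError("unknown token")
        return self._open(self._store[token])

    def stored_record(self, token: str):
        """What someone who copies the vault's storage would see: no plaintext PAN."""
        return self._store[token]


if __name__ == "__main__":
    vault = TokenVault(os.urandom(32))
    pan = "4111111111111111"          # well-known test PAN, Luhn-valid
    tok = vault.tokenize(pan)
    print("token for merchant storage:", tok)
    print("refund-service lookup:", vault.detokenize(tok, "refund-service"))
```

The token store and the vault key would live on separate systems in practice; the point the example makes is that the merchant's applications only ever hold random digits, and the single path back to the PAN is a vault call that checks who is asking.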
Linda also refers to a post on CreditCards.com by Jay Mcdonald, who explores the potential for tokenization to increase credit card security.  Quoting Randy Carr, vice president of marketing for Shift4, developer of a commercial tokenization technology, Jay writes:
"Carr believes the game-changer in the equation is today's hacker. 'These aren't college students doing it anymore; they're ex-Soviet operatives, and they're serious guys. They're not there to get 20 card numbers; they're there to get 100 million card numbers,' he says.

"Their purpose, Carr says, is not to purchase golf clubs, but to fund terrorism, which may explain why the FBI and other intelligence agencies have been inviting Carr and his counterparts for tea."

It will be interesting to see how this technology is deployed or adapted in the next few years. Perhaps the recent hacking of government computer systems will accelerate federal government interest.

About

Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.