Deep-Dive on Payment Security: Encryption & Tokenization

First Data has released a new thought-leadership whitepaper on encryption and tokenization. If you are a merchant or software developer looking for the most advanced payment security technologies, this whitepaper is for you.

There are now technologies available that let merchants go beyond the current requirements of PCI. End-to-end encryption (E2EE) and tokenization address many of the vulnerabilities in the payment processing chain. E2EE addresses the security weaknesses that exist while cardholder data has been captured but not yet authorized, and tokenization addresses the security vulnerabilities that remain after a transaction has been authorized. Combined, the two technologies provide a very strong way to secure cardholder data across the whole transaction lifecycle.

Encryption
Encryption is the process of using an algorithmic scheme to transform plain text information into a non-readable form called ciphertext. The corresponding key is required to decrypt the ciphertext and return it to its original plain text form.

Why encryption is important
Anytime that live cardholder data is in the clear – that is, in plain text format that is readable by a person or computer – it is extremely vulnerable to theft. Of course, cyberthieves know this and look for ways to capture a copy of that data. For example, it’s possible for a thief to siphon off the card data as it is transmitted in plain text from a card reader to the point of sale (POS) server or the merchant’s central server. (This is what is suspected to have happened in data breaches involving Hannaford Bros., TJX and the Dave & Buster’s restaurant chain.)
Encrypting the data itself, the transmission path the data takes across the network, or both, vastly reduces the exposure of the data, which in turn reduces a merchant’s business risk.

There are multiple ways that data encryption can be applied, and which method is “best” depends on a merchant’s specific environment. Session encryption encrypts the pipe (the connection between two systems), data encryption encrypts the payload itself, symmetric encryption uses a single shared key, and asymmetric encryption uses a public/private key pair.

Data encryption in hardware (TRSM)
The process of encrypting cardholder data can be done in hardware in a tamper resistant security module (TRSM). A TRSM device has the ability to destroy itself and render useless any data or keys stored in it if someone attempts to tamper with it. A merchant that is using symmetric data encryption should always store the key in a TRSM device.
There are models of card readers that have a TRSM inside so that data can be encrypted immediately at the point of capture. Hardware-based encryption offers a higher degree of overall security than software-based encryption because it prevents key tampering or theft; it is considered “the best of best practices.” Deploying this kind of card reader provides excellent security, but deployment may be cost prohibitive for a merchant that must acquire hundreds or thousands of the devices. Moreover, at this time, many merchants are in a wait-and-see mode with Chip and PIN technology potentially on the horizon, and thus are hesitant to acquire new readers in the near term.

Data encryption in software
Data encryption can also be performed by a software program. This approach provides more flexibility in where the encryption takes place, as it can be added to virtually any terminal, POS device or e-commerce server where card data is presented. In addition, software encryption can be used with devices that simply don’t have a TRSM available to them, such as older pieces of hardware. Many merchants appreciate that adding software-based encryption doesn’t require a capital investment in new equipment.

Tokenization
An increasingly popular approach for the protection of sensitive data is the use of data substitution with a token (or alias) as a replacement for a real credit card number. In the process of tokenization, actual cardholder data is used in a payment transaction and, once the transaction is authorized, this very sensitive data is sent to a centralized and highly secure server called a “vault” where it is stored securely. At the same time, a random unique number is generated and returned to the merchant’s systems for use in place of the cardholder data. The vault manager maintains a reference database that allows the token number to be exchanged for the real cardholder data if it is needed again for, say, a chargeback. Meanwhile the token number, which cannot be monetized, can be used in various auxiliary business applications as a reliable substitute for the real card data.

Why tokenization is important
Tokenization is important for two reasons:
1. It vastly reduces a merchant’s risk in the event of a data breach because the process eliminates sensitive cardholder data from a merchant’s environment after a transaction has been authorized. If token numbers are breached, they are meaningless to anyone who would attempt to use them because the tokens are simply random numbers.
2. Using token numbers instead of real card data in back-end business applications shrinks the merchant’s cardholder data environment (CDE) that is subject to PCI compliance requirements and audits. This reduction of PCI scope can save a merchant significant time and money.
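As an added illustration of the vault-and-token flow described above (example code written for this page, not First Data’s or Prineta’s implementation; the class and function names and the test card number 4111111111111111 are constructed), the vault below issues random tokens that have no relation to the card number and, as a design choice assumed here, are made to fail the Luhn check so they can never be mistaken for a live card number:

```python
import secrets

# Constructed example of the tokenization flow described above: after a
# transaction is authorized, the real PAN goes to the vault and only a
# random token comes back to the merchant. All names are hypothetical.

def luhn_valid(number: str) -> bool:
    """Luhn check: real card numbers pass it; tokens here are made to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Holds the only mapping from token to PAN (the vault's reference database)."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:  # same card always gets the same token
            return self._pan_to_token[pan]
        while True:
            # 16 random digits: no key and no relation to the PAN, so a stolen
            # token cannot be turned back into card data without the vault.
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if not luhn_valid(token) and token not in self._token_to_pan:
                break  # a Luhn-failing token can never pass as a live PAN
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back, e.g. for a chargeback."""
        return self._token_to_pan[token]  # KeyError for an unknown token

def store_authorized_transaction(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side, after authorization: keep the token, never the PAN."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}
```

The merchant’s stored record contains only the token, so a breach of those records exposes nothing that can be monetized.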

Encryption and tokenization address different security weaknesses in the payments process. Encryption protects data that has been captured by the merchant but has not yet been used for transaction authorization. Tokenization solves the problem of storing and using real card data in business processes that are downstream from authorization.

Does your current system support encryption and tokenization?  If not, you should explore making a change.

At Prineta Payment Consulting we work with industry-leading partners that offer both encryption and tokenization. If you need to incorporate encryption and tokenization into your payment environment, we can help. Contact Us!
