The Green Sheet Online Edition
August 10, 2009 • Issue 09:08:01
The real story on tokenization
Your cover story, "Diverse perspectives on end-to-end encryption," dated May 25, 2009, states on page 63: One option, known as tokenization, is simply the use of a single, common encryption key by different parties up and down networks. It is considered by many to be a relatively uncomplicated way to avoid decrypting data when it's transferred, since each handler is privy to the original encryption formula.
This is an incorrect statement, as it is describing encryption, not tokenization. As the person who coined the phrase tokenization as it is applied to payments, I urge you and your readers to read my 2008 white paper "Tokenization in Depth" at www.shift4.com/pdf/s4-wp0806_tokenization-in-depth.pdf.
This white paper clearly defines that a token is not encrypted data; instead a token is simply a reference key to other data, in this case sensitive cardholder data.
Tokens, by definition, are not decryptable. The author of the article is describing a problem with one form of end-to-end encryption.
I guess the best way to distinguish the difference between an encryption solution and a tokenization solution is by example: One merchant has a plain text file on his server containing thousands of tokens. Another merchant has a plain text file on his server containing thousands of fully encrypted card numbers (for this example, the encryption doesn't really matter; it could be any strong cipher or hidden TDES [Triple Data Encryption Standard]), and further assume the encryption keys are secured in a Tamper Resistant Security Module (TRSM) that has not been compromised.
Both merchants get hacked and the files are stolen. Again, assume the TRSM has not been compromised; only the text files were stolen. The first is not considered a breach because true tokens do not contain cardholder data in any form, whereas the second is considered a breach because even though the card data is encrypted, it does contain cardholder data, and it has the potential of being decrypted.
There are big differences between tokenization and end-to-end encryption. Both have their strengths and weaknesses. I obviously have a bias for tokenization solutions; others have a bias for end-to-end encryption models. To me, the strongest solution would be a hybrid solution using an encrypted card reader feeding a tokenization solution. This would give you the strengths of both.
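To illustrate the letter's file-theft comparison, here is an added example, not from the letter writer or the Shift4 white paper: a hypothetical token vault in Python, with constructed sample card numbers, showing that a stolen token file carries no cardholder data while the same file of plain card numbers does.

```python
"""Hypothetical token vault illustrating a token as a random reference key
held server-side, with no mathematical link to the card number (PAN)."""
import secrets
from typing import Dict, Iterable, List, Optional


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check, used here only to validate incoming PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps opaque tokens to PANs. Only the vault, kept inside the
    processor's protected environment, can resolve a token to a PAN."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:            # one stable token per card
            return self._pan_to_token[pan]
        token = "tok_" + secrets.token_hex(16)   # random; nothing derives it from the PAN
        while token in self._token_to_pan:       # collision is vanishingly rare, but check
            token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_pan.get(token)


def file_contains_cardholder_data(stolen_file: Iterable[str], known_pans: List[str]) -> bool:
    """Scan a stolen file for PAN residue: a PAN present verbatim, or
    recoverable by stripping non-digit characters (a 'hidden PAN' pattern)."""
    for rec in stolen_file:
        digits = "".join(c for c in rec if c.isdigit())
        if any(pan in rec or pan in digits for pan in known_pans):
            return True
    return False
```

Run against a list of tokens, the scan finds nothing; run against the same merchant's plain card numbers, it flags the file.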
Thank you for taking the time to send us this explanation. We strive for accuracy in all that we publish, but sometimes we don't get it quite right. We will use your white paper as a resource when writing about this topic in the future.
When will my news appear?
If I submit a press release to you containing relevant industry news, when will it be posted? And will you let me know once it's done?
Ometz Payments Ltd.
We typically post press releases pertaining to the payments industry on the same day we receive them, but we do not notify parties who send us releases when they are posted. When your release is ready, send it to firstname.lastname@example.org, and check News From The Wire on the left-hand side of our home page later in the day to see if it's been posted. If you do not see your news there, it's just fine to send us a follow-up e-mail.
Farewell to a payment champion
The payments industry lost a groundbreaker on July 17, 2009, when Paul William Noblett Jr. passed away. Noblett thrived on challenges and was instrumental in the growth of National Bancard Corp. (NaBanco), which is now First Data Corp.
A decorated veteran of the U.S. Army, he began his career in the industry by leading an intricate payroll automation project for the Army Finance Corp.
Noblett joined NaBanco in 1979, leading the company as operations manager through significant growth and acquisitions of several bank merchant portfolios. From 1983 to 1989, he worked for MasterCard International (now MasterCard Worldwide) where he oversaw, among other things, the deployment of Banknet, MasterCard's first global processing network. He then returned to NaBanco, which soon became one of the nation's largest acquirers.
In 1992, Noblett formed his own consulting firm, Noblett & Associates Consulting LLC. Mike McCormack, an associate in the firm, said, "One of the things he specialized in was helping small and emerging ISOs and various technology companies in the acquiring space move up to the next level. ... Paul's legacy is one of bringing a very optimistic, proactive, enthusiastic perspective to things."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.