A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

May 10, 2021 • Issue 21:05:01

Eliminate all clear-text cardholder data from your network

By David Close

Retailers and acquirers are always looking at better ways to secure transactions to reduce exposure of sensitive customer data. It's vital that the payment processing infrastructure combines security and performance to enable safe, secure commerce around the world, minimize audit risks, and protect customer data even in the event of a breach or hack. Two technologies, point-to-point encryption (P2PE) and tokenization—when used together—can help eliminate clear-text customer data from being anywhere on the network.

In this model, customer data remains encrypted throughout the entire payment process, thereby reducing its exposure. Data is encrypted at the initial point of capture using P2PE, decrypted within the secure boundary of a hardware security module (HSM) and re-encrypted using a transfer key for payment validation by the processor, while simultaneously having a token generated for storage and future use. This is also a sophisticated, easily implemented tool for reducing compliance scope.

Encrypting at every hop

In 2011, The PCI Security Standards Council released a spec called PCI Point-to-Point Encryption to provide governance and guidance for encryption of cardholder data. It outlined how financial services encrypt and decrypt cardholder data and handle key management within secure cryptographic devices.

It's called point-to-point encryption and not end-to-end encryption because you typically encrypt data from one point to another, and then either decrypt it or re-encrypt it under another key for the next point, or hop. Encrypting at every hop eliminates a potential weak link. If malware were on the card reader, for example, the sensitive cardholder data would still be encrypted.

The PCI Data Security Standard, which defines the infrastructure where cardholder data is traversing, contains many requirements: cardholder data cannot be stored in the clear, for example. If retailers store data in a database, it must be stored encrypted in a data protection environment. However, the data protection environment limits what you can do with the data, and it introduces risk if you’re exporting that data to handle functions such as chargebacks or account lookups, because you have to decrypt the data. This is where tokenization enters in.

Combining P2PE and tokenization

Tokenization is a representation of data, using cryptographically generated substitute characters as placeholder data to preserve the data format. Tokenization protects PAN data in storage by removing it altogether, replacing it with an identifier known as a token. In a typical financial application of tokenization, a payment transaction occurs, and the merchant only retains the token. The token is linked to that cardholder account and, by itself, has no intrinsic value. The transaction token can be used by the processor to look up the PAN needed to process the appropriate transaction.

Since tokenized data is random and valueless, it's typically not subject to the same compliance requirements as clear-text payment data and can help reduce PCI DSS compliance scope. Widespread adoption of tokenization in payments ushered in substantial increases in security and an overall reduction in compliance costs.

Vaulted versus vaultless tokenization

Vaulted tokenization requires large databases mapping tokens to their corresponding clear data. In this model, detokenization requires the database to be queried with a token to retrieve original data. Token vaults represent a high-risk target for theft since they contain clear cardholder data.

Vaultless tokenization eliminates the need for a vault or master token database, providing strong cryptography to secure data at rest. Vaultless tokenization resolves the problem of storing encrypted data by protecting it and being able to use the data to perform everyday functions in a secure way.

When you combine P2PE and tokenization, you're minimizing risk of exposing customer data by storing it in a tokenized format and protecting it at every point of interaction. Innovative acquirers are deploying P2PE and tokenization simultaneously; large-scale retailers are typically adopting one or the other.

The payments industry is complicated. And the current ecosystem is fairly segmented. Most financial organizations today use separate systems for encrypting and tokenizing data. Essentially, what’s needed is for the entire infrastructure—terminals to HSMs—to support P2PE and tokenization, the security needed to handle billions of transactions daily. end of article

David Close is chief solutions architect at Futurex, a trusted provider of hardened enterprise data security solutions. He is a subject matter expert in enterprise key management best practices and systems architecture and infrastructure design. Contact him at linkedin.com/in/davidclose or www.futurex.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing