What is Tokenization and How Can I Use it for PCI DSS Compliance?
Tokenizing your payment card data may be the smartest security decision you make in 2016.
By: Mike Riesen
What is Tokenization and How Does It Work?
The whole point of tokenization is to limit the usage of plain-text sensitive data to as few places in your environment as possible. According to Alex Pezold, CEO at TokenEx (a cloud-based credit card tokenization and data vaulting service), tokens can be used to replace any sensitive or non-sensitive data set (from protected health information to automated clearing house data), but the most popular data for tokenization remains primary account number (PAN) data, or credit card numbers.
Unlike encryption, which generates a new value to represent credit cards using cryptographic algorithms, credit card tokenization solutions randomly generate a value to replace credit card data.
Because tokens are randomly assigned, it’s next to impossible to compromise or reverse-engineer a token. The only way to see which credit card values are related to which tokens is through a data vault, or token vault, usually managed by a third party.
The best part of a correctly implemented tokenization system is merchants never see customer credit card information. They only see tokens, which are essentially useless strings of information.
Now that you understand the basics of tokenization, let’s run through five steps that explain what happens to credit cards from the point of swipe until the payment process is completed.
- A credit card is swiped in a POS machine or entered into an ecommerce site.
- The POS machine (or ecommerce site) passes the PAN to the credit card tokenization system.
- The tokenization system generates a string of 16 random characters to replace the PAN, or retrieves the associated token (if it has already been created) and records the correlation in the data vault.
- The tokenization system returns the token to the POS terminal (or ecommerce site), where it is used to represent the customer’s credit card in the system.
- If the business is using a payment processor’s tokenization solution, the token is sent to the payment processor, who, using the same tokenization technology, can de-tokenize and view the original credit card number and process payment. If the organization is using a third party tokenization solution, the token is sent to the third party, who then de-tokenizes it and sends it along to the payment processor for credit card processing.
What Does a Token Look Like?
Pezold says there are two types of token formats: format preserving and non-format preserving. Format preserving tokens maintain the look and feel of original 16-digit payment card data. For example:
Payment Card Number: 4111 1111 1111 1111
Format Preserving Token: 4111 8765 2345 1111
Non-format preserving tokens don’t resemble the original data and could include both alpha and numeric characters. For example:
Payment Card Number: 4111 1111 1111 1111
Non-format Preserving Token: 25c92e17-80f6-415f-9d65-7395a32u0223
According to Pezold, most organizations use format preserving tokens to avoid causing validation issues with existing applications and business processes.
How Many Credit Cards Can a Data Vault Hold?
As was mentioned before, the data vault is the keystone to the tokenization process. So what happens if a merchant takes billions of transactions each year? How does that affect the data vault? To answer that, you must understand the difference between single-use tokens and multi-use tokens.
Single-use tokens
A single-use token is typically used to represent a single transaction, and processes much faster than multi-use tokens. Pezold says if you plan to use single-use tokens, expect your data vault to grow exponentially over time.
“Every time a repeat customer purchases something, a new token will be created in the vault. Because of this, single-use tokens are far more likely to cause a token collision scenario than multi-use tokens.”
A token collision scenario is when two identical tokens are generated, but actually represent two different pieces of data. (This is why validation of previously existing tokens in the token generation process is crucial.)
Multi-use tokens
A multi-use token always represents the same 16-digit PAN, and may be used for multiple transactions. Every time a payment card is entered into a payment system, the same token is generated and used.
“The two most common benefits of multi-use tokens include reducing data vault bloat and data analytics,” says Pezold. “Other benefits more specific to the payments space include recurring payment support and loyalty tracking.”
The question of whether to use single-use or multi-use tokens is completely dependent on 1) an organization’s need for retaining tokens, and 2) plans for storage expansion.
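The five-step flow, the format-preserving token shape, the collision check during token generation, and the single-use versus multi-use distinction above can all be seen in one small model. This is an added illustration, not code from the article or from TokenEx; the `TokenVault` class, its storage layout, and the choice to make format-preserving tokens fail the Luhn check (so a token can never be mistaken for a real card number) are assumptions of this example.

```python
import secrets
import uuid

PAN = "4111111111111111"  # constructed sample, the article's example card number


def luhn_ok(digits: str) -> bool:
    """Luhn check: real PANs pass it; the tokens below are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault mapping tokens to PANs.
    In a real deployment this lives with the tokenization provider, not the merchant."""

    def __init__(self, multi_use: bool = True, format_preserving: bool = True):
        self.multi_use = multi_use
        self.format_preserving = format_preserving
        self.token_to_pan = {}  # the vault itself
        self.pan_to_token = {}  # only consulted for multi-use tokens

    def _generate(self, pan: str) -> str:
        while True:  # loop until the token is both unused and not PAN-like
            if self.format_preserving:
                # keep the first 4 and last 4 digits as in the article's example,
                # randomise the middle 8 with a CSPRNG
                middle = "".join(secrets.choice("0123456789") for _ in range(8))
                token = pan[:4] + middle + pan[-4:]
                if luhn_ok(token):
                    continue  # would be indistinguishable from a real card number
            else:
                token = str(uuid.uuid4())  # non-format preserving, alphanumeric
            if token not in self.token_to_pan:  # collision check against existing tokens
                return token

    def tokenize(self, pan: str) -> str:
        if self.multi_use and pan in self.pan_to_token:
            return self.pan_to_token[pan]  # same card, same token
        token = self._generate(pan)
        self.token_to_pan[token] = pan
        if self.multi_use:
            self.pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self.token_to_pan[token]  # only the vault holder can do this
```

Running the single-use vault twice for the same card produces two vault entries, which is the growth Pezold warns about.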
Is Tokenization the Same as Encryption?
The short answer? No. Tokenization and encryption are very different technologies that have diverse pros and cons. To comprehend the strong tokenization vs. encryption debate, you must first understand that encryption is reversible, and tokenization is irreversible. Pezold explains the difference well.
“Irreversible tokens have no mathematical relationship to the original data point. In other words, you cannot mathematically reverse-engineer the token value to get back to the original data point. Irreversible tokens, in our humble opinion, are the only true types of tokens.”
Encryption (P2PE, etc.) on the other hand, maintains a mathematical relationship to the original data point, which means encryption methods are only as good as their algorithm strength. If a hacker cracks the algorithm, they are also able to decrypt all encrypted values. Not to mention the precarious security of encryption keys, which are very vulnerable to exposure, especially in large environments.
Says Pezold, “considering the astronomical rate by which computing power is multiplying – it’s just a matter of time before encryption mechanisms are invalidated.”
So, is a tokenization solution safer than encryption? There’s no solid answer to that question, because there are applications for both tokenization and encryption. Encryption is great for transmission of sensitive data. But because tokenization can’t be exploited through computer algorithms or mathematical formulas, some argue it makes a better overall data security solution, especially where payment card data is involved. Even if tokenized payment card data is stolen, nothing would ever happen to it... as long as the data vault was protected.
Using Tokenization to Reduce PCI DSS Compliance Scope
According to the PCI DSS, “Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment.”
Since credit cards aren’t available outside of the original point of capture and the data vault, risk (and therefore scope) is dramatically reduced with credit card tokenization. However, how tokenization reduces a company’s individual scope totally depends on how the company’s technology and business processes interact with payment card data.
Technically, the elements of the tokenization system (like the card vault and de-tokenization) are part of the cardholder data environment and therefore in scope for PCI requirements. But if the card vault is handled by a third party, it’s out of scope for the business taking the payment cards. All the business must do is ensure their tokenization vendor is approved through the PCI SSC, and that they protect tokenization systems and processes with strong security controls.
Risks of Tokenization
Tokenization is a fairly new technology, and with new technologies, new risks develop. Pezold thinks those risks are “pretty far and few between”, but outlines cross-domain, token co-mingling, and multiple tokenization solutions as three of the worst offenders.
With cross-domain tokenization, businesses request the ability to tokenize data across all of their customers in a single data vault.
“This scenario creates a situation where a token for one merchant can be used across all merchants in that vault – essentially making a token a credit card. For service providers with multiple merchant customers in particular, each customer must have their own data vault so a cross-domain scenario is not introduced,” says Pezold.
He goes on to explain the challenges behind data co-mingling, which essentially means an organization stores both card data and tokens.
“Organizations that opt for a phased approach to tokenizing data can actually end up storing payment card data as well as tokens in their databases. This can create a challenge with some token schemes, as it makes it nearly impossible to determine what is a token and what is a payment card number.”
The PCI DSS requests that merchants prove they do not have payment card data within their environment. Data co-mingling makes that request nearly impossible.
Similarly to data co-mingling, some companies elect to use multiple tokenization solutions, which could lead to some unique card processing challenges.
“In the event you have tokens from multiple providers present with no business logic around which tokens can be used with different service providers, there exists an opportunity for the merchant to try and use the wrong token to process a transaction. In other words, the merchant uses a token from Company B to try and process a transaction through Company A. Unfortunately for the merchant, it’s not going to work,” says Pezold.
All things considered, if a merchant implements tokenization correctly, the risks associated remain quite limited.
Is Tokenization Right for Your Organization?
Any business environment handling sensitive data should use tokenization to reduce risk and secure data. According to Pezold, TokenEx’s customer base is composed of companies ranging from start-up ecommerce to multi-national Fortune 500 companies. These companies utilize tokenization in mobile environments, through call centers, for file batching, and more.
There are, however, a few considerations you should study before investing in credit card tokenization.
- Storage pricing. Those hosting their own tokenization platform in-house must plan for additional architecture and memory storage that goes beyond the initial cost of implementation, especially those using single-use tokenization. With single-use tokenization every transaction equates to a newly generated token, which consumes storage and slows down lookup response time. For those using a cloud-based provider, more storage will still cost you, but your infrastructure can remain the same.
- Implementation. Before you even talk to a tokenization provider, you need to understand where sensitive data exists in your environment. The best way to do this is through a card flow diagram. With this diagram, you can answer questions like, what technologies/people/software store, handle, maintain, and transfer credit card data? Then you have to answer the even bigger question: will you roll tokenization out all at once, or in phases across the different acceptance channels?
- Choosing the right tokenization solution provider. PCI tokenization as a technology is pretty straightforward. The hard part is selecting the right partner. First you must decide if using a third party, or using a payment processor is right for you. Using your payment processor as your tokenization solution provider limits you to processing only with that processor, but you may be able to work out a pretty good implementation deal. However, with third party PCI tokenization solutions like TokenEx, it’s simple to work with multiple payment processors. Ultimately you’ve got to decide what’s right for your unique environment and business model.
5 things businesses should know about tokenization
I asked Pezold what he wished every business knew about tokenization, and he responded with these five thoughts:
- Encryption is not tokenization... and using encryption as a means of tokenization leaves a company at risk.
- Tokenization is applicable and should be used across all sensitive data sets (with the right provider).
- Tokenization is more about implementation than the actual technology.
- Tokenization provides varying degrees of scope reduction in the PCI DSS arena.
- There are common pitfalls to implementing tokenization correctly, so it’s critically important to partner with a vendor who understands how to implement tokenization correctly across both technology and security/compliance/risk.
For more information about tokenization products and how they could affect your PCI DSS requirements, check out tokenization guidance from the PCI SSC.
Mike Reisen is a Security Analyst and has been with SecurityMetrics for over 2 years, doing PCI DSS assessments. He is a graduate of the University of Utah, and has worked in the IT industry for over 15 years.