Abstracting and encrypting cardholder data are powerful security practices that have the potential to transform the payment industry and benefit all stakeholders in the transaction chain.
Pretty soon, your credit card information will be worthless, and that's a good thing. Credit card security is moving away from building barriers against theft of cardholder data and toward making stolen cardholder data impossible to turn into money. By abstracting the data so that the true cardholder data cannot easily, or perhaps ever, be derived from it, the real values can be replaced with surrogate values that only have meaning within the context of an individual transaction. That is potentially a much more effective way to protect cardholder data and mitigate credit card risk than guarding the real data everywhere it flows.
At the forefront of this utopian vision to protect cardholder data are two interrelated, yet independent, technologies:
- Tokenization – the process of extracting valuable data, such as a credit card number, and replacing it with a surrogate value (a token) from which the original cannot be recovered without the tokenization provider's mapping, and which therefore cannot be monetized if stolen.
- Transaction Encryption – the process of encrypting cardholder data at the moment it enters any system, such as a POS terminal or an eCommerce website, and transporting only the encrypted value to its destination, where it is decrypted for transactional purposes. An attacker who compromises any system in between obtains only ciphertext, which is unusable in open markets without the decryption key.
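As an added illustration of the two technologies just defined (example code written for this page; it is not a vendor product, Forrester's own code or an industry-standard design): a Go program in which a simulated PED encrypts a swiped card number with AES-GCM under a key it shares only with the acquirer, and the acquirer decrypts it, validates it and issues a random token that keeps the last four digits, can never itself pass as a card number, and maps back to the card number only inside the acquirer's vault. The PED/acquirer split, the in-memory vault, the last-four convention, the function names and the Visa test card number are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// luhnValid is the Luhn check: it validates incoming PANs and, negated, guarantees no token can pass as a card number.
func luhnValid(s string) bool {
	sum := 0
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 { // not a digit (the byte subtraction wraps)
			return false
		}
		if (len(s)-i)%2 == 0 {
			d = d*2%10 + d*2/10 // every second digit from the right is doubled and its digits summed
		}
		sum += d
	}
	return sum%10 == 0
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// pedSwipe runs inside the terminal under the acquirer-injected key; merchant systems only ever see its output, nonce||ciphertext||tag.
func pedSwipe(aead cipher.AEAD, pan string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// Acquirer holds the PED key and the token vault, an in-memory stand-in (an assumption of this example) for an HSM-backed store.
// Detokenization is a vault lookup that never leaves the acquirer.
type Acquirer struct {
	aead  cipher.AEAD
	vault map[string]string // token -> PAN
}

// Tokenize authenticates and decrypts a swipe blob, validates the PAN and returns a token meaningful only for this transaction.
func (a *Acquirer) Tokenize(blob []byte) (string, error) {
	ns := a.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("malformed blob")
	}
	plain, err := a.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", errors.New("authentication failed: tampered blob or wrong key")
	}
	pan := string(plain)
	if len(pan) < 12 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a valid PAN")
	}
	tok, err := a.newToken(pan)
	if err == nil {
		a.vault[tok] = pan
	}
	return tok, err
}

// newToken keeps the last four digits (receipts, customer service) and replaces the rest with random
// digits, so the token has no mathematical relation to the PAN; candidates that would pass Luhn or
// collide with an issued token are rejected.
func (a *Acquirer) newToken(pan string) (string, error) {
	tok := []byte(pan)
	for {
		for i := range tok[:len(tok)-4] {
			d, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				return "", err
			}
			tok[i] = '0' + byte(d.Int64())
		}
		if t := string(tok); !luhnValid(t) && a.vault[t] == "" {
			return t, nil
		}
	}
}

func main() {
	key := make([]byte, 32) // AES-256 key, generated here for the demo; real PEDs receive it by key injection
	rand.Read(key)
	aead, _ := newGCM(key) // cannot fail for a 32-byte key
	acq := &Acquirer{aead: aead, vault: map[string]string{}}
	blob, _ := pedSwipe(aead, "4111111111111111") // constructed Visa test PAN
	fmt.Println(acq.Tokenize(blob)) // the merchant keeps only the token
}
```

Run it with `go run`. In this model the merchant's systems hold nothing but the blob in transit and the returned token, which is the property that takes them out of the path of usable cardholder data. The token-generation loop is the design choice to check in any vendor's product: because the token is drawn at random rather than computed from the card number, nobody without the vault can recover the number from it, and because a candidate that passes Luhn is thrown away, a leaked token can never be mistaken for, or replayed as, a card number.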
From a merchant perspective, the goal of tokenization and transaction encryption is to protect cardholder data by eliminating it from merchant environments, which reduces the merchant's obligations under the Payment Card Industry Data Security Standard (PCI DSS). Although both technologies are still in their early stages, many merchants wish to adopt them now. In fact, recent research from Forrester Research Inc. indicates that merchants' appetite for tokenization is outpacing the industry's ability to provide a mature, industry-accepted tokenization product.
However, both technologies are immature, and there are several steps organizations should take when evaluating tokenization or transaction encryption products. Forrester recommends that security and risk professionals take the following steps:
1. Take it slow -- Security and risk professionals who are considering tokenization need to make certain their chosen provider is contractually obligated to respond to changes in the payment ecosystem that may affect the product. Each vendor implements tokenization differently, and a particular implementation may be shown to be problematic or insecure once it has been vetted by researchers and real-world attacks. This has happened in other areas of security, such as the discovery that the wireless protocols WEP and LEAP were insecure. The questions to put to a vendor follow from the definition above: can the card number be recovered from a token by anyone who does not hold the provider's mapping, and how are that mapping and the keys protecting it secured? The card brands and the PCI Security Standards Council (SSC) have not fully weighed in on this issue yet, so be aware that any product currently on the market is merely a guess as to the proper way to implement tokenization.
Companies adopting these technologies today are buying a highly customized product. Over time, the market will weigh in and stabilize costs, but early adopters should expect to pay a premium. Expect acquiring-side entities to implement transaction encryption and tokenization quickly, as the short-term costs will be inconsequential compared to the reduced risk of a data breach and the immediate value to their customers.
2. Review how data is captured in a tokenized system -- It's important to understand the two different ways in which merchants accept credit cards: card-present and card-not-present transactions. Each type of transaction needs a specialized product in order to take advantage of tokenization. While card-present transactions will be the primary use case for tokenization, card-not-present transactions (i.e., online or over the phone) can also be secured by it.
PCI DSS scope reduction may well rest on how the cardholder data is captured and encrypted by the PIN entry device (PED) in a card-present transaction. Make certain that cardholder data never passes from the PED to any other system, including the POS register and the store network, in unencrypted form. Since the overseers of PCI and credit card security have not weighed in on this yet, play it safe and upgrade your swipe devices to ones that are cryptographically enabled and encrypt the cardholder data in hardware at the PED, before it reaches any software the merchant operates.
3. Find ways to extend the value of tokenization and transaction encryption -- Although most companies are considering adopting tokenization or transaction encryption for PCI DSS compliance purposes, remember that other data may benefit from these technologies. If you deploy one of these technologies in-house, you may be able to tokenize other sensitive data, such as personally identifiable information (PII), or protected health information (PHI). An investment in tokenizing cardholder data can therefore be extended to almost any other type of regulated data, easing your compliance burden overall.
About the author:
John Kindervag is a senior analyst at Forrester Research, where he serves security and risk professionals. He will be speaking at Forrester's 2010 IT Forum in Las Vegas, NV, May 26 – 28.