
First Data, RSA push tokenization for payment processing

The encryption-token service could compete against vendors offering format preserving encryption to secure payment transactions.


First Data Corp. and RSA announced a new service Tuesday that the two companies claim is the first of its kind to combine encryption and tokenization technology to secure payment transactions.

Called First Data Secure Transaction Management, the service uses RSA's SafeProxy tokenization technology to strip credit card data from merchant systems. It adds end-to-end encryption from the point-of-sale (POS) system to the processor while replacing credit card data with RSA tokens. Once a transaction is authorized a token is assigned to replace the credit card number.

Michael Capellas, CEO and chairman of First Data, said the service is designed to cut down on the cost and complexity of maintaining compliance with the PCI Data Security Standard (PCI DSS). First Data is one of the world's largest credit card processors, processing more than $1.4 trillion in transactions in 2008.


The service uses First Data infrastructure by storing credit card data in secure servers for future retrieval by the merchant if necessary, while returning tokens to the merchant for use in their systems, Capellas said.

"Securing payments has become the top priority of most merchants," he said. "Up until now merchants were forced to find security solutions on their own contracting with various third parties adding bolt-ons to their applications and particularly adjusting their point of sale."

Tokenization technology, invented by Shift4 Corp., is used by some merchants to meet PCI DSS, which mandates that credit card data can't be stored on the retailer's POS system. Tokens are simply a randomly generated set of numbers, designed to stand in for sensitive credit card numbers. Experts say tokenization technology is cheaper for merchants to deploy than full encryption, since all that is needed is a driver install on POS equipment.

The First Data-RSA service is different in that the tokenization would take place on the processor side, which means few changes would be necessary at the POS, said Ramon Krikken, an analyst at the Burton Group.

"Compared to technologies that would perform a new form of encryption on the POS, this does appear to be an easier-to-implement solution," Krikken said.
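To make the processor-side model described above concrete, here is an added illustration (not First Data's or RSA's code) of a token vault that lives with the processor: the merchant only ever receives a random token of the same length as the card number, and only the vault can map it back. The choice to make tokens fail the Luhn check, so that a scan of merchant data can tell a token from a leaked card number, is an assumption of this example, not something the article states.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn check. Real card numbers pass it; the tokens below deliberately
    do not, so a scan of merchant data can tell a token from a card number."""
    total = 0
    for i, digit in enumerate(reversed(number)):
        n = int(digit)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

class ProcessorTokenVault:
    """Processor-side vault: the PAN is stored here, the merchant keeps only a token."""
    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def _random_token(self, length: int) -> str:
        # Token digits come from a CSPRNG, so nothing about the PAN can be
        # recovered from the token without the vault. Same length so the
        # merchant's existing card-number fields still fit. (Assumption: tokens
        # are generated to fail Luhn so they are distinguishable from real PANs.)
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(length))
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        # A repeat card gets the same token, so the merchant can match
        # transactions by token without ever seeing the PAN.
        if pan not in self._pan_to_token:
            token = self._random_token(len(pan))
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        # Only the processor can reverse a token; the merchant has no equivalent.
        return self._token_to_pan[token]

def authorize(vault: ProcessorTokenVault, pan: str, amount_cents: int) -> dict:
    """Simulated authorization response: the PAN reaches the processor over the
    encrypted POS link, and the merchant gets back a token in its place."""
    return {"approved": True, "amount_cents": amount_cents, "token": vault.tokenize(pan)}

def merchant_store_holds_pan(records: list) -> bool:
    """Scope check a merchant might run: does any stored value look like a real card?"""
    return any(luhn_valid(r["token"]) for r in records)
```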

First Data Secure Transaction Management installation:

For countertop terminal merchants, First Data Secure Transaction Management will be fully integrated. Merchants can take the terminal out of the box, plug in the peripherals, plug in the power supply and follow the activation steps outlined in the documentation. Public key rotation will be automated so there will be no special processes or secure environments required to perform this function.

For merchants running integrated POS systems and/or VAR applications, the infrastructure requirements will be minimal. First Data will provide the merchant or VAR with the public key file to be integrated into their POS software. It will also provide guidance to the merchant on how to implement support for the token being returned to the POS in the authorization response.

- RSA spokesperson

The initial challenge holding up adoption of tokenization by processors has been latency, Krikken said, since the tokenization step is added to the transaction time. First Data performed performance testing to ensure that tokenization would not push transaction times over its set boundary.

Other payment processors are likely to follow, Krikken said. Still, other methods will compete with the First Data-RSA service. VeriFone Holdings Inc. sells VeriShield Protect, a format-preserving encryption technology installed in the payment terminal that also requires a decryption appliance to be installed at the host processor or the merchant's switch. Meanwhile, Voltage Security is partnering with Heartland Payment Systems Inc. to use Voltage's format-preserving encryption in its end-to-end encryption (E3) software to protect payment processing.

Krikken said in-motion encryption combined with token technology and format-preserving crypto solve the same problem in slightly different ways. Merchants will have to evaluate their architecture and the methods offered by their processor before deciding which way to proceed. From the retailer's point of view the effective security should be similar, he said.

Thomas Heiser, senior vice president of RSA's global customer operations, said the RSA token technology provides public key encryption for transaction data in motion, in storage and during use.

"They no longer have to store credit card numbers on site," Heiser said. "It's unique in that it uses encryption and tokenization at virtually every point of the cycle." 

First Data plans to begin rolling out the service in North America. There are no new hardware deployments or data servers that must be installed in the merchant location. First Data said it would also work with the merchant to tokenize existing transaction data in the merchant's data warehouse to remove it from the environment. RSA and First Data did not release the cost of the new service, but said there would be no separate fee for storage.

While tokenization does help merchants meet PCI requirements, it is not a panacea for compliance, John Pescatore, an analyst at Gartner Inc., wrote in a recent blog post on the technology.

"Tokenization does not replace encryption, but in many scenarios it can help reduce the number of places that card data (or any other type of sensitive data) is stored – which is invariably a good thing," Pescatore wrote.
