This is page 2 of:
The Yin-Yang Of Tokenization, Vendors Now Splitting Into Two Camps
The First Data approach is slated to go into pilot in January 2010 and be offered for mass market use by March. The company has offered no meaningful details about pricing or about the security it is deploying to protect the card data it is asking to guard.
Unlike an approach being pushed by Heartland, the First Data approach requires no hardware, and its public key encryption service is supposed to sit atop whatever infrastructure (card swipe, POS, etc.) the retailer already has, “as long as you’re running reasonably newer devices” accepted by current PCI guidelines, said Craig Tieken, vice president of merchant product management at First Data. “This public key encryption will work within those devices.”
There is a brief period after the swipe where the data is unencrypted, he said. But it wouldn’t likely be of value to anyone attacking the retailer’s network, because the data is never stored there. It could be at risk for thieves who physically tamper with the swipe devices in-person. However, that’s the kind of data theft this service was designed to thwart, Tieken said.
“If you’re going after device-level tampering, that’s a whole different model,” he added. “Even full Chip- and PIN-compliant devices have been tampered with. This isn’t going to prevent you from stealing” in that way.
Neither First Data nor RSA provided many technical details about their approach, and a promised diagram of the transaction process never materialized. Tieken said that First Data is prepared to change the system depending on what the industry—especially the PCI Council—pushes for. “This isn’t something that will be a static offering,” he said, adding that if PCI had other preferences, “we could migrate to something else, such as AES.”
The Voltage approach is slightly more specific as to pricing–$65,000 and higher—but not in terms of the number of transactions that fee covers, which tends to make the price meaningless. Their package is designed to allow retailers to create their own packages, but it includes a key server, transformation routines and a management console, among other pieces of software, Voltage’s Ahmad said.
-Marc
September 24th, 2009 at 9:35 am
The only question about tokenization is “Why did it take so long?” The greatest vulnerability to customer card data occurs when it is in “clear text” format. The sooner it is encrypted, hopefully before it is first recorded, the more difficult it will be to steal. Tokenization based on a private encryption key that is unique for each retailer will reduce the vulnerability of data. Even if some programmer in a particular retailer figures out how to decrypt the data stored in their files they will not have the private keys of other retailers and be able to use customer cards anywhere but their own stores.
But both the approaches discussed here have their merits. While card data needs to be encrypted as soon as possible, the retailer has the need to encrypt other customer data they carry in their databases. Should every programmer be able to read customer names and addresses in their frequent shopper databases? A tool (or framework) that simplifies the management of public and private keys to support encrypting of various data elements would be helpful for everyone.
September 24th, 2009 at 11:56 am
There are many trade-offs between end to end (E2E) and tokenization (TOK).
As this article points out, even within the TOK world, there is a difference between a hosted and an on-premise solution. Like all cloud computing, the sticking point always comes down to security, privacy, and liability. FDR [Editor’s Note: We assume this is a reference to First Data and RSA Security] certainly has the ability to provide as strong a security for the token server as anyone, but what will they offer in a contract?
The key concern about TOK is the security of the token server and performance. The security issue is obvious, since it would be the motherlode of card data. The performance issue comes into play any time a client system needs to convert to or from a token. This would be similar to the performance characteristics of going to an external HSM for PIN processing, except the I/O path to token server might be much longer. It would all depend on how often the conversion was needed.
The key concern about E2E is the strength of the card data encryption algorithm. Typically, this is format preserving encryption (FPE) that uses a crypto algorithm like AES in a new mode. Several have been submitted to NIST (http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html) but none are yet approved, either by NIST or ASC X9. It would be terrible to widely deploy an E2E solution, only to find that the bad guys can crack it.
And finally, as the Smart Card Alliance pointed out, why spend a ton of money as a nation on new terminals and systems, when contactless EMV makes the card number worthless? And the main answer is that E2E or TOK can be done on a piecemeal basis, whereas EMV requires adoption by issuers, consumers, merchants, processors, acquiring banks, and the brands. Unless someone finds a value prop that pulls all those entities together, soon, E2E and TOK make the most commercial sense.
September 24th, 2009 at 7:02 pm
There are two big hurdles that the Voltage will need to overcome — price point and PCI scope. This article was the first I saw the $65K price tag and if this is the case, it will make their solution only financially feasible for level 1 & possibly level 2 merchants. PCI scoping wise, a merchant hosted solution, in most cases, does not reduce the risk profile for the merchant since the cardholder data still resides at the merchant’s location. It may help some with specific applications, but overall it’s just moving the risk around within the merchant location.
To me, the First Data/RSA approach has a much broader marketplace because it’s financially feasible for level 1-4 merchants and offloads much of the risk. Shift4 has been in the tokenization arena since the inception of the phrase so we have first hand knowledge of the hurdles that will need to be overcome for any company just stepping into the arena.