What is tokenization?
Tokenization is a process in which the PAN is replaced by a value called a token. Its security rests mainly on the infeasibility of determining the original PAN from the token value alone, and it also depends on the strength of the process used to generate the token.
The most important advantage of this technique is that it reduces the amount of card data stored in the PCI DSS environment: instead of PANs, only the arbitrary token values are held, which mitigates the risk involved.
This solution does not remove the need to comply with PCI DSS. However, it reduces the effort necessary to implement the requirements of the PCI DSS standard.
How to generate a token?
The token generation requires a process or method to create it. Generally, its creation includes but is not limited to the following:
- A mathematically reversible cryptographic function based on a known strong cryptographic algorithm and strong cryptographic key.
- A one-way, non-reversible cryptographic function (e.g., a hash function with a strong, secret salt).
- Assignment through an index function, sequence number or a randomly generated number (not mathematically derived from the PAN).
Tokenization and Security
When assessing the security of a tokenization process, it is important to consider all the elements involved: the technologies and mechanisms used both to capture cardholder data and to process the transaction through the business environment.
There are numerous ways to implement a tokenization solution. As a general principle, tokenization and de-tokenization operations should occur only within a clearly defined system that includes a process for authorised applications to make tokenization and de-tokenization requests.
The tokenization solution should also address the potential of the attack vectors and the risks either created or mitigated by these systems. Merchants and service providers should continue to monitor for new threats and potential risks to their existing use of tokenization.
The systems and processes of tokenization must be strongly protected with security controls and monitoring to ensure their efficacy.
When token generation is based on a reversible encryption method, the token is the result of applying an encryption algorithm and cryptographic key to the original PAN. The token is therefore an encrypted PAN, which is subject to the following considerations:
5 Tips to consider
- The tokenization process should not be applied to protect sensitive authentication data. As explained above, such a token is encrypted data derived from the original value. Therefore, sensitive authentication data (full magnetic stripe data or its chip equivalent, CAV2/CVC2/CVV2/CID and PIN data) cannot be stored by means of a token, as explained in PCI DSS Requirement 3.2.
- A tokenized PAN and a truncated PAN must not coexist in the same field, because a malicious individual with access to both versions could rebuild the original PAN. If they do coexist, additional controls must be implemented to ensure that the two versions cannot be correlated to reconstruct the original PAN.
- A PAN should not be predictable from knowledge of one or more tokenized PANs.
- Recovering a PAN from its token must be computationally infeasible, even with knowledge of one or more other tokens.
- The ability to recover a PAN from its associated token must be restricted to specifically authorised individuals, applications and/or systems. Any system component that can be used to recover PAN data must be protected according to PCI DSS and is therefore within the scope of PCI DSS.
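As an added example (not code from the original page or from the PCI SSC), a minimal Python token vault implementing the random-assignment method from the generation list above and the last three tips: tokens carry no information about the PAN, the only way back is the vault, and de-tokenization is limited to authorised callers. Assumed details: the token keeps the last four digits of the PAN with the rest random, candidates that pass the Luhn check are discarded so a token can never be mistaken for a live PAN, and the caller names and the well-known test PAN are constructed.

```python
import secrets

def luhn_ok(digits: str) -> bool:
    """Luhn check. Real card numbers pass it; issued tokens are made to fail it."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0

class TokenVault:
    """Random-assignment tokenization: the token is not derived from the PAN,
    so the only way back is a lookup in this vault, which stays in PCI DSS scope."""
    def __init__(self, authorised_callers):
        self._by_pan, self._by_token = {}, {}
        self._authorised = frozenset(authorised_callers)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:                 # same PAN -> same token (recurring use)
            return self._by_pan[pan]
        while True:                             # assumed format: last 4 kept, rest random
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # reject collisions and Luhn-valid candidates, so a token is never a live PAN
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_pan[pan], self._by_token[token] = token, pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """PAN recovery is restricted to explicitly authorised callers."""
        if caller not in self._authorised:
            raise PermissionError(f"{caller!r} may not de-tokenize")
        return self._by_token[token]

def demo() -> dict:
    """Constructed walk-through with a well-known test PAN (not a live card)."""
    vault = TokenVault(authorised_callers={"settlement-service"})
    pan = "4111111111111111"
    token = vault.tokenize(pan)
    try:
        vault.detokenize(token, caller="web-frontend")
        refused = False
    except PermissionError:
        refused = True
    return {"token": token, "same_token_on_repeat": vault.tokenize(pan) == token,
            "round_trip": vault.detokenize(token, caller="settlement-service") == pan,
            "unauthorised_refused": refused}
```

The two dictionaries stand in for the vault's protected store; in a real deployment that store, and every component allowed to call `detokenize`, is the part that remains in PCI DSS scope.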
The tokenization solution can be implemented in several ways according to the need of the business you are trying to protect.
In addition, you must implement appropriate security controls, including the assignment of roles and responsibilities for the tokenization and de-tokenization processes, to ensure the proper scoping of the CDE and compliance with the PCI DSS requirements.
If you have any further questions about using tokenization for your organization, please feel free to contact us.
Source: PCI security standards