Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Tokenization Posts

As a frequent business traveler, I appreciate the little amenities a hotel can offer me to save me time. One such amenity that’s starting to emerge is the use of smartphones to check-in, order services and check-out.

Imagine this: On the date you’re set to arrive, you get a welcome text message from the hotel with a web address you can visit to check in. Once the check-in is confirmed, your room number and key are sent to your phone, along with a separate notification telling you when your room is ready. When you arrive at the hotel, you can bypass the front desk altogether and go straight to your room, where the door may be unlocked using your phone.

Recently, Merchant Link was invited by a hotelier to explore how we might extend the use of tokens so that we’re not only using them to safely store guest cardholder data for payment, but also using them as the primary way to authenticate and track a particular guest in the system and enable advanced applications such as this smartphone app.

With most security solutions, the encrypted card number stored in the database is different every time the guest uses that card. With card-based tokens, the same token is returned for a particular card each time the guest uses it. This functionality provides a way for hoteliers to accurately track guests and provide extended services to them.

I recently came across another partner that is using our card-based tokens to “match and merge” guest profiles to consolidate records and prevent duplicates. This is much more reliable than, say, using a name or address, which may have been entered incorrectly or incompletely. This used to be done using card numbers, but with encryption this just wasn’t possible without decrypting the card data first and opening a security gap.

The list doesn’t stop there though. Card-based tokens work well for a host of other uses:

  • Velocity checking and fraud prevention
  • Rewards profiles
  • Cross channel tracking
  • Business analytics

What other uses do you have for card-based tokens? Let us know by leaving a comment below.

There is little question these days that tokenization is an effective way to secure sensitive data and potentially lower PCI compliance costs. What people are still debating is HOW you go about implementing a tokenization solution and what considerations must be made in doing so. What is the best token generation method? Should you build an in-house solution or work with a third party vendor? Is the tokenization process and storage facility secure? Do tokens expire? Is it possible for collisions to occur between tokens, or between tokens and real PAN information?

As is frequently the case, the answer to all these questions is… it depends. Safe to say that there is no “one size fits all” solution. In order to find a solution that works best, companies must review their environment, the size and type of their business, and match specific capabilities against their existing business processes.

Today we hope to “demystify” some common tokenization components and uncover the myths surrounding various implementation approaches. Let’s start by defining what “tokenization” is.

Simply put, tokenization is the process by which we replace a valuable piece of information with a meaningless number or token. While all types of sensitive data can be tokenized, for the purpose of this discussion, the data in question is the PAN or Primary Account Number.

Randomly generated tokens are more secure than tokens generated using a sequential method.

According to the PCI Security Standards Council’s Tokenization Guidelines, the most important requirement in generating a token is that you cannot reverse engineer the token to derive the original PAN. Let’s look at an example.

Original Card Number
3872 3789 1620 3675

Resulting Token
3898 2783 2990 3675

In this example, another 16-digit number was created where the first 2 and last 4 digits of the PAN were retained, so the card type is still identifiable within the newly generated token. (In payment applications it is often advantageous to retain the 16-digit format of the original card number because other systems that use the card numbers need not be altered to accommodate the tokens. This is called “format-preserving” tokenization.) The resulting token cannot be used as a financial instrument and has no value other than as a reference to the original transaction or real account. The 10 digits in the middle can be generated using a random number generator or as part of a sequential counter. Either way, what is important is that there is no direct mathematical relationship between the credit card data and the token. As for those who claim the random method is more secure, the probability of someone “cracking the code” when it comes to the sequential method is akin to getting struck by lightning while inside the president’s secret underground bunker. I could go into more detail and explanation, but I’d need more space than this forum allows (and fear I’d lose some readers along the way).

“Vaultless” tokenization is faster and more scalable than a “vaulted” solution.

There have been some articles suggesting that as the token vault grows, performance is affected and token “collisions” may occur. A token collision refers to a scenario where the same token could be generated for two different PANs. Another concern is a generated token that turns out to be the actual PAN of another cardholder.

From the perspective of a traditional database model, it’s not unreasonable to assume that as a token database grows, token generation or retrieval requests could lead to latency issues. However, vendors with vast experience and expertise in “vaulted” tokenization methodology have designed systems to account for growth over time. Their network architecture is well thought out, thoroughly tested, and secure. Their transactions flow in ways that allow for multiple processes to occur in tandem so transactions can be routed immediately for processor approval or funding.

The devil is really in the details, and rather than lead you down another rabbit hole discussion, suffice to say that you shouldn’t believe every blanket claim you read. Ask prospective tokenization providers about their specific methodology and how they prevent latency and collisions.

Another important question to ask, particularly in a “vaultless” tokenization scenario, is how you will retrieve a PAN if you need it. Problems and issues sometimes occur, and it’s important that vendors are able to quickly and securely access information and offer support in resolving them. The system requesting the PAN should be a validated system authorized to perform the request. The use of multi-factor or certificate-based authentication can address this need. In addition, there should be a system of monitoring and alerts to ensure the request is from a valid source and to flag any abnormal activity.

Home grown or premise-based tokenization is better than using cloud-based or third-party vendor hosted tokenization.

As stated earlier, there is no “one size fits all” solution that works best in all circumstances. There are many factors to consider when selecting a tokenization solution that fits your business needs, security and PCI goals. Home grown and premise-based solutions offer you total control over the tokenization implementation but require a great deal of expertise not typically found in the average IT department. “Vaultless” tokenization is effective for large data-to-token conversions and higher volume merchants, but additional questions should be considered for the handling of recurring payments, credits, refunds and other business practices that require the recall of a specific transaction or card number. Token requests and retrieval of the original payment data can put the segments of the merchant network infrastructure involved back into the cardholder data environment (CDE).

For merchants looking to reduce their PCI scope as much as possible, cloud-based or hosted tokenization is an attractive option. With a cloud-based solution, stored PAN data is completely removed from the local IT environment. The card data is stored in a secure off-site “vault”, safe from hackers attempting to gain access to sensitive information. Hosted tokenization allows the merchant to run their business without the worry of possible data theft as well as the added benefit of reducing PCI scope and costs.

Yes, there is much to consider when selecting a tokenization strategy but the process shouldn’t require the average merchant to spend their valuable time researching every component. By partnering with a reputable and well established solution provider, understanding the basic concepts of tokenization and asking good questions, you can find a tokenization solution that fits both your security goals and your budget. We invite you to share your experiences, questions and comments below.

There has been much discussion on credit card security and the use of card-based vs. transaction-based tokens. What is the difference exactly? Transaction-based tokens relate to individual transactions: with transaction-based tokenization, a new token is created each time a transaction occurs. Card-based tokens are generated for each card number: in this approach, the same token is reused every time that card number is used. Hoteliers will find a great deal of value in card-based tokens. Card-based tokens maintain the history critical to guest satisfaction, loyalty programs and marketing analytics.


Guest Preference and History
For the hotelier, a card-based approach means that you can track all guest transactions within the establishment to one folio/card number. All guest purchases, from their room charge, dining, spa services or gift shop purchases, can be tracked and identified by the card-based token. Guest preferences associated with the profile will flow to the reservation and tie to the same token. In addition, even if the guest has multiple stays the token remains the same. This methodology is extremely useful for multi-property and chain environments where a central reservation system is in use. All guest stay history can be tracked across the entire chain.

Technology Footprint
IT departments responsible for maintaining and supporting the property management system environment will appreciate card-based token technology as well. Card-based tokens do not require as much database storage as transaction-based systems. The one-to-many relationship used for card-based tokenization uses less database real estate.

Operations Impact
Accounting and audit functions are also streamlined with card-based tokens. Credit card batch settlement reports are simplified since all incremental transactions roll up to one card number. It is faster for accounting personnel to look up charges on guest folios. Bank statement reconciliation and research is also easier with card-based tokenization, since one card number is associated with multiple transactions on a folio.

As we all know, credit card security is becoming more complex to manage all the time. With card-based tokenization hoteliers can achieve the high level of security required while gaining operational advantages as well. Merchant Link invites your feedback and opinions on this topic. Please share your experiences or questions in the comment section below.

With 2011 and the “Year of the Data Breach” behind us, the hospitality sector still faces a world of challenges when it comes to payment security. As such, many in the industry are wondering what’s next when it comes to payment technology and security best practices. The SecurityCents blog aims to answer this question and much more in a series of podcasts with experts who will shine a light on trends for the next 12 months.

Today, we are speaking with Abby Lorden, the editor-in-chief of Hospitality Technology Magazine, who provides key insights into the latest issues and product innovations hospitality providers will be focused on in 2012.


Immediately following the New Year, you probably noticed a few changes. The gym parking lot was jam-packed. Every other commercial on TV was for some kind of home workout tape or weight loss solution. Nearly every store was highlighting the “new you.”

Not even thirty days have gone by and things are starting to change again. People are falling off the bandwagon. Grocery stores are replacing the diet products with Valentine’s Day candy, and the commercials for diet plans and fitness products have reverted to ads about fast food chains and cars.

New Year’s Resolutions don’t last very long but there is one resolution that shouldn’t be let go.

Following the New Year, Hotel News Now featured a series of articles about New Year’s resolutions for hoteliers. One entire article in the series was dedicated to resolutions that hoteliers should consider in the area of data and network security. The highest priority “resolution” for hoteliers was encryption and tokenization of credit card data.

Hotels remain one of the most targeted businesses for data thieves. A quick fix to patch a security gap, or several to get through a PCI audit, simply can’t provide the long term, comprehensive protection needed to ensure that a hotel’s customers are safe from having their sensitive information stolen.

In order to ensure that customer data is safe, hoteliers need to evaluate end-to-end security solutions that can protect customers’ sensitive data while on the move and at rest. Today’s advanced cloud-based tokenization and encryption solutions are enabling hoteliers to become PCI compliant and beyond by removing customer data from the company’s network completely.

These solutions protect data on the move and at rest by encrypting and tokenizing data and storing it off of the network in a secure location. This ensures hotel patrons can rest easy because even if the information is compromised, the tokens are useless to data thieves.

But why is it so important for hoteliers to not give up on their resolution to better protect customer credit card data? Because it’s not just about the damage to the customer or the hotel brand; a data breach can hit a hotelier hard in the wallet.

The cost of data breaches is perpetually increasing. In addition to customers losing faith in the brand, companies that are hacked often find themselves footing the bill for expensive credit monitoring services for victims. They also expend resources on PR campaigns to help mitigate damage to the company’s reputation.

Although this time of year is often when New Year’s resolutions begin to die, hoteliers who made a resolution to better protect their customers’ valuable credit card data need to stay strong. With the cost of a breach rising and the hospitality industry the prime target for data thieves, they simply can’t afford to take their eye off the prize.

We’ve all heard of flash mobs, or groups of people that meet in a particular place and do something fun, creative or unique, such as break out in dance or song. These flash mobs are an interesting phenomenon that have even broken into the mainstream, being parodied in advertisements and featured in TV shows.

But have you heard of flash attacks? They’re not nearly as innocuous and fun as flash mobs, and they can directly result in loss of money and damage to retailers’ brand reputation.

Flash attacks are what Gartner analyst Avivah Litan calls credit card skimming schemes, something we’ve discussed previously on the blog. Essentially, credit card skimming involves individuals either tampering with, or otherwise replacing, credit card readers on point-of-sale (POS) devices within retail establishments. These tampered or replaced devices then compromise the credit card data of the cards that pass through them.

As described by Avivah in her latest blog post, these credit card skimming schemes, or flash attacks, are extremely sophisticated. More than simple acts of vandalism by random data thieves, these are highly targeted, well-planned attacks by organized groups.

So how do these criminal operations work? Group ringleaders hire individuals to install skimmers into the POS devices or replace the equipment. From there, counterfeiters take the data and create cards, complete with PINs taped right on.

More individuals are recruited to then hit ATMs and other retail establishments where they can get cash or products that are easily resold (electronics, etc.). The attacks occur quickly and can take place in the country where the theft occurred or in other countries. The individuals withdrawing money or making purchases are instructed to pace themselves and otherwise avoid fraud detection systems.

Avivah’s blog post is an eye-opener and really highlights just how dubious and organized the people running these credit card skimming scams truly are. It’s frightening just how calculated, educated and efficient these attacks can be.

With the National Retail Federation (NRF) annual convention coming up next month, data theft and security issues facing retailers and merchants will be taking center stage. It’s important that retailers educate themselves about the attacks that are occurring, and familiarize themselves with the technologies and solutions available to help eliminate their risk. As the cost of a data breach continues to rise, no retailer can afford to be caught by surprise.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011, I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and securing sensitive data. The first documents were released in late 2010 and focused on point-to-point encryption, followed by tokenization and virtualization. In the New Year, the Council will focus on three new areas: cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance. In some cases, it’s really just unsubstantiated marketing hype. At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope, and we wanted to offer our customers a third-party validation of this fact. Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security. As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog, which we avidly follow here at Merchant Link. For this podcast, Avivah focused on key trends in payment security, specifically as it relates to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here! Finally…well…sort of. The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with the mobile wallet, using Near Field Communication (NFC) to allow for data exchange with point-of-sale (POS) technologies. From the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards to their phones. It’s been an interesting progression to watch and something we will certainly keep an eye on, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011? Share them with us by posting a comment below.

The top executives of retail companies have a list of business functions, products and services that they’ve been told they “just have to have.”

Public relations, marketing, advertising…all considered a necessity if you want consumers to know you exist. Information security hasn’t always been at the top of that list, but retail executives are starting to wake up and realize the negative impact a data breach can have on their company.

Why the change? Data breaches are hitting retailers where it hurts – in their wallets.

Just this week, the Financial Times featured an article on the cost of data breaches and the need for data security. The article references British mega-chain, Marks & Spencer, which operates hundreds of M&S department stores and Simply Food markets in the UK, as well as more than 325 locations in countries such as China, India, Indonesia, and South Korea.

Marks & Spencer, which touts that around 21 million people visit its stores each week, was the victim of data thieves that stole customer email addresses from one of the company’s email marketing vendors. The exact cost of the breach wasn’t listed, but the company had to email all of their customers and warn them about the theft, which was undoubtedly a blow to their brand reputation.

Many other retailers that are the victims of data theft don’t get off that easily. Should financial or credit card information get compromised, credit monitoring services are often offered to customers at the company’s expense. Public relations and crisis communications staff or vendors are then needed to help control the situation and make it “go away.” Information security experts are needed to find vulnerabilities and ensure they are resolved.

It’s this cost to the company that has retailers looking at data security much more seriously. According to the Financial Times article, retailers are even looking at insurance policies designed to help offset the cost of a data breach. However, technology has created an even better “insurance policy” against data theft. Retailers are eliminating the data from their networks completely by utilizing tokenization and encryption solutions. These solutions ensure that the data, should it be stolen, is useless to data thieves.

For retailers of all sizes, data security is more than something that the company “should look into.” As more globally-recognized brands and small merchants alike fall victim to data thieves, the need for data security becomes increasingly apparent. If the Financial Times article is any indication, retailers are starting to wake up and embrace data security, and that can only mean good things for customers all over the globe.

Chartered as a working group of Hotel Technology Next Generation (HTNG), at least sixteen major hotel groups from around the world plan to work together to develop an industry security framework for handling sensitive credit card data – this includes dramatically improving the security of credit card processing by and for hotels while significantly reducing overall costs.

Following is an exclusive podcast with Douglas C. Rice, Executive Vice President and CEO, Hotel Technology Next Generation (HTNG), who discusses this new working group.

Avivah Litan is a vice president and distinguished analyst in Gartner Research and is a renowned expert in the area of payments security. She regularly publishes key industry research reports with regards to PCI compliance, has a well-read blog and is often quoted in the media discussing PCI compliance and payment security, among other things. Following is an exclusive podcast with Avivah Litan, who discusses key payment security trends and highlights the value of end-to-end encryption and tokenization.