Tokenization replaces sensitive information with a non-sensitive surrogate value. In payments, tokenization secures transactions and removes friction, and it shrinks the footprint of systems that fall into PCI DSS scope: a system that only ever handles tokens never stores the PAN, so it has far fewer controls to meet. The advent and growth of tokenization over the last decade has changed how sensitive card data is secured.
As a technology solution for securing payments, tokenization can be built or bought; that is a larger topic for another day. There are, however, several nuts and bolts that keep a tokenization solution stitched together, so let us look at the familiar jargon that often accompanies one, with some simple use cases.
These techniques complement each other and help construct a robust tokenization system across the payments ecosystem.
HSM (Hardware Security Modules):
- HSMs are used to securely generate, store, and manage cryptographic keys and to perform cryptographic operations inside a tamper-resistant boundary. The HSM works alongside encryption and plays an important role in tokenization.
- When a sensitive payment card number (Primary Account Number, PAN) is received, a token, a surrogate value that replaces the PAN, is generated either as a random value (with the PAN-to-token mapping kept in a vault) or by a cryptographic operation (e.g., format-preserving encryption) performed inside the HSM under a key that never leaves it.
- The HSM ensures that the tokenization process is secure and that tokens cannot be reverse-engineered to reveal the original PAN: a token is either random (it carries no information about the PAN at all) or the output of a keyed algorithm, never an unkeyed transform of the PAN.
- HSMs also manage and store the cryptographic keys used in the tokenization process. These keys are generated and kept inside the HSM, ensuring that they are protected from unauthorized access and cannot be exported in the clear.
- The mapping of PANs to tokens lives in a token vault. The vault itself is a database rather than the HSM, but its contents are encrypted under keys that the HSM generates and protects, and decryption of vault entries is routed through the HSM, so the application tier never sees the keys.
- HSMs can be bought off the shelf or built bespoke, but must be certified against industry standards (e.g., FIPS 140-2/140-3, PCI PTS HSM). An HSM can protect data at rest and in transit (e.g., holding the private keys behind TLS certificates) and can sit anywhere along the path from the customer entering card data, through the merchant and acquirer, to the card network and issuer.
Point-to-Point Encryption (P2PE):
- A point-to-point encryption (P2PE) solution validated against the PCI P2PE standard (and built on ANSI X9 and ISO cryptographic standards) encrypts card data at the moment the customer swipes, inserts, or taps their card, inside the terminal's secure reader, so the merchant's own systems only ever see ciphertext. Card data entered online is protected in transit by TLS rather than by P2PE.
- The encrypted data is then transmitted through the merchant's network and the payment network to the payment processor/acquirer. It is decrypted only at that secure endpoint (typically inside the processor's HSM), ensuring that the PAN is not exposed during transmission.
- Once decrypted, the payment processor processes the payment and replaces the sensitive card information (e.g., PAN) with a unique identifier called a token, which is returned to the merchant.
- The merchant can store the token in its databases and use it for future transactions (refunds, recurring billing) without needing to store the PAN. Only the payment processor or a secure tokenization service can map the token back to the original data, so a breach of the merchant's database yields tokens that are useless anywhere else.
- P2PE is generally applied between the merchant's terminal and the acquirer and protects data in transit; tokenization then protects the data at rest that results.
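The tokenization step described above, as an added example that is not part of the original article or any vendor's product. It issues random, format-preserving tokens (last four digits kept, everything else random, deliberately not Luhn-valid so a token can never pass as a card number), keeps one token per PAN via a keyed index, and models the HSM as an object whose key never leaves it. The class and function names are assumptions for the demo; the vault holds PANs in memory only because the standard library has no AES, and the comment marks where vault encryption belongs.

```python
"""Minimal token vault: random format-preserving tokens, a keyed index so one
PAN always maps to one token, and a simulated HSM boundary that keeps the key.
Added illustration only (standard library, no vendor API)."""
import hashlib
import hmac
import secrets


class SimulatedHsm:
    """Stand-in for an HSM. The key is generated inside and is never returned;
    callers only get the result of keyed operations. A real HSM would also hold
    the key that encrypts vault entries."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)  # never leaves the object

    def pan_index(self, pan: str) -> str:
        # Keyed hash of the PAN, used only to answer "have we seen this PAN?".
        # Unkeyed SHA-256 would be brute-forceable because the PAN space is
        # small and structured; the secret key is what prevents that.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation used by all card schemes."""
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Random token of the same length: keeps the last four digits (what
    receipts and support staff need) and randomises everything else. It is
    deliberately NOT Luhn-valid, so it can never be mistaken for a real PAN
    or submitted to a network as one. Nothing in the token is derived from
    the PAN, so there is nothing for an attacker to reverse."""
    while True:
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        candidate = body + pan[-4:]
        if not luhn_valid(candidate):
            return candidate


class TokenVault:
    """Maps tokens to PANs. In production each stored PAN is encrypted under a
    data key wrapped by the HSM; here it is held in memory to stay
    dependency-free (assumption for the demo)."""

    def __init__(self, hsm: SimulatedHsm) -> None:
        self._hsm = hsm
        self._pan_by_token: dict = {}
        self._token_by_index: dict = {}

    def tokenize(self, pan: str) -> str:
        # Reject anything that is not a well-formed PAN before it touches the vault.
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("rejecting input that is not a well-formed PAN")
        index = self._hsm.pan_index(pan)
        existing = self._token_by_index.get(index)
        if existing is not None:
            return existing                    # same card, same token
        token = make_token(pan)
        while token in self._pan_by_token:     # collision with another PAN's token
            token = make_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_index[index] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation: only the vault can reverse a token. Gate it
        behind access control in any real deployment."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(SimulatedHsm())
    test_pan = "4111111111111111"  # well-known test PAN, not a real card
    tok = vault.tokenize(test_pan)
    print(tok, tok[-4:] == test_pan[-4:], vault.tokenize(test_pan) == tok)
```

Detokenization is left unguarded here on purpose: in a real service it sits behind the RBAC/ABAC checks discussed under Access Control, and every call is logged with the caller's identity and the token, never the PAN.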
Hashing:
- When a customer makes a payment, their PAN may be hashed with a cryptographic hash function (e.g., SHA-256) to produce a fixed-size value that can be compared and indexed without revealing the PAN. A plain hash is not enough on its own: the PAN space is small and structured (known BIN, Luhn check digit, and often the last four digits printed on a receipt), so an unkeyed SHA-256 of a PAN can be brute-forced. PCI DSS v4.0 (Requirement 3.5.1.1) therefore requires a keyed cryptographic hash (e.g., HMAC-SHA256 with a key managed like any other cryptographic key) when hashing is used to render the PAN unreadable.
- The original PAN is then sent to a tokenization service, which generates a unique token to replace it. The tokenization service securely stores the mapping between the token and the original data.
- The keyed hash and the token are stored in the merchant's database; the hash lets the merchant recognise a returning card (e.g., for fraud checks or duplicate detection) without storing the PAN, which reduces the risk of exposure.
- Hashing is generally used by merchants, acquirers and issuers to protect stored data (data at rest) and to keep PANs out of logs and audit trails, where only a keyed hash or a masked PAN should ever appear.
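The brute-force risk and the keyed-hash fix described above, as an added example that is not from the original article. An attacker who holds an unkeyed SHA-256 of a PAN and knows the BIN and last four digits (both routinely printed on receipts) only has to try the digits in between: for a 16-digit PAN with six plus four known that is 10**6 hashes, and filtering by Luhn first would cut it by another factor of ten. The same search against an HMAC digest finds nothing without the key, while the party that holds the key can still match a returning card. The test PANs are well-known test numbers and the function names are assumptions for the demo.

```python
"""Why an unkeyed hash of a PAN is not irreversible in practice, and what a
keyed hash (HMAC) changes. Added illustration; standard library only."""
import hashlib
import hmac
import itertools
import secrets
from typing import Optional


def sha256_hex(pan: str) -> str:
    """The 'just hash it' approach: deterministic, unkeyed, brute-forceable."""
    return hashlib.sha256(pan.encode()).hexdigest()


def new_index_key() -> bytes:
    """Key for the keyed hash. In production it lives in the HSM / KMS and is
    rotated like any other key; here it is generated in memory (assumption)."""
    return secrets.token_bytes(32)


def hmac_hex(key: bytes, pan: str) -> str:
    """Keyed hash as required by PCI DSS v4.0 Req. 3.5.1.1."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def matches(key: bytes, pan: str, stored_hex: str) -> bool:
    """Legitimate use of the index: does this PAN match a stored keyed hash?
    Constant-time comparison avoids leaking match progress through timing."""
    return hmac.compare_digest(hmac_hex(key, pan), stored_hex)


def recover_pan(target_hex: str, known_prefix: str, known_suffix: str,
                length: int = 16) -> Optional[str]:
    """Attacker's view: enumerate every digit string between a known prefix
    (BIN) and known suffix (last four) and compare SHA-256 digests against
    the target. Returns the PAN if the target was an unkeyed hash of one of
    the candidates, otherwise None."""
    unknown = length - len(known_prefix) - len(known_suffix)
    target = bytes.fromhex(target_hex)
    prefix = known_prefix.encode()
    suffix = known_suffix.encode()
    for middle in itertools.product(b"0123456789", repeat=unknown):
        candidate = prefix + bytes(middle) + suffix
        if hashlib.sha256(candidate).digest() == target:
            return candidate.decode()
    return None


if __name__ == "__main__":
    pan = "4111111111111111"            # test PAN, not a real card
    bin6, last4 = pan[:6], pan[-4:]     # what a receipt reveals

    # Unkeyed hash: recovered after at most 10**6 guesses.
    print("SHA-256:", recover_pan(sha256_hex(pan), bin6, last4))

    # Keyed hash: the same search yields nothing without the key ...
    key = new_index_key()
    stored = hmac_hex(key, pan)
    print("HMAC   :", recover_pan(stored, bin6, last4))
    # ... but the key holder can still recognise the card.
    print("match  :", matches(key, pan, stored))
```

The HMAC index only stays safe while the key does: if the key sits in the same database as the hashes, the attacker is back to the 10**6 search, which is why the key belongs in the HSM or KMS and the hash should be recomputed under a new key when the key is rotated.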
Access Control:
- Define the roles within your organization and the permissions associated with each; this includes which people and which systems may access the token vault or the databases that store tokens. Any human access to these systems must be authenticated with multi-factor authentication (MFA).
- Only authorized systems should be able to reverse the tokenization process (detokenize) or reach the vault. Govern this with access management through Role-Based Access Control (RBAC), which assigns roles and permissions to users and services based on their job function, or Attribute-Based Access Control (ABAC), which makes decisions based on attributes such as role, time of access, source network and data sensitivity. In practice the two are combined: RBAC grants the permission, and ABAC conditions narrow when it may be exercised.
- When a customer enters sensitive information via a website or mobile app, the payment information is encrypted in transit with TLS before being transmitted to the server.
- Upon receiving the payment information, the server tokenizes the sensitive data, replacing it with a token (or, better, a hosted payment field or SDK from the tokenization provider keeps the PAN off the merchant's server entirely). Ensure your server is configured for TLS: obtain a certificate from a trusted Certificate Authority (CA), configure your web server to use it, and disable SSL and early TLS versions, which PCI DSS no longer accepts.
Access control and authentication apply at every level of the payment transaction lifecycle, starting with the customer and merchant and continuing across acquirers and issuers.
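A combined RBAC/ABAC decision for vault operations, as an added example that is not from the original article. RBAC answers whether the caller's roles grant the action at all; ABAC conditions then require MFA for any human, restrict detokenization to machine identities calling from the vault's own network, and restrict key rotation to a change window. The role names, the network range and the change window are assumptions for the demo, and every denial carries a reason so the decision can be logged without touching card data.

```python
"""RBAC + ABAC authorisation for token-vault operations. Added illustration;
roles, attributes, network range and change window are assumed for the demo."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# RBAC: what each role may do at all (assumed role set).
ROLE_PERMISSIONS = {
    "checkout-app": {"tokenize"},
    "settlement-service": {"tokenize", "detokenize"},
    "support-analyst": {"view-last4"},
    "vault-admin": {"rotate-key", "view-last4"},
}

# ABAC: the only network detokenization may be requested from (assumed range).
VAULT_NETWORK = ip_network("10.42.0.0/24")


@dataclass(frozen=True)
class Principal:
    subject: str
    roles: frozenset
    is_service: bool      # machine identity (mTLS / workload identity) vs. human
    mfa_verified: bool    # True only when an MFA-backed session was presented


@dataclass(frozen=True)
class Request:
    action: str
    source_ip: str
    at_iso: str           # ISO-8601 timestamp, e.g. "2024-03-05T10:00:00+00:00"


def rbac_permits(principal: Principal, action: str) -> bool:
    """Pure role check: does any of the caller's roles grant the action?"""
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in principal.roles)


def in_change_window(at_iso: str) -> bool:
    """Weekdays 09:00-17:00 UTC (assumed window). Naive timestamps are treated as UTC."""
    at = datetime.fromisoformat(at_iso)
    at = at.replace(tzinfo=timezone.utc) if at.tzinfo is None else at.astimezone(timezone.utc)
    return at.weekday() < 5 and 9 <= at.hour < 17


def authorize(principal: Principal, request: Request):
    """Returns (allowed, reason). RBAC grants the capability; the ABAC
    conditions below narrow when it may be used."""
    if not rbac_permits(principal, request.action):
        return False, f"roles {sorted(principal.roles)} do not grant {request.action}"
    if not principal.is_service and not principal.mfa_verified:
        return False, "human access to the vault requires MFA"
    if request.action == "detokenize":
        if not principal.is_service:
            return False, "only authorised systems may reverse tokenization"
        if ip_address(request.source_ip) not in VAULT_NETWORK:
            return False, f"detokenize from {request.source_ip} is outside the vault network"
    if request.action == "rotate-key" and not in_change_window(request.at_iso):
        return False, "key rotation only inside the change window"
    return True, "allowed"


if __name__ == "__main__":
    settlement = Principal("settlement-01", frozenset({"settlement-service"}), True, False)
    analyst = Principal("alice", frozenset({"support-analyst"}), False, True)
    for who, req in [
        (settlement, Request("detokenize", "10.42.0.7", "2024-03-05T10:00:00+00:00")),
        (settlement, Request("detokenize", "203.0.113.9", "2024-03-05T10:00:00+00:00")),
        (analyst, Request("detokenize", "10.42.0.7", "2024-03-05T10:00:00+00:00")),
    ]:
        print(who.subject, req.action, authorize(who, req))
```

The check order matters: the role test comes first so that a caller without the permission never learns which ABAC condition it would have failed, and the reason strings name the policy, not the data.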
Data Anonymization:
- Data anonymization alters sensitive information so that it can no longer be traced back to the original data subject, for instance by removing or modifying personal identifiers. Common techniques include masking (replacing real values with realistic substitutes, usually to build non-production datasets), generalization (reducing precision, e.g., a full date of birth to a year), and data perturbation (adding noise). Unlike tokenization, anonymization is one-way by design: there is no vault to map back through.
- Determining which data fields are sensitive and need to be anonymized or tokenized is a key decision to take, and a combination of anonymization with tokenization can be used depending on the use case (tokens where the business must later act on the real value, anonymization where it must not).
The article is my endeavor to summarize on a comprehensive topic and does not represent my organization's view on this subject.