Tokens: A Tempting Option For Securing Cardholder Data

Tokenization might be the PCI Holy Grail, but the search for it could be just as circuitous
Kindervag says there is a struggle between vendors seeking to get enough critical mass that nobody -- namely the PCI Standards Council or any of the card brands -- can come back and say there is a wrong way to do things and put them out of business. For example, when it comes to defining tokenization, some vendors are fervent about true tokenization being based on a dynamically grown table of PAN values that refer to the tokens.

"There is a lot of confusion in the industry about what tokenization actually is -- the most common miscommunication is around formatted encryption. Encryption is encryption, and it's based on a secret key and mathematical algorithm," says Ulf Mattsson, CTO of Protegrity. "Tokenization is not based on a secret key or algorithm that mathematically can get you back to the data. That's its core strength."

But other vendors, such as Voltage, offer a tokenization option that is based on format-preserving encryption (FPE), which can turn a 16-digit PAN into another 16-digit number under the control of a key. Rogaway, who came up with some of the early cryptographic research upon which Voltage based its FPE tokenization, says both ways are equally strong from a security standpoint, but FPE offers greater architectural flexibility for organizations.
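The two approaches described above, side by side, as an added example (not code from Voltage, Protegrity or any other vendor named here): a table-based tokenizer whose only path back to the PAN is the vault table, and a keyed mapping that turns a 16-digit PAN into another 16-digit number and can be reversed with the key. The Feistel construction is a simplified illustration of the shape of format-preserving encryption, not a standardized mode such as NIST FF1, and the PAN is a constructed test value.

```python
import hashlib
import hmac
import secrets

DIGITS = 16          # PAN length handled by both schemes
HALF = DIGITS // 2   # Feistel halves: two 8-digit numbers


class VaultTokenizer:
    """Table-based tokenization: the token is a random 16-digit string.
    No key or algorithm links it to the PAN; only the vault table does."""

    def __init__(self):
        self.pan_to_token = {}
        self.token_to_pan = {}

    def tokenize(self, pan):
        if pan in self.pan_to_token:            # stable token per PAN
            return self.pan_to_token[pan]
        while True:                             # draw until unused and != PAN
            token = "".join(secrets.choice("0123456789") for _ in range(DIGITS))
            if token not in self.token_to_pan and token != pan:
                break
        self.pan_to_token[pan] = token
        self.token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        return self.token_to_pan[token]        # KeyError if never issued


def _round_fn(key, i, half):
    """Keyed round function: HMAC-SHA256 of (round index, right half) as an integer."""
    mac = hmac.new(key, bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def fpe_encrypt(key, pan, rounds=10):
    """Toy Feistel network over two 8-digit halves; output is again 16 digits."""
    mod = 10 ** HALF
    left, right = int(pan[:HALF]), int(pan[HALF:])
    for i in range(rounds):
        left, right = right, (left + _round_fn(key, i, f"{right:0{HALF}d}")) % mod
    return f"{left:0{HALF}d}{right:0{HALF}d}"


def fpe_decrypt(key, ct, rounds=10):
    """Inverse of fpe_encrypt: undo the rounds in reverse order with the same key."""
    mod = 10 ** HALF
    left, right = int(ct[:HALF]), int(ct[HALF:])
    for i in reversed(range(rounds)):
        left, right = (right - _round_fn(key, i, f"{left:0{HALF}d}")) % mod, left
    return f"{left:0{HALF}d}{right:0{HALF}d}"
```

Losing the vault table makes every token permanently unrecoverable, while losing the FPE key exposes every PAN ever encrypted under it; that asymmetry is what the architectural-flexibility argument in the text is about.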

For its own part, Voltage does also offer customers the choice between FPE tokenization and more traditional table-based tokenization, but the debate over whether FPE even qualifies for the term will still rage on, even after Visa's best practices were released.

"I wish the document had done a better job establishing the nomenclature," UC Davis' Rogaway says.

Another particularly impassioned battle about tokenization standards is the argument over whether hardware-based or software-based tokenization solutions are best. As Rogaway puts it, vendors with hardware-based tools, such as Voltage, claim that software-based tools, such as those offered by RSA, are not secure enough.

"You've got a face-off there," he says. "We're getting into a Thunderdome kind of match; they're all trying to do the 'two men enter, one man leaves' kind of thing."

Heartland, for one, says it chose Voltage specifically because it didn't believe software-based tools -- which do not encrypt PANs in between the time a card is swiped and sent to the processor to be tokenized and returned to the merchant -- were secure enough.

"There are those who believe that you can do tokenization strictly in software at the point of sale, but we don't believe that that is adequate security unless you securely get the card number as soon as the digits leave the magstripe and do that in hardware and software," says Steven Elefant, CIO for Heartland, who believes tokenization should be layered on top of other encryption solutions.

While Forrester's Kindervag says he leans more toward hardware-based solutions, he adds that even software-based tools are better than nothing. "Both solutions are an order of magnitude better than the way credit cards are taken today," he says.
