Monday, June 15, 2009

Tokenization as a means of securing credit card numbers

By: Eric Bushman, Vice President of Solutions Engineering, Paymetric, Inc.

My previous blog post titled Securing credit card account numbers in SAP focused on implementing functionality provided by SAP for encrypting credit card numbers stored in the SAP ERP database. In an update I also included a brief reference to encryption functionality in the SAP CRM database. FAQ OSS notes mentioned in the post provide the necessary information to implement the SAP standard encryption functionality and thus secure the payment card and credit card numbers stored in your SAP applications.

At the end of the post I mentioned several items that you should be aware of when implementing the standard SAP functionality which may prevent compliance with PCI DSS requirements. I then alluded to Tokenization as a means of addressing those additional items. In this post I want to explore the differences between SAP's standard encryption offerings in each application and tokenization as an application-independent encryption approach.

Many applications provide encryption functionality which is specific to that particular product. SAP's encryption offering for credit card numbers in the SAP ERP and CRM applications is one such example. The encryption functionality is designed to work only with that application - specifically by encrypting the credit card number data stored in the database. Should data need to be passed between applications, such as order data being replicated from the SAP ERP to the SAP CRM system, the data must be decrypted in the source application, passed in an unencrypted form (and therefore potentially logged in an unencrypted format) and finally re-encrypted in the target application. Using this application-specific encryption approach has the following weaknesses:
  • Encryption solutions on each application must be setup, maintained and managed
  • Encryption keys in each solution must be managed independent of other solutions
  • Encryption keys must be rotated independently of other solutions
  • An increased number of encryption solutions requires additional IT staff time for management and maintenance
  • Disparate encryption solutions increase security risks if maintenance is not always kept current
  • Encrypted data must first be decrypted before being passed to other applications and then re-encrypted before being stored by the target application


A typical enterprise with an SAP system, a web store and a payment application, each storing encrypted credit card data locally using application-specific encryption, would have an architecture which looks like this:


Implementing a solution which Centralizes and Tokenizes the credit card number data in a secure data vault would change the architecture to look like the following:


This solution would extract the unencrypted card numbers from the various applications, consolidate the application specific encryption functionality into a single, central solution and would simplify key management and key rotation functions. Centralization and Tokenization would specifically help address the following PCI DSS requirements:



Additional advantages to this approach would include the following:

  • One centralized storage location of all encrypted credit card number data
  • All applications would store tokens at the database level rather than unencrypted or encrypted card numbers - Security At Rest
  • All application interfaces could pass tokens rather than encrypted or unencrypted card numbers - Security In Transport
  • Rotation of encryption keys would be performed centrally and would be transparent to other applications as the tokens would remain unaffected
  • Centralized logs can be kept of all decryption attempts from all source systems thereby providing a valuable audit trail
  • If an external, third-party solution is used the risk of data loss in a breach of internal systems is greatly diminished - only tokens would be compromised, not the encrypted data or the encryption keys
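As an added illustration (not code from the original post, Paymetric or SAP), here is a minimal central token vault showing three of the points above: applications hold only tokens, key rotation re-encrypts the vault without changing any token, and every detokenization attempt from every source system lands in one audit trail. The HMAC-SHA256 keystream stands in for a real AES mode so the example runs on the standard library alone; the token format and the card number used in the test are constructed samples.

```python
import hashlib
import hmac
import secrets

# Illustrative token vault (not Paymetric's or SAP's code). The HMAC-SHA256
# keystream below is a stand-in for a real AES mode so the example needs only
# the standard library.


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC(key, nonce || counter) blocks, stream-cipher style."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TokenVault:
    def __init__(self):
        self.key = secrets.token_bytes(32)   # current data-encryption key, held only in the vault
        self.key_version = 1
        self.records = {}                    # token -> (key_version, nonce, ciphertext)
        self.audit_log = []                  # central trail of every detokenization attempt

    def tokenize(self, pan):
        # Constructed token format: random hex plus the last four digits in the
        # clear so applications can still display them.
        token = "TOK" + secrets.token_hex(6) + pan[-4:]
        nonce = secrets.token_bytes(16)
        self.records[token] = (self.key_version, nonce, _keystream_xor(self.key, nonce, pan.encode()))
        return token

    def detokenize(self, token, source_system):
        # Every attempt is logged, successful or not, together with the requesting system.
        rec = self.records.get(token)
        self.audit_log.append(f"{source_system} detokenize {token} {'ok' if rec else 'unknown-token'}")
        if rec is None:
            return None
        _version, nonce, ciphertext = rec
        return _keystream_xor(self.key, nonce, ciphertext).decode()

    def rotate_key(self):
        # Re-encrypt every record under a fresh key. Tokens already stored in
        # SAP, the web store or the payment application are untouched.
        new_key, new_version = secrets.token_bytes(32), self.key_version + 1
        for token, (_version, nonce, ciphertext) in list(self.records.items()):
            pan = _keystream_xor(self.key, nonce, ciphertext)
            new_nonce = secrets.token_bytes(16)
            self.records[token] = (new_version, new_nonce, _keystream_xor(new_key, new_nonce, pan))
        self.key, self.key_version = new_key, new_version
```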

Finally, let's take a look at how the workflow for processing a credit card authorization would look in an enterprise using SAP along with a Centralization and Tokenization solution:


As enumerated above, there are clearly many advantages and benefits to using a token-based solution for securing credit card details, not only in SAP but across the enterprise. The token-based approach is currently not supported by standard SAP functionality, but is supported by solutions from third parties like Paymetric.

As scrutiny increases surrounding how companies are securing sensitive customer data, such as credit card numbers, serious consideration should be given to token-based solutions. Merchants who choose to outsource the storage of this sensitive data have less risk of embarrassing data loss in the event of a system breach, as only tokens would be stored locally. All encrypted data and keys would be stored by the external solution, thus greatly diminishing a Merchant's exposure and potential public relations nightmare.

6 comments:

  1. This post on securing credit card numbers is really pretty cool, and I have learned from you. Thanks for the insight! There is a lot of helpful information within those links.


    borrowernews

  2. Great article, love the images, really makes it easier to understand. Also thanks to Victoria for sharing borrowernews.com

  3. I don't see why the second architecture won't be adopted by most of the websites. It's curious how we like to complicate things instead of making them simpler.
    credit card machine

  4. I always forget everything, and my credit card number I wrote in a book. It was a mess because I lost the book, but when I found it my husband had it, because he was visiting Viagra Online and he paid with my credit card. It was the best robbery that I had ever had in my whole life, from my husband. Generic Viagra Buy Viagra

  5. A credit card works differently from a debit card. It is issued after a credit card application has been made to the issuer. Most credit cards have almost the same shape and size around the globe.
    Membership card printing

    Replies
    1. If you have applied for a number of charge cards, and keep getting rejected, it may be time to look elsewhere. If you apply for a bad credit history one, your odds of getting approved for it are much better than with various other choices. Home Depot Credit Card
