From the education session "Hard Codes to Crack: Tokenization, Encryption-at-Swipe and Friends" at the HITEC 2012 conference.
Provides insight into what to consider when purchasing and implementing a tokenization or point-to-point encryption solution to protect payment data, with a particular focus on the hotel or lodging industry.
2. A Flexible, Layered Approach to Security
• Acquirer Neutral – Enable merchants and franchisees to process via the acquirer they prefer
• Encryption Options – Leverage multiple point of interaction (POI) devices that can protect both keyed and swiped data
• Tokenization Options – Support both single and multi-use tokens
• Freedom to Change – Allow merchants to switch processors easily, without replacing the tokenization system or encryption devices
3. Encryption-at-Swipe
• OBJECTIVE: Data field encryption should be implemented at, or as close to, card swipe or data entry as possible – ideally within the device's read head or tamper resistant security module (TRSM)
• REQUIREMENT: Merchant is removed from all key management responsibilities and has no access to decryption keys or the decryption process
4. Encryption Vendor Selection
• Industry Standard Vendor (no licensing fees)
– DUKPT 3DES encryption (AES forthcoming)
– Every transaction receives a new key
– Encryption occurs within read head
• Proprietary Technology Vendor
– Identity-based encryption eliminates the need for a secure injection room
– Works on leading terminals, PIN pads, wedge and mobile devices
– Supports browser-based page embedded encryption for secure eCommerce
Both support EMV devices and encrypt manually entered cards
HSMs located in Merchant Link’s data centers
5. Tokenization for Lodging
• Folio Consolidation
– Merge all guest transactions (room, dining, spa services, gift shop purchases, etc.) to one folio/card number
• Guest Satisfaction
– Preferences associated with the profile can flow to the reservation and tie to the same token
• Loyalty / Marketing
– Even if the guest has multiple stays (at multiple hotel locations within a chain) the token remains the same
• Operations
– Requires less database storage
– Streamlines accounting and audit functions
6. Multi-Use Token Design
• Length: 16 digits to easily replace card numbers in existing systems
• Format: Last 4 digits of the token are the last 4 digits of the card number, to work seamlessly with most PMS applications
• Mod-10: Customizable – can be set to pass or not pass mod-10 validation
• Expiration: Tokens will not expire – the token remains the same for a card that has been reissued with a new expiration date (within a particular chain/organization)
• Token ≠ Valid Card #: Tokens should not be mistaken for legitimate payment card numbers
• Token Boundaries: Only work within a specific property/chain
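As an added example (not Merchant Link's code), the token design above in a small Python vault: 16 digits, last four of the PAN preserved, mod-10 result configurable, the same token returned when a card is reissued with a new expiry, and tokens that only resolve within the chain that issued them. The in-memory store, class and method names are assumptions for illustration; a production vault encrypts the PAN at rest and lives with the provider.

```python
import secrets
from typing import Dict, Optional, Tuple

def luhn_check_digit(partial: str) -> int:
    """Digit that, appended to `partial`, makes the number pass mod-10 (Luhn)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])

class TokenVault:
    """Constructed in-memory vault for multi-use tokens: one token per (chain, PAN),
    16 digits, last four of the PAN preserved, mod-10 behaviour configurable."""

    def __init__(self, pass_mod10: bool = False) -> None:
        self.pass_mod10 = pass_mod10
        self._by_pan: Dict[Tuple[str, str], str] = {}    # (chain_id, pan) -> token
        self._by_token: Dict[Tuple[str, str], str] = {}  # (chain_id, token) -> pan

    def _new_token(self, chain_id: str, pan: str) -> str:
        last4 = pan[-4:]
        while True:  # rejection sampling: about half the candidates give the wanted mod-10 result
            candidate = "".join(secrets.choice("0123456789") for _ in range(12)) + last4
            if candidate == pan or (chain_id, candidate) in self._by_token:
                continue  # never return the real PAN, never reuse a token within a chain
            if luhn_valid(candidate) == self.pass_mod10:
                return candidate

    def tokenize(self, chain_id: str, pan: str, expiry: str) -> str:
        """Expiry is accepted (the PMS sends it) but is deliberately not part of the key,
        so a reissued card with a new expiration date maps to the same token."""
        key = (chain_id, pan)
        if key not in self._by_pan:
            token = self._new_token(chain_id, pan)
            self._by_pan[key] = token
            self._by_token[(chain_id, token)] = pan
        return self._by_pan[key]

    def detokenize(self, chain_id: str, token: str) -> Optional[str]:
        """Only the vault maps back; the same token presented under another chain is unknown."""
        return self._by_token.get((chain_id, token))
```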
7. Design Considerations
• Bulk Tokenization/Conversion at Implementation
– Automated utility converts all credit card numbers (historic, current and future)
• Added Security w/Client Certificates
– Helps interrogate which terminals are allowed to communicate with the vault
• Tokens Used For...
– Incremental and reversal authorizations
– No show transactions
– Refunds
9. Before You Buy, Consider …
Scope – What impact will my decision have on PCI scope?
Form – Single or multi-use tokens? Format preserving? What are my use cases?
Function – Follow-on transactions? Manual entry? Offline?
Logistics – Deployment and replacement considerations?
Flexibility – Future options? Hardware provider? Processor?
10. Other Considerations
Service / Support
• Fast access to data and ability to troubleshoot
• Responsive, redundant support centers available 24x7x365
Network Reliability / Financial Strength
• Examine network uptime and throughput
– Redundant data centers?
– Transactions per second?
• Examine stability and strength of company
Flexibility
• Encryption via various POI devices
• Single vs. multi-use tokens
• Processor choice
• POS vendor/device choice
Editor's Notes
Security experts, along with the PCI Council, agree that a layered approach to security is best, as there is no one technology that will make you secure or PCI compliant. Encryption and tokenization work together to protect both data in transit and data at rest.
According to Verizon's 2012 Data Breach Investigations Report, the most common external breach techniques utilize a combination of hacking and malware (61%). Along the same lines, Trustwave reported in its 2012 Global Security Report that hackers are having a far greater degree of success stealing data "in transit" (62.5%) versus stored data (28%). Merchant Link's objective, well before PCI published its P2PE solution requirements, was to completely remove merchants from key management and the decryption process.
When looking at options to protect data in flight, we chose not to reinvent the wheel but rather to partner with industry leading vendors. Our aim is to provide the most secure and flexible point-to-point encryption solution in the marketplace today. Our goal is to support various points of interaction (POI) with interfaces to different hardware vendors, to offer merchants as much choice as possible. Unlike processor-based encryption, our solution allows merchants to switch processors easily and without changing tokenization or encryption methodologies. DUKPT (Derived Unique Key Per Transaction) is a key management technique in which every transaction uses a unique key derived from a fixed base key. Therefore, if a derived key is compromised, future and past transaction data are still protected, since the next or prior keys cannot be determined easily from it.
Hoteliers find a great deal of value in multi-use tokens.
Other key aspects we considered when designing our tokenization solution:
Bulk Tokenization / Conversion at Implementation: Merchant Link provides a bulk Get Token only transaction to speedily convert many card numbers to tokens during tokenization installation. Many currently operational hotels have future reservations, current guests, and X number of past historical credit cards that they want to retain and turn into tokens.
Added Security w/Client Certificates: Merchant Link deploys client certificates to further secure the communication between the hotelier's systems and our data vault. Client certificates help interrogate which terminals are allowed to communicate with the vault.
Tokens Used For: incremental and reversal authorizations, no show transactions, refunds.
Scope: Am I aligned with industry best practices? What will my QSA say? Have I addressed manual entry? Gift cards? Private label?
Form: Single use or multi-use? What are the use cases?
Function: Does my tokenization solution support follow-on transactions, especially no show charging? Do your systems include a reservation system that tokenizes for multiple hotels, and is there a need to share tokens between hotels' PMS or a reservation system? Do I have systems that allow customers to post a card number to a loyalty membership? Does it make sense, if a husband and wife have two loyalty memberships, to have different tokens if it's the same credit card number?
Logistics: How many devices do I need to obtain? What happens if the encrypting device fails? How long is the injection/shipment/delivery process for a new device?
General: Have I identified all the use cases of how credit cards interact with my systems? Do I have the IT personnel to support the technology I'm going to deploy?
Encryption: Is the POI a tamper-resistant device? The solution should be aligned with industry best security practices for data field encryption. How many devices do I need to obtain? What happens if the encrypting device fails? How long is the injection/shipment/delivery process for a new device? How does the encrypting device handle non-payment cards (gift cards, membership cards, employee sign-in cards, etc.)? Should I buy encrypting devices that are EMV and contactless-capable? Do I need a solution that supports multiple hardware vendors?
Tokenization: How much historical data do I really need to keep? (We recommend you purge as much unneeded data as possible.) Do my systems and applications that consume credit cards require mod-10 passable cards or not? Do I have systems that would benefit from having a consistent token to perform customer tracking and purchase behavior/history? Do I have systems that allow customers to post a card number to a loyalty membership? Do your systems include a reservation system that tokenizes for multiple hotels, and is there a need to share tokens between hotels' PMS or a reservation system? Does my tokenization solution support follow-on transactions, including no show charges?
A few other things to keep in mind... Implementing these technologies will further distance you from the actual credit card numbers – which is a good thing for security and compliance – but it means that having high-touch service and support is more important. Make sure your provider has support that is responsive, available 24x7x365, and able to help you track down and immediately resolve problems. Second, take a look at the company's network reliability and financial strength. And finally, in today's payments landscape, where security threats and payment methods are constantly evolving, I would encourage you to invest in solutions that offer multiple options and flexibility in terms of the devices, points of interaction (POI) and processors supported.