Tokenization

In this world of identity fraud and PCI regulations, the need to protect cardholder data is on every merchant’s mind. PCI has defined a clear set of rules (PA-DSS) for software vendors on how to properly manage cardholder data in a payments environment, but many merchants continue to read about new security breaches every day.


Therefore, a number of merchants are seeking more security measures beyond those required by PA-DSS best practices in the pursuit of the ultimate ‘end-to-end’ security solution.


One of the tools being employed towards the goal of end-to-end protection is tokenization. Tokenization is the replacement of sensitive card data with a substitute (token) value, further reducing the risk that a cardholder’s personal card data is compromised by criminals.


Tokenization


ISD now offers a tokenization solution as part of our enterprise payment application.


eCommerce, recurring mail order, and telephone order cardholders making repeat purchases want a more streamlined checkout experience. Entering credit card information on return visits is perceived as a hassle. Securing credit card information at rest is an added risk for the merchant. Automating the future use of credit card information in a PCI-secure environment through ISD’s Payment Switch eliminates pain for the cardholder and the merchant.


A token is generated by the ISD Payment Switch and communicated back to the POS on each authorization response message. This token can be saved by the POS for future use. In a batch settlement method, this token can also be written to the settlement file without the need to call a separate encryption routine.


Transferring the responsibility for creating the token and storing the cryptographic keys for future use to the ISD Payment Switch eliminates the risk associated with the merchant maintaining those keys and algorithms.


Request Token (RT)


Another feature that extends what a merchant can do with a token is the ‘request token’ (RT) message. This feature gives the merchant an opportunity to generate a new token in several situations.

  • If the primary account number associated with the cardholder has changed, send the RT message to the ISD Payment Switch to refresh the token
  • If the expiration date associated with a token has been updated, send the RT message to the ISD Payment Switch to refresh the token


Benefits

  • Enhances the checkout experience for an e-commerce or catalog cardholder on subsequent visits
  • Efficiently and securely manages recurring transactions
  • Eliminates the need for the merchant to secure and maintain credit card account numbers at the store
  • Eliminates the need for the merchant to maintain cryptographic keys and algorithms at the store
  • Allows the token to be refreshed if the primary account number associated with the cardholder’s profile changes
  • Allows the token to be refreshed when a card expiration date has been updated
  • If the Historical Key Management product is installed, tokenization utilizes the Current-Active-Host-Key for encryption


PABP (PA-DSS) Certification


The tokenization module along with the ISD Payment Switch Framework Authorization and Settlement Suite for Java is validated as PABP (PA-DSS) compliant.


Use in a PCI Environment


Since the token and the life cycles around the token are PABP (PA-DSS) compliant, the token may be embedded into merchant applications or placed at rest (written to disk) by any merchant application.