The payment system has been one of those that has been developing steadily and progressively for decades. Each era has brought some changes in its development from cash registers to online shopping, from coupons to credit cards. Currently, the priority issues are the security of data and confidential information of buyers and customers. The following article is chiefly related to this issue.
PCI DSS is the international attempt to solve this problem and to create a standardised and appropriate system. There are many different ways to make your organization meet PCI DSS requirements such as tokenization, encryption, network segmentation and many others. Each has its advantages and disadvantages, but while some remain a well-known method, others are a mystery.
Tokenization is usually the way that raises the most questions and doubts, including what token compliance meaning is, how it affects PCI compliance and one of the most common questions about how it works. In fact, this method is one of the most effective, as it minimizes risks, allows you to be flexible and, moreover, in some way may even be called a PCI assessment solution.
The best idea is to start with the definition. So, what is tokenization? To cut a long story short, it is a process in which confidential data is replaced with a non-sensitive element called a token. In case when someone wants to get to the confidential data token is preventing him from doing so. In other words, the token is a barrier between your private data and cyber-scammers.
The token is the replacement of data with random symbols and signs, as it is forbidden to store such data as identification numbers or bank accounts in their original form in the network. It is the token that guarantees the inviolability and security of data. This is especially noticeable during online transactions in which the card is not physically used. Due to tokenization, information about the cardholder and other personal data does not appear and is not used in transactions as well. With the use of a token, information is not stored in online databases, because it does not even have contact with it. The token guarantees security both inside the system and during the transition from one system to another.
The token does not store any confidential information that has been replaced by other random characters. Imagine a situation where cyber-scammers managed to seize the token. Even if it happens, he will not be able to seize any confidential data about either card or its holder.
It is very convenient, easy, fast and flexible to use the token. It can be simply created with a credit card. The transaction process is as well quite easy and very fast. In fact, the original information is stored in special repositories, which are under a strong system of protection. Such repositories are called vaults.
There are several types of tokenization in payment systems. Most common are Acquiring Token, Issuer Token, and Payment Token. According to the PCI DSS, only card numbers can be tokenized, passwords and CVV2 are not subject to tokenization. In addition, PCI DSS requires that tokens should be generated at least one in a million. Rainbow Table is one of the most popular and well-known methods of token data capturing.
But safety is not just an unpredictability. At least this whole protection system is much more complicated than it might seem. to be considered safe enough, token-based PAN must be nearly impossible to predict (with the probability of success being incredibly low, more than one in a million actually). And there is no instrument to capture such data (and to hack the cryptographic hash functions) that enjoys more popularity than Rainbow Table.
There is also an official set of recommendations on how to determine the value of the tokenization product. The first thing that is mentioned is, again, the extremely high importance of confidentiality. If an outsider had access to the PANs, it could be considered a disaster because it would seriously threaten the whole affair. There is a clearly defined data environment of the cardholder, and its “borders” must always be adhered to. The entire structure of the system must be in the internal network, protected from suspicious elements and the traffic which has not been verified. Anything unwanted should be discarded to keep the system isolated. This raises the question of trust: only complete confidence in the message can be considered a condition for his omission. Anything that raises doubts should be strictly prohibited from reaching the system. If you have a need or desire to store the information in one place (or if you would need to transmit it), care must be taken to ensure that it is encrypted. The most reliable way to do this is through the AES-256 algorithm. It has already stood the test of time, so to speak. Care must be also taken with means of access and identification. Monitoring safety and compliance with all conditions (clearly defined in PCI DSS Requirements 7 and 8) are extremely important. Everyone who needs to have access should have a unique identifier. This will weed out those who shouldn’t have access and strengthen protection. It is necessary to protect the system from cyber-attacks and harmful influences. Data should be deleted periodically, but this process should be determined by the special preservation of the necessary data policy. It is important to take into account everything that passes through the network. It would be good to have a defined procedure for emergency notification of experts on suspicious actions (traffic) to prevent unpleasant consequences, or just to check what is in doubt.