The Yin-Yang Of Tokenization, Vendors Now Splitting Into Two Camps

In recent months, an encrypted laundry list of vendors has announced products in the so-called end-to-end encryption space and/or the tokenization arena. But this week added two key announcements into the mix, from Voltage Security and a combo rollout from First Data and RSA Security. The reason they're key is that, for the first time, two of the largest players are offering true differences, ones that speak more to retail security philosophy than anything else.

These two rollouts—from very competitive interests—also happen to agree on something that signifies a maturation of the retail security space. They agree that PCI is likely to insist that retailers deploy some combination of some form of encryption and tokenization, a position that should end months of bickering between the end-to-end vendors and the tokenization vendors.

The philosophical differences come down to how retailers want to—or, more precisely, decide that they need to—interact with payment card data. For the last couple of years, the retail rallying cry has been that the card brands and/or acquiring banks are in a much better position to hold that cyberthief-attracting data than retailers. Getting rid of the card data, in theory, would make retailers less attractive to data thieves, might get them out of all of that nasty PCI paperwork and assessor arguments, and allow them to focus on selling stuff.

The approach from First Data and RSA is a service that takes the card payment information and converts it into a token and then stores the sensitive data in its system. The First Data argument is that this leaves the retailer with no sensitive card data and, therefore, far fewer associated risks and hassles. The position is that the burden of protecting that data is now lifted entirely from the retailer.

The Voltage approach is more of a software package (they like to call it a framework) that lets the retailer control how the data is tokenized, but it's the retailer that stores and controls that data. The rationale here is that the retailer is the business that accepted the card, so the liability stays with the retailer. As long as the merchant is going to be held responsible, that chain might as well call the shots as to how that data is protected and controlled.

"What happens to the tokens if the provider goes bankrupt or gets acquired?" asked Wasim Ahmad, Voltage's Vice President, Marketing. "They're doing it as a service, which means that [that retailer's payment] data will be off in a cloud somewhere. Putting all of the numbers in a vault paints a big target on them."

Looming behind these philosophical debates is the PCI Council, which is expected to unveil its next version of the PCI guidelines in about a year. This version is almost certain to include guidance about how the council wants retailers to deal with encryption and tokenization. The key issue at play: Will the PCI Council consider a token to be within the scope of PCI? Is it payment card data that is merely masked? Is the fact that these tokens are made from real card numbers—and can easily be converted back into real card numbers at the retailer's whim—going to be used to justify keeping tokens within scope? And, as a result, will retailers be forced to continue just as much of the paperwork as before?

Although the tokenization methods vary slightly from vendor to vendor, the tokens can't be converted back through a key or an algorithm. But the software has a way of matching each token to the actual card number, for chargeback and other purposes. The vendors will argue that tokens should be out of scope. But that's not likely to be an argument that the card brands or the PCI Council will find persuasive.

Let's look at each offering a little closer.The First Data approach is slated to go into pilot in January 2010 and be offered for mass market use by March. The company has offered no meaningful details about pricing or about the security it is deploying to protect the card data it is asking to guard.

Unlike an approach being pushed by Heartland, the First Data approach requires no hardware, and its public key encryption service is supposed to sit atop whatever infrastructure (card swipe, POS, etc.) the retailer already has, "as long as you're running reasonably newer devices" accepted by current PCI guidelines, said Craig Tieken, vice president of merchant product management at First Data. "This public key encryption will work within those devices."

There is a brief period after the swipe where the data is unencrypted, he said. But it wouldn't likely be of value to anyone attacking the retailer's network, because the data is never stored there. It could be at risk for thieves who physically tamper with the swipe devices in-person. However, that's the kind of data theft this service was designed to thwart, Tieken said.

"If you're going after device-level tampering, that's a whole different model," he added. "Even full Chip- and PIN-compliant devices have been tampered with. This isn't going to prevent you from stealing" in that way.

Neither First Data nor RSA provided many technical details about their approach, and a promised diagram of the transaction process never materialized. Tieken said that First Data is prepared to change the system depending on what the industry—especially the PCI Council—pushes for. "This isn't something that will be a static offering," he said, adding that if PCI had other preferences, "we could migrate to something else, such as AES."

The Voltage approach is slightly more specific as to pricing--$65,000 and higher—but not in terms of the number of transactions that fee covers, which tends to make the price meaningless. Their package is designed to allow retailers to create their own packages, but it includes a key server, transformation routines and a management console, among other pieces of software, Voltage's Ahmad said.