Doing tokenization and cloud computing the PCI way

September 24, 2015. By David

Grazed from CSO. Author: Ben Rothke.

When we wrote our first PCI application security article, Who’s Guarding the Data Bank?, in 2008, commercially available cardholder tokenization was in its infancy. Data tokenization generally refers to a process in which cardholder data (usually the Primary Account Number, or PAN) is replaced with a substitute value known as a token.

In the approach described here, the token is generated with a strong, publicly known one-way hash function. If that function is suitably strong and has been publicly validated, the resulting hash value is no longer considered cardholder data as defined by the PCI SSC. It does not require additional obscuring or encryption, because the process cannot be reversed to reconstitute the original data (in this case the PAN) short of a brute-force ‘dictionary’ attack…

If, however, an attacker has access to both the truncated PAN (for example 400000xxxxx67891) and the hashed PAN, recreating the original PAN becomes much easier: only the hidden digits have to be enumerated, and because the Luhn check digit is one of the visible digits, just one candidate in ten even needs to be hashed. This is noted in section 2.3 of the PCI PA-DSS v3.1:…
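The following is an added example, not code from the CSO article or from any PCI SSC document, that carries the point above through: given the truncated PAN and an unsalted hash of the full PAN, the hidden digits are recovered by enumeration. It assumes the "hashed PAN" is a plain SHA-256 of the PAN digits, and the sample PAN is constructed to match the article's truncated example 400000xxxxx67891 (five hidden digits); the same function also handles the standard first-six/last-four truncation (six hidden digits). The keyed HMAC variant at the end is an illustration of the kind of additional control the note calls for, not a PCI-mandated method.

```python
"""Added example (not from the CSO article): why a bare hash of a PAN is
reversible once the truncated PAN is also known.

Assumptions not stated on the page: the stored "hashed PAN" is an unsalted
SHA-256 of the PAN digits; the sample PAN below is constructed, not real.
"""
import hashlib
import hmac
import itertools
import os
from typing import Callable, Iterator, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn (ISO/IEC 7812) check: True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sha256_hex(pan: str) -> str:
    """Unkeyed, unsalted hash: what the article calls the 'hashed PAN'."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key kept away from the systems
    that hold truncated PANs. Without the key, the enumeration below cannot
    even be attempted (assumed mitigation, not a PCI-mandated method)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def candidates(truncated: str) -> Iterator[str]:
    """Yield every full PAN consistent with the truncated form ('x' marks a
    hidden digit) that passes the Luhn check. The check digit is visible,
    so it eliminates nine of every ten digit combinations."""
    hidden = [i for i, ch in enumerate(truncated) if ch == "x"]
    for digits in itertools.product("0123456789", repeat=len(hidden)):
        pan = list(truncated)
        for pos, d in zip(hidden, digits):
            pan[pos] = d
        full = "".join(pan)
        if luhn_valid(full):
            yield full


def recover_pan(truncated: str, target: str,
                digest: Callable[[str], str] = sha256_hex) -> Optional[str]:
    """Brute-force the hidden digits: hash each Luhn-valid candidate and
    compare with the stored value. Returns the PAN, or None if nothing
    matches (for example when the stored value is keyed and the key is
    unknown to the attacker)."""
    for pan in candidates(truncated):
        if hmac.compare_digest(digest(pan), target):
            return pan
    return None


if __name__ == "__main__":
    # Constructed sample: a Luhn-valid PAN whose truncated form matches the
    # article's example 400000xxxxx67891 (five hidden digits).
    real_pan = "4000001034567891"
    truncated = "400000xxxxx67891"
    stored_hash = sha256_hex(real_pan)
    print("candidates after Luhn filter:", sum(1 for _ in candidates(truncated)))
    print("recovered from unsalted hash:", recover_pan(truncated, stored_hash))
    # Standard first-six/last-four truncation: six hidden digits, still seconds.
    print("recovered from first6/last4:", recover_pan("400000xxxxxx7891", stored_hash))
    # Same attacker against a keyed token, lacking the key, gets nothing.
    key = os.urandom(32)
    print("keyed token recovered:", recover_pan(truncated, keyed_token(real_pan, key)))
```

With five hidden digits the Luhn filter leaves exactly 10,000 candidates, and with the standard six hidden digits 100,000; either way the unsalted hash is recovered in seconds on a laptop. The design point is that the hash and the truncated value must not be correlatable by the same party, which is why the keyed variant keeps the key outside the environment that stores truncated PANs.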

Read more from the source @ http://www.csoonline.com/article/2985800/application-security/doing-tokenization-and-cloud-computing-the-pci-way.html