StorefrontBacktalk - Techniques, Tools, and Tirades about Retail Technology and E-Commerce
Opposition To Tokenization A Lot More Than Token
Written by Evan Schuman
May 9th, 2008

GuestView Columnist David Taylor this week discovered that there’s a lot more than token opposition to tokenization.

One of the concerns is that companies have already spent money on encryption. The most popular reason for not implementing tokenization is that companies have already implemented data encryption and key management systems costing hundreds of thousands of dollars, and either they did not feel they needed tokenization or they were unwilling to be perceived by upper management as “changing course” by recommending the removal of the data they had just spent all that money to protect.

Posted in security/fraud

8 Responses to “Opposition To Tokenization A Lot More Than Token”

  1. Steve Sommers Says:

    I read with interest your article “Opposition to Tokenization a Lot More Than Token.” You made some interesting points, all valid but all can also be countered. I’ll address them in order:

    1. Too much money already spent on encryption.

    This is very true, too much money has already been spent on encrypting card holder data (CHD). There is a common saying here in Vegas, “don’t throw good money after bad.” While this advice is for gamblers, I also think it applies here. Yes, there are many managers and directors that fear their reputation and job is on the line if they now switch to endorse a less expensive, and many times a significantly less expensive, alternative. But there are other factors to consider, risk being a big one. Under PCI and many of the various privacy laws, loss of an encrypted file that contains CHD, even without the decryption keys, is still considered a breach that must be reported because the data has the potential to be cracked and exposed. Tokens are not considered CHD so the same scenario would not be considered a breach and would not have to be reported.

    The weakest point with encryption is key management and this is an ongoing cost. Keeping keys safe turns into a catch-22 situation and many companies do not dedicate sufficient resources to this problem. Encrypted data needs a key. This key must be protected. The obvious solution is to encrypt the key. But now this new key needs to be protected. And so on, and so on – Key management solutions can help but in the end, somewhere the same weakness arises – and these key management solutions can be expensive. Throw in PCI 3.6.4 which requires annual key changes and rekeying (re-encryption) of the data, and the costs go higher.

    2. Applications managers won’t give up the data…use card number in many different places in their processes and application.

    Again, very true; but at what cost? If you look back at some of the latest breaches, CHD was not exposed from the POS. Ironically, it was exposed from risk management applications or the data in transit to these risk management applications. Tokenization can be used in these other processes and applications and would address both the data in transit problem as well as the data storage problem. I would argue that tokenization, or at a minimum, proper hashing should be required for these ancillary processes and applications and real CHD should not be allowed.

    3. Waiting for bank or db vendor…lack of confidence with current tokenization vendors.

    Waiting on your bank to offer this may be a long wait and if and when this does happen, the downside is that you would forever be locked into that bank. Having the database vendor do tokenization for you would not help ease your security burden – PCI wise, the database would be housing the CHD and to get the real benefit of tokenization, it needs to be hosted by a third party or at least a remote application.

    There are larger vendors offering tokenization. To me, this argument is more of a smoke screen hiding the fact that the merchant simply does not want to change. Depending on the application, tokenization may impact the merchant’s processes and this fear of change translates to lack of confidence.

    Whether or not my opinion on this is correct, this issue must be addressed and overcome. When we are speaking directly to a merchant, this issue can be overcome by showing all the advantages these changes will bring (cost and risk benefits) and giving references (in case our fear of change assumption is incorrect, and it really is a confidence issue).

    4. Tokenization is too new or unproven.

    This is a hard one to argue against because it’s hard to prove a negative. Have any breaches occurred where tokenization was used? Actually, let me rephrase that, has any token ever been used to expose data? I rephrased my question because technically, with most tokenization implementations, there is an exposure point prior to the token being issued. While I rephrased my question by narrowing the focus, to date no card data exposure has occurred in tokenized solutions using either question.

    Since negatives are hard to prove, I get around this argument by simply detailing tokenization and how it works to secure data. It usually does not take much to show someone how a completely random sequence of data is more secure than card numbers, encrypted or not. Add details on the difficulties of encryption key management and this argument usually dissolves.

    5. The tokenization vendor is a “single point of failure”…single point of attack.

    As to the single point of failure, I can only speak for Shift4 and simply point to our track record. This is a valid concern; evaluating vendors, uptime, resiliency, redundancy, as well as other factors must be part of a merchant’s criteria.

    As to the single point of attack, true but I would argue which is safer: using a single vendor that specializes in payments and security that is scanned and audited regularly; or having the data housed by thousands of merchant locations of varying degrees of security – from none to relatively strong? For the most part, the latter describes the current environment and breaches are making headlines almost daily – not to mention all the smaller breaches that don’t make the headlines.

    6. Tokenization pricing models are immature and too variable.

    Again, speaking only for Shift4. Our tokenization comes free with our services – no up’s, no extras, no increase when we added tokenization. In fact, we released tokenization to the public domain back in 2005 because we felt that this technology, if properly implemented, is such a benefit to the security of CHD that it should be freely available to everyone.

    In conclusion, you make very good points and all points that we (Shift4) have encountered ourselves. I just wanted to point out that all these obstacles can be overcome with the proper information and education.

    Steven M. Sommers
    Vice President Applications Development
    Shift4 Corporation – http://www.shift4.com

  2. David Taylor Says:

    Steven,
    Thanks a lot for the comments — I believe they are longer than the original column, which appears to be a new record.
    The tone of the comments is exactly right. When I was doing the interviews for the http://www.PCIKnowledgeBase.com, these are the types of resistance I encountered as I was saying positive things about tokenization, along the lines of what I said in my Feb 8th column.

    In order to move the market forward, we have to be able to address each of these objections factually.
    The PCI Knowledge Base was founded on the principle of the free exchange of knowledge and experience.

    Storefront Backtalk promotes these same ideas, and I’m encouraged to take a position, even a controversial one, in order to promote discussion. I only wish more folks would take the time to present the issues and the facts as you have done.
    Thanks, Dave Taylor
    Founder, PCI Knowledge Base
    David.Taylor@KnowPCI.com

  3. Steve Sommers Says:

    Dave,

    I knew that was what you were doing and your points are issues and concerns that we have already encountered. All the points are valid concerns for merchants, as they should be. I was just conveying how we counter the opposition. Keep doing what you do. I would rather have someone like you point out the various issues that can arise and address them than convey a grass is always green message. I equate the latter to a sales brochure.

  4. A Reader Says:

    As I’ve said before, tokens are much less secure than properly implemented public key based encryption.

    Assuming the tokens are generated based on the account number, such as with a cryptographic hash, then the tokens are subject to a simple dictionary attack. If an attacker can freely access the tokenization routine, all the attacker has to do is feed every possible account number into the tokenizer until a match pops out. The attacker does not have to know the technical details of the hash routine (SHA-1 vs SHA-256 or MD5), all they need is access to it.

    [ I’ve personally written such an attack against a tokenizer (that was SHA-1 based) and run it from my own desktop PC, and I recover whole account numbers in an average of four seconds. (I fixed a bug that previously kept it spinning for up to 40 seconds.) So I know first-hand that account numbers can be recovered from tokens. ]

    So instead of protecting secret keys, you now have to protect this secret tokenization algorithm, in every single place it exists — registers, PIN pads, kiosks, web servers, etc. If you were unaware of this attack, you might not even know that you should be protecting it.

    On the other hand, public key encryption is extremely secure, and key secrecy in the field is a non-issue. Public keys are intended to be distributed publicly — that’s the point. It’s the private keys that must be carefully held, but since they are used only at the decryption point they can be securely stored in a single, hardened, dedicated hardware decryption appliance (such as an Atalla box or an IBM mainframe with a cryptographic coprocessor.)

    Sure, there are still points to harden in the stores, and a PCI audit is still a useful tool. File Integrity Monitoring can help ensure that encryption routines are not tampered with, and that rogue software isn’t poking about where it shouldn’t. Constant patching of the operating system is needed to ensure that the encryption routines remain secure (the cryptographic PRNG is a critical component for security in a public-key protocol.)

    That said, encryption is very easy to get wrong, and neither encryption algorithm design nor encryption protocol design should be left in the hands of amateur cryptographers. Any security system like this should be subjected to a rigorous review by several unbiased professional cryptanalysts, and should be based on sound designs with long track records in the cryptographic field.

    I don’t mean to say that tokenization is not “better than nothing”. Obviously, recovery of the account numbers from tokens requires technical knowledge of the systems, and certain levels of access. But an insider could certainly figure this out, and without adequate monitoring and other mitigating controls they could be recovering accounts from tokens today.

  5. Steve Sommers Says:

    I agree that properly implemented public key encryption or PKI can be one of the best forms of encryption for card holder data (CHD) but there are two issues with this. To get the most benefit out of public key encryption in a point-of-sale (POS) environment, the POS cannot have access to the private key portion of the two keys. The problem is that many payment transaction requests to the banks and processors require two steps: an authorization step and a later settlement step. Both these steps require the CHD and therefore the POS would need access to the private key to decrypt the CHD to perform the second step. This negates the biggest advantage of PKI. The second issue is that PKI is probably the most expensive form of encryption to properly implement. By expensive, I’m not referring to licensing costs because there is free code and libraries available. Instead I’m referring to the infrastructure changes required to support the physical and logical separation of roles between the systems that house the public and private keys, database changes required to support storing the encrypted data, all the access controls required for the keys, the annual rekeying of the data if it is archived, PKI is much more CPU intensive than single key encryption techniques (Blowfish, AES, 3DES, etc.), etc. etc. Many of these costs are not PKI specific, but instead are costs associated with housing encrypted CHD.

    Now your whole argument is assuming the “token” = “hash” or “encrypted CHD” and that a hacker, if provided the tokenization algorithm, could de-hash (if that is a word) or decrypt the data. Being the inventor of the term “tokenization,” the definition you are using is incorrect. Shift4 invented the term tokenization, not the concept. The concept has been around long before PCI, CHD or even computers. A token is simply an object or in this case, a piece of data that symbolizes or is used to reference another piece of data – the CHD. A properly implemented token is not related in any way to the original data other than by reference. In law enforcement, case numbers are assigned to cases; most of the time these numbers are simply sequential numbers. The case number itself is a token. There is no way to decrypt the case number to determine the contents of the case. This is why I say we invented the term, not the concept.

    Now there are vendors out there that are applying the same definition you did to the term tokenization. Against these implementations, your argument is very valid. But in our minds, these are not tokenization, or at least not properly implemented tokenization solutions – these we classify as hashing or encryption solutions.

    Lastly, I’ll leave you with a challenge. Below are test card numbers and their associated tokens in my testing database. I urge you or anyone to devise an attack on the tokens that reveals the corresponding card number:

    AX 373400000000001 0001d7byvlgqmdzf
    AX 373400000000001 0001713nfgjb20yt
    AX 373400000000001 0001j4nr6pjb2js3
    MC 5400000000000005 0005sf9fmmjb2yr3
    MC 5400000000000005 0005hw29x2jb2j9z
    MC 5400000000000005 0005ylmsg9jb2xnt
    VS 4222222222222 2222dxdh61lvq68l
    VS 4222222222222 2222f9nk2llvq92x
    VS 4222222222222 2222y9wswygqm278

    If you can crack this, I’ll buy your algorithm because you would have figured out a way to predict both future and past random events – the implications of which would be mind blowing (not to mention a great money maker ;-).

    –Steve

  6. A Reader Says:

    First, I’d like to thank you for taking the time to respond. Without any knowledge of how a system or protocol works I always assume the worst (it doesn’t pay to be kind in security), and it’s good to see that yours appears to be carefully designed, and is not merely a simple hash.

    I’d like to rebut a few of your arguments against public key encryption, and then do a little analysis based on the data in your challenge.

    In a PKI environment, the POS store systems absolutely do not need the private decryption key to reside in the terminal or store. Decryption for authorization and settlement purposes occur only at the headquarters location in a single secured environment.

    Archived data should never need to be rekeyed (a dangerously unnecessary operation) unless there is a true breach. As a matter of fact, archived data is quite effectively end-of-lifed by destroying the private key held in the decryption engine, and in all backups of the decryption engine.

    Absolutely there are costs associated with securing the private key. But I also assume there are comparable costs associated with securing access to the tokenizer, and especially to validating and authorizing the retrieval of the account numbers when it comes time to authorize and settle the account. I assume there would be little functional difference from the way it would be accomplished in a private key decryption operation.

    Now, on to your challenge (the fun part! :-)

    Assuming that what I see is a list of unique tokens that each represent the same account number, then your tokenizer(TM) is doing a good thing — you are issuing unique tokens every time data comes in. You are preventing the attack I described, because you’ve not based your solution on a hash. I am gratified to see that.

    My attack is based on assuming a store local token generator, one that repeatably returns the same token for the same account number (i.e. a hash.) So, you pass that security test.

    A little analysis of your tokens’ structure reveals you are fitting them into a 16 character field. Assuming the first four characters represent the last four digits (a good idea), you are filling the remaining 12 characters with a 36 unique value character set (0-9 and a-z), which means you have space for unique numbers up to 36^12, or 18 numeric digits. Not much room in there for a salted hash, but there is room for encryption of up to a 19 digit PAN (omitting the Luhn check digit). By the way, I applaud your choice to exclude case, as case sensitivity requirements make humans much more error prone.

    I will note that without a locally available token generator, you cannot generate tokens when offline to your tokenizer, and therefore you must take some other action to protect the data in those circumstances. I do not have evidence to suggest how that might work in this environment. (As a plug, public key cryptography solves that problem nicely.)

    But how does the client obtain the token, and still have a recoverable account number for settlement? You must pass the real account number into the tokenizer at some point. Therefore I assume your tokenizer is a service operated at a central location, fronting a token generating database, and that the local tokenizing routine run at the terminals is a simple proxy to this service.

    And therefore, you must be transmitting the actual account number over the wire to the tokenizer — just as you would transmit the account number to perform an authorization. You’ve reduced the transmission of the account number from two times (auth and settlement) to one time (tokenization). But it’s still transmitted in a recoverable state to the central tokenizer.

    Therefore, your security is equal to that of your line security. I assume that you transmit over an encrypted line. (If you’re transmitting the account number in clear text to the tokenizer, that would be an Epic Failure to protect the data.)

    I’m basing the rest of this analysis on the assumption that you do not send the account number in the clear to the tokenizer.

    Your security now rests on the strength of the transmission encryption OR (not and) the strength of the security surrounding the token database. If either point is successfully attacked, account numbers can be recovered.

    Regarding transmission, there are three general ways you can protect the data: you can use TLS (by which I mean SSL or any flavor of public key encryption) with certificates, TLS without certificates, or secret key encryption.

    Since you’ve expressed concern over both certificate handling and the performance of public key cryptography, it makes me suspect you’re using secret key encryption to perform the transmission of the account number. And if you are using secret key encryption, the secret key must be available to (or embedded in) the token-sending-proxy. That can be recovered by an attacker who gains access to the machine or disk image.

    If you are using TLS without certificates, your tokenization is subject to a man-in-the-middle interception attack. It’s not particularly easy for a layman to do, but it’s certainly not difficult. And it can be done without access to the POS terminal at all.

    Lastly, if you’re using TLS with certificates, congratulations, you’re using PKI.

    So in the final analysis, it appears to me that your security rests on encryption technology. Yes, it’s transient; yes, it’s a one-time shot; and yes, the data storage is as secure as your token database. But your solution can not escape the reality of securing the data in flight any more than any other encryption solution. Plus it introduces the still unknown (unpublished?) security of your token database.

    Now, if I’ve made any incorrect assumptions, please let me know. Without seeing the architecture and the interfaces to each system, I can only make educated guesses, but I could certainly be wrong at many, many points in the above analysis.

    Lest you leave thinking I’m entirely negative, there are other factors working in your favor, and I’d like to reiterate those for anybody else still reading at this point. The most important is that your solution appears to be technically “available” to a typical retailer looking to purchase a solution. As this discussion illustrates, engineering a secure solution is not easy, and therefore it is expensive.

    I also assume that you’ve done the “hard work” of securing access to your centralized tokenizing equipment, providing retailers with not only the hardware but a simple to follow script of “type this here, put this smart card here, type this there, and now you’re secure”. Simple instructions that lead to 99% protection are much more effective in the real world at securing most data than a theoretically secure solution that requires an army of professional cryptographers to implement.

  7. Steve Sommers Says:

    Wow, I rarely come across posters that can keep up with me in text length and put as much thought as you have in what they type – want a job? I’ll try my best to summarize your points prior to my response so other readers don’t have to jump back and forth (too much).

    WARNING: Much of the detail that follows describes the Shift4 implementation of tokenization. Because of this, it may come across as a sales pitch. This is not my intent; it just happens to be the implementation that I am most familiar with and the only one I can speak on with any authority.

    PKI decryption/centrally located secure environment at headquarters – I was not assuming that you were talking about this level of a merchant. I usually gear my arguments for all merchants but especially level 4 merchants because they are the ones feeling the most pain. Many merchants that we target do not have the resources or the expertise to create the secure centrally secured CHD environment so I was assuming that all the work was being done at the POS. We released the tokenization concept to the public domain so merchants and others could do their own HQ type payment environment but for many merchants, outsourcing this central system is much less expensive.

    Archive/rekeying – Destroying the key is a compliant and effective way to force an end-of-life on the data. But PCI 3.6.4 requires annual rekeying of the data as long as it still lives or is accessible. In our system it is 2 years. I’ve heard some merchants require up to 7 years. IMHO, this rekeying requirement in PCI adds more security problems than it solves. I understand what they are trying to address but there are much better ways to accomplish the same goal – but that’s another topic. But since this requirement exists, it must be addressed either by shortening the life of the data to under 12 months, rekeying the data or some other compensating control. Tokens (at least outsourced tokens) do not have this issue.

    Tokenization costs vs. PKI costs – When I refer to costs, I am talking about merchants using our outsourced gateway solution. Assuming that there is a PKI outsourced gateway equivalent (which I’m not aware of), the cost difference is in the modifications required for the POS to handle the token or PKI encrypted data. As you noted further down, our token is alphanumeric and fits within 16 bytes, which just happens to be the length of most existing card numbers and the same length most POS applications have reserved to store CHD. On the other hand with PKI, I’m not sure if it is possible to fit the encrypted data in the same POS database size limitations.

    Token format? – Our token is comprised of the last four digits of the card number followed by twelve bytes of random alpha data. In reality, the “random” data boils down to nothing more than a sequential number run through a big prime number calculation simply to produce pseudo-random looking results. Security wise, 2222idkdhjgeesqm followed by 2222japposidmdss is no more or less secure than if we returned 2222aaaaaaaaaaaa followed by 2222aaaaaaaaaaab. Like in my analogy, we think of a token as a case number that references CHD. The pseudo-random looking token is used to impress and make it look challenging to decipher. What I described here is our implementation of token assignment. Our public domain release of tokenization did not describe this level so other merchant and vendor implementations will differ.

    Local token generation – Very good catch; many don’t catch this! During normal online conditions, our data center assigns the tokens and these are passed back to the POS. During offline conditions, our UTG (which I describe as a proprietary VPN end-point on steroids) has the ability to generate local tokens and store these tokens with the associated CHD in an offline database using PKI. Once online conditions are restored, the offline file is transmitted to our data center and the local file is deleted. The local offline storage file is using PKI but it’s transparent to the merchant and the POS (provided the POS already supports our API and tokenization).

    Obtain token for settlement – With our API, the CHD is never returned back to the POS. Instead, the POS should use the token as the CHD. When the POS performs the settlement, they send us the token. Behind the scenes, we access the original CHD using the token and send it off to the bank or processor. When you design or compare tokenization solutions, this is a key point to consider. IMHO, CHD should never be returned to the POS or any application you are trying to protect using tokenization. Doing so simply opens up a hole that can negate all the benefits of tokenization.

    Encryption and Data pipe security (TLS) – As a rule of thumb, almost all our encryption pipes use a hybrid model where we use PKI for the initial handshake and then a shared secret using a DUKPT like model (derived unique key per transaction). The PKI handshake is used to pass a dynamically assigned random key page for the DUKPT session.

    Man-in-the-middle attack – We use various levels of authentication to prevent this which includes our own certificate signing, locking down access to specific IP addresses, locking down access to specific MAC addresses, and more stuff that is beyond my expertise.

    To everyone, again, I’m sorry if this sounds like a sales pitch; it’s not the intent. I’m arguing the advantages of tokenization vs. a PKI only solution for handling CHD. At this level the only way I can think to convey the advantages is to give details and for this I have to stick to what I know most intimately. Hopefully you can equate how Shift4 accomplishes tokenization to how to properly implement tokenization with or without Shift4 in the mix (obviously I’m hoping in the mix ;-).
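The two token designs argued over in the thread above, the deterministic hash the Reader warned about in comment 4 and the reference-style token of four trailing digits plus twelve random base36 characters described in comments 6 and 7, as an added example in Go. This is not code from the original thread or from Shift4; the vault, the processor callback and all names are assumptions of the example. It shows why a hash token is confirmable by anyone who can run the routine (equal input, equal output), while a vault token carries no information about the PAN, differs on every issue, and never returns the PAN to the point of sale at settlement.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

const base36 = "0123456789abcdefghijklmnopqrstuvwxyz"

// HashToken models the design criticised in comment 4: a plain hash of the PAN.
// Equal inputs give equal outputs, so anyone who can run the routine can confirm a
// guessed account number without ever touching a vault (assumed illustration).
func HashToken(pan string) string {
	sum := sha256.Sum256([]byte(pan))
	return hex.EncodeToString(sum[:])
}

// TokenVault models a reference-style tokenizer (assumed design, not Shift4's code):
// the token is a random reference, and the PAN exists only inside the vault.
type TokenVault struct {
	store map[string]string // token -> PAN, held on the vault side only
}

func NewTokenVault() *TokenVault { return &TokenVault{store: map[string]string{}} }

// TokenSpace is the number of distinct 12-character base36 bodies, 36^12.
func TokenSpace() *big.Int {
	return new(big.Int).Exp(big.NewInt(36), big.NewInt(12), nil)
}

// randomBase36 draws n characters from a CSPRNG; nothing here depends on the PAN.
func randomBase36(n int) (string, error) {
	var sb strings.Builder
	limit := big.NewInt(int64(len(base36)))
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		sb.WriteByte(base36[idx.Int64()])
	}
	return sb.String(), nil
}

// Tokenize issues a fresh token on every call, even for a PAN already stored,
// so two tokens for one card cannot be linked without the vault.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", errors.New("PAN length out of range")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return "", errors.New("PAN must be numeric")
		}
	}
	for {
		body, err := randomBase36(12)
		if err != nil {
			return "", err
		}
		tok := pan[len(pan)-4:] + body // last four digits kept for receipts and lookups
		if _, taken := v.store[tok]; !taken {
			v.store[tok] = pan
			return tok, nil
		}
	}
}

// Settle is the only path that touches the PAN. It hands the PAN to the processor
// callback and returns just the processor's answer, never the PAN itself.
func (v *TokenVault) Settle(token string, processor func(pan string) string) (string, error) {
	pan, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return processor(pan), nil
}

// IsWellFormedToken checks the 4 digits + 12 base36 characters layout.
func IsWellFormedToken(tok string) bool {
	if len(tok) != 16 {
		return false
	}
	for i, c := range tok {
		if i < 4 && (c < '0' || c > '9') {
			return false
		}
		if !strings.ContainsRune(base36, c) {
			return false
		}
	}
	return true
}

func main() {
	pan := "4222222222222" // test number quoted in the thread
	fmt.Println("hash token repeats:", HashToken(pan) == HashToken(pan))
	v := NewTokenVault()
	t1, _ := v.Tokenize(pan)
	t2, _ := v.Tokenize(pan)
	fmt.Println(t1, t2, "distinct:", t1 != t2)
	resp, _ := v.Settle(t1, func(p string) string { return "approved ****" + p[len(p)-4:] })
	fmt.Println(resp)
}
```

The capacity check in `TokenSpace` is the Reader's arithmetic from comment 6: 36^12 lies between 10^18 and 10^19, so the twelve-character body has room for any 18-digit number, but that room is irrelevant to a vault token, whose body is drawn at random rather than derived from the PAN.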

  8. A Reader Says:

    Again, I appreciate your reply, and I’d like to say I’m impressed by your solution.

    Regarding 3.6.4, it certainly does NOT say that you must re-encrypt the data. (We all know that’s a security loophole a mile wide.) It says “Periodic changing of keys — at least annually”, which means you must change *encryption* keys at least annually. By cycling a different public key through on a periodic basis, a PKI system is compliant. The encrypted data can remain safely encrypted with the old key for its lifetime. Merchants are merely prohibited from adding new data with the old key after one year. Of course, if you were encrypting the data with a secret key algorithm such as AES and used only one key for all encryptions and decryptions without benefit of a key identifier, you would be unable to change the encryption key without re-encrypting the data itself. That way lies madness.

    And regarding encrypted CHD size, you’re correct that a PKI solution produces a larger data block — much larger, in fact. A two-phased encryption, such as PGP uses, requires the generation of a random session key used in a traditional symmetric key encryption of the data like 3DES or AES, plus the encryption of the session key via DH, RSA or other public key algorithm. The encrypted data can be encoded to fit in its original size, but the encrypted session key will be at least 1024 bits (128 bytes) long, and you’d be wise to use a 2048 bit (256 byte) key. In order to decrypt it, you’ll want to add a public key identifier so you can find the right decryption key. It easily amounts to over 300 bytes per account number for a very simple solution. And you’re absolutely correct in assuming that does not fit into existing retailer databases very well.

    I’m glad you took the time to describe Shift4 in greater detail. As I mentioned before, without disclosure of the mechanisms there is no way to trust a simplistic description, and in the vacuum of facts I had made some incorrect assumptions. I feel much more comfortable about the Shift4 algorithm now.

    As you’ve already figured out, I’m associated with a firm larger than a level 4 merchant, so I’m not looking for a job right now :-) We have already implemented a compliant PKI-based solution, so we’re not shopping for a different tokenizing system at this time. But I’ll keep this in the back of my mind. Thanks again!
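The key-rotation argument in the last comment (a key identifier stored with each record lets the public key change annually while older records stay decryptable under their original private key, and destroying a private key end-of-lifes everything wrapped under it, as comment 6 noted), together with its size estimate for a two-phase PGP-style envelope, as an added example in Go. This is not code from the thread or from either participant's system; the envelope layout, the key IDs and the `DecryptionEngine` type are assumptions of the example. It wraps a random AES-GCM session key with RSA-OAEP and selects the private key by the ID carried in the record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const oaepLabel = "pan-session-key"

// Envelope is the stored record for one encrypted account number (assumed layout).
type Envelope struct {
	KeyID      string // names the key pair that wrapped the session key
	WrappedKey []byte // RSA-OAEP ciphertext of the AES session key: 256 bytes with RSA-2048
	Nonce      []byte // AES-GCM nonce, 12 bytes
	Ciphertext []byte // AES-GCM output: PAN length plus a 16-byte tag
}

// Size is the storage cost of one record, the figure the comment puts at over 300 bytes.
func (e *Envelope) Size() int {
	return len(e.KeyID) + len(e.WrappedKey) + len(e.Nonce) + len(e.Ciphertext)
}

// DecryptionEngine stands in for the single hardened decryption point: the only holder
// of private keys, indexed by key ID, and the place that knows which key new data uses.
type DecryptionEngine struct {
	keys    map[string]*rsa.PrivateKey
	current string
}

func NewDecryptionEngine(keyID string, bits int) (*DecryptionEngine, error) {
	e := &DecryptionEngine{keys: map[string]*rsa.PrivateKey{}}
	return e, e.Rotate(keyID, bits)
}

// Rotate adds a key pair and makes it current for new data. Older private keys stay,
// so records wrapped under them remain readable without any re-encryption.
func (e *DecryptionEngine) Rotate(keyID string, bits int) error {
	if _, exists := e.keys[keyID]; exists { return errors.New("key id already in use") }
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return err }
	e.keys[keyID], e.current = priv, keyID
	return nil
}

// CurrentPublicKey is what the stores receive; it carries no secret.
func (e *DecryptionEngine) CurrentPublicKey() (string, *rsa.PublicKey) {
	return e.current, &e.keys[e.current].PublicKey
}

// Destroy deletes a private key, which end-of-lifes every record wrapped under it.
func (e *DecryptionEngine) Destroy(keyID string) { delete(e.keys, keyID) }

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt runs on the store side with only a public key: a fresh AES session key
// protects the PAN, and RSA-OAEP wraps that session key for the named key pair.
func Encrypt(keyID string, pub *rsa.PublicKey, pan string) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil { return nil, err }
	gcm, err := aead(sessionKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(keyID)) // key ID bound as associated data
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, []byte(oaepLabel))
	if err != nil { return nil, err }
	return &Envelope{KeyID: keyID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt selects the private key named in the record; an unknown or destroyed key fails closed.
func (e *DecryptionEngine) Decrypt(env *Envelope) (string, error) {
	priv, ok := e.keys[env.KeyID]
	if !ok { return "", errors.New("no private key for key id " + env.KeyID) }
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, []byte(oaepLabel))
	if err != nil { return "", err }
	gcm, err := aead(sessionKey)
	if err != nil { return "", err }
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
	if err != nil { return "", err }
	return string(pt), nil
}

func main() {
	engine, err := NewDecryptionEngine("key-2008-a", 2048)
	if err != nil { panic(err) }
	id, pub := engine.CurrentPublicKey()
	old, _ := Encrypt(id, pub, "5400000000000005") // test number quoted in the thread
	_ = engine.Rotate("key-2009-a", 2048)            // the annual key change: no re-encryption needed
	pan, err := engine.Decrypt(old)
	fmt.Println(pan, err, old.Size(), "bytes per record")
}
```

With a 16-digit PAN and a ten-character key ID the record comes to 310 bytes, of which 256 are the wrapped session key, which is the size problem the last comment concedes for existing retailer databases. Binding the key ID into the AEAD's associated data means a record whose ID field has been altered fails to decrypt rather than being tried against the wrong key.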

Leave a Reply

Search Through Blog Blurbs
Search Through All Stories
Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly newsletter, with urgent bulletins as news merits.
StorefrontBacktalk will never sell your E-mail address to anyone at anytime.
Evan Schuman is the former retail technology editor for eWEEK.com, PCMagazine, CIOInsight and retail reporter for RISNews and Consumer Goods Technology. Having covered IT issues for 21 years - and other stuff like legal affairs, politics, Wall Street and the environment for about eight years before that - Schuman is in a good position to gripe about technology trends and sometimes accidentally make a good point.
An Ocean Apart: Why A U.K. Retailer Handled A Site Glitch So Differently
When an order processing snafu shut down the delivery operations of one of the U.K.'s largest grocery chains, the $38 billion retailer acted starkly different than the typical U.S. retailer. The London-based 823-store Sainsbury's grocery chain immediately issued almost a half-million dollars' worth of vouchers.
Are App Dev Backlogs Inevitable Or Warning Signs?
A new Retail Systems Research report is challenging the way retail IT looks at application development backlogs. The report is based on a survey showing that some 79 percent of retailers have appdev backlogs of at least a year, with one-fifth of those hitting delays of more than two years.
China's Online Market Stronger Than Most Analysts Think
The conventional wisdom has held that China is not likely to embrace E-Commerce, because of the Chinese aversion to credit payments and fears of piracy and poor quality products. But a Forbes story this week makes a powerful argument that E-Commerce—and a credit-card lifestyle in general—will be coming to China very soon and in a big way.
Medical Study Raises New RFID Fears
Although the question of RFID safety has been debated extensively over the years, with conflicting study results, a major new medical study released this week points to very specific electromagnetic dangers within nine inches of the transmitter.
Report: SMS Does Not Handle Volume Well At All
In one of the first wide-scale studies of SMS' capability to hold up under volume pressure, the technology fared "surprisingly" poorly, according to Keynote Systems. This has particular significance for retailers, who are exploring the technology's use for mobile communications connecting to both online and in-store.
Will Voice Prints Work For Payment Authorization?
A U.K. company is pushing retailers to use voice-recognition to authenticate purchases over the phone and online. The Voice Commerce Group's Voice Transact package has consumers call the service, quote a pre-arranged product code and then a series of digits dictated by the automated system.
Federal Appellate Panel Backs Circuit City In Gift Card Patent Case
A federal appellate court backed a group of retailers Monday (June 23)—including Best Buy, Circuit City, Costco and Lowe's—by ruling that their gift card systems do not violate any patents.
PCI Compliance: Who's Re-Minding The Store?
Internal audit is not staffed to enforce PCI at the store level, argues GuestView Columnist David Taylor. Except for about a dozen leading retailers, most retailers do not have enough IT-skilled internal auditors to meet the requirement for a "continuous" review of store-level IT security.
Wal-Mart Proving That Green Can Indeed Mean Something
Wal-Mart and a handful of others have been trying to do green the right way, with policies that will have a significant environmental impact and that also improve operations.
Oracle's Challenge: Legacy Mindset Goes Far Beyond Legacy Apps
When Oracle finally introduced its Retail 13 integrated suite this week, after three years of acquisition and integration, the teams working for the world's largest enterprise software vendor might have breathed a sigh of relief.
Oracle 13: Swiss-Cheese Integration?
After three years of acquisition and integration, Tuesday (June 17) saw the official launch of Oracle's Retail Release 13, consisting of some 33 retail applications, only four of which were new. The rollout was billed by Oracle as the be-all and end-all of end-to-end integrated retail application suites, but some analysts said the integration was lacking.
Netherland Supermarket Chain Trying Biometric Payment
Are European retailers going to have any better luck than American retailers with consumer-facing biometric payments? The 750-store Albert Heijn supermarket chain, the largest such chain in the Netherlands, is about to find out.
E-Commerce Getting A Bit More Respect
The Moodys Investor Service has upgraded how important a retailer's E-Commerce activity is when assessing that retailer's overall economic health. Although this isn't a radical change for the financial firm—and the thought that E-Commerce is important is hardly surprising—it's one of several recent moves suggesting that the young teen-age Web is starting to be taken a wee bit more seriously.
Report: Self-Service To Top $1.7 Trillion By 2012
North American self-service transactions will process $607 billion this year, a figure that is projected to soar to $1.7 trillion by 2012, according to report published Wednesday (June 18) by the IHL Group. When IHL began work on the report, "I did not expect the acceleration that we're seeing in the out years," said IHL President Greg Buzek. "I did not expect how fast it's growing."
Bank Breach Hits ATMs, No Retailer At Fault This Time
One of the repeated arguments made in retail data security circles is that retailers tend to have much weaker security because it's not as much of a cultural priority as it is in, for example, banking. So it's a little bit consoling that the latest ATM data breach is apparently not the result of a retail breach, nor the result of social engineering and a trusting bank clerk, but is the first proven incident of a bank server breach linked to ATM fraud.
Re-Thinking Payment Gateways
A surprisingly large number of major retailers today are using inhouse or outsourced payment gateways to reduce the scope of their compliance effort as well as their costs. At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what's changed?
Federal Judge Rejects Ameritrade Settlement
One day after lawyers presented a proposed settlement in the Ameritrade 6.2 million-customer data breach, a U.S. federal court judge tentatively rejected the settlement (on June 13), questioning the value of the deal for the consumer victims and the size of the $1.87 million attorneys' fees.
New Security Reports: Beware Of Your Partners
A pair of unrelated reports out this week are challenging several fundamental IT security assumptions, including that data breach laws will reduce consumer losses and that insiders account for more thefts than external evil-doers.
The Rodney Dangerfield Of Security Controls
GuestView Columnist David Taylor thinks of logging and envisions Rodney Dangerfield. "Whether we're talking about logs generated by network or application firewalls, intrusion detection systems, file integrity monitor tools or the operating systems themselves, I've come to the conclusion that the only people who don't hate them are the vendors who sell them."
In Time For Friday The 13th, Oracle To Roll Out Oracle Retail 13
Just in time for Friday the 13th, Oracle is finally ready to unveil Oracle Retail V 13, with a formal rollout slated for Tuesday (June 17). Oracle's main retail suite is not expected to undergo any radical changes (even the name change is expected to be slight); it's mostly claims of better integration and interoperability.
European E-Tailers Faring Well
E-tailers in continental Europe are just now starting to get hit by slower growth, but they are still shining much more brightly than their U.S. counterparts, according to new figures from eMarketer.
Secrecy Shouldn't Be Convenient
Two incidents this week show how much less respect is paid to the online consumer than the brick-and-mortar one. Does the inherent anonymity in the Web cut both ways? Like the site visitors emboldened by their namelessness who post comments and get into flame wars that they would never have the nerve to try in person, are E-tailers treating their customers with a disrespect that they would never dare consider in a physical store?
Settlement Proposed In Ameritrade's Data Breach Lawsuit
After admitting it had security holes that allowed a security breach of more than 6.2 million customers, attorneys for TD Ameritrade this week agreed to a settlement of a class action lawsuit. The 74-page settlement outlined several efforts by Ameritrade, but it did not include any cash payments to the consumers who sued the company.
Amazon.com Crashes Again On Monday
For the second consecutive workday, Amazon.com suffered a major crash on Monday (June 9), with the increasingly unlikely scenarios explaining why the historically robust site is failing.
Amazon Crashes Friday, Site Complexity Blamed
E-Commerce leader Amazon.com completely crashed for almost three hours on Friday afternoon (June 6), with one Web site performance tracking firm attributing the crash to excessive site complexity.
Best Buy's Spanish E-Commerce Discoveries
When Best Buy launched a Spanish version of its site last fall (2007), E-Commerce officials quickly noticed unexpected activity, such as customers spending twice as much time on the Spanish site.
Starbucks' Wi-Fi Cup Runneth Over
Note to retailers looking to offer free Wi-Fi: It's a good idea to first make sure you can make the offer. Starbucks discovered that an offer of two hours of free Wi-Fi a day simply wasn't working. "Due to overwhelming interest in Card Rewards we are currently experiencing difficulty accessing Starbucks Card accounts. We are working to fix the problem and ask that you please try again later," said a page shown to site visitors.
Meijer Testing Intersection Between Digital Coupons, Shopping Lists And Calendars
The Meijer department store chain—with 182 stores in Michigan, Ohio, Indiana, Illinois and Kentucky—is getting creative with its Web site, food recipes and online coupons.
Is The E-Commerce State Tax Strategy The Right One?
New York State has started pushing to collect sales tax from e-tailers that have no physical presence in the state, prompting Amazon and Overstock to fight back. But all e-tailers are hoping against the odds that other states don't pull the same revenue-generating attempt. If New York gets legal greenlights, several more states will quickly mimic its efforts, leading to a flood of almost every state within two years.
Mobile Madness: What Really Constitutes A Mobile-Friendly Site?
Welcome to E-Commerce Semantics 101. Your philosophical question for the day: When is a site truly mobile-friendly? Mobile commerce today is in that familiar classic battle of Chicken.com versus Egg.com: Retailers know the mobile users are out there, but they also know that few are trying to use the devices for making purchases.
Most U.S. Sites Fail Performance Tests
The worst performance grades were given to Foxnews.com, IGN.com, Gamespot.com, CNN.com, Break.com and ESPN.go.com. The best performance grades were given to Google.com, Live.com, Orkut.com and Craigslist.org.
Security Lessons From Higher Education
GuestView Columnist David Taylor asks: What would you do if one of your employees decided to leverage your brand and set up a little side business inside your store, including selling products via an E-Commerce Web site, setting up a merchant bank account and taking credit cards? You'd probably fire the person, right? But, what if you couldn't?
Why Wal-Mart's $2/Pallet Non-RFID Penalty Isn't Going To Work
Computerworld columnist Frank Hayes has a wonderful column out about why the Wal-Mart RFID effort is still having problems. Hayes makes a great point about how Wal-Mart's $2 per pallet non-RFID penalty reflects a lack of understanding of why suppliers have resisted RFID tagging.
Gap Merges The E-Commerce Backend Of Its Four Brands
Shoppers at Gap.com will now be able to use a single shopping cart and consolidate shipping at any of the chain's four brands, the Gap announced on Tuesday (May 27). But the change for The Gap, Banana Republic, Old Navy and PiperLime is delicate, as the company still wants those brands to maintain their distinct personalities. Those conflicting goals give the new site a bit of a Jekyll-and-Hyde feel.
Borders' New Site: You Can't Always Tell A Book By Its IP Address
Borders this week officially stepped out of the shadow of Amazon and re-launched Borders.com, with an effort that scores points for creativity. The physical side of Borders (as in brick-and-mortar as opposed to Olivia Newton-John) has been trying to arrange its bookshelves to display more of the covers.
Much FACTA Legal Activity This Week, All In Retail's Favor
Retailers worrying about the legal threats associated with the Fair and Accurate Credit Transactions Act (FACTA), in particular the rule that a printed receipt may show no more than the last five digits of the payment card number and may not show the expiration date, can rest a lot easier this week. That's thanks to a ruling on Wednesday (May 28) from a federal judge and the passage of a bill this week softening the law.
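What that FACTA truncation rule looks like at the point where a receipt line is actually rendered, as an added example (not code from StorefrontBacktalk or from any retailer or vendor named on this page): the four-visible-digit policy, the Luhn pre-check and the receipt format are this example's own assumptions, and the sample card number is a constructed test value.

```python
"""Receipt-line PAN masking: print no more than the last five digits of the
card number and never the expiration date.  Added example; the policy value,
the Luhn check and the receipt layout are assumptions, not a retailer's code."""
import re

# FACTA allows up to the last five digits; most receipts show four.
# Assumed policy value for this example.
MAX_VISIBLE_DIGITS = 4


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that payment card numbers satisfy; catches typos, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip separators a terminal or web form may have inserted and reject
    anything that is not plausibly a card number."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("not a card number")
    if not luhn_ok(pan):
        raise ValueError("failed Luhn check")
    return pan


def is_valid_pan(raw: str) -> bool:
    """Boolean wrapper around normalize_pan for callers that only need yes/no."""
    try:
        normalize_pan(raw)
        return True
    except ValueError:
        return False


def mask_pan(raw: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Return the PAN with everything but the last `visible` digits masked.
    `visible` is capped at five so a misconfiguration cannot exceed the limit."""
    pan = normalize_pan(raw)
    visible = max(0, min(visible, 5))
    return "*" * (len(pan) - visible) + pan[-visible:] if visible else "*" * len(pan)


def receipt_line(raw_pan: str, expiry: str, amount_cents: int) -> str:
    """Build the payment line of a receipt.  `expiry` arrives because the
    authorization record carries it, but it is deliberately never printed."""
    del expiry  # present in the auth record; must not reach the printer
    return f"CARD {mask_pan(raw_pan)}  AMOUNT ${amount_cents / 100:.2f}"


def receipt_is_compliant(line: str) -> bool:
    """Check an already-rendered receipt line: no run of six or more digits
    (more than five card digits) and no MM/YY expiry token."""
    if re.search(r"\d{6,}", line):
        return False
    if re.search(r"\b(0[1-9]|1[0-2])/\d{2}\b", line):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test number, not a real card.
    print(receipt_line("4111 1111 1111 1111", "12/29", 4200))
```

`receipt_is_compliant` is the check to run over rendered output in a unit test or on a sample of printed receipts, since the masking function alone cannot catch a second code path (a void slip, an e-mailed copy) that prints the full PAN.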
Metro Using RFID To Track Meat Freshness
Germany's METRO Group is experimenting with RFID inserts to track meat and to immediately locate any product that is about to expire or that has expired. METRO is placing the inlays into the foam meat packing trays used in their Future Store.
Barnes & Noble Launches Its Mobile Site
Barnes & Noble on Wednesday (May 28) launched its mobile E-Commerce site, which is pretty much a super-slimmed down version of its regular site. B&N Mobile includes search, store-finder, book availability and order tracking. It's not an especially sophisticated site, but it puts the world's largest physical world bookstore on a very short list of major e-tailers who have bothered to design a version of their site for the cellphone.
Martha Stewart's New Web Strategy: Do As Little As Possible
Like many ex-cons, when Martha Stewart got out of prison, she had a different outlook on life. So she's going to relaunch her E-Commerce site. But this time, she'll try and do it right by doing as little as possible.
E-Commerce: What Goes Up Must Come Down
New E-Commerce figures from eMarketer show continued growth over the next several years, but the rate of growth will quickly drop. The firm reported, for example, that last year's E-Commerce sales hit $127.7 billion, a figure that it is projecting to steadily rise to hit $218.4 billion in four years.
Fear Of Addition A Key Cause Of Abandoned Shopping Carts
About 36 percent of all E-Commerce shoppers who abandon their shopping cart did so because the purchase total was a lot more than they had expected. That's one takeaway from an April PayPal survey of U.S. e-tail consumers.
Blockbuster Testing Movie-To-Device In-Store Downloads
The Blockbuster movie-download kiosks—slated to start their trial in June—will download movies directly into consumer-owned portable devices in about two minutes, according to a demo at the company's shareholder meeting Wednesday (May 28).
MasterCard To Trial NFC In Canada This Summer
MasterCard Canada this summer will start a 4-month NFC-phone trial, with the backing of some of Canada's largest retailers, including Loblaw, Petro Canada, Tim Hortons', Pioneer Petroleum, Rabba Foods, a major NHL arena and McDonalds.
Wal-Mart Outgrows Its Homegrown Financial System
At $388 billion in annual revenue, handling Wal-Mart's ERP financial application is nothing if not challenging. But when Wal-Mart last year turned to SAP to take over many of the financial functions that the chain had been handling with in-house software, it was a concession that it can't push its homegrown apps as far as it used to.
Delays Making Web App Weaknesses Worse
GuestView Columnist David Taylor believes that Web application vulnerabilities make up more than 60 percent of all software vulnerabilities. "They are so well known that the Open Web Application Security Project (OWASP) has published a list of these vulnerabilities. They are so easy to exploit that even the most junior hackers can find lists of popular Web application hacks and use them to break into your Web store."
The Lesson Never Learned: Blank Server Passwords At TJX
Much has been made recently of TJX firing a store employee who posted public comments about weak security procedures that still exist at the retail chain that was the site of the worst data breach in credit-card history.
Amazon To Offer Streaming Videos
Amazon is preparing to expand its entertainment offerings, with a planned streaming video launch "in the next few weeks," according to a speech given Wednesday (May 28) by Amazon CEO Jeff Bezos.
PriceChopper Using CRM To Alert Customers To Recalls
A handful of grocery chains—including PriceChopper and Wegmans—have started using CRM data to alert customers to product recalls, an encouraging move to convince consumers that loyalty cards can be used to help them beyond taking 10 cents off a gallon of milk.
Macy's To Merge A Kiosk With A Vending Machine
What do you get when you merge a kiosk with a vending machine? I'm not sure. But whatever it is, Macy's is putting it into some 392 stores right away, the chain announced May 22. That represents almost half of the chain's 800 stores.
The Self-Checkout Future: Customized, Faster And More Dangerous
Jane's contactless loyalty card is detected as the Des Moines attorney approaches the self-checkout. The system knows her shopping history and anticipates that she likely has a dozen kiwis in her cart. So when she places the barcode-less fruit on the scale, the first fruit it displays in its list is kiwi, followed by the four fruits and vegetables that Jane typically buys.
The Battle: Nordstrom Customer Service Vs. Buy-Online-Pick-Up-In-Store
Nordstrom on Tuesday (May 20) said they would support buy-online-pick-up-in-store for the first time. This e-commerce cross-channel classic has been popular for several years, but Nordstrom--with its stronger than average commitment to customer service--has resisted until now.
Can Microsoft Make Search-Engine-Specific Pricing Work?
Microsoft's announcement this week that it would offer rebates for purchases made through its search engine is shaking the E-Commerce world. But the very lengthy list of gotchas—including making consumers wait potentially 11 weeks after purchases before seeing the rebate checks—is raising questions about whether this approach will work.
Checkpoint Chooses Cheesy Chore
The grocery challenge with the theft of moist, fresh products—such as cheese—has frustrated retail loss prevention managers because such products tend to react poorly with EAS tags. Checkpoint and Sealed Air Cryovac announced Wednesday (May 21) one possible way around this issue.
GuestView: Most Retailers Are Holding Off Server Virtualization. That's A Bad Idea
More than 75 percent of enterprises are holding off on deploying server virtualization in the cardholder environment until the PCI Security Standards Council clarifies its stance on virtualization, which they hope will come in the October 2008 release of the 1.2 version of the standards. That is a mistake.
Search Engine Shopping Is Causing More Abandoned Shopping Carts
As more consumers use search engines to find products filtered by a single attribute—such as price—shopping cart abandonment rates are increasing, according to E-Commerce vendor MarketLive, which tracks such matters.
Kimberly-Clark Tries To Replicate Retail Trials With Virtual Reality
Using virtual reality, $18 billion consumer goods giant Kimberly-Clark is creating virtual depictions of stores, shelves, products and displays—even sounds and smells people encounter while shopping—to enhance traditional means of research.
Mervyns Decides The Web Might Be More Than A Fad
The 59-year-old Mervyns department store chain, with 177 stores in seven states and about $2.5 billion in annual revenue, certainly can't be accused of rushing into technological fads. On Tuesday (May 20), some 15 years after the World Wide Web launched, Mervyns announced that it would launch an E-Commerce site sometime "in the fourth quarter of 2008."
Some British Retailers Secretly Tracking Customers, Using Their Cellphone's Transmissions
A pair of British shopping centers is experimenting with a creative way to leverage consumer cellphones. The consumers are being surreptitiously tracked by the signals emitted by all mobile devices and a database notes when consumers "enter a shopping centre, what stores they visit, how long they remain there and what route they take as they walked around."
Nilson: Payment Card Retail Purchases Increased More Than $201 Billion Last Year
Although this doesn't shed any light on this year's recession, American consumers were certainly spending-friendly last year, having spent with retailers $201 billion more last year than the year before.
Napster's MP3 Move Part Of Trend: Entertain Them Now, Sell 'Em The Big Stuff Later
To use a chess analogy, many e-tailers today see the strength of their multimedia entertainment offerings as akin to controlling the center of the board. On top of recent moves by Sears, Blockbuster and Netflix, Napster on Tuesday (May 20) announced what it dubbed the world's largest music download site, with some 6 million selections.
Will Sears' More Intensive Online Strategy Be Enough?
Facing a much tighter financial picture (the latest quarterly report saw comparable net income almost cut in half), Sears has turned to online operations as its best hope for better margins.
Report: RFID Market To Hit $9.7 Billion By 2013
The RFID market has a healthy future, looking at a 15 percent compound annual growth rate over the next five years, hitting $9.7 billion by 2013, according to a report issued Tuesday (May 20) by ABI Research.
BestBuy's Site Recommends Windows-Only Software For Linux Laptop
A tech blogger noticed something strange when trying to purchase a Linux laptop on BestBuy.com. The system's automatic recommendations for that Linux-based laptop included Windows versions of Microsoft Office and Norton Antivirus.
Face-Recognition Biometrics To Look For Under-Age Consumers
Some British convenience stores are trialing a facial biometric program to try and improve the accuracy of guessing the age of customers for age-restricted alcohol purchases. The systems "capture facial measurements that will be checked against a database of profiles of known offenders."
Has Tesco Figured Out How To Make All-Self-Checkout Work?
Tesco's experiment with an all-self-checkout store in the U.S. is delivering surprisingly favorable customer satisfaction stats. Internal Tesco customer surveys for its Fresh & Easy stores are finding some 90 percent of its customers saying they were either "satisfied or very satisfied" with the checkout experience while another 27 percent say that "it doesn't matter" what format the checkouts take.
Verichip Puts Itself Up For Sale, Parts Ways With CEO
Controversial RFID vendor Verichip on May 15 announced that it is selling much of the company, wants to sell the rest of it and that the company has parted ways with its CEO, Scott Silverman.
Trick Or Treat? New PCI Version To Be Here By Halloween
By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering "Trick or Treat?"
In E-Commerce Satisfaction: Netflix, QVC On Top; PCMall, Home Depot On Bottom
That which keeps consumers satisfied seems to be part of an E-Commerce site's culture, as top (and bottom) players tend to show little movement, year to year. The latest results from measurement firm ForeSee Results seem to reinforce that.
Delegation Can Be Good, And A Half-Dozen Other Security Tips
From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to "deputize" internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.
Dave & Buster's Data Breach Indictment: Apps Crash For The Bad Guys, Too
It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster's restaurant chain. But according to a federal indictment and U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.
TJX Gets 99.5 Percent Signoff With MasterCard Banks
When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry's worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing. No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent.
Applying Internet Security To RFID
NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.
FTC To Hold Contactless Hearing In Seattle
Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle "to explore the growth of contactless payment systems and the implications for consumer protection policy."
Macys Shutting Down Bloomingdale's Catalogue
Guess this is what the cliche-afflicted would call a "sign of the times." Macys is killing the Bloomingdale's catalog while Amazon.com is selling copies of Bloomingdale's 1886 catalog for $12. (Can you imagine the number of out-of-stocks in that thing?)
U.S. Watched 11.5 Billion Web Videos In March
For e-tailers who still think that Web video may be a fad, consider this stat: In March, U.S. Internet users watched 11.5 billion online videos. That's a 13 percent gain from the prior month and a 64 percent gain from the identical month the prior year, according to Comscore.
Google Pushes Aside Yahoo For #1 Slot
Thanks in no small part to soaring traffic on YouTube, Google for the first time took the top slot in American consumer reach in April, besting Yahoo. But it took that top slot just barely, reaching 141 million Americans in April. Yahoo ranked second with 140.6 million visitors.
Arrests Made In California Debit-Card Skimming Scam
California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain.
Self-Checkout Psychology: Losing The Customer's Trust
With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it's not a bad idea to focus on what will truly decide whether these machines do anything to help retailers.
Self-Checkout: It's Not Just For Lanes Anymore
With the nation's largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I'd rather take my chances at rolling a 10 the hard way.
The Home Depot Self-Checkout Machine That Wouldn't Take "No" For An Answer
Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy.
The Data Breach Librarian Actually Gets Paid
The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.
Twitter Dead Last In Social Network Uptime
With its sites being unavailable for barely one hour over four months, MySpace has the best uptime of any major social networking site and Twitter (more than 37 hours of downtime during the same period) has the worst.
The Dangers Of Choosing The Wrong Wireless Approach
London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.
Microsoft Gives Up Yahoo Pursuit
Microsoft on Saturday (May 3) gave up its efforts to acquire Yahoo, declaring such an effort too expensive. "Despite our best efforts, including raising our bid by roughly $5 billion, Yahoo! has not moved toward accepting our offer," Microsoft CEO Steve Ballmer said in a letter to Yahoo CEO Jerry Yang.
Rite Aid Cuts Deal For Visually Impaired Web, POS Support
Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups. The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe's and Wal-Mart.
Beware Of Mobile Customers Who Are Not Where You Think They Are
As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let's say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday.
Number Of 10-Year-Olds On Social Sites Soaring
Like it or not (place this father defiantly in the "not" category), children are using the Internet's social network sites at a younger age, with retail marketers hovering close by. How young? New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll.
Do Retailers Really Maintain A Secure Environment?
This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. A woman walks up to an ATM at a Hannaford's grocery store. She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves.
NRF Group Offers Payment Consistency Guidelines
With an eye on retailers having to juggle payment systems between many varied environments—far beyond merely online and in-store—a National Retail Federation division this week introduced a set of guidel