Tuesday, April 23, 2024

Industry Giants First Data And RSA Give Tokenization a Boost

A new data-security service announced on Tuesday by heavyweight players in payment processing and data security (First Data Corp. and EMC Corp.'s RSA unit, known as The Security Division of EMC) is expected to boost a technology called tokenization, the replacement of cardholder account numbers with surrogate numbers or “tokens.”

Since the massive data breach at processor Heartland Payment Systems Inc. in December 2007, the PCI Security Standards Council and other industry groups have felt increased urgency to find better ways to protect confidential cardholder information from the point of sale through the authorization process. Two key technologies they are looking at are tokenization and end-to-end encryption. Heartland is in the process of launching an end-to-end encryption technology called E3, but, until today, no major player had announced a data-security technology focusing on tokenization.

“It legitimizes the tokenization business,” says David Taylor, founder of the PCI Knowledge Base. He notes that First Data, which processed 1.4 trillion transactions in 2008, and RSA are “the biggest players in their respective spaces.” Although the PCI Security Standards Council has authorized a study on tokenization, results have yet to be released, Taylor says. “This really does make it impossible for the council to ignore,” he says.

The First Data/RSA service, called First Data Secure Transaction Management, integrates both tokenization and encryption. It is designed to reduce merchants' cost and complexity of complying with the Payment Card Industry Data Security Standard by removing confidential card data from their systems. The service, which uses RSA's SafeProxy architecture, encrypts payment card data using public encryption key technology at the merchant's existing point-of-sale application. The data remain encrypted until they flow into the First Data authorization switch, where decryption occurs.

Once a transaction is authorized at the switch, the card number is replaced by a token value that cannot be linked back to the original card data but otherwise behaves like a card number. Merchants can access the original card number through a secure vault that First Data maintains for controlled authorized look-ups for chargeback resolution or similar business activities.

By using the First Data service, merchants can eliminate card numbers from various business applications without costly application or point-of-sale hardware modifications, a First Data spokesperson says. The service will work with most PCI-compliant terminals and is hardware agnostic, she says. First Data will provide larger merchants and merchants using value-added reseller applications with encryption software libraries and the public encryption keys for integration into their POS systems. The private key used to decrypt the card information at the authorization switch is tightly controlled within First Data and will not be available to anyone outside the company.

“Payment card data protection and PCI compliance are some of the most significant challenges that our merchant customers face today,” First Data chairman and chief executive Michael Capellas said at a press conference on Tuesday morning. “The simplicity of integrating encryption with tokenization through the First Data Secure Transaction Management service dramatically redefines how merchants of all kinds manage and protect their customer payment data.”

Development of the service is expected to be completed by year end, with merchant pilots scheduled for January 2010 and a product launch by the end of the first quarter, the First Data spokesperson says. Pricing has not yet been worked out.

But while tokenization can protect data, no one system has yet proved effective for all types of payment platforms or POS systems, Taylor says.

“The hard part about it is when you have large companies offering a solution and they target the small, medium, and large business sizes and multiple platforms, you can't really offer a consistent product right out of the box,” he says. In addition, many merchants operate in multiple channels, including retail POS, online, and call centers, Taylor says.

“Tokenization is going to be brought around and introduced to a lot of people as a result of this,” he says. “It becomes incumbent upon the merchants to start asking some really difficult questions of some vendors in the space in terms of how their solution works in a multiplatform, multichannel environment. Those are big issues.”

Digital Transactions