IDG Contributor Network: Doing tokenization and cloud computing the PCI way

Discussion in 'CSO' started by RSS, Sep 24, 2015.

  1. RSS

    When we wrote our first PCI application security article, Who's Guarding the Data Bank?, in 2008, commercially available cardholder tokenization was in its infancy. Data tokenization generally refers to a process in which cardholder data (usually the Primary Account Number, or PAN) is replaced with a surrogate value known as a token, so that systems downstream of the tokenization point never hold the PAN itself.

    In the scheme discussed here, the token is generated from the PAN with a strong, one-way, publicly known hash algorithm. If that algorithm is a published, validated one and the entire PAN is hashed, the PCI SSC no longer treats the resulting value as cardholder data (PCI DSS requirement 3.4 lists a one-way hash of the entire PAN among the accepted methods for rendering PAN unreadable), and the hash needs no further obscuring or encryption, because the process cannot be reversed to reconstitute the original PAN except by a brute-force or dictionary attack. The caveat is that a PAN is a short, structured string rather than a well-chosen secret: the issuer prefix is shared by many cards, the last digit is a Luhn check digit, and the hash is unkeyed, so the space an attacker must search is small to begin with. If the attacker also holds the truncated PAN (for example 400000xxxxxx7891, the first six and last four digits that PCI permits to be displayed) alongside the hashed PAN, only the masked middle digits remain unknown and the original PAN can be recovered by hashing every candidate and comparing. This is noted in section 2.3 of the PCI PA-DSS v3.1:
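    The weakness described above, as an added illustration that is not from the CSO article: an unkeyed public hash of a PAN is only as strong as the number of candidate PANs, and once the first six and last four digits are known that number is tiny. SAMPLE_PAN, MASKED_PAN and HMAC_KEY are constructed demo values, not real card or key material; the keyed-hash and vault-token functions show two of the usual fixes (a keyed hash the attacker cannot compute without the key, or a random vault token with no mathematical relationship to the PAN).

```python
"""Why an unkeyed hash of a PAN is not a safe token once the truncated PAN is known.

Added illustration, not code from the CSO article. SAMPLE_PAN and HMAC_KEY are
constructed test values (Luhn-valid digits under a test-style 400000 prefix).
"""
import hashlib
import hmac
import secrets

SAMPLE_PAN = "4000001234547891"   # constructed, Luhn-valid 16-digit value
MASKED_PAN = "400000xxxxxx7891"   # PCI-style truncation: first six, last four
HMAC_KEY = b"constructed-demo-key-do-not-reuse"


def luhn_contrib(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum (doubled digits above 9 fold by -9)."""
    d = digit * 2 if doubled else digit
    return d - 9 if d > 9 else d


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: every second digit from the right is doubled."""
    n = len(pan)
    return sum(luhn_contrib(int(c), (n - 1 - i) % 2 == 1)
               for i, c in enumerate(pan)) % 10 == 0


def unkeyed_token(pan: str) -> str:
    """The weak scheme: a public, unkeyed one-way hash of the full PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """Stronger: HMAC under a secret key the attacker does not hold."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def vault_token() -> str:
    """Vault-style tokenization: a random surrogate with no mathematical link to the PAN.

    The PAN-to-token mapping lives only in the (separately protected) vault.
    """
    return secrets.token_hex(16)


def recover_pan(masked: str, token: str, token_fn=unkeyed_token):
    """Brute-force the hidden digits of a truncated PAN against its token.

    The Luhn check digit is visible, so one hidden digit is solved rather than
    enumerated: six hidden digits cost 10**5 hashes, not 10**6. Returns the PAN
    whose token matches, or None if token_fn cannot reproduce the token (as when
    it was produced with a key the attacker lacks).
    """
    n = len(masked)

    def doubled(pos: int) -> bool:
        return (n - 1 - pos) % 2 == 1

    hidden = [i for i, c in enumerate(masked) if c == "x"]
    *free, solved = hidden
    # luhn_contrib is a bijection on 0..9 for both weights, so it can be inverted.
    inv = {luhn_contrib(d, doubled(solved)): d for d in range(10)}
    known = sum(luhn_contrib(int(c), doubled(i))
                for i, c in enumerate(masked) if c != "x")
    width = len(free)
    for k in range(10 ** width):
        cand = list(masked)
        for pos, ch in zip(free, str(k).zfill(width)):
            cand[pos] = ch
        partial = known + sum(luhn_contrib(int(cand[p]), doubled(p)) for p in free)
        cand[solved] = str(inv[(-partial) % 10])   # force the Luhn sum to 0 mod 10
        pan = "".join(cand)
        if hmac.compare_digest(token_fn(pan), token):
            return pan
    return None


if __name__ == "__main__":
    # Truncated PAN plus unkeyed hash: recovered in at most 10**5 hashes.
    print(recover_pan(MASKED_PAN, unkeyed_token(SAMPLE_PAN)))            # 4000001234547891
    # Truncated PAN plus keyed hash: the same search finds nothing.
    print(recover_pan(MASKED_PAN, keyed_token(SAMPLE_PAN, HMAC_KEY)))    # None
```

    The search is bounded by the number of masked digits, not by the strength of SHA-256, which is why PA-DSS section 2.3 calls for additional controls wherever hashed and truncated versions of the same PAN can be correlated. Keying the hash moves the problem to key management (the key holder can still run the same search, as the third assertion in the test shows), while a vault token removes the mathematical relationship entirely at the cost of protecting the vault.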
