April 22, 2010
Last week I published two research reports on the hottest topic in PCI: Tokenization and Transaction Encryption. Part 1 was an introduction into the topic and Part 2 provided some action items for companies to consider during their evolution of these technologies. Respected security blogger, Martin McKeay, commented on Part 1. Serendipitously, Martin was also in Dallas (where I live) last week and we got an opportunity to chat in person about the report and other security topics.
Martin’s post highlighted several issues that deserve some response. He felt that I, “glossed over several important points people who are considering either technology need to be aware of.” Let me review those items:
Comment: “This is one form of tokenization, but it completely ignores another form of tokenization that’s been on the rise for several years; internal tokenization by the merchant with a (hopefully) highly secure database that acts as a central repository for the merchant’s cardholder data, while the remainder of the card flow stays the same as it is now.”
Response: Tokenization and Trans-E are huge topics that could command an entire book. The purpose of the reports was to provide an introduction into a very complicated issue. Our immediate goal was to provide a definition of the terms and issues and not to answer every potential question that our clients might have. Since Forrester clients are primarily interested in outsourcing their credit card processing in a manner which reduces their PCI scope, we, therefore, focused upon that type of tokenization. Clearly there will be multiple use cases for this type of technology and we will address the expansion of this research as needed.
Comment: “Another criticism I have of the paper is that while it does a good job of explaining that true end-to-end encryption is from the POS to the acquiring bank, it doesn’t do as good a job in explaining the complexities and pitfalls of point-to-point encryption (P2P).”
Response: The debate on just what to call the type of encryption used in these solutions is both volatile and complex. For the purposes of this research we wanted to extract ourselves from the semantics of the debate and focus on the core concepts. This is why we used the term “Transaction Encryption.” All of the potential issues involving how encryption will be done – end-to-end or point-to point – is a lively topic that was not particularly useful for this particular research. The report does spend a fair bit of time introducing several of the transaction issues including the specific nomenclatures and the current status of various encryption standards bodies. The important thing we wanted to emphasize is that tokenization and transaction encryption are interrelated technologies that together can form a solution that increases security and eases the compliance burden.
Thanks Martin for engaging in this dialog about this important topic. This type of discussion is important to all of the participants in payment card security and I hope others will jump into the debate.