This application generally relates to methods, systems, and devices for secure transactions. In particular, embodiments relate to protecting sensitive transaction data using tokenization processes.
More than 280 million payment card records were breached in 2008 alone, and a large percentage of those stolen records were used fraudulently. In fact, the underground economy is teeming with stolen payment card data. Some controls are in place to help card payment processors prevent credit card fraud through increased controls around data and by limiting potential exposure to compromised information records. The Payment Card Industry Data Security Standards (PCI DSS), for example, are widely considered to be a worldwide set of best practices for securing sensitive data. PCI DSS procedures are an essential component in any merchant's holistic risk management program—but they are not without their burdens and limitations.
Merchants have spent more than a billion dollars collectively on PCI DSS compliance as part of their security systems. Indeed, PCI DSS compliance is a resource-intensive challenge to businesses of all sizes. According to the analyst firm Gartner, a Level 1 merchant (generally defined as a merchant that annually processes 6 million or more credit card transactions) might spend millions of dollars to initially meet the security requirements prescribed by the PCI Security Standards Council (PCI SSC). Even a Level 4 merchant (commonly defined as a merchant that annually processes fewer than 20,000 eCommerce or 1 million credit card transactions) might have to spend several thousand dollars on the initial security assessment and new technology and security measures. And meeting the security requirements is just the start; maintaining PCI DSS compliance is a continuous process that requires constant vigilance and incurs ongoing costs.
Despite enormous efforts and vast expenditures since Dec. 2004 when the security standards were first released, hundreds of millions of records with sensitive information have been breached. This clearly indicates that many merchants still have work to do to fully implement standard security procedures and technologies to thwart theft of cardholder data.
In recent years, larger merchants have begun implementing data encryption as a way to protect cardholder data. One aspect of an encryption solution that is often overlooked is key management. With an encryption solution, card data may still be present within a merchant's system, protected by encryption. The security of the keys used to perform that encryption is just as vital as securing the data itself. Most solutions use symmetric encryption algorithms (where the same key can be used to encrypt and decrypt data), which requires vigilant protection of keys, lest they be compromised. “Identity based” key derivation may remove some of the manual management of keys, but does not remove the risk of key theft or compromise. Poor key management practices risk the compromise of the data, or potential data loss if keys are “lost.”
There is thus a need for methods, systems, and devices that allow for secure transactions that may not require entities such as merchants and service providers to maintain sensitive financial data, in either encrypted or unencrypted form.