Copyright © 2008 Shift4 Corporation. All rights reserved.

1ekenlzatlen
The Best Way to Secure Data is to Not Store Data
Authored by Dr. Heather Mark, Ph.D., CISSP and J.D. Oder II
August 2007
Copyright © 2008 Shift4 Corporation. All rights reserved.
STORI NG CREDI T CARD DATA
1
Credit card data theft is a threat to any business
regardless of its size or industry focus. Should a credit
card security breach occur, the affected company can
suffer irreparable damage to its brand image and bottom
line. Credit card data theft is also a domestic security
threat. The Department of Homeland Security, the FBI,
and other agencies report that data theft is a growing
source of revenue for global terrorist organizations.
The growth in the number of compromises has been
accompanied by a corresponding shift in breaches that
target away from payment processors with large amounts
of credit card data to more traditional retail merchants
and especially hotels, restaurants, and other companies
in the hospitality, travel and entertainment industries. The
reason for this change has to do with the thief’s ultimate
objective. While the credit card account number alone
has limited value to a data thief, the data found on the
magnetic stripe of the card is the focus of card thieves
today. Obtaining only the second track of the magnetic
stripe on the back of a credit card will enable the criminal
to create counterfeit cards that can either be used as a
traditional swipe card by the criminal or sold on the black
market to other criminals. In short, obtaining the magnetic
stripe data allows for a greater return with less risk for the
criminal.
The end result is that brick and mortar businesses, as a
general rule, are at greater risk of compromise than e-
commerce merchants. Restaurants, hotels and other
companies in the travel and entertainment segment are
even more attractive targets. Because the primary goal
of data thieves today is to counterfeit cards to be resold,
they are seeking cards with high credit limits and a low
likelihood of fraud being reported by the user. Cards
issued to frequent business travelers fit this description.
Additionally, hotels and restaurants tend to store more
£xecut l v e s ummar y
The information provided herein is for informational
purposes only. This paper is not meant as compliance
advice. Prior to taking any steps that may affect your
compliance status with industry or government mandates
always seek advice from your compliance auditor and/or
legal counsel.
bl s cl al mer
information in order to facilitate tips, late fees and similar
associated charges.
STORI NG CREDI T CARD DATA
2 Copyright © 2008 Shift4 Corporation. All rights reserved.
The Payment Card Industry (PCI) Data Security Standards
sets forth a number of requirements with which members
of the industry must comply. PCI requires that companies
“keep cardholder information storage to a minimum.” In
order to comply with PCI, it is required that all account
numbers be encrypted, truncated, or otherwise rendered
unreadable. Additionally, PCI requires that all sensitive
cardholder data be rendered unreadable anywhere it is
stored, including within system and application log files.
In this environment, securing credit card data and
preventing its unauthorized use, while also preserving
the payment processing systems now in use by millions of
merchants, is a vital concern for consumers, government
and businesses. Shift4 Corporation (www.shift4.com)
developed a technology known as Tokenization that
safeguards credit card data. The primary objective of
Tokenization is to enable businesses to operate normally
while not storing sensitive data that is the target of data
hackers. Payment applications built on Tokenization can
be used on existing systems, so merchants need not buy
new equipment or retrain personnel.
1ekenl zat l en and PCl cempl l ance 1r adl t l enal encr y pt l en
Tokenization is different from encryption, the traditional
method for protecting data. The term “encryption” applies
to the use of cryptographic algorithms to render data
unreadable unless the user possesses the appropriate
cryptographic ‘keys’ to decrypt the data. Generally, there
are two basic methods of encrypting data: symmetric and
asymmetric cryptography. In symmetric encryption, also
known as private-key cryptography, the same cryptographic
key is used to encrypt and decrypt the data. Symmetric
encryption is generally used between two parties that are
known to each other and trusted. Symmetric encryption
is commonly used in database and system file encryption.
In contrast, in asymmetric encryption, also known as public-
key cryptography, one cryptographic key is used to encrypt
the data, while another, mathematically related key is used
to decrypt it. Asymmetric cryptography is commonly used in
email encryption programs where two unknown or untrusted
parties are exchanging data. While the use of encryption
does render data unreadable, it does come with its own set of
issues and challenges.
The most critical issue with the use of encryption is the
management and protection of the cryptographic keys. The
importance of proper key management cannot be overstated,
as the disclosure of cryptographic keys to unauthorized
personnel could result in the compromise of encrypted data.
If sensitive data is encrypted and the keys are compromised,
this data can be viewed as easily as data that has not been
encrypted. The cryptographic keys must be secured at all
times to prevent their misuse and the unauthorized access to
sensitive, encrypted data. In order to ensure the protection
of the keys, a strict set of key management procedures must
be established and followed. Key management entails the
proper storage, use, destruction, creation and dissemination
of the cryptographic keys. In addition, suffcient technological,
administrative and logistical controls must be put in place
around the keys to ensure that unauthorized individuals do
Copyright © 2008 Shift4 Corporation. All rights reserved.
STORI NG CREDI T CARD DATA
3
1ekenl z at l en
In 2005, Shift4 created a new technology known as
Tokenization, and released to the public, free of charge and
without patent. Tokenization was designed to provide even
greater protection to merchants by removing the storage of
all cardholder data while enabling the customer to operate
in a normal capacity. The theory behind Tokenization is
simple: The best way to secure data is to not store data at
all.
The basics of Tokenization are also straightforward. A
transaction is swiped as usual at a point-of-sale (POS)
terminal. Once transmitted to Shift4 for authorization, the
information is converted into a representation of the data
using a proprietary technology developed by Shift4. This
data representation is known as a “Token” and is a globally
unique, randomized representation of credit card data that
is the same length as the original card number. After Shift4
receives the authorization response from the processor,
the Token is then transmitted to the customer while the
sensitive authorization response, containing the actual
card number, remains with Shift4 and is securely stored.
This means that the merchant does not have to store the
cardholder number.
The Token spans the lifetime of the transaction, so it
provides all of the same support for tips, tabs, incremental
authorizations and chargebacks as a stored card number
would. Essentially, the Token is stored on the POS system,
as the cardholder number would be in a traditional setup.
When an incremental authorization is required on the card,
the Token is sent to Shift4. Shift4 then translates that Token
into the card data for transmission to the processor. The
processor returns the authorization response and Shift4
converts the data into a new, unique Token, representing
a new transaction. This new Token is then sent along with
the approval code to the merchant. The authorization is
completed and again no credit card data is stored on the
not have access to them.
In short, although encryption does enable companies to
comply with PCI while allowing the storage of sensitive
data, using encryption alone is not sufficient to protect
data. The cryptographic keys must be treated with the
same care as the data, as a compromise of the keys will
result in a compromise of the encrypted data. It is simply
a case of switching protection from the data, in instances
where it is unencrypted, to the cryptographic keys in
instances where the data is encrypted. In addition to key
management, companies must ensure that the encryption
method selected is of sufficient strength.
STORI NG CREDI T CARD DATA
4 Copyright © 2008 Shift4 Corporation. All rights reserved.
merchant system.
In comparison with other Tokenization-type services
offered by competing companies, Shift4’s Tokenization
offers a greater level of protection against compromise of
cardholder data. Some providers allow their merchants
to collect the card number along with the card identifier
(similar to Shift4’s Token). Still others may require the
merchant to manually register each card identifier. Both
of these practices undermine the primary objective of
Tokenization; namely to enable merchants to operate as
normally as possible while not storing the sensitive data
that is the target of data thieves.
Additionally, some service providers offering Tokenization-
like services do not have adequate applications or
application layer support to enable merchants to operate
in a normal fashion while using a representation of data.
This means that these service providers can not offer the
necessary transaction reporting unless they allow the
merchants to import the card numbers back into their
systems and thereby defeating the purpose of their own
solutions. Each of these competing methods undermines
the purpose and goal of Tokenization: reducing the
likelihood of a data compromise or other serious event.
l mpl ement l ne 1ekenl z at l en
Implementing Tokenization requires some small changes
on the POS or PMS side. For example, an addendum must
be added asking for the Token information instead of the
cardholder account number. The Token can be stored in
the now empty card number field, which is already set up to
receive this type of data. Because the Token includes the
last four digits of the credit card number, all of the POS and
PMS system reports will still be fully functional. The Token
must also be stored, but this is easily accomplished, as
well. From a merchant’s point of view, the implementation
is seamless. In fact, it can be implemented even when
there are pending sales or open tickets remaining.
Tokenization reinforces the overall objectives of PCI
standards, as well as specific requirements. First and
foremost, it addresses PCI requirement 3: “Protect Stored
Data.” By returning only Tokens in response to merchant
requests, cardholder information need not be stored on
the merchant system. Nor do merchants have the added
concern of ensuring that the method of encryption used
is of adequate strength and complexity. And, since the
merchant is not required to encrypt the Token, there are
no encryption keys to manage.
PCI requirement 3.4 mandates that all cardholder data be
rendered unreadable using one of several forms of strong
encryption. One of the methods suggested is the use
of truncation. Since only the last four digits of the card
number are used in the Token, the Tokenization process
meets this requirement.
Since the merchant is not using encryption to derive the
Token, the Tokenization process renders requirements 3.5
and 3.6 moot. Requirement 3.5 states that all encryption
keys should be protected against misuse and disclosure.
The Token is sent to the merchant, rather than derived by
the merchant using encryption keys.
Copyright © 2008 Shift4 Corporation. All rights reserved.
STORI NG CREDI T CARD DATA
5
Tokenization provides the ability to eliminate much
of the sensitive data that is usually stored, thereby
protecting merchants and supporting the objectives of
PCI. It is important to understand that while Tokenization
considerably lessens the burden of compliance, it does not
completely remove the obligation to comply with relevant
industry requirements.
Merchants are being targeted more frequently then ever
before and with greater success for the criminal. In addition
to the public fallout and brand damage that inevitably
occurs as a result of a data compromise, current state and
federal legislation exposes merchants to signifcant fnancial
and legal liability should they be unfortunate enough to
experience a data compromise. Keeping abreast of the
new exploits and attack methods makes the protection of
sensitive data a challenging proposition for even the most
security-minded of companies. Those without the internal
expertise to guard against the onslaught of data thieves are
gambling with their company’s assets.
Cencl us l en
Therefore, the merchant has no keys that must be
protected. Similarly, requirement 3.6 mandates the
development and implementation of key management
processes and procedures. Again, since the merchant
uses no encryption, there are no keys to be managed.
This ultimately results in cost savings to the merchant, as
well.
STORI NG CREDI T CARD DATA
6 Copyright © 2008 Shift4 Corporation. All rights reserved.
br. Reather Mark, Ph.D., CISSP
Sr. Vice President
The Aegenis Group
Dr. Mark is an experienced information security and
privacy professional who is both well known and respected
within the Payment Services Industry. Prior to joining The
Aegenis Group, Dr. Mark co-founded a Qualified Security
Assessment Company and worked at various technology
companies supporting PCI efforts. Her expertise helped
develop a variety of assessment methods and practices
that assisted companies in achieving compliance in a
cost-effective, timely manner.
Dr. Mark has spoken at numerous industry events on
topics of information security, privacy and the intersection
between the two. In addition, she is an experienced
instructor and taught for two years at Auburn University
while a Doctoral Candidate. Dr. Mark writes a monthly
article for Transaction World Magazine and has a PhD
in Public Administration and Public Policy from Auburn
University. Her knowledge of public policy and the ability
to analyze the impact of that policy on day-to-day business
practices gives her a unique insight into the compliance
landscape. Dr. Mark holds a certificate in Marketing
Research from the University of Georgia, is a Certified
Information Systems Security Professional (CISSP), and a
Certified Information Privacy Professional (CIPP).
Abeut t he aut her s
J.b. Uder ll
Sr. Vice President of Research & Development and CTO
Shift4 Corporation
J.D. is a founder of Shift4 Corporation, chief designer
of the DOLLARS ON THE NET gateway system and leads
Shift4’s systems operation and development efforts. He
holds degrees in Cognitive Science and Computer Science
with numerous networking and information security
credentials.
J.D. became an early adopter/member of the PCI Security
Standards Council and was recently named as a 2006
Mover and Shaker by Transaction World Magazine. J.D. is
responsible for many innovations, including Tokenization
technology, which revolutionized the payments industry
when it was released in 2005. Following the release of
Tokenization, J.D. and his development team are very
excited to exhibit 4Go SecureSuite™, which represents
the final mile in Shift4’s race to create “Real Security”, an
environment where absolutely no cardholder data exists
at the POS.
1491 Center Crossing Road
Las Vegas, NV 89144-7047
Offce: (702) 597-2480
1453 South Dixie Drive, Suite 250
St. George, UT 84770-5845
Offce: (435) 628-5454
Fax: (702) 597-2499
Sales: (800) 265-5795
http://www.shift4.com

Obtaining only the second track of the magnetic stripe on the back of a credit card will enable the criminal to create counterfeit cards that can either be used as a traditional swipe card by the criminal or sold on the black market to other criminals. Because the primary goal of data thieves today is to counterfeit cards to be resold.S T O R I N G C R E D I T C A R D D ATA Executive summary Credit card data theft is a threat to any business regardless of its size or industry focus. late fees and similar associated charges. restaurants. Prior to taking any steps that may affect your compliance status with industry or government mandates always seek advice from your compliance auditor and/or legal counsel. This paper is not meant as compliance advice. as a general rule. are at greater risk of compromise than ecommerce merchants. the affected company can suffer irreparable damage to its brand image and bottom line. Should a credit card security breach occur. obtaining the magnetic stripe data allows for a greater return with less risk for the criminal. While the credit card account number alone has limited value to a data thief. Credit card data theft is also a domestic security threat. All rights reserved. hotels and restaurants tend to store more  information in order to facilitate tips. Cards issued to frequent business travelers fit this description. travel and entertainment industries. . In short. the data found on the magnetic stripe of the card is the focus of card thieves today. they are seeking cards with high credit limits and a low likelihood of fraud being reported by the user. The growth in the number of compromises has been accompanied by a corresponding shift in breaches that target away from payment processors with large amounts of credit card data to more traditional retail merchants and especially hotels. Copyright © 2008 Shift4 Corporation. and other agencies report that data theft is a growing source of revenue for global terrorist organizations. The Department of Homeland Security. Additionally. the FBI. hotels and other companies in the travel and entertainment segment are even more attractive targets. Disclaimer The information provided herein is for informational purposes only. and other companies in the hospitality. Restaurants. The reason for this change has to do with the thief’s ultimate objective. The end result is that brick and mortar businesses.

while also preserving the payment processing systems now in use by millions of merchants. If sensitive data is encrypted and the keys are compromised. Asymmetric cryptography is commonly used in email encryption programs where two unknown or untrusted parties are exchanging data. Symmetric encryption is generally used between two parties that are known to each other and trusted. administrative and logistical controls must be put in place around the keys to ensure that unauthorized individuals do Copyright © 2008 Shift4 Corporation.” In order to comply with PCI. it is required that all account numbers be encrypted. All rights reserved. truncated. securing credit card data and preventing its unauthorized use.  . so merchants need not buy new equipment or retrain personnel. The cryptographic keys must be secured at all times to prevent their misuse and the unauthorized access to sensitive. government and businesses. PCI requires that companies “keep cardholder information storage to a minimum. as the disclosure of cryptographic keys to unauthorized personnel could result in the compromise of encrypted data. Generally. this data can be viewed as easily as data that has not been encrypted. Tokenization is to enable businesses to operate normally while not storing sensitive data that is the target of data hackers. The term “encryption” applies to the use of cryptographic algorithms to render data unreadable unless the user possesses the appropriate cryptographic ‘keys’ to decrypt the data. The most critical issue with the use of encryption is the management and protection of the cryptographic keys. encrypted data. there are two basic methods of encrypting data: symmetric and asymmetric cryptography. also known as private-key cryptography.shift4. In this environment. In contrast. Tr a d i t i o n a l e n c r y p t i o n Tokenization is different from encryption. Additionally. the same cryptographic key is used to encrypt and decrypt the data. use. in asymmetric encryption. Symmetric encryption is commonly used in database and system file encryption. Key management entails the proper storage. The importance of proper key management cannot be overstated. While the use of encryption does render data unreadable.com) The primary objective of developed a technology known as Tokenization that safeguards credit card data. creation and dissemination of the cryptographic keys. it does come with its own set of issues and challenges. while another. In order to ensure the protection of the keys. also known as publickey cryptography. one cryptographic key is used to encrypt the data. a strict set of key management procedures must be established and followed. including within system and application log files. Payment applications built on Tokenization can be used on existing systems. Shift4 Corporation (www. In symmetric encryption. In addition. mathematically related key is used to decrypt it.S T O R I N G C R E D I T C A R D D ATA To k e n i z a t i o n a n d P C I c o m p l i a n c e The Payment Card Industry (PCI) Data Security Standards sets forth a number of requirements with which members of the industry must comply. sufficient technological. the traditional method for protecting data. destruction. or otherwise rendered unreadable. is a vital concern for consumers. PCI requires that all sensitive cardholder data be rendered unreadable anywhere it is stored.

free of charge and without patent. representing a new transaction.S T O R I N G C R E D I T C A R D D ATA To k e n i z a t i o n not have access to them. It is simply a case of switching protection from the data. as a compromise of the keys will result in a compromise of the encrypted data. Once transmitted to Shift4 for authorization. In addition to key management. companies must ensure that the encryption method selected is of sufficient strength. Essentially. The theory behind Tokenization is simple: The best way to secure data is to not store data at Copyright © 2008 Shift4 Corporation. This new Token is then sent along with the approval code to the merchant. so it provides all of the same support for tips. incremental authorizations and chargebacks as a stored card number would. The basics of Tokenization are also straightforward. When an incremental authorization is required on the card. and released to the public. This means that the merchant does not have to store the cardholder number. tabs. the Token is then transmitted to the customer while the sensitive authorization response. as the cardholder number would be in a traditional setup. After Shift4 receives the authorization response from the processor. remains with Shift4 and is securely stored. Tokenization was designed to provide even greater protection to merchants by removing the storage of all cardholder data while enabling the customer to operate in a normal capacity. In short. the information is converted into a representation of the data using a proprietary technology developed by Shift4. Shift4 then translates that Token into the card data for transmission to the processor. The Token spans the lifetime of the transaction. The cryptographic keys must be treated with the same care as the data. A transaction is swiped as usual at a point-of-sale (POS) terminal. Shift4 created a new technology known as Tokenization. using encryption alone is not sufficient to protect data. although encryption does enable companies to comply with PCI while allowing the storage of sensitive data. in instances where it is unencrypted. to the cryptographic keys in instances where the data is encrypted. the Token is stored on the POS system. all. The authorization is completed and again no credit card data is stored on the  In 2005. This data representation is known as a “Token” and is a globally unique. the Token is sent to Shift4. unique Token. The processor returns the authorization response and Shift4 converts the data into a new. . randomized representation of credit card data that is the same length as the original card number. All rights reserved. containing the actual card number.

PCI requirement 3. but this is easily accomplished.6 moot. From a merchant’s point of view. some service providers offering Tokenizationlike services do not have adequate applications or application layer support to enable merchants to operate in a normal fashion while using a representation of data. Both of these practices undermine the primary objective of Tokenization. Since the merchant is not using encryption to derive the Token. as well as specific requirements. This means that these service providers can not offer the necessary transaction reporting unless they allow the merchants to import the card numbers back into their systems and thereby defeating the purpose of their own solutions. For example. Tokenization reinforces the overall objectives of PCI Additionally. there are no encryption keys to manage. The Token must also be stored.S T O R I N G C R E D I T C A R D D ATA I m p l e m e n t i n g To k e n i z a t i o n merchant system.4 mandates that all cardholder data be rendered unreadable using one of several forms of strong encryption. standards. rather than derived by the merchant using encryption keys.” By returning only Tokens in response to merchant requests. an addendum must be added asking for the Token information instead of the cardholder account number. as well. Because the Token includes the last four digits of the credit card number. Requirement 3. The Token is sent to the merchant. Some providers allow their merchants to collect the card number along with the card identifier (similar to Shift4’s Token). First and foremost. In fact. . Copyright © 2008 Shift4 Corporation. namely to enable merchants to operate as normally as possible while not storing the sensitive data that is the target of data thieves. Nor do merchants have the added concern of ensuring that the method of encryption used is of adequate strength and complexity. it addresses PCI requirement 3: “Protect Stored Data. All rights reserved. In comparison with other Tokenization-type services offered by competing companies. which is already set up to receive this type of data. the Tokenization process meets this requirement. cardholder information need not be stored on the merchant system. Since only the last four digits of the card number are used in the Token. the Tokenization process renders requirements 3. The Token can be stored in the now empty card number field.5 and 3. And. it can be implemented even when there are pending sales or open tickets remaining.5 states that all encryption keys should be protected against misuse and disclosure. Still others may require the merchant to manually register each card identifier. the implementation is seamless. Shift4’s Tokenization offers a greater level of protection against compromise of cardholder data. all of the POS and PMS system reports will still be fully functional. One of the methods suggested is the use of truncation.  Implementing Tokenization requires some small changes on the POS or PMS side. Each of these competing methods undermines the purpose and goal of Tokenization: reducing the likelihood of a data compromise or other serious event. since the merchant is not required to encrypt the Token.

6 mandates the development and implementation of key management processes and procedures. the merchant has no keys that must be protected. . current state and federal legislation exposes merchants to significant financial and legal liability should they be unfortunate enough to experience a data compromise.S T O R I N G C R E D I T C A R D D ATA Conclusion Therefore. requirement 3. as well. It is important to understand that while Tokenization considerably lessens the burden of compliance. Again.  Copyright © 2008 Shift4 Corporation. All rights reserved. Those without the internal expertise to guard against the onslaught of data thieves are gambling with their company’s assets. since the merchant uses no encryption. it does not completely remove the obligation to comply with relevant industry requirements. In addition to the public fallout and brand damage that inevitably occurs as a result of a data compromise. Similarly. This ultimately results in cost savings to the merchant. Merchants are being targeted more frequently then ever before and with greater success for the criminal. Keeping abreast of the new exploits and attack methods makes the protection of sensitive data a challenging proposition for even the most security-minded of companies. thereby protecting merchants and supporting the objectives of PCI. Tokenization provides the ability to eliminate much of the sensitive data that is usually stored. there are no keys to be managed.

Her expertise helped develop a variety of assessment methods and practices that assisted companies in achieving compliance in a cost-effective. which represents the final mile in Shift4’s race to create “Real Security”. J. In addition. she is an experienced instructor and taught for two years at Auburn University while a Doctoral Candidate. is a Certified Information Systems Security Professional (CISSP). Oder II Sr.D. is responsible for many innovations. Mark has spoken at numerous industry events on topics of information security. J. Prior to joining The Aegenis Group.S T O R I N G C R E D I T C A R D D ATA About the authors Dr. Her knowledge of public policy and the ability to analyze the impact of that policy on day-to-day business practices gives her a unique insight into the compliance landscape. Ph. Mark writes a monthly article for Transaction World Magazine and has a PhD in Public Administration and Public Policy from Auburn University. including Tokenization technology. became an early adopter/member of the PCI Security Standards Council and was recently named as a 2006 Mover and Shaker by Transaction World Magazine. Dr. J. and his development team are very excited to exhibit 4Go SecureSuite™. Following the release of Tokenization. is a founder of Shift4 Corporation. Dr.D. Dr. Mark co-founded a Qualified Security Assessment Company and worked at various technology companies supporting PCI efforts.D. privacy and the intersection between the two. Vice President The Aegenis Group Dr. Heather Mark. Copyright © 2008 Shift4 Corporation. an environment where absolutely no cardholder data exists at the POS.  . He holds degrees in Cognitive Science and Computer Science with numerous networking and information security credentials. Mark is an experienced information security and privacy professional who is both well known and respected within the Payment Services Industry.D.. Mark holds a certificate in Marketing Research from the University of Georgia. CISSP Sr.D. J. and a Certified Information Privacy Professional (CIPP). Dr.D. chief designer of the DOLLARS ON THE NET gateway system and leads Shift4’s systems operation and development efforts. timely manner. which revolutionized the payments industry when it was released in 2005. All rights reserved. Vice President of Research & Development and CTO Shift4 Corporation J.

George.shift4. Suite 250 St.1491 Center Crossing Road Las Vegas. NV 89144-7047 Office: (702) 597-2480 1453 South Dixie Drive. UT 84770-5845 Office: (435) 628-5454 Fax: (702) 597-2499 Sales: (800) 265-5795 http://www.com .

Sign up to vote on this title
UsefulNot useful