Transparent Tokenization and Detokenization

Reducing Risk and PCI Compliance with Transparent Tokenization and Detokenization

Adding security layers to your shopping or property management system is essential to keeping sensitive customer payment card data secure. However, when not properly implemented, the added security can confuse the customer with different interfaces and additional passwords at checkout time, which can lead to shopping cart abandonment and thus lost sales. Properly implemented security keeps the user experience consistent and simple, yet also keeps sensitive data out of back-office business systems.

TokenEx Transparent Tokenization and Detokenization literally operates “transparently” between your business environment and your partners’ booking engines and payment processing systems, enabling you to keep sensitive data out of your business and IT environments. Using Transparent Tokenization and Detokenization with secure cloud data vaulting, you can conduct business as usual without affecting your existing third-party integrations, eliminate the risk of data theft, and reduce the cost of PCI compliance. This layer of security is truly transparent to the customer user experience and partners’ business systems.


The purpose of tokenization is to swap out sensitive data—typically payment card or bank account numbers—with randomized numbers in the same format but with no intrinsic value of their own. This differs from encryption, where a number is mathematically transformed but its original value remains “locked” within the new value; the variant that keeps the original format is known as Format Preserving Encryption. Encrypted numbers can be decrypted by anyone holding the appropriate private key—whether obtained through brute computing force or through a stolen or mismanaged private key.

Transparent Tokenization and Detokenization tokenizes and vaults the sensitive data when and where payment data enters your environment, thus keeping payment card data out of your business systems. The sensitive data is detokenized with an API call as data leaves your environment for payment processing or fulfillment. By changing the interface point at which incoming data is received, intercepting and tokenizing the PCI data, you effectively take your business and IT environment out of most of the scope of PCI compliance. You only need to change the address in the HTTP header from the one to which your partners currently send sensitive data to the address of the TokenEx Gateway, making integration and changes simple.

Keeping Sensitive Payment Card Data Out of Business Systems

Normally, your business partners—such as a booking engine—send payment card data (PCI) directly to your back-office systems for processing. To keep your business environment out of the scope of PCI compliance, you don’t want to accept payment card data—at all. By using TokenEx Transparent Tokenization and Detokenization, payment data is tokenized before it can enter your back-office databases and applications.

When you are ready to receive fulfillment or booking details from a third party, the API call passes through TokenEx to keep sensitive data out of your environment. You simply tell TokenEx where to send the request and which field within the response to tokenize. TokenEx tokenizes the response from the third party before it is received in your environment. This is important because if the data touches your environment, then the environment has expanded scope for PCI compliance. By routing the request through TokenEx with Transparent Tokenization and Detokenization, the sensitive data never touches any participant’s back-office systems.

Transparent Tokenization and Detokenization provides the following benefits:

  • Works with all TokenEx supported data sets
  • No new integration with service providers, only changes in packet headers
  • Increase business continuity
  • Significantly reduce regulatory compliance control obligations
  • Avoid risk of data theft by rerouting and storing all sensitive data through TokenEx
  • Choose the Payment Service Provider of your choice, and change Providers easily
  • Only minor changes to existing data flows, with no impact to business processes

Organizations that work with booking engines and payment card data are required to achieve PCI compliance, which is complicated and expensive to attain and retain if payment card data is stored in local business systems. An efficient solution is to implement Transparent Tokenization and Detokenization to intercept payment and personal data coming from the booking engine to internal business systems. This solves several sensitive data processing security and business issues.

For example, not every transaction from a booking engine contains a payment account number (PAN), as when the payment is being made through another service such as PayPal. Also, most tokenization platforms charge to create a token even when payment card data is not available. On average, a booking engine may receive 80,000 requests in a single day, but only 50,000 requests contain payment card information. Using a traditional tokenization vendor, your organization would still be charged for the tokenization and vaulting, even though there is no PAN to store. Using TokenEx Transparent Tokenization and Detokenization, if there is no PAN received in the form from the booking engine, there is nothing to tokenize and vault, therefore there is no charge for that transaction from TokenEx. As with all data stored with TokenEx, there is only one charge for tokenizing and vaulting each datum, and no charge for each access.

From a customer’s point of view, booking reservations at a hotel requires providing a payment card to hold the reservation—usually through the web site of a booking engine. However, the hotel usually does not want to pre-authorize the card only for the cost of the room, since other additional charges may be incurred during the customer’s stay. Using Transparent Tokenization, the payment card data coming from the booking engine is intercepted, vaulted by TokenEx, and tokenized. The hotel receives the token representing the customer’s payment card data and stores that until checkout, when all the charges for the stay are accumulated, at which point the request for payment is sent to the processor with the token. TokenEx will detokenize the PAN before sending on to the payment processor. No sensitive data is held by the hotel, reducing risk of data theft and minimizing the scope of PCI compliance.

Transparent Tokenization and Detokenization is an ideal solution for organizations that work with booking engines and need to keep PCI out of their business systems, maintain a consistent checkout experience, and be flexible in working with their choice of payment processors.

Transparent Detokenization

Add HTTP header information to provide:

  1. Desired endpoint
  2. TokenEx credentials
  3. Within the body, the field to detokenize, wrapped in three curly braces: {{{field}}}
    TokenEx only supports detokenization of a single field.

Transparent Tokenization:

  1. The API request begins with the client.
  2. Tokenization of sensitive data is handled in the response.
  3. TokenEx can tokenize multiple values in the response, but not multiple fields.

An example of a client data flow with a booking engine:

Step 1. Initially, the booking engine sends a notification to the customer containing a BookingID. There is no sensitive data, so it does not flow through TokenEx.

Step 2. The client prepares an XML request to fetch the booking details. This request to the booking engine goes through TokenEx, with the routing and tokenization instructions carried in the request headers. The customer provides the following information:

Request headers to add:

  • tx_URL
  • tx_TokenExID
  • tx_APIKey
    For the preceding three headers, refer to the Transparent Gateway API documentation at: http://docs.tokenex.com/#transparent-gateway-api
  • tx_field: regex that specifies the data in the response to tokenize
  • tx_tokenscheme: refer to the Token Schemes documentation at http://docs.tokenex.com/#appendix-token-schemes

Step 3. TokenEx receives the Booking Request message and URL and then posts the booking message to the booking engine with the client-provided URL.

Step 4. The booking engine responds with the booking details response, which includes card details.

Step 5. TokenEx tokenizes and vaults the card field specified in the original request, and the card (PAN) is replaced with the token.

Step 6. TokenEx sends the booking response to the client, which now includes the tokenized credit card number in place of the PAN.
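To make the two flows concrete, here is an added simulation (not TokenEx’s code, and not a real TokenEx token scheme) of what the gateway does with the headers listed above: transparent_tokenize forwards a request to tx_URL and swaps every tx_field regex match in the partner’s response for a token (steps 2 through 6), and transparent_detokenize resolves the single {{{field}}} placeholder described under Transparent Detokenization before forwarding to the processor. The vault, the token format, the booking-engine and processor endpoints, and the sample card number are all constructed for the example.

```python
import re
import secrets
from typing import Callable, Dict

# Constructed stand-in for the TokenEx vault (token -> PAN). In the real service
# this lives at TokenEx; the client environment never holds it.
VAULT: Dict[str, str] = {}
PAN_TO_TOKEN: Dict[str, str] = {}
Upstream = Callable[[str, str], str]   # (tx_URL, body) -> response body

def make_token(pan: str) -> str:
    """Constructed token scheme (not a real tx_tokenscheme): same length, digits only,
    random middle, last four preserved; a repeated PAN maps to the same token."""
    if pan in PAN_TO_TOKEN:
        return PAN_TO_TOKEN[pan]
    while True:
        token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
        if token != pan and token not in VAULT:
            break
    VAULT[token], PAN_TO_TOKEN[pan] = pan, token
    return token

def transparent_tokenize(headers: Dict[str, str], body: str, upstream: Upstream) -> str:
    """Steps 2-6: forward the client's request to tx_URL, then replace every value matched
    by the tx_field regex in the partner's response with a token before returning it."""
    response = upstream(headers["tx_URL"], body)
    def swap(m: "re.Match[str]") -> str:
        pan = m.group(1) if m.lastindex else m.group(0)   # capture group, else whole match
        return m.group(0).replace(pan, make_token(pan))
    return re.compile(headers["tx_field"]).sub(swap, response)

def transparent_detokenize(headers: Dict[str, str], body: str, upstream: Upstream) -> str:
    """Outbound body names the token as {{{token}}}; exactly one such field is allowed.
    The PAN is substituted at the gateway and forwarded, so the client never sees it."""
    refs = re.findall(r"\{\{\{([^{}]+)\}\}\}", body)
    if len(refs) != 1:
        raise ValueError("exactly one {{{field}}} placeholder is supported")
    if refs[0] not in VAULT:
        raise KeyError("unknown token")
    return upstream(headers["tx_URL"], body.replace("{{{" + refs[0] + "}}}", VAULT[refs[0]]))

# Constructed partner endpoints so the flow runs offline.
BOOKING_XML = "<Booking><BookingID>B-1001</BookingID><Card><Number>4111111111111111</Number></Card></Booking>"

def booking_engine(url: str, body: str) -> str:
    return BOOKING_XML        # step 4: details response includes the card number

def payment_processor(url: str, body: str) -> str:
    num = re.search(r"<Number>(\d+)</Number>", body).group(1)
    return "charged " + num   # echoes what it received so a check can confirm the swap
```

Note that the tx_field regex selects one field pattern but replaces every value matching it, which mirrors the single-field, multiple-values rule stated above.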

Figures: Transparent Tokenization; Transparent Detokenization; Transparent Tokenization Table

