A Cryptographic Study of Tokenization Systems

Sandra Díaz-Santiago, Lil Maria Rodriguez-Henriquez, Debrup Chakraborty

Abstract

Payments through cards have become very popular in today’s world. All businesses now have options to receive payments through this instrument, moreover most organizations store card information of its customers in some way to enable easy payments in future. Credit card data is a very sensitive information and its theft is a serious threat to any company. Any organization that stores such data needs to achieve payment card industry (PCI) compliance, which is an intricate process. Recently a new paradigm called “tokenization” has been proposed to solve the problem of storage of payment card information. In this paradigm instead of the real credit card data a token is stored. To our knowledge, a formal cryptographic study of this new paradigm has not yet been done. In this paper we formally define the syntax of a tokenization system, and several notions of security for such systems. Finally, we provide some constructions of tokenizers and analyze their security in the light of our definitions.

References

  1. Bellare, M., Ristenpart, T., Rogaway, P., and Stegers, T. (2009). Format-preserving encryption. In Jr., M. J. J., Rijmen, V., and Safavi-Naini, R., editors, Selected Areas in Cryptography, volume 5867 of Lecture Notes in Computer Science, pages 295-312. Springer.
  2. Brier, E., Peyrin, T., and Stern, J. (2010). BPS: a format-preserving encryption proposal. NIST submission. Available at http:// csrc.nist.gov/groups/ST/toolkit/BCM/documents/ proposedmodes/bps/bps-spec.pdf.
  3. Halevi, S. and Rogaway, P. (2004). A parallelizable enciphering mode. In Okamoto, T., editor, CT-RSA, volume 2964 of Lecture Notes in Computer Science, pages 292-304. Springer.
  4. Hoang, V. T., Morris, B., and Rogaway, P. (2012). An enciphering scheme based on a card shuffle. In SafaviNaini, R. and Canetti, R., editors, CRYPTO, volume 7417 of Lecture Notes in Computer Science, pages 1- 13. Springer.
  5. Morris, B., Rogaway, P., and Stegers, T. (2009). How to encipher messages on a small domain. In Halevi, S., editor, CRYPTO, volume 5677 of Lecture Notes in Computer Science, pages 286-302. Springer.
  6. PCI Security Standards Council (2008). Payment card industry data security standard version 1.2. Available at https://www.pcisecuritystandards.org/ security standards/pci dss.shtml.
  7. PCI Security Standards Council (2011). Information supplement: PCI DSS tokenization guidelines. Available at https://www.pcisecuritystandards.org/documents/ Tokenization Guidelines Info Supplement.pdf. White paper (2012). Tokenization: What next after PCI. Available at http:// www.emc.com/collateral/white-papers/h11918-wptokenization-rsa-dpm.pdf.
Download


Paper Citation


in Harvard Style

Díaz-Santiago S., Maria Rodriguez-Henriquez L. and Chakraborty D. (2014). A Cryptographic Study of Tokenization Systems . In Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014) ISBN 978-989-758-045-1, pages 393-398. DOI: 10.5220/0005062803930398


in Bibtex Style

@conference{secrypt14,
author={Sandra Díaz-Santiago and Lil Maria Rodriguez-Henriquez and Debrup Chakraborty},
title={A Cryptographic Study of Tokenization Systems},
booktitle={Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)},
year={2014},
pages={393-398},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005062803930398},
isbn={978-989-758-045-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)
TI - A Cryptographic Study of Tokenization Systems
SN - 978-989-758-045-1
AU - Díaz-Santiago S.
AU - Maria Rodriguez-Henriquez L.
AU - Chakraborty D.
PY - 2014
SP - 393
EP - 398
DO - 10.5220/0005062803930398