Secure Stateless Tokenization Three Years Later
– A Conversation with Terence Spies
Our HP Secure Stateless Tokenization (HP SST) solution turns three years old, and we caught up with its inventor, Chief Technologist, Terence Spies to talk about it. HP SST is an advanced, patented, data security technology that provides enterprises, merchants and payment processors with a new approach to help assure protection for payment card data. HP Secure Stateless Tokenization technology is offered as part of the HP SecureData Enterprise data security platform that unites market-leading encryption and tokenization to protect sensitive corporate information in a single comprehensive solution.
Q: Can you give us some context on how HP Secure Stateless Tokenization works inside of HP SecureData?
The most important thing about HP Secure Stateless Tokenization is that it has advanced the evolution of traditional database tokenization. Traditional database tokenization, basically, stores the credit card number and the substitute for that credit card number within a database. This is a conceptually simple way to do something that is complicated by the fact that if you have a multi-data center environment, you have to replicate the token stored between those different data centers. You have the overhead of having to store and look up a token every time you use it, or do a tokenization. Traditional tokenization solutions can actually get slower the more tokens you put into them, because the more tokens there are, the larger the database. In large environments businesses may have millions or billions of credit card transactions that you are tokenizing into Big Data or other environments for analytics.
HP Secure Stateless Tokenization, by contrast, uses a token table that is generated one time, when the system is initialized, and never grows. That means when the table is initially generated, it has enough information in it to generate all Primary Account Number (PAN)-token combinations. This is accomplished by a series of random “look-ups” inside of that table as opposed to having to update a database. What that means is, to access a record takes a constant amount of time, no matter how many tokens you have running through the system. In a situation where you are doing post-authorization analytics inside of Hadoop or HP Vertica, Teradata or other Big Data environments, HP SST can provide a way to use a table to do tokenizations. You are still doing completely random tokenizations but in a way that doesn’t slow down and doesn’t require you to build another tokenization database.
HP SST is a complement to HP Format-Preserving Encryption (HP FPE). HP FPE has some of the same performance characteristics; however, instead of it being based off of tables it is based off of a cryptographic key. Some people will choose to go down a standards-based cryptographic route and others will want to go down the route of using a random table-based approach. HP Security Voltage has both of these technologies incorporated into HP SecureData and both can be accessed essentially with the same APIs, and central administrators can choose which methodology is used to protect the PANS within their systems.
Q: What has changed or evolved since HP SST was first launched in 2012?
The biggest thing that has changed is Big Data and analytics systems have become a core part of business infrastructures. A huge chunk of our customers and prospects are looking at ways to get transaction data into these systems that don’t have the same type of controls that more traditional centralized databases might have. Methods like HP SST and HP FPE have become more critical because it is really the only long-term way that works well to protect data within those environments. What has changed in the market is that there is an increasing demand for data level security solutions because businesses have recognized that their data is going to be going into the cloud and going to these analytic systems such as Hadoop or other Big Data environments. Businesses cannot rely on the protections within these infrastructures to protect data in the cloud or Hadoop; you really have to protect that data at the data-layer itself.
Q: What problem does HP SST solve in the marketplace?
HP SST is about achieving PCI compliance with a minimal amount of operational overhead. Financial institutions want the ability to use that sensitive data to build systems that are going to give you the ability to use the data easily. They want to be able to perform anti-fraud and customer analytics—those kinds of things — within these systems without having to build extraneous databases on top or incur these extra costs of doing tokenization in a conventional kind of way. It is about the most efficient way to get that level of security.
Q: What industries does HP SST best serve?
Primarily financial services, as we previously mentioned, and retail certainly—but HP SST can also can be used by the insurance and health care industries. Insurance and healthcare institutions have a great need to de-identify things such as social security numbers and other types of personally identifiable information (PII) data. Really any industry that deals with personally identifiable information would benefit from HP SST.
Q: You mentioned PCI. How does HP SST fit into PCI compliance, especially the new PCI DSS 3.1 guidelines?
HP SST fits into a general tokenization strategy of removing PAN data from the enterprise or merchant environment, and providing data-centric security. Removing live PAN data from applications can enable PCI audit scope reduction—which can translate to significant reductions in PCI compliance audit costs. One of the more important things I see in PCI DSS 3.1 is that it mandates building a data-map of how this sensitive data travels within your enterprise. Once a business has created that map, they have taken an important first step to getting to a tokenized enterprise where PAN data is removed as much as possible and replaced with tokens. That map is typically the first thing HP Security Voltage would advise customers to do when looking to implement security solutions. When using a solution such as HP SST, a business needs to know how data is traveling, where it is being used and where it is being stored. This way when sensitive data enters your enterprise, it will get tokenized, and the business will have it live in that tokenized form as long as they can. Businesses need that map to understand how the data is consumed to effectively use tokenization.
Q: What do you foresee for the future of HP SST and encryption?
I project we will see HP SST being built into more products as a default way of securing data or having a direct integration with products such as HP SecureData. The payment industry is built on top of a complicated infrastructure so if you look at a merchant, that merchant may have card swipe terminals, Point-of-Sale terminals, store controllers, as well as payment gateway software that is used to optimize various business processes. These have been built on the legacy idea that PAN data is going to be flowing through the system. I think we will start to see more and more of these applications start to recognize that they are going to be seeing tokens as opposed to raw PAN data. Also, I think we will see some joining of this idea of security tokenization with payment tokenization. As solutions such as Apple Pay and Samsung Pay evolve to use payment tokens in place of the actual credit cards on a mobile device, there will be effects such as EMV right now, to merge post-authorization security tokenization with payment tokenization to protect that end-point. I think we will see an increasing effect to get rid of raw PANs throughout the payments system, which will be pure goodness for a variety of reasons.