Credit card data protection

Credit card data is vulnerable and must be protected when the data is at rest (stored), in transit, and in use. Various methods (such as tokenization, PAN truncation, encryption, and address verification) are available to merchants to protect the data. The integration with the supported credit card processors, CenPOS and Stripe, uses tokenization and PAN truncation.

Tokenization

This protection method substitutes a token (or benign alias number) for a primary account number (PAN). The actual cardholder data (CHD) is used in a payment transaction and, “...once the transaction is authorized, the CHD is sent to a centralized and highly secure server called a ‘vault,’ where it is stored securely. At the same time, a random unique string is generated and returned to the merchant’s systems for use in place of the cardholder data. The vault manager maintains the reference database that allows the token to be exchanged for the real cardholder data if it is needed again for, say, a chargeback.” [First Data White Paper, Where Security Fits in the Payments Processing Chain, May 2010, p. 12].

The vault manager is typically a credit card processor who uses additional security tools to protect the vault contents. The merchant’s systems can use the authorization number or the token number for transaction processing, tracking, and reporting.

PAN truncation

The primary account number (PAN), also referred to as “account number,” is a unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account. PAN truncation is a protection method wherein a data segment of the PAN is removed. Typically, PAN truncation displays or prints only the last four digits, the remainder being replaced with asterisks.
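The following is an added illustration of the two methods described above (tokenization and PAN truncation); it is example code written for this page, not part of the CenPOS or Stripe integration. The `Vault` and `Merchant` classes are hypothetical stand-ins for the processor's vault manager and the merchant's system, and the sample PANs are constructed test values, not real card numbers.

```python
import secrets
from typing import Dict, Optional


def truncate_pan(pan: str, keep_last: int = 4, mask_char: str = "*") -> str:
    """Return the PAN with every digit except the last `keep_last` replaced by asterisks.

    Spaces and dashes are stripped first so the truncated form exposes only the
    final digits and the digit count, never the original grouping.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= keep_last:
        raise ValueError("PAN too short to truncate safely")
    return mask_char * (len(digits) - keep_last) + digits[-keep_last:]


class Vault:
    """Hypothetical vault manager: holds the real cardholder data (CHD) and
    issues random tokens. A token carries no information about the PAN, so
    a token alone cannot be converted back to card data without vault access."""

    def __init__(self) -> None:
        self._chd_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(16)  # random, unique string returned to the merchant
        while token in self._chd_by_token:  # guard against an (astronomically rare) repeat
            token = secrets.token_hex(16)
        self._chd_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Exchange a token for the real CHD (e.g. for a chargeback); None if unknown."""
        return self._chd_by_token.get(token)


class Merchant:
    """Hypothetical merchant system: after authorization it keeps only the token
    and the truncated PAN for tracking, reporting and receipts, never the full PAN."""

    def __init__(self, vault: Vault) -> None:
        self.vault = vault
        self.records: Dict[str, str] = {}  # token -> truncated PAN

    def authorize(self, pan: str) -> str:
        token = self.vault.tokenize(pan)
        self.records[token] = truncate_pan(pan)
        return token


if __name__ == "__main__":
    vault, merchant = Vault(), Merchant(Vault())
    merchant = Merchant(vault)
    token = merchant.authorize("4111 1111 1111 1111")  # constructed sample PAN
    print(token, merchant.records[token], vault.detokenize(token))
```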