TY - JOUR
T1 - A cryptographic study of tokenization systems
AU - Díaz-Santiago, Sandra
AU - Rodríguez-Henríquez, Lil María
AU - Chakraborty, Debrup
N1 - Publisher Copyright:
© 2016, Springer-Verlag Berlin Heidelberg.
PY - 2016/8/1
Y1 - 2016/8/1
N2 - Payments through cards have become very popular in today’s world. All businesses now have options to receive payments through this instrument; moreover, most organizations store card information of their customers in some way to enable easy payments in the future. Credit card data are very sensitive information, and theft of these data is a serious threat to any company. Any organization that stores credit card data needs to achieve payment card industry (PCI) compliance, which is an intricate process in which the organization needs to demonstrate that the data it stores are safe. Recently, there has been a paradigm shift in the treatment of the problem of storage of payment card information. In this new paradigm, instead of the real credit card data, a token is stored; this process is called “tokenization.” The token “looks like” the credit/debit card number but ideally has no relation to the credit card number that it represents. This solution relieves the merchant of the burden of PCI compliance in several ways. Though tokenization systems are heavily in use, to our knowledge, a formal cryptographic study of this problem has not yet been done. In this paper, we initiate a study in this direction. We formally define the syntax of a tokenization system and several notions of security for such systems. Finally, we provide some constructions of tokenizers and analyze their security in light of our definitions.
AB - Payments through cards have become very popular in today’s world. All businesses now have options to receive payments through this instrument; moreover, most organizations store card information of their customers in some way to enable easy payments in the future. Credit card data are very sensitive information, and theft of these data is a serious threat to any company. Any organization that stores credit card data needs to achieve payment card industry (PCI) compliance, which is an intricate process in which the organization needs to demonstrate that the data it stores are safe. Recently, there has been a paradigm shift in the treatment of the problem of storage of payment card information. In this new paradigm, instead of the real credit card data, a token is stored; this process is called “tokenization.” The token “looks like” the credit/debit card number but ideally has no relation to the credit card number that it represents. This solution relieves the merchant of the burden of PCI compliance in several ways. Though tokenization systems are heavily in use, to our knowledge, a formal cryptographic study of this problem has not yet been done. In this paper, we initiate a study in this direction. We formally define the syntax of a tokenization system and several notions of security for such systems. Finally, we provide some constructions of tokenizers and analyze their security in light of our definitions.
KW - Format-preserving encryption
KW - Payment card industry standard
KW - Provable security
KW - Symmetric encryption
KW - Tokenization
UR - http://www.scopus.com/inward/record.url?scp=84955271668&partnerID=8YFLogxK
U2 - 10.1007/s10207-015-0313-x
DO - 10.1007/s10207-015-0313-x
M3 - Article
SN - 1615-5262
VL - 15
SP - 413
EP - 432
JO - International Journal of Information Security
JF - International Journal of Information Security
IS - 4
ER -