ENTERPRISE VAULTLESS TOKENIZATION ™
World's first and only Vault-less Tokenization as a Service
Enterprise Vaultless Tokenization
Whether or not to implement a security measure always boils down to money: "How much risk is acceptable vs. the cost of prevention?" It's a simple formula really; if the cost to protect against a vulnerability is greater than the estimated loss from it being exploited, then it is reasonable to simply accept the risk, otherwise try to mitigate, avoid, or transfer it. When you survey the multitude of products and solutions on the market that address data-level security, or if you have first-hand experience owning them after implementation, you know there are always hidden and unanticipated costs which rarely get factored back into the equation. Some of these costs include licensing of supporting hardware, licensing of virtualized infrastructure, getting the solution properly monitored and reported on, tuning it for your SLAs, and simply training and investing in the people who understand and can operate the solution; the list goes on. Moreover, you might not be surprised to learn that in many cases, even though the time and money is spent on implementing security solutions, the true risks are never fully addressed.
The goal of the Enterprise Vault-less Tokenization (EVT) Service is to relieve you of those data security burdens and empower you to invest your resources in becoming the most innovative and productive business you can be. As an extension of that purpose, by leveraging the EVT Service you get all the things you would otherwise have to build and support yourself, such as high availability, consistent performance, data-level security auditing, and adherence to leading practices in security management, without any of the headaches and surprise costs. All our services are subscription based, so if you decide you don't like it or it doesn't add enough value, you're not locked in; we will even help you migrate off. You have very little to lose by using our EVT service but a lot more if you choose not to.
We built our own payment service where we could manage different PSPs (Payment Service Providers) on the backend. This allowed us to be completely agnostic to what PSP would be used to acquire a credit card transaction and avoid any relationships with similar products such as stripe.com. Still, we wanted to provide a wallet type of experience for our customers. Each PSP provided credit card tokenization and a wallet functionality, but we didn't want to be locked into any of those relationships. This is where NXT-Security's Vaultless Tokenization really shined for us. We were able to use it to protect our customers' credit card transactions and make PCI compliance a breeze. Using Tokenization from NXT-Security completely removed the persistence attack surface from our infrastructure since no real credit card data is stored; only tokens. We still have the scope of Processing and Transmission, but we found those areas very easy to monitor, audit, mitigate risk in, and pass PCI certifications for. API integration was simple and the speed and capacity is outstanding. Performance and load tests before and after implementing the Tokenization service showed virtually no increase in latency. I would completely recommend using NXT-Security.
In my opinion this is the only real cost-effective solution out there for any environment that has legacy equipment and software. By implementing a vaultless tokenization solution, it is not necessary to modify the applications because a company will not have to have a database of encrypted credit cards. A company simply has to deploy the vaultless tokens, and compliance with the PCI requirements follows for considerably less cost to the business.
The Admin Portal is your secure self-service management console for your service subscriptions. All activity is safely logged and auditable. You may create users, assign role-based access controls, configure your service settings, view reports, manage invoices, and get help and support, all from anywhere in the world.
Creating and managing your token definitions is performed through simple settings which dictate how the tokenization algorithm will behave. You may choose to create reversible tokens, irreversible tokens, or tokens that are only reversible within a specific time frame. You will define the token type, which gives you type-specific options such as preserving case or spacing, forcing a Luhn check to fail or pass, or configuring date ranges for dates. In this portal you will also define the layout of your token. For instance, a layout of "T*" will tokenize every element of a value submitted for tokenization. Alternatively, a layout of "CCCCT*CCCC" would preserve the first four and last four characters in the resulting token and substitute only the characters in between. The service also supports the concept of Masking for each token definition. Similar to the Layout parameter, you may assign a masked layout that (if you allow retrieving a masked version of the token) can optionally reveal more, but not all, of the real value.
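To make the layout and Luhn options concrete, here is an added illustration (not NXT-Security's code or algorithm) of how a "C"/"T"/"*" layout such as "CCCCT*CCCC" can be expanded over a value and applied as an irreversible, random substitution that keeps the original spacing and can force the Luhn check to pass or fail. The `rng` parameter and the handling of non-digit characters are assumptions made for this example.

```python
import secrets
from typing import Optional

def luhn_valid(value: str) -> bool:
    """Standard Luhn (mod 10) check over the digits of `value`; non-digits are ignored."""
    total = 0
    for i, ch in enumerate(reversed([c for c in value if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def expand_layout(layout: str, length: int) -> str:
    """Expand a layout such as 'CCCCT*CCCC' to exactly `length` positions.
    'C' keeps the real character, 'T' tokenizes it, and '*' repeats the
    preceding letter as often as needed to fill the value (assumed semantics)."""
    if layout.count("*") > 1:
        raise ValueError("at most one '*' is allowed")
    if "*" not in layout:
        if len(layout) != length:
            raise ValueError("layout length does not match value length")
        return layout
    head, tail = layout.split("*")
    if not head:
        raise ValueError("'*' must follow a C or T")
    fill, head = head[-1], head[:-1]
    if len(head) + len(tail) > length:
        raise ValueError("layout is longer than the value")
    return head + fill * (length - len(head) - len(tail)) + tail

def tokenize(value: str, layout: str, luhn: Optional[str] = None, rng=secrets.randbelow) -> str:
    """Return an irreversible token for `value`. Digits at 'T' positions are
    replaced with random digits; non-digits (spaces, dashes) are kept so the
    original spacing is preserved. `luhn` may be 'pass' or 'fail' to force the
    Luhn outcome by adjusting the last tokenized digit (exactly one digit makes
    the check pass, nine make it fail, so a candidate always exists)."""
    if luhn not in (None, "pass", "fail"):
        raise ValueError("luhn must be None, 'pass' or 'fail'")
    mask = expand_layout(layout, len(value))
    if any(m not in "CT" for m in mask):
        raise ValueError("layout may contain only C, T and one '*'")
    out = [str(rng(10)) if m == "T" and ch.isdigit() else ch for m, ch in zip(mask, value)]
    if luhn is not None:
        tokenized = [i for i, m in enumerate(mask) if m == "T" and value[i].isdigit()]
        if not tokenized:
            raise ValueError("cannot force a Luhn result without a tokenized digit")
        last, want = tokenized[-1], luhn == "pass"
        candidates = [d for d in "0123456789"
                      if luhn_valid("".join(out[:last] + [d] + out[last + 1:])) == want]
        out[last] = candidates[rng(len(candidates))]
    return "".join(out)
```

Because the substitution is random rather than keyed, the token cannot be reversed; a reversible definition would need a keyed format-preserving scheme in place of `rng`.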
Creating the security policy is easy as well. While the interface is simple, the security policy allows for as much access control as is needed. You're able to restrict clients by IP address and configure session timeouts. For any API call, a client must first create a temporary session in which subsequent operations can be invoked, and the session lifetime can be as restrictive as 5 seconds or as tolerant as 1 hour. The shorter the life of your policy sessions, the smaller the window for replay attacks.
Creating your access control list is quick and painless. Simply assign the tokens and actions to the security policy.
After everything is configured the way you think it should be, you may test your settings with the built-in Test Console. There is no magic here, just a simple GUI that takes your parameters and issues a SOAP web service call. If a value is not tokenized correctly, or you feel something needs to be changed, you can make the changes immediately and retest until you have it just right.
Having tested your configuration, you're ready to hook EVT into your existing application(s) or process(es). We have pre-built packages for mainstream languages to give you a head start on implementation. When using languages like .NET or Java, it is simply a library drop and adding a callout in your code. Using another language? Fear not, we'll be there to help; creating a web service client is not a difficult task.
A proxy definition is unique to the EVT service. Leveraging this feature allows you to transmit a structured payload containing a protected value to the EVT proxy service; the proxy engine performs an operation on that value in transit, outside the scope of your network, then transmits the resulting value and payload on to your configured destination. This feature is useful in those instances where the business process requires that the real value be received by external vendors such as payment processors.
Contact us to learn more.