Token Vaults and Token Storage Tradeoffs
The use of tokenization continues to climb as customers look to simplify PCI-DSS compliance. With this increased adoption comes a lot of vendor positioning and puffery in order to differentiate their products in an increasingly competitive market. And it's this competitive positioning that often causes confusion with buyers, and why I have spent my last two mornings answering questions on FPE vs. tokenization, and what the difference is between a token vault and a database. Most questions of late center on this latter subject, tokenization data vaults, with corresponding vendor hyperbole that's creating some confusion. In this post I will define what a token vault is, and shed some light on the pros and cons. The goal is to help you, the consumer, determine for yourself if it's something you need to consider when selecting a tokenization solution.

So what is a token vault? It's where you store your tokens once they have been issued. When using a tokenization solution, the issued tokens, along with the credit card numbers they represent, need to be recorded. The storage location is what's called a "token vault". The token vault usually contains other information, but for the purpose of this discussion, just think of the token vault as a long list of CC-token pairs. And as this debate is mainly applicable to credit card processing token solutions, I'll keep the focus there.

A new type of solution called "stateless" or "vault-less" tokenization is now available. These systems use derived tokens, or tokens that can be recalculated from some secret value, and need not be stored in a database. The press hype underway is that token vaults are bad, and that you should stay away from them. The principal discussion point is "You don't want a relational database as a token vault", or more specifically, "An Oracle database token vault is slow and expensive, and customers don't want that". Not so fast. The issue is not that clear cut.

It's not that token vaults are good or bad, but like most technologies there are tradeoffs. Token vaults are fine for many types of customers, and they're not so good for others. There are three issues at the heart of this debate: cost, scale and performance. Let's take a closer look at each.

Cost

If you are going to use an Oracle, IBM DB2 or Microsoft SQL Server database for your token vault, you'll need a license to operate that database. And as you'll need redundancy, you'll need a couple of databases, and correspondingly a couple of licenses. If you want to ensure that the tokenization system can handle large bursts of transactions (say, holiday shopping periods) you'll need big servers. As databases are priced on the capacity of the server, these licenses can get very expensive. That said, many customers running in-house tokenization systems already have database site licenses, so lots of customers simply don't see this as an issue.

Scale

If you have multiple data processing sites, where your token servers are dispersed across remote data centers that cannot guarantee 24x7 communication uptime, synchronization of token vaults is a serious issue. You want to ensure that credit cards are not being misused, that you have transactional consistency across all locations, and that a token is only issued to one customer or transaction. With stateless or vault-less tokenization, synchronization is inherent to the design. If consistency across a scaled tokenization deployment is critical to you, this makes derived tokens incredibly attractive. But some non-derived token systems with a token vault get around this issue by allocating different token sequences, so that tokens are unique and latency in synching systems is not a big issue. When it comes down to it, this is a critical advantage for very large credit card processors and merchants, but it's not a universal requirement.

Performance

Some token server designs require a check into the token vault, prior to completing a transaction, to see if a credit card or token is already present in the database. This is especially true when a single token is used to represent multiple transactions or merchants (i.e. multi-use tokens). By and large, early tokenization solutions had bad database architectures. They didn't provide an efficient means of indexing token-CC pairs for quick lookup. It's not the database that was the problem; it was the token vault designer's failure. As the number of tokens climbs into the tens or hundreds of millions, lookup operations are really slow. Many customers have a bad impression of the token vault because early implementations got this part wrong. So very wrong. Today, lookup speed is not always a problem, but the customer needs to verify that any given solution meets their requirements during peak loads.

For some customers a vault-less tokenization solution can provide advantages in all three categories. Other customers have a deep understanding of relational databases, so security, performance and scalability are just part of daily operations management. No vendor can claim that databases or token vaults are universally the wrong choice, in the same way that no one can claim a non-relational solution is always the right choice. The decision comes down to the customer's environment and IT operations. I'm willing to bet that the vendors of the solutions I am describing will have some additional comments, so as always, the comments section is open to all who want to add to this discussion.

- Adrian Lane
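The three tradeoffs above are easier to reason about with both designs side by side. The following is an added example, not code from the original post or from any vendor it discusses: a toy token vault (the "long list of CC-token pairs", indexed on both the card number and the token, with a per-site token prefix standing in for the "different token sequences" that let unsynchronised vaults stay unique) next to a toy vault-less tokenizer that derives each token from the PAN and a shared secret with HMAC-SHA256. The card numbers and the key are constructed demo values. The derived token here is one-way; real vault-less products that must detokenize use a reversible derivation such as format-preserving encryption, which this example leaves out.

```python
"""Vaulted vs. vault-less (derived) tokenization, side by side.

Constructed example: card numbers below are test-style values, the key is a
demo value, and neither class is a production tokenization service.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class TokenVault:
    """A token vault reduced to its essence: PAN-token pairs, indexed both
    ways so the multi-use check does not scan the whole table."""

    def __init__(self, site_id: str):
        # Each site owns a distinct token prefix, so two vaults that cannot
        # synchronise still never issue the same token for different PANs.
        self.site_id = site_id
        self._by_pan: Dict[str, str] = {}    # index on PAN: multi-use lookup
        self._by_token: Dict[str, str] = {}  # index on token: detokenization

    def tokenize(self, pan: str) -> str:
        # Multi-use token: consult the vault first so a card seen before
        # gets the same token back. Without the _by_pan index this becomes
        # the linear scan that made early vaults slow at millions of rows.
        existing = self._by_pan.get(pan)
        if existing is not None:
            return existing
        # Site prefix + random 12-digit body; retry on the (rare) collision
        # within this site's own sequence.
        while True:
            token = f"{self.site_id}{secrets.randbelow(10**12):012d}"
            if token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)

    def __len__(self) -> int:
        return len(self._by_pan)


class DerivedTokenizer:
    """Vault-less tokenization: the token is recomputed from the PAN and a
    shared secret, so every site holding the key agrees with no database
    and no synchronisation. HMAC-SHA256 truncated to 16 digits is used for
    illustration; it is one-way, so this toy cannot detokenize."""

    def __init__(self, key: bytes):
        self._key = key

    def tokenize(self, pan: str) -> str:
        mac = hmac.new(self._key, pan.encode(), hashlib.sha256).digest()
        return str(int.from_bytes(mac[:8], "big") % 10**16).zfill(16)


def demo() -> Dict[str, bool]:
    """Two sites ("11" and "22") that cannot talk to each other, run under
    both designs. Returns the consistency properties as booleans."""
    pan = "4111111111111111"          # constructed test-style number
    other_pan = "5555555555554444"    # constructed test-style number
    key = b"constructed-demo-key-not-for-production"
    east, west = TokenVault("11"), TokenVault("22")
    d_east, d_west = DerivedTokenizer(key), DerivedTokenizer(key)
    return {
        # same site, same card: multi-use token is reissued, not duplicated
        "vault_multi_use": east.tokenize(pan) == east.tokenize(pan),
        # two unsynchronised vaults disagree on the token for one card
        "vault_sites_agree": east.tokenize(pan) == west.tokenize(pan),
        # but the site prefix keeps them from colliding on different cards
        "vault_sites_collide": east.tokenize(pan) == west.tokenize(other_pan),
        # derived tokens agree everywhere the key is present
        "derived_sites_agree": d_east.tokenize(pan) == d_west.tokenize(pan),
        # the vault can map a token back to its card
        "vault_roundtrip": east.detokenize(east.tokenize(pan)) == pan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the vault case shows the scale problem the post describes: the two sites each hold a valid but different token for the same card until they synchronise, while the derived tokenizer agrees immediately. The vault's only defence against cross-site collision is the allocated prefix; its advantage is that it can answer the detokenize call at all.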
Source site: Security Bloggers Network