This month the PCI Security Standards Council released a paper describing the use of tokens in place of the PAN (Primary Account Number).  While this is far from being a magic bullet that solves all security issues inherent in credit card processing, and does not remove the need for PCI certification for card processors, in certain situations it could help considerably.

The fact is, the less frequently PANs traverse networks, the less chance they’ll be snooped.  The basic idea here is practiced all over the Internet already.  Instead of sending the PAN, encrypt it, and send a “token” instead.

The first analogy that comes to my mind is the use of salted hash functions to protect the contents of /etc/passwd on UNIX systems.  Many years ago /etc/passwd, a text file involved in local authentication for UNIX, actually contained the passwords of all the users.  After some time people took to encrypting the passwords with hash and salt, and later moving the encrypted contents out of /etc/passwd entirely into /etc/shadow.

This is similar to the process described here.  Instead of authenticating a purchase by passing the actual PAN data, the PAN is encrypted or tokenized, and then decrpyted/detokenized at the other end.  The analogy isn’t perfect, some tokens are multi-use, etc… but the basic concept is the same – encrypt the PAN so it’s not as often transmitted and stored “in the clear.”