
Patent Application Titled "System for Protecting Sensitive Data with Distributed Tokenization" Published Online

March 6, 2014



By a News Reporter-Staff News Editor at Politics & Government Week -- According to news reporting originating from Washington, D.C., by VerticalNews journalists, a patent application by the inventors Spies, Terence (Mountain View, CA); Minner, Richard T. (Carmichael, CA), filed on October 22, 2013, was made available online on February 20, 2014.

The assignee for this patent application is Voltage Security, Inc.

Reporters obtained the following quote from the background information supplied by the inventors: "This invention relates to online transactions, and more particularly, to ways to help secure sensitive data during online transactions.

"Online transactions such as purchase transactions often require that entities such as merchants and payment card processors exchange sensitive information. For example, in connection with a typical purchase by a customer, a merchant often obtains the primary account number (PAN) corresponding to the payment card account of a customer (e.g., the customer's credit card number). The merchant then provides the PAN to a payment card processor (payment processor) as part of an authorization request. The payment processor then uses a tokenization server to obtain a corresponding token from a central database that is provided to the merchant if the purchase is authorized.

"Later, when settling the purchase transaction, the merchant may submit the token and the settlement amount to the payment processor. The payment processor may recover the PAN of the customer from the token using the central database.

"In this type of transaction, regional tokenization servers typically process purchase transactions with merchants in a given geographical region. Regional tokenization servers typically request the token corresponding to the provided PAN from a common central database. If no token corresponding token exists in the common central database at the time of the request, a new token is generated and an entry is added to the common central database.

"Purchase transactions originating with merchants around the world are therefore dependent on global communications systems to provide access to the common database. This can be problematic if any portion of a global communications system becomes temporarily unavailable or inoperable.

"In some situations, regional tokenization servers can generate partially tokenized sensitive data at a tokenization server based on one or more previously provided token look-up tables without relying on constant connection to a global communications network. However, these systems typically tokenize only a portion of the sensitive data due to data storage and processing considerations.

"It would therefore be desirable to be able to provide improved ways in which to handle sensitive data such as tokens in connection with online transactions."

In addition to obtaining background information on this patent application, VerticalNews editors also obtained the inventors' summary information for this patent application: "Online transactions may involve exchanges of sensitive information between entities and organizations. It may be desirable for an entity such as a merchant or a government agency to protect the sensitive information from exposure (e.g., by maintaining access to the sensitive information without storing the sensitive information).

"An entity may protect sensitive information such as a sensitive number without storing the sensitive information by storing a token that corresponds to the sensitive information. The token corresponding to the sensitive information may be acquired by sending a token request that includes the sensitive information from the entity to a token generating organization.

"A token generating organization may include geographically diverse tokenization equipment. Blocks of tokenization equipment may be located in multiple cities or other geographic locations. Each city (or other geographic location) may be associated with separate tokenization equipment.

"A token may be generated by a tokenization server on one of multiple tokenization systems associated with tokenization equipment in a particular geographic location. Each tokenization system may be implemented on a physically distinct hardware platform. Each hardware platform may include physically separate computing equipment such as a physically a separate power supply, one or more processors, storage and/or other computing equipment.

"Each tokenization system may include a tokenization server and an associated database. A tokenization server may generate the token corresponding to the sensitive information using a fractional token table stored on the associated local database. Each local database at each tokenization system associated with the token generating organization may be provided with the fractional token table.

"The fractional token table may be pre-populated with partial tokens and corresponding partial sensitive numbers. The tokenization table may be used to map portions of the sensitive information such as portions of the sensitive number to partial (fractional) tokens.

"A tokenization server may generate a full token corresponding to sensitive information such as a full sensitive number based on the fractional token table. For example, the tokenization server may perform a predetermined number of rounds of a Feistel network to generate a full token corresponding to a full sensitive number using partial tokens and a partial sensitive numbers stored in the fractional token table. A fractional token table may, for example, be a half-token table (i.e., a table having half-tokens and uniquely corresponding half-sensitive-numbers).

"Once the token has been generated by the tokenization server, the token may be provided to the token requesting entity (token requestor). The token may be temporarily stored at the token requestor. The sensitive information may later be recovered by sending a request from the token requestor to the token generating organization for the sensitive information. The request may include the token and additional information such as a monetary settlement amount associated with a purchase transaction.

"A tokenization server at one of the tokenization systems associated with the token generating organization may recover the full sensitive number from the full token using the fractional token table in the local database at that tokenization system. For example, the tokenization server may perform the same predetermined number of rounds of the Feistel network in reverse to recover the full sensitive number from the full token using the partial tokens and the partial sensitive numbers stored in the fractional token table.

"Sensitive information may include a sensitive number such as a social security number, driver license number, primary account number associated with a credit card, or other sensitive information. Token requesting entities involved in protecting sensitive data for online transactions such as purchase transactions may be merchants (e.g., hotels, online merchants, grocery stores, etc.), universities, government agencies or other entities that use or process sensitive information. Token generating organizations may include banks, credit card companies, government agencies, corporations, payment card processors or other organizations having tokenization systems provided with fractional token tables.

"Further features of the invention, its nature and various advantages will be more apparent from the accompanying drawings and the following detailed description of the preferred embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

"FIG. 1 is a diagram of a conventional online purchase transaction system showing how tokenization servers access a common central database.

"FIG. 2 is a system diagram showing illustrative equipment involved in generating tokens for online transactions in accordance with an embodiment of the present invention.

"FIG. 3 is a diagram of an illustrative fractional token table in accordance with an embodiment of the present invention.

"FIG. 4 is a diagram showing how a Feistel network may be used to generate a full token from a full sensitive number based on a pre-populated fractional token table in accordance with an embodiment of the present invention.

"FIG. 5 is a diagram showing how a Feistel network of the type shown in FIG. 4 may be run in reverse to recover a full sensitive number from a full token based on a pre-populated fractional token table in accordance with an embodiment of the present invention.

"FIG. 6 is a diagram showing how values may be combined using digit-wise addition in accordance with an embodiment of the present invention.

"FIG. 7 is a diagram showing how values may be combined using length-preserving arithmetic addition in accordance with an embodiment of the present invention.

"FIG. 8 is a diagram showing how values may be combined using an exclusive OR function in accordance with an embodiment of the present invention.

"FIG. 9 is a flow chart of illustrative steps involved in handling token requests in accordance with an embodiment of the present invention.

"FIG. 10 is a flow chart of illustrative steps involved in handling sensitive-information-recovery requests in accordance with an embodiment of the present invention."

For more information, see this patent application: Spies, Terence; Minner, Richard T. System for Protecting Sensitive Data with Distributed Tokenization. Filed October 22, 2013 and posted February 20, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=759&p=16&f=G&l=50&d=PG01&S1=20140213.PD.&OS=PD/20140213&RS=PD/20140213
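The summary's Feistel construction over a half-token table can be sketched as follows. This is an added example, not code from the patent application or from Voltage Security. The function names, the round count of 8, the reuse of one table in every round, the choice of digit-wise addition as the combiner, and the scaled-down 8-digit sample number with 4-digit halves are all assumptions.

```python
import secrets

def build_half_token_table(half_digits):
    """Pre-populate a table mapping every half-number to a unique half-token."""
    values = list(range(10 ** half_digits))
    secrets.SystemRandom().shuffle(values)  # random permutation from the OS CSPRNG
    return values                           # index = half-number, value = half-token

def digitwise_add(a, b, digits, sign=1):
    """Combine two values digit by digit modulo 10 (no carries); sign=-1 subtracts."""
    out = 0
    for pos in range(digits):
        da = (a // 10 ** pos) % 10
        db = (b // 10 ** pos) % 10
        out += ((da + sign * db) % 10) * 10 ** pos
    return out

def _split(text, half_digits):
    if len(text) != 2 * half_digits or not (text.isascii() and text.isdigit()):
        raise ValueError("expected exactly %d decimal digits" % (2 * half_digits))
    return int(text[:half_digits]), int(text[half_digits:])

def _join(left, right, half_digits):
    return f"{left:0{half_digits}d}{right:0{half_digits}d}"

def tokenize(number, table, half_digits, rounds=8):
    """Forward Feistel rounds: (L, R) -> (R, L + table[R])."""
    left, right = _split(number, half_digits)
    for _ in range(rounds):
        left, right = right, digitwise_add(left, table[right], half_digits)
    return _join(left, right, half_digits)

def detokenize(token, table, half_digits, rounds=8):
    """Same rounds in reverse: (L, R) -> (R - table[L], L)."""
    left, right = _split(token, half_digits)
    for _ in range(rounds):
        left, right = digitwise_add(right, table[left], half_digits, sign=-1), left
    return _join(left, right, half_digits)

if __name__ == "__main__":
    table = build_half_token_table(4)   # 10,000 entries instead of 10**16
    sample = "12345678"                 # constructed sample, not a real account number
    token = tokenize(sample, table, 4)
    print(sample, "->", token, "->", detokenize(token, table, 4))
```

Any server holding a copy of the same table produces the same token and can reverse it locally, so the table itself is the secret to protect and distribute carefully.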

Keywords for this news article include: Voltage Security Inc.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Politics & Government Week

