Research And Implementation On Security Technologies For Payment Tokenization System

With the purpose of reducing the amount of cardholder data transmission and storage among cardholder mobile device and merchant environment,PCI SSC introduces a Payment Tokenization System to generate Payment Token,which is a surrogate value that contains no information about original user PAN.Before payment transaction,a Tokenization Request is launched,during which user’s original PAN is passed to TSP for the purpose of generating a corresponding Payment Token.In the process of payment transaction, a De-Tokenization Request is launched by Payment Network to obtain user’s original PAN from TSP.In both procedure,sensitive information is transferred and stored among payment roles within the Tokenization system,this makes TSP a main target of security attacks.As a conclusion, the security of Payment Tokenization System is a momentous problem.In order to solve the security problems and accomplish secure data transmission and storage in Payment Tokenization System,the research and contribution of this thesis are listed as follow:1.Research on the security risks of Payment Tokenization System and propose a security framework for Payment Tokenization System,the framework takes all the roles into consideration and guarantees the security of sensitive information.2.Research and analyze on the data transmission problem outside the TSP server,and then design a secure communication model based on SSL protocol,which solves the data transmission problem between the roles outside TSP.3.Research and analyze the data transmission problem within the TSP components, and then design a secure communication model based on challenge-response which solves the data transmission between TSP components and Vault.4.Research and analyze the data storage problem within the vault, and then design a secure data storage mode based on symmetric cryptography to solve the problem.5.Research and analyze the logging problem and then design a logging model using AOP technology,which allows TSP to record all the invocation of Token Service APIs.6.Design and implement a suit of security components which are capable of providing security services for the roles withinthe Tokenization System, including a certificate managing system,a symmetric key managing system,a logging system and a set of user APIs.Finally solves the security problems by using the security components implemented mentioned above.