Hardening tokenization security and key rotation

摘要

A method of using a hardware security module and an adjunct application programming interface to harden tokenization security and encryption key rotation is disclosed. In various embodiments, the method comprises receiving encrypted data at a processor of a computer system, decrypting the encrypted data to cleartext in the processor, and issuing a unique token associated with the data.

主权项

1. A method of tokenization of payment instrument data in a hardware security module (HSM) implemented at least partially by a computer, the method comprising:
receiving, from a client computer system, a first encrypted secret at a tokenization server, wherein the first encrypted secret is an encryption of a cleartext secret that comprises information associated with a user of the client computer system; processing a request for tokenization using an application programming interface (API) of the HSM; decrypting the first encrypted secret inside the HSM to generate the cleartext secret, such that the cleartext secret resulting from the decryption is present only within the HSM; subsequent to decrypting the first encrypted secret inside the HSM to generate the cleartext secret, modifying the cleartext secret by marking up the cleartext secret to incorporate information indicating that the cleartext secret includes at least one of: (a) personal information related with a financial account of the user, or (b) financial information associated with the user; subsequent to modifying the cleartext secret, encrypting the modified cleartext secret within the HSM using an HSM key and a set of encryption rules to create a second encrypted secret; assigning a token to the second encrypted secret, wherein the token acts as a database record identifier of the modified cleartext secret; sending the token to a storage device external to the HSM; and sending the second encrypted secret to the storage device external to the HSM.