
Tokenization

Tokenization stores sensitive Primary Account Number (PAN) data, such as credit card numbers, in a secure format to aid PCI DSS compliance.

Setting up PAN Storage

PANs are stored in a secure vault. The vault can be either a relational database with a JDBC-compliant driver or an external vault provided by a third party.

Database Vault

When a database is chosen as the vault, the PAN is stored inside the vault in encrypted form.

The following properties can be configured for the database.

Database

The name of the database server where the data is to be stored.

Driver

The JDBC driver class name used to connect to the selected database. This property is populated automatically when a specific database is chosen.

URL

The URL of the database server that stores the cardholder data. Most of the URL is populated when the database is selected; details such as host name and port have to be filled in at the placeholders.

Username

The name of the database user used to connect to the database.

Password

The password for the user specified under Username. The password is stored in encrypted form.

External Vault

To use an external vault, a custom class must be implemented for the tokenization operations. The class must implement the interface shown below. For security reasons, the jar must be placed directly on the gateway server belonging to the CDE (Cardholder Data Environment).

Vault Interface

JAVA
package com.fiorano.api.policies.handlers.security.tokenization;

public interface StoreHandler {
    
    void init() throws Exception;

    void storeToken(String token, String encryptedPAN) throws Exception;

    String getEncryptedPan(String token) throws Exception;

    boolean containsToken(String token) throws Exception;

    String getToken(String encryptedPAN) throws Exception;

    boolean deleteToken(String token) throws Exception;
}
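An added example implementation of the interface above, not code from the Fiorano product: it keeps the token-to-encrypted-PAN mapping in memory so the contract is visible end to end. The class name and the in-memory maps are assumptions; a real handler would persist the mapping in the external vault instead.

```java
import com.fiorano.api.policies.handlers.security.tokenization.StoreHandler;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative StoreHandler that keeps the token <-> encrypted PAN mapping in memory
// (assumed class for this example). Note that the handler only ever receives the
// encrypted PAN from the policy, never the cleartext card number.
public class InMemoryStoreHandler implements StoreHandler {
    // Forward map plus a reverse index so getToken() does not scan every entry.
    private final Map<String, String> byToken = new ConcurrentHashMap<>();
    private final Map<String, String> byPan = new ConcurrentHashMap<>();

    @Override
    public void init() throws Exception {
        // A vault-backed handler would open its connection to the vault here.
    }

    @Override
    public void storeToken(String token, String encryptedPAN) throws Exception {
        if (token == null || encryptedPAN == null) {
            throw new IllegalArgumentException("token and encryptedPAN are required");
        }
        // Never silently rebind an existing token to a different PAN.
        String existing = byToken.putIfAbsent(token, encryptedPAN);
        if (existing != null && !existing.equals(encryptedPAN)) {
            throw new IllegalStateException("token already bound to a different PAN");
        }
        byPan.put(encryptedPAN, token);
    }

    @Override
    public String getEncryptedPan(String token) throws Exception {
        return byToken.get(token);           // null when the token is unknown
    }

    @Override
    public boolean containsToken(String token) throws Exception {
        return byToken.containsKey(token);
    }

    @Override
    public String getToken(String encryptedPAN) throws Exception {
        return byPan.get(encryptedPAN);      // lets the policy reuse a token for a known PAN
    }

    @Override
    public boolean deleteToken(String token) throws Exception {
        String pan = byToken.remove(token);
        if (pan != null) byPan.remove(pan);  // keep both indexes consistent
        return pan != null;
    }
}
```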

PCI DSS Compliance Guidelines

  • The gateway server belonging to the environment in which the projects containing Tokenization Policies are deployed is part of the CDE.
  • The encryption key configuration is not available in the management dashboard, so that the API Management Server does not become part of the CDE.
  • The Token Generation and PAN Retrieval policies must be part of different API Projects, which in turn must belong to different API Products with separate keys.

Policies

The following policies are part of Tokenization:
