Hashed PAN Support for the Transparent Gateway

Maintaining the utility of devalued and tokenized data is almost as important as desensitizing it and removing it from your environment in the first place. This functionality is a cornerstone of the TokenEx platform and our Transparent Gateway solution, which enables our customers to share the sensitive data they’ve tokenized, such as a credit card primary account number (PAN), with third-party payment service providers (PSPs) and other desired endpoints.

Occasionally, our customers work with payment processors whose APIs require a hash parameter to ensure the integrity and authenticity of the API requests, complicating what typically would be a simple integration. In short, a hash is the output of a one-way function: a string derived from the original input value that is, for practical purposes, unique to that input, similar to the way a fingerprint is used to identify an individual. If two hashes are the same, the two inputs can be treated as the same. This allows entities to confirm that a value, such as the body of an API request, hasn’t been modified. Here’s how a hash is used to verify the integrity of an API call:

  • Company A is using Company B’s API service, and Company B wants to authenticate the user of its API (make sure Company A is actually Company A, not an attacker that intercepted the message or is pretending to be Company A).
  • Company A hashes its API request and includes that hash as a parameter in the request. When Company B receives the request, it will also hash the request and compare what it gets to the hash parameter provided by Company A.
  • If Company A is who it says it is, the hashes should match.

During a Transparent Gateway API call, this process is altered slightly. Because TokenEx replaces a token with the original data, such as the credit card PAN, a hash of the API request generated by our customer (Company A) would be different from a hash generated by the receiving payment processor (Company B), causing the hash-verification process to fail.

One of the strengths of the TokenEx platform is our continuing innovation in support of our customers’ business needs. As a result of this flexibility and ongoing product development, we recently enhanced the Transparent Gateway to generate a hash of an API request after we have detokenized it. We then return this hash of the detokenized request to our customers so they can include it as the hash parameter in the subsequent payment transaction. The result: nearly seamless integration with PSPs that require hash parameters to access their API services.
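The mismatch and the fix described above can be reproduced in a few lines. This is an added example, not TokenEx code or its API: the function names, the token format, the vault contents and the choice of SHA-256 over the raw request body are all assumptions, since the post does not name the processor's hash algorithm.

```python
import hashlib
import hmac
import json

# Constructed token vault: token -> PAN (4111... is a standard test number).
VAULT = {"tok_9f2c41d7a1111": "4111111111111111"}

def request_hash(body):
    """Hash of the exact request body (SHA-256 is an assumption)."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def detokenize(body):
    """Gateway step: replace each known token with the original value."""
    for token, pan in VAULT.items():
        body = body.replace(token, pan)
    return body

def gateway_hash(tokenized_body):
    """Gateway hashes the request after detokenizing it and returns the hash."""
    return request_hash(detokenize(tokenized_body))

def gateway_forward(tokenized_body, hash_param):
    """Gateway detokenizes the body and passes the hash parameter through."""
    return {"body": detokenize(tokenized_body), "hash": hash_param}

def processor_verify(request):
    """Processor recomputes the hash over what it received and compares."""
    expected = request_hash(request["body"])
    return hmac.compare_digest(expected, request["hash"])

def demo():
    body = json.dumps({"amount": "25.00", "currency": "USD",
                       "card_number": "tok_9f2c41d7a1111"}, sort_keys=True)
    # Customer hashes the only body it can see (token inside): check fails.
    naive = processor_verify(gateway_forward(body, request_hash(body)))
    # Customer first obtains the hash of the detokenized body from the gateway.
    fixed = processor_verify(gateway_forward(body, gateway_hash(body)))
    return naive, fixed

if __name__ == "__main__":
    print(demo())  # (False, True)
```

The customer never handles the PAN in either path; only the gateway and the processor see the detokenized body that the hash covers.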

Topic(s): data security, tokenization
