Browser-based encryption for mobile payments and ecommerce

Securing and tokenizing sensitive data with browser-based encryption

Your ecommerce and mobile payment channels are probably the most important ways your organization takes payments. Countless hours are invested in these technologies to ensure your customers have the best buying experience possible while interacting with your digital assets. Because of this, you are very protective over these technologies, and the likelihood of new technologies introduced by third parties entering these environments is very unlikely. That is, until security and compliance come into play, right?

Does the following statement sound familiar? Between trying to provide the best possible buying experience for our customers AND meeting security and compliance requirements, our job is really hard!

Because of this balancing act, TokenEx has developed multiple ways to secure and tokenize payment card data in ecommerce and mobile environments. From customized hosted payment pages to JavaScript implementation, TokenEx has a solution to meet your requirements. To that end, we would like to introduce you to our browser-based encryption solution. Not only will we discuss the basics, but since we know you are the kinds of people who want to hear about the nuts and bolts, we are also going to get a bit technical. So if you’re that person who knows your organization’s environment and technologies inside and out, you will quickly understand how implementing this solution could help you balance the “culture vs. compliance” challenge.

What is browser-based encryption in the TokenEx world?

At a very high level, browser-based encryption is a JavaScript technology. It is embedded in our customers’ ecommerce or mobile payment pages to securely accept and encrypt payment card data. After payment card data is encrypted (using RSA public-key cryptography), within the client’s browser on form submission, the encrypted value is sent back to your website, where it can then be passed to TokenEx for decryption, tokenization, and vaulting. At this point, our customers take the lead in validating the inputs (e.g., order total, address, email), and executing any further TokenEx Web Service functions (like those used to process payments for purchases).

On the backend, interfacing with the processor(s) is a separate series of steps. Today, we are focusing on the granularities of the frontend technology and payment processing with ecommerce tokenization.

How does browser-based encryption secure data both through capture and transmission?

For capturing sensitive data, whether PCI or PII, you will want to encrypt the form fields on your website that will be accepting this sensitive data. Since browser-based encryption is client-side, upon form submission the sensitive data is encrypted using the TokenEx public key within the browser before it is sent to your web servers. Because neither you nor your customers have the private key, this data cannot be decrypted by either party. Only TokenEx can decrypt the data, as we hold the private key.

During transmission, only data encrypted with the TokenEx public key is being transmitted using secure protocols like Transport Layer Security, or TLS. Essentially, we are transmitting data encrypted using RSA encryption through an encrypted TLS tunnel. What this means for you is reduced risk to your data.

Even if a man-in-the-middle attack were to occur, bypassing TLS, the attacker would only retrieve encrypted data that is useless to them—unless they can break RSA public key encryption with a 2048-bit key strength. We’re pretty good at this stuff, and our position is that this is a very secure method for protecting data at capture and during transmission.

How do you implement browser-based encryption?

From an implementation standpoint, you will start by embedding our JavaScript library in your payment page or acceptance page. When your customers check out by clicking the form submit button (like “Pay Now” or “Process Now”), that will instantiate the encryption function within our JavaScript library, encrypting the sensitive values you want secured. With the sensitive values now encrypted, you will add the resulting cipher text to the page, making the POST (or AJAX) call to your server.

Next, now that your web servers have the cipher text, you will make a single API call to exchange the cipher text for a token with TokenEx. Keep in mind that the sensitive data will be vaulted along with the token in our environment for later use with other functions like payment processing for payment data or detokenization for PII data. Additionally, we want to reiterate that your data is sent using secure protocols like TLS to protect your data.

How does tokenization help with compliance?

Now that we’ve talked about what browser-based encryption is and how it is implemented, let’s look at what this technology can do for your company. Specifically, how is this technology going to help you balance maintaining the culture of your digital acceptance channels vs. your security and compliance obligations?

The browser-based encryption implementation model allows sensitive data accepted in traditional ecommerce and mobile environments to be secured before it ever leaves the consumer’s system.Your web servers do not receive any unencrypted sensitive data, but you still maintain maximum customization, flexibility, and a positive user experience. Essentially, your customers will never know what’s happening in the background unless they view your page source to see what’s under the hood.

Although the process is secure and your web servers no longer receive unencrypted sensitive data, they are still serving up the payment or acceptance form. Because of this, the PCI Security Standards Council does still consider some aspects of this environment ‘in-scope’ for PCI compliance. For each of the parties under compliance, as well as various data sets, we explain exactly what this means for you.

Specific to compliance requirements, please see the bullets below:

PCI Compliance: Merchants

  • If you are a Level 1 Merchant*, you will still need a PCI On-site Assessment performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). However, if you are an ecommerce-only merchant, you can effectively reduce your control set obligations to those controls present within the SAQ A-EP.
  • If you are considered a Level 2-4 Merchant*, you can leverage the Self-Assessment Questionnaire Form A-EP, (SAQ A-EP), to validate your PCI compliance.

PCI Compliance: Service Providers

  • If you are a Level 1 or 2 Service Provider and are an ecommerce-only Service Provider, you can effectively reduce your control set obligations to those controls present within the SAQ A-EP.

All Other: PII, NPI, FI, ACH, or otherwise

  • Fortunately, there are no hard and fast compliance obligations around these data sets today. However, leveraging browser-based encryption to reduce risk to your data is highly recommended. Additionally, considering recent moves by Federal, State, and Industry organizations surrounding protecting these types of data sets, having a strategy in place to address business and technology requirements is going to be paramount. 

Why should I use tokenization with Javascript instead of some other web technology?

To summarize the above, browser-based encryption is the best solution for organizations that are interested in balancing control with compliance reduction. The reason you should use browser-based encryption is because you get the most balance out of this technology than any other technologies in the marketplace today. You maintain complete control of the culture of your website while cutting over half of the control obligations for PCI compliance out of annual assessment.

Moreover, from a risk standpoint, browser-based encryption is layering security throughout the entire data-acceptance and tokenization process. From the clients’ browser through to TokenEx, data is encrypted client-side, transmitted through an encrypted tunnel using secure protocols, and is tokenized and vaulted in a secure environment at TokenEx.

Using browser-based encryption, you will experience nirvana between the business, technology, security, risk, and compliance organizations within your company. TokenEx is the industry leader in cloud tokenization and data security. Follow us on Twitter and LinkedIn.

*To find out what level of merchant you are, please visit the link below:

Topic(s): encryption , tokenization