US008739262B2
(12) United States Patent (10) Patent No.: US 8,739,262 B2 Harper et al. (45) Date of Patent: May 27, 2014
(54) TOKENIZED DATA SECURITY 2007/01922.45 A1 8/2007 Fisher et al...... 705/39 2007/0262138 A1* 11/2007 Somers et al...... 235,380 (75) Inventors: Glenn E. Harper, Grapevine, TX (US); 2008/0098001 A1 4/2008 Gupta et al. Kevin B. Bomar, Weatherford, TX (US) 2008/0209534 A1 8/2008 Keronen et al. W. S. s s 2008/0243701 A1 10, 2008 von Mueller 2008/0263.645 A1 10, 2008 Renter et al. (73) Assignee: Sabre GLBL Inc., Southlake, TX (US) 2009,0055531 A1 2/2009 Brown et al. 2009,0249082 A1 10, 2009 Mattsson (*) Notice: Subject to any disclaimer, the term of this 2010, 0191370 A1 ck 7/2010 Trevino et al. patent is extended or adjusted under 35 2010, O257612 A1* 10, 2010 McGuire et al...... T26/26 U.S.C. 154(b) bV 722 d 2010/0306552 All 12/2010 Levine et al. .S.C. 154(b) by ayS. 2011/0035390 A1 2/2011 Whitehouse 2011/OO78782 A1 3/2011 Chan et al. (21) Appl. No.: 12/973,725 2011/O125597 A1 5/2011 Oder, II et al. 2011 0154467 A1 6/2011 Bomar et al. Filed: Dec. 20, 2010 2011/O167255 A1 7/2011 Matzkel et al. (22) 2011/0247062 A1 10, 2011 Zonet al. 2011/0307710 A1 12/2011 McGuire et al. (65) Prior Publication Data 2012/0278339 A1 1 1/2012 Wang US 2011/0154466A1 Jun. 23, 2011 OTHER PUBLICATIONS Related U.S. Application Data U.S. Appl. No. 12/973,751, Final Office Action mailed Apr. 1, 2013. (60) Provisional application No. 61/288,102, filed on Dec. (Continued) 18, 2009. Primary Examiner – Michael S McNally (51) Int. C. (74) Attorney, Agent, or Firm — Alston & Bird LLP H04L 29/06 (2006.01) (57) ABSTRACT (52) U.S. C. USPC ...... 726/9 Provided are devices, methods, systems, computer readable (58) Field of Classification Search storage media and other means for tokenizing data. In some USPC ...... 726/9 examples, credit card numbers are tokenized using a pre See application file for complete search history. generated token map and absent the use of a networked data base that stores a relatively large quantity of credit card num References Cited bers in a central location. The token map may be generated by (56) a token map generator Such that the token map can be used by U.S. PATENT DOCUMENTS a tokenizer to replace a portion of an account number with a token, and by a detokenizer to replace the token with the 5,414,841 A 5/1995 Bingham et al. original portion of the account number. A pre-parser and 6.427,151 B1 7/2002 Chan et al. 7,770,789 B2 8/2010 Oder, II et al. parser may also be used to locate an account number and/or 2002/O120854 A1 8, 2002 LeVine et al. token in a message received over a network. 2005, 0182946 A1 8, 2005 Shatford 2007/0113171 A1 5, 2007 Behrens et al. 20 Claims, 17 Drawing Sheets
604 608 is there Establish a secute secure correction correction setween the between the source No source system and the system and the tokenizef tokerize
Yes i. s 608 Send PAN orportion thereof Record establishment of from the source system to the H- secure connection in parser, tokenizer, etc. tokenizer's log s12 Call pre-parser andlorpre parse all data received to 626 locate PAN (see, e.g., FIG. 5) and record receipt of PAN 624 when found Recore tokanizatio 614 complete Parse PAN into substrings s (see, e.g., FIGS. 7A-8B) 622 ! 616 Send token and for resutting Caitokenizer andlor use at takenized PAN to the source Feastportion of PAN to andlor other system from the tookup token in token map tokenzer (see, e.g., FIGS. 7A-9) 820 S18 record lookup event Replace PAN or portion complete - thereof with retriewed token waiue (see, e.g., FIGS, 7A-9) US 8,739,262 B2 Page 2
(56) References Cited YYATOhcOuuEwcWGog80B5XDuWSbolU4w%3D%3D&tkin set=ygolJ6CUdWJcoW5ytp PsVdeH6FK7Bv3N18gKaliVp7xepzofCJ60VA%3D%3D >). OTHER PUBLICATIONS Shift4(R) Secure Payment Processing: 3 pages; available at
U.S. Patent May 27, 2014 Sheet 2 of 17 US 8,739,262 B2
ZLZ
0LZ
| JOSS3OOJE
`-voz
ZOZ U.S. Patent May 27, 2014 Sheet 3 of 17 US 8,739,262 B2 U.S. Patent May 27, 2014 Sheet 4 of 17 US 8,739,262 B2
322 320
324 Generate a token map of a given size having a number of rows and columns, Encrypt and/or save where each row has an associated token map array location value
326 Yes Sequentially select a row of the token map to be assigned a token value , 340 328 all the rows been Generate a random number assigned a token 330 Go to the row having an array value that is the same as the random number
randomly selected fow's token value the same as 338
Yes the sequentially selected row's Assign the array location sequentially value? selected array
location value as the middle digit value of the randomly selected
is the OW random number the same as he sequentially selected row token Value?
Swap the token value of the randomly Selected row with the token value of the sequentially selected row FIG. 3B U.S. Patent May 27, 2014 Sheet 5 of 17 US 8,739,262 B2
350 Generate an array of predetermined size
352 Sequentially select an index to an element of the array
354 Generate a random number
s the value at arrayrandom number equal to the sequentially Selected index Yes value?
random number 362
Have
equal to the value at all the arraysequentially selected index2 elements been swapped?
Swap the values of
arrayrandom number and 364 arraysequentially selected index Encrypt and/or save array 366 Create token map FIG. 3C using the array
U.S. Patent May 27, 2014 Sheet 7 Of 17 US 8,739,262 B2
Receive message 522
number's length Message still at least 10
length greater than 10?
No
Search the message for a 520 string of numeric digits Remove digits from
having a length of at least the number 10 and less than 20 digits
Such a number found in the
Does message? the string's ength match the length associated with the Vendor Code?
524 Execute confirmatory test(s)
526 Confirmatory test(s) passed?
Yes FIG. 5 U.S. Patent May 27, 2014 Sheet 8 of 17 US 8,739,262 B2
6
606 ls there Establish a Secure SeCure Connection Connection between the between the Source source system and the system and the tokenizer tokenizer?
Yes 61O 608 Send PAN or portion thereof Record establishment of from the source system to the Secure Connection in parser, tokenizer, etc. tokenizer's log 612 Call pre-parser and/or pre parse all data received to 626 locate PAN (see, e.g., FIG. 5) End and record receipt of PAN 624 When found 614 Record tokanization Parse PAN into substrings complete (see, e.g., FIGS. 7A-8B) 622 616 Send token and/or resulting
Call tokenizer and/or use at tokenized PAN to the Source least portion of PAN to and/or other system from the lookup token in token map tokenizer (see, e.g., FIGS. 7A-9) 618 Replace PAN or portion Record lookup event thereof with retrieved token complete value (see, e.g., FIGS. 7A-9) FIG. 6 U.S. Patent May 27, 2014 Sheet 9 Of 17 US 8,739,262 B2
2)/,"$DIH
U.S. Patent May 27, 2014 Sheet 11 of 17 US 8,739,262 B2
902 900 908
904 Determine an ls PAN numeric? N error has OCCurred
Yes
910
PAN have at
least 14 digits and eSS than 20
Does PAN have 13 PAN have 12 digits?
Access token map Access token map Access token map for middle digit for middle digit for middle digit length of eight length of seven length of six
Parse a PAN into prefix, middle digits and suffix
Retrieve tokenized PAN from token map and convert middle digits to base36 tokenzied PAN U.S. Patent May 27, 2014 Sheet 12 of 17 US 8,739,262 B2
PAN have 19 digits? 932
928 Obtain two character token
MOD the middle digits with the value 36 and append map version ID that result to front of tokenized Corresponds with current token map
PAN
934
930 Construct token from prefix, Truncate last character of token map version ID, base36 prefix middle digits and suffix (see FIG. 9C)
Length of Length of Length o prefix Version Tokenized suffix
14 2 2 6 4 15 3 2 6 4 16 4 2 6 4 17 5 2 6 4 18 6 2 6 4 19 6 2 6-1 4 FI G. 9 C U.S. Patent May 27, 2014 Sheet 13 of 17 US 8,739,262 B2
10O2 xxx
1004 1 OO6 is there Establish a Secure Secure Connection Connection between the between the Source source system and the system and the detokenizer detokenizer?
Yes 1010 1008
Send token Or tokenized Record establishment of PAN from the Source Secure Connection in system to the detokenizer detokenizer's log
1012 1024 End Pre-parse all data received to locate token 1022 (see, e.g., FIG. 11) and Record lookup event record receipt of token complete
1014 102O Use token data to lookup Send middle digits and/or middle digits (see, e.g., PAN to the source system FIGS. 12-14) from the detokenizer 1018 1016 Replace token with Recorate event retrieved middle digits (see, p e.g., FIG. 14) FIG. 10 U.S. Patent May 27, 2014 Sheet 14 of 17 US 8,739,262 B2
1104 Receive message
Message
length greater than 1 OP
NO Search the message for a 1120 pattern consistent with a token Not a valid token and/or tokenized PAN
Token pattern found in the message? token map identifier
No 1114 Extract token map identifier from Convert base36 portion of the token (see, e.g., FIG. 12) token to base 10 and uses the identified token map 1116 (see, e.g., FIGS. 12-14)
1124
1130 Execute Luhn test
1128 Output detokenized middle 1126 digits value and/or PAN YeS Luhn test passed? FIG. 11 U.S. Patent May 27, 2014 Sheet 15 Of 17 US 8,739,262 B2
1204
Parse the tokenized PAN into prefix, token map identifier, token, and Suffix
Locate and load Correct version token map (see, e.g., FIG. 13)
Use the token map to replace the token with the detokenized base 10 middle digits
Construct detokenized PAN from prefix, middle digits, and suffix
FIG. 12 U.S. Patent May 27, 2014 Sheet 16 of 17 US 8,739,262 B2
Find, retrieve, decrypt and load the token values associated with the token identifier included in the message
NO
all the token values been associated with a middle digits value?
Yes 1312
FIG. 13 U.S. Patent May 27, 2014 Sheet 17 Of 17 US 8,739,262 B2
907 w
8|92999|| V O †7],"SDI s w 90996699
Keluv uo?eooT 90996699 Z?068/99 9|,068/99 66666666 00000000||
--
US 8,739,262 B2 1. 2 TOKENIZED DATA SECURITY to an encrypted file and used as an input in the tokenizing and/or detokenizing processes. CROSS-REFERENCE TO RELATED A tokenizer can comprise a machine configured to tokenize APPLICATION a PAN. For example, the tokenizer can be configured to receive a PAN (and/or other type of code) and a token map as This patent application claims priority to U.S. Provisional inputs, and output a token with the same number of alphanu Patent Application No. 61/288,102, filed Dec. 18, 2009, titled meric characters (or any other type of characters) as the “TOKENIZED DATA SECURITY” which is hereby incor inputted PAN. Alternatively or additionally, the tokenizer may output a token that has a different number of characters porated by reference in its entirety. 10 than the inputted PAN. The outputted token may be substi FIELD tuted in between characters of the original PAN and used for application communications and storage. Such as those related to purchasing goods and services. The token can be Embodiments discussed herein relate to online data secu Subsequently used as input to a detokenizer. Access to the ritv.ty 15 token map, the tokenizer and/or its process can be protected for use by only trusted applications and/or secured hardware. BACKGROUND In some of the exemplary embodiments discussed herein, a tokenized PAN can comprise three parts: a prefix, six to nine Every day millions of people use debit cards, credit cards middle digits (including a token map version identifier and a and other types of devices (collectively referred to herein as token) and a suffix. Alternatively or additionally, the token “credit cards') to purchase goods and services. Credit cards ized PAN can comprise more or less parts and/or each of the usually include a payment account number (“PAN') that parts may comprise more or less digits. includes the credit cards 12-19 digit number. The PAN is The suffix of a tokenized PAN may include the same value often embossed into and printed onto the credit card. Most as the last digits of the original PAN that is received. The credit cards also include a magnetic strip or RFID circuit that 25 middle digits of the tokenized PAN may comprise, for stores data representing the credit cards PAN. example, a randomly generated token that is based on the Once a credit card is used to purchase goods, networked PAN's original middle digits (as opposed to only being based devices may store the PAN maintaining security at the net on when the credit card is used). Systems in accordance with worked devices and availability of the information stored Some embodiments may be configured to dynamically gen thereon is essential to the credit industry, commerce in gen- 30 erate the token such that the total length of the token depends eral, and even modern Society as a whole. on or is otherwise associated with the total length of the untokenized PAN. For example, in response to determining BRIEF SUMMARY the untokenized PAN length is twelve digits, the system may be configured to generate a token that consists of six charac The Payment Card Industry (PCI) compliance currently 35 ters. As another example, in response to determining the PAN requires that steps be taken to protect the PAN from potential length is thirteen digits, the system may be configured to cyber attackers. Some embodiments of the present invention generate a token that has a length of seven characters. As yet include tokenization at the edge systems of a distributed another example, in response to determining the PAN length network, which may reduce the scope of applications that is fourteen to eighteen digits, the system may be configured to would governed by PCI compliance requirements. 40 generate a token that has a token length of eight characters. As As referred to herein, tokenization includes the process of a final example, in response to determining the PAN is nine replacing at least a portion of a PAN with a token to render a teen digits, the system may be configured to generate a token representation of the PAN useless to unauthorized observers. that is nine characters in length. In some embodiments, the tokenization process can produce A detokenizer can comprise a machine configured to, for a tokenized PAN that has a field length (as determined by the 45 example, convert a token generated by the tokenizer into the number of characters in the PAN) that is the same as the original PAN (or other type of code). Access to this process untokenized PAN's field length. When implementing tokeni can be protected for use by only trusted endpoints. The deto Zation in accordance with Some embodiments discussed kenizer may be configured to only be called from applications herein, legacy system components (such as, e.g., applica that need to process the PAN. tions, schemas, Switches, servers, and/or databases) that are 50 Although much of the disclosure is focused on tokenizing currently configured to pass and/or store non-tokenized PANs middle digits values and not tokenizing prefix values and may continue to operate as they are currently configured, even Suffix values, any segment or segments of a PAN or other type if they happen to receive tokenized PANs provided by sys of code may be tokenized, while one or more other segments tems and apparatuses in accordance with embodiments dis remain untokenized. In some embodiments, rather than cussed herein. 55 tokenize a middle digits value (comprised of digits in the Some embodiments discussed herein can be implemented middle of a PAN), a tokenizer may tokenize a “targeted seg using one or more of the following components: a token map ment' that may be comprised of one or more characters generator, a pre-parser, a parser, a tokenizer and a detoken positioned throughout the PAN. The targeted segment may izer. In some embodiments, the above listed components include, for example, two or more characters or portions of and/or processes preformed thereby may be combined and/or 60 characters that are located next to each other, characters dis divided among various components and/or systems. persed individually throughout the PAN, and/or any combi A token map generator can comprise a machine configured nation thereof. Like the middle digits values discussed above, to generate a token map that associates a portion of a PAN to Some embodiments may or may not define the targeted seg a token. In some embodiments, there may be one hundred ment based on character(s) predetermined location(s) within million tokens included in each token map, and any one of the 65 a given PAN. Similarly, rather than not tokenizing a prefix tokens may be associated with any one of the PANs (and/or value (located before a targeted segment of characters) and/or other type of code). The generated token map may be written Suffix value (located after a targeted segment of characters), US 8,739,262 B2 3 4 Some embodiments may have one or more “non-targeted FIG. 11 shows a flow chart implementing an exemplary values” that, like the prefix and suffix values discussed above, detokenization pre-parser process in accordance with some remain untokenized in a tokenized PAN. Likewise, rather embodiments of the present invention: than replace a token with a middle digits value during deto FIG. 12 shows a flow chart implementing an exemplary kenization, the token may be replaced with the targeted seg process for extracting a token map version identifier from a ment. In this regard, a token map may be generated to asso tokenized PAN in accordance with some embodiments of the ciate token values with targeted values and targeted values present invention; with token values. Non-targeted values may also remain the FIG. 13 shows a flow chart implementing an exemplary same when a tokenized PAN is being detokenized. Therefore, process for building a token map for detokenization in accor it is to be understood that the inventions are not to be limited 10 dance with some embodiments of the present invention; and to the specific embodiments disclosed and that modifications FIG. 14 shows a portion of an exemplary token map that and other embodiments are intended to be included within the may be used to facilitate detokenizing the token and/or token Scope of the appended claims. Although specific terms are ized PAN. employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation. 15 DESCRIPTION BRIEF DESCRIPTION OF THE SEVERAL Exemplary embodiments of the present invention are VIEWS OF THE DRAWING(S) described in more detail hereinafter with reference to the accompanying drawings, in which some, but not all embodi Having thus described the invention in general terms, ref ments of the invention are shown. Indeed, various embodi erence will now be made to the accompanying drawings, ments of the invention may be embodied in many different which are not necessarily drawn to scale, and wherein: forms and should not be construed as limited to the embodi FIG. 1 shows a system includes exemplary machines that ments set forth herein; rather, these embodiments are pro can be configured to implement Some embodiments of the vided so that this disclosure will satisfy applicable legal present invention; 25 requirements. Like reference numerals refer to like elements FIG. 2 shows exemplary components of a source device in throughout. accordance with some embodiments of the present invention; As defined herein a "computer-readable storage medium.” FIG. 3A shows exemplary components of a server device which refers to a physical storage medium (e.g., volatile or that may function as a pre-parser, parser, token map genera non-volatile memory device), can be differentiated from a tor, tokenizer, detokenizer pre-parser, detokenizer parser, 30 “computer-readable transmission medium, which refers to and/or detokenizer in accordance with some embodiments of an electromagnetic signal. Additionally, as used herein, the the present invention: term “circuitry” refers to not only hardware-only circuit FIGS. 3B and 3C show flow charts implementing exem implementations including analog and/or digital circuitry, but plary processes that may be used to generate a token map in at least also to combinations of circuits with corresponding accordance with some embodiments of the present invention; 35 Software and/or instructions stored on a computer-readable FIG. 4 shows an exemplary token map in accordance with storage medium. Some embodiments of the present invention; Example embodiments of the present invention may be FIG. 5 shows a flow chart implementing an exemplary configured to Support various security and other functional process that may be used to pre-parse a received message to ities in, for example, an online sales environment, credit card locate the presence of an account number that is to be token 40 sales application, any other type of system, or combination ized in accordance with Some embodiments of the present thereof. Embodiments discussed herein can be implemented invention; using hardware and other machine components implemented FIG. 6 shows a flow chart implementing an exemplary by one or more servers, source devices, any other type of tokenization process in accordance with some embodiments machine, and/or any combination thereof. of the present invention; 45 Embodiments discussed herein solve a number of prob FIGS. 7A and 7B show an exemplary credit or debit card lems. Such as those related to data storage requirements, that includes a sixteen digit, base 10 PAN and how a parser speed and security risks associated with existing centralized may parse the PAN into separate values in accordance with token databases. To overcome these problems, one of ordi Some embodiments of the present invention; nary skill in the art may be tempted to focus on innovation that FIG.7C shows a table that correlates various untokenized 50 leverages the current systems and methods. For example, one PAN lengths with various lengths of middle digits that are to skilled in the art may focus on ways to better encrypt data be tokenized in accordance with some embodiments of the stored in large centralized databases. Some of the embodi present invention; ments discussed herein, however, may be used on their own FIG. 8 shows a portion of a token map that may be used for and/or built on top of existing systems. Such as those that used tokenizing a PAN in accordance with some embodiments of 55 large centralized databases. Among other things, the follow the present invention; ing disclosure includes exemplary embodiments for protect FIGS. 9A and 9B show a flow chart implementing an ing information by using a completely new approach. exemplary process for selecting a token map based on the length of the received PAN in accordance with some embodi Overview ments of the present invention; 60 FIG.9C shows a table that correlates various untokenized Many of the examples discussed herein are related to PANs PAN lengths with various lengths of parts of a tokenized PAN included in credit card numbers. One skilled in the art would in accordance with some embodiments of the present inven appreciate that embodiments discussed herein may be con tion; figured for any type of code, including those other than or in FIG. 10 shows a flow chart implementing an exemplary 65 addition to credit card numbers’ PANs. For example, meth detokenization process in accordance with some embodi ods, systems, computer readable media and/or other means ments of the present invention; similar to or the same as those discussed herein can be used to US 8,739,262 B2 5 6 protect any type of information, including Social security izer that tokenizes or detokenizes the PANs that it receives numbers, bank account numbers, healthcare information, before serving the PANs to the other machines within firewall travel itineraries, any other information, or any combination perimeter 110A. thereof. For example, the machines within firewall 110A may be Credit cards often have between 12 and 19 digit PANs consumer and retail system devices that are used to facilitate depending on the credit card provider. Tokenization of a tar electronic payment, including capturing credit card numbers geted segment comprising at least Some of the PAN. Such as from magnetic strips. Server 104A may be configured to the middle digits, may allow applications to transmit and tokenize all the credit card PANs before sending the PANs to store the tokenized PANs without risking untokenized PANs a machine outside firewall perimeter 110A. being stolen, while still allowing a detokenization process in 10 As another example, the machines within firewall 110A accordance with some embodiments to obtain the original could be machines used by an online vendor, such as an online PAN and/or other type of number (if different from the PAN). travel agency. The online travel agent may make reservations FIG. 1 shows system 100 which includes exemplary and Schedule trips for customers. To help protect its custom machines that can be configured to implement embodiments ers' financial and/or other personal data, the online travel of the present invention. A number of source devices 102A 15 agency may tokenize every PAN it receives from internet 112, can communicate with server 104A via a network, Such as before the personal data is delivered to any travel agents intranet 106A. In FIG. 1, source devices 102A include a networked device (such as source device 102A). As the token computer, a handheld device and a credit card reader, which ized data passes back through server 104A (e.g., after being can each be configured to access intranet 106A via a wired or processed by the travel agent's computer), the data can be wireless connection. Other types of devices, including those detokenized so that external devices (that may not be config that can receive a credit card number and generate a repre ured to implement features of the present invention) are able sentative electrical signal, can be connected to intranet 106A. interpret and correctly process the PAN (or other) data. As Intranet 106A is an example of a network and can be com Such, server 104A may also (or instead) be configured as a prised of any number of public and/or private devices, includ detokenizer. ing routers, servers, databases, antennas, Switches, cellular 25 In some embodiments, two or more servers of system 100 towers, satellite systems, and/or any other machine that facili can be configured to collaborate and implement features of tates wired and/or wireless network communications. Exem the present invention. For example, system 100 can be con plary components of source devices 102A are discussed fur figured to utilize a decentralized or distributed tokenization ther below in connection with, e.g., FIG. 2. architecture (as opposed to or in addition to a central tokeni Server 104A can be a machine configured to operate as, 30 Zation system). To help show an example of the decentralized among other things, a pre-parser, parser, token map generator, embodiments, FIG. 1 includes source devices 102B, server tokenizer and/or detokenizer. For example, server 104A may 104B, intranet 106B, firewall 108B and firewall perimeter comprise one or more apparatuses that are configured to 110B, which can each function the same as or similar to generate and maintain one or more token maps in accordance source devices 102A, server 104A, intranet 106A, firewall with Some embodiments discussed herein. In some embodi 35 108A, and firewall perimeter 110A, respectively. ments, the security of the system is at least partially founded In some embodiments, server 104B can be configured to in the randomness of the token generation and security of a archive server 104Astoken map(s). For example, after estab “token map.” The token map, as referred to herein, is a table, lishing a secured connection (using, e.g., the SSL protocol, or multi-dimensional array, or other means for associating a any other suitable protocol), server 104A can electronically token with a PAN or portion thereof (such as the middle eight 40 transfer its token map(s) to server 104B. Similarly, updates digits of a PAN). Exemplary components of server 104A are can be made to server 104B's backup copy of server 104A's discussed further below in connection with, e.g., FIG.3A and token map(s). The updates can occur periodically (e.g., exemplary embodiments of token maps are discussed in con hourly, daily, weekly, etc.) or in response to a trigger event nection with, e.g., FIGS. 8 and 14. (such as, e.g., server 104A generating and/or updating a token Additionally or alternatively, server 104 may be configured 45 map, a network administrator of server 104A or server 104B to tokenize a PAN before transmitting the PAN to an unse initiating the backup/transfer procedures, etc.). cured system, over a public network or to any other device Similar to or the same as intranet 106A and 106B, internet that may be at risk (or a relatively high risk) of cyber attack. 112 is an example of a network and can be comprised of any Server 104A can be configured to implement and/or be number of publicly and/or privately accessible devices, coupled to firewall 108A, which can also be coupled to inter 50 including routers, servers, databases, antennas, Switches, cel net 112. Firewall perimeter 110A, which shown around lular towers, satellite systems, and/or any other machine that source devices 102A, server 104A, intranet 106A and firewall facilitates wired and/or wireless network communications. 108A, is included in FIG. 1 to show which devices may have Mainframe 114 represents a central tokenization system access to an untokenized PAN received by source devices that includes an internal server and database. While some 102A. For example, server 104A can be configured to token 55 embodiments may sufficiently protect numeric and other ize any data it receives after determining the received data information absent a central tokenization system, other represents a credit cards untokenized PAN. FIG. 5 shows an embodiments can enhance or add another layer of security to exemplary method for determining that server 104A (and/or centralized tokenization systems. For example, mainframe any other device or devices) has received an untokenized 114 can be configured to store, in their entireties, every PAN PAN. The received data may have been generated by source 60 mainframe 114 has every received. Additionally, mainframe devices 102A, one or more other machines inside firewall 114 may be configured to store its own, independently gen perimeter 110A (not shown), and/or one or more other erated token associated with each PAN as well as the algo machines outside firewall perimeter 110A. As such, firewall rithm and instructions for generating a token from a PAN. perimeter 110A can represent, for example, an electronic While the other machines shown in FIG. 1 may appear to boundary including a group of machines that has access to 65 function the same as electronic payment processing systems untokenized PANS or a group of machines that has access (from the perspective of mainframe 114), the other machines only to tokenized PANs, where server 104A acts as a token shown in FIG.1 may be backwards compatible with existing US 8,739,262 B2 7 8 mainframes while also being configured to implement addi purchases may not be authorized if the temporal-based token tional data security protections, some examples of which are assignment database is offline. To keep the token and PAN described herein, on top of at least some of the traditional data available, data redundancy, among other things, can be approaches that may be implemented by mainframe 114. implemented by systems implementing a temporal-based For example, the credit card industry (and/or other business token assignment approach. Accordingly, in Some embodi organizations) may rely on one or more central databases, ments, system 100 may not implement the temporal-based such as PAN mainframe 114, to persistently store and main token assignment approach, and instead only utilize a pre tain the entire PAN for each credit card ever processed by generated token map that randomly associates token values system 100. In addition to the PANs, mainframe 114 can with portions of PAN values. generate and/or store tokens that represent the complete 10 In some embodiments, mainframe 114, firewall 110A, fire PANs (instead of a portion thereof). The central database can wall 110B, some types of the source devices 102, and/or any also (or instead) be configured to tokenize a PAN by, e.g., other device discussed herein may be omitted from system mapping each token to a corresponding complete PAN. The 100. The particular types of devices included in system 100 tokens can then be used instead of or in addition to the PANs and their functionality are intended to be exemplary only. when transmitting credit card information over unsecured 15 FIG.2 shows exemplary components of source device 102. lines using public and/or private networks. As such, the User 202 can enter information into source device 102 using tokens can act as an additional layer of network security when user interface 204. User interface 204 can be any type of performing credit card transactions using mainframe 114. component that can transform user-entered information, In addition to or instead of utilizing a pre-generated token including a PAN, into electrical data that can be transmitted, map that is in accordance with some embodiments discussed stored and/or processed by a machine. For example, user herein, each token can be generated by a centralized tokeni interface 204 can comprise a magnetic strip reader, RFID Zation system in real (or near real) time. For example, server reader (for passive, active and/or semi-passive RFID tags), 104A, server 104B and/or mainframe 114 may be configured keyboard, mouse, touch-sensitive component, display screen, to assign a token based on when a credit card is first used to microphone, imaging device, any other type of input device purchase a good or service relative to when other credit cards 25 and/or any combination thereof. are first used with the system (and instead of or in addition to, The data generated by user interface 204 can be sent to e.g., assigning a token based on the content of a portion of the processor 206. Processor 206 can be any suitable circuitry PAN and a randomly generated token map). configured to, among other things, process data representing When implementing a temporal-based token assignment untokenized PANs, tokenized PANs, detokenized PANs, any approach, System 100 can be configured to search a central 30 other type of data, or any combination thereof. For example, database (such as that included in mainframe 114) to see if the one or more of various processing means or devices such as a received PAN has been previously tokenized. If the compete coprocessor, a microprocessor, a controller, a digital signal PAN is not found in the central database, a random token can processor (DSP), a processing element with or without an be generated based on when the PAN was received relative to accompanying DSP or various other types of processing other PANs. The temporal-based token assignment system 35 hardware including integrated circuits such as, for example, then has to determine new token that is available which can an ASIC (application specific integrated circuit), an FPGA require another search of the database. The searching can be (field programmable gate array), a microcontroller unit costly, in terms of time, money, processing power, and band (MCU), a special-purpose computer chip, or any combination width. If the randomly selected token is determined to have thereof. In some exemplary embodiments, processor 206 may been used previously, the process can be repeated until a 40 be configured to execute instructions stored in memory unique token has been successfully generated for the PAN by device 208 or otherwise accessible to processor 206. The system 100. Once the token is generated, the token can be instructions may be permanent (e.g., firmware) or modifiable stored with the entire PAN in the central database. For the (e.g., Software) instructions can be organized in any manner. temporal-based token assignment system to work properly, Alternatively or additionally, processor 206 may be config system 100 and its central database must be persistently avail 45 ured to execute hard coded functionality. As such, whether able to tokenize and detokenize PANs for every transaction. configured by hardware or software methods, or by a combi Scaling, availability and locality can therefore be limited by nation thereof, processor 206 may represent an entity (e.g., the temporal-based token assignment database. physically embodied in a machine) capable of performing As a result, a temporal-based token assignment database operations according to embodiments of the present invention often requires costly security and storage. Much innovation 50 while configured accordingly. Thus, for example, when pro has thus far been focused on how to block hackers from cessor 206 is embodied as an ASIC, FPGA or the like, pro accessing the large central databases, while still storing mil cessor 206 may be specifically configured hardware for con lions of complete credit card numbers that Source devices can ducting the operations described herein, including those efficiently access. Additionally, there has been much research associated with pre-parsing, parsing token map generation, into development of how to decrease database access time. 55 tokenization and detokenization. Alternatively, as another Despite the layers of security and risk of potential jail time, example, when processor 206 is embodied as an executor of the large amount of credit card numbers together in a central Software or firmware instructions, the instructions may spe database attracts hackers. Large organizations have experi cifically configure processor 206 to perform the algorithms enced major financial, legal and publicity problems after its and/or operations described herein when the instructions are temporal-based token assignment databases were hacked, 60 executed. Processor 206 may include, among other things, a and tens of millions of complete credit card PANs were sto clock, an arithmetic logic unit (ALU) and logic gates config len. In addition to credit card databases, other types of large ured to support operation of processor 206. central databases (such as those that store personal informa Memory device 208 may include, for example, one or more tion, financial information, Social security numbers, etc.) are nontransitory computer readable storage media that can com also at risk. 65 prise Volatile and/or non-volatile memories. For example, Data availability is almost, if not just as, important as data memory device 208 may be an electronic storage device (e.g., security to business operations. In many instances, credit card a computer-readable storage medium) comprising gates (e.g., US 8,739,262 B2 10 logic gates) configured to store data (e.g., bits) that may be application (as discussed in connection with FIGS. 10 retrievable by a machine (e.g., a computing device including through 14), which includes receiving and analyzing a token a processor such as processor 206). Memory device 208 may ized PAN and outputting a detokenized PAN. In some be configured to store information, data, applications, embodiments, the detokenized PAN may be the same as the instructions or the like for enabling processor 206 to carry out 5 untokenized (and/or original) PAN. A third application is the various functions in accordance with exemplary embodi Luhn check application, which can be used to receive and ments of the present invention. For example, memory device analyze the tokenized PAN and output a signal. Such as a true 208 may be configured to buffer input data for processing by or false (logic 1 or 0) signal. A fourth application includes processor 206. Additionally or alternatively, memory device configuring the tokenizer to determine the issuer (e.g., bank, 208 could be configured to store instructions for execution by 10 credit institution, etc.) based on, for example, a bank identi processor 206. fication number (“BIN”) of the PAN, which can include Communications interface 210 can be configured to facili receiving and analyzing a tokenized PAN and returning the tate any type of wired and/or wireless communications. For issuing identifier of the PAN. example, communications interface 210 can facilitate com In some embodiments, one or more of the applications munications through direct or dial-up telephone infrastruc 15 included in tokenizer 310 may be implemented in a stand ture, cable modems, fiber optic cables, satellite systems, cel alone device, in separate component and/or at least partially lular networks, WANs, LANs, and/or through an additional included in a device/component other than server 104 and/or network component which may be used to form network 212. tokenizer 310. For example, the detokenize application may Network 212 can be the same as or similar to intranet 106A or be implemented in a separate detokenizer that may be con 106B or internet 112 of FIG. 1. figured to communicate directly with server 104's processor FIG. 3A shows exemplary components of server 104, and/or other components. As another example, the detoken which may be the same as or similar to servers 104A and/or izer may include its own hardware (including, e.g., processor, 104B discussed in reference to FIG. 1. memory, etc.), software, firmware and/or any other compo Network 302 is shown as a source of incoming data that is nent that may be needed or useful for detokenizing data. received by communications interface 304. Network 302 can 25 Similarly, functionality of other components of server 104 be comprised of anything discussed in connection with, e.g., (and/or any other apparatus discussed herein) may be imple network 212, intranet 106A, intranet 106B and/or internet mented as a stand alone device and/or be at least partially 112. Communications interface 304 can be comprised of implemented by a device/component other than server 104. anything discussed in connection with, e.g., communications For example, token map generator 318 may be configured to interface 210. Similarly, processor 306 can be comprised of 30 generate token map 314 (which is discussed further in refer one or more of the components discussed in connection with, ence to FIG. 3B). Token map generator 318 may be imple e.g., processor 206, though processor 306 may be configured mented as a component of server 104 as shown in FIG. 3A, to be optimized primarily for server functionality, while pro including processing circuitry, memory, and/or any other cessor 206 may be configured to be optimized primarily for nontransitory hardware (some examples of which are dis client functionality. Memory 308 can be comprised of one or 35 cussed above in connection with processor 306 and/or more of the components discussed in connection with, e.g., memory 308). memory 208, though memory 308 may be configured to be Alternatively or additionally, the functionality of token optimized primarily for server functionality (e.g., including map generator 318 may be implemented by processor 306, RAID or other server-grade storage) while memory 208 may any other component of server 104, and/or any other compo be configured to be optimized primarily for client and/or user 40 nent external to server 104. For example, token map 314 may device functionality. In some embodiments, memory 308 can be received from a networked device using communications be configured to store the token map 314, which may be interface 304, and/or from a peripheral device using input/ received by communications interface 304 and/or input/out output interface 316, among other things. Input/output inter put interface 316 or which may be generated by token map face 316 may include, for example, one or more ports, such as generator 318. 45 a universal serial bus (“USB) port and/or any other data Tokenizer 310 can be dedicated circuitry responsible for port(s) (including wireless ports) that can receive transitory tokenizing and detokenizing data, Such as PANs, in accor data from an external source. Such as from an external non dance with embodiments of the invention, some of which are transitory storage medium by which token map 314 may be discussed below. In some embodiments, tokenizer 310 can be generated, modified (including encrypted) and/or stored. a module, Software, firmware, hardware, and/or anything else 50 Additionally or alternatively, input/output interface 316 may implemented by and/or able to communicate with processor include, for example, one or more ports and/or other physical 306 via an internal bus or other type of communications path. components enabling a keypad, touch display screen, and/or In some embodiments, tokenizer 310 may be included in other input/output components to be coupled to server 104. server 104 as shown in FIG. 3A. Although the discussion herein generally focuses on the Alternatively or additionally, tokenizer 310 may be its own 55 components shown in FIG. 3A as well as the tokenizing, device and/or at least partially included in a device other than detokenizing, parsing, and pre-parsing being implemented in server 104. In such embodiments, tokenizer 310 may include a server, the same and/or similar components may also be its own hardware (including, e.g., processor, memory, etc.), implemented in a source device (such as source device 102A), Software, firmware and/or any other component that may be a central mainframe (such as mainframe 114), and/or any needed or useful for tokenizing data. 60 other device. For example, a Smart telephone, peripheral In some embodiments, tokenizer 310 can be configured to device (such as card reader that is coupled to a portable execute four (or any other number) of applications. Each device) and/or other computing device may have an applica application can be implemented using, e.g., an application tion loaded thereon that enables the hardware of the comput layer interface. One application is a tokenize application, ing device to function as a token map generator, tokenizer, which enables the tokenizer to take an untokenized PAN, and 65 detokenizer, parser and/or pre-parser. In some embodiments, return a tokenized PAN (as discussed in connection with every electrical device may have one or more of its own token FIGS. 4A through 9C). Another application is the detokenize maps assigned by a central system and/or generated locally US 8,739,262 B2 11 12 by the electrical device. For example, a central system (Such loaded, and executed at a time. In some example embodi as server 104 and/or mainframe 114) may assign source ments, retrieval, loading and/or execution may be performed device 102 a token map version identifier and provision in parallel such that multiple instructions are retrieved, Source device 102 to generate its own token map. Source loaded, and/or executed together. Execution of the program device 102 may then function as discussed in connection 5 code instructions may produce a computer-implemented pro with, e.g., FIG.3A and tokenize/detokenize PANs based upon cess such that the instructions executed by the computer, its locally generated token map. processor, other programmable apparatus, or network thereof provides actions for implementing the functions specified in Token Map Generation the actions discussed in connection with, e.g., process 320 of 10 FIG. 3B shows process 320, which may be used in accor FIG. 3B. dance with Some embodiments to generate token map 314. Process 320 starts at 322. At 324, the processor (which may Like Some other processes discussed herein, process 320 is be comprised of more than one can physical component) can represented by a flow diagram in accordance with some be configured to generate an array of a predetermined size. exemplary methods, computer program products and/or sys 15 The array may be considered an unsigned token map. For tems discussed herein, including token map generator 318. It example, an unassigned token map may have 100,000,000 will be understood that each operation, action, step and/or rows with one or more columns comprised of empty ele other types of functions shown in the diagram, and/or com ments. Each row of the array may be associated with an array binations of functions in the diagrams, can be implemented location value (e.g., sequential integers 1 through 100,000, by various means. Means for implementing the functions of 000) and a token value (e.g., sequential integers 0 through the flow diagram, combinations of the actions in the dia 99.999,999). grams, and/or other functionality of example embodiments of FIG. 4 shows an exemplary token map 314 that has been the present invention described herein, may include hardware populated by a process such as process 320. After 324 and and/or a computer program product including a computer before 326, token map 314 may include a populated array readable storage medium (as opposed to or in addition to a 25 location column 402 and a populated token column 404 as computer-readable transmission medium) having one or well as two or more unpopulated data array columns, such as more computer program code instructions, program instruc middle-digits column 406 and check-digits column 408. All tions, or executable computer-readable program code instruc the data array columns can be configured in memory loca tions stored therein. For example, program code instructions tions for easy lookup. associated with FIG. 3B may be stored on a storage device, 30 Returning to FIG. 3B, at 326, the processor can be config such as memory 308, and executed by one or more proces ured to sequentially select array location values that are each sors, such as processor 306 and/or token map generator 318. associated with a row. Any algorithm may be used to select an Additionally or alternatively, one or more of the program unassigned rows array location value at 326. For example, code instructions discussed herein may be stored and/or per the processor may select the row having the Smallest array formed by a component external to server 104. As will be 35 location value that has not yet been reassigned a random appreciated, any such program code instructions may be token value (as discussed below). loaded onto a computer, processor, other programmable At 328, the processor can be configured to generate a apparatus (e.g., processor 306, token map generator 318, random number. For example, the processor may generate a among other things) or network thereof from one or more random integer ranging from 1 to 100,000,000 inclusive. Any computer-readable storage mediums (e.g., memory 308, 40 other bounds may be used, which may or may not be the same memory included within processor 306, and/or memory as the bounds used for the original array location values. The included in token map generator 318, memory external to random number generator may be seeded at the start with the server 104, etc.) to produce aparticular machine. Such that the current time to obtain a unique random number that would be particular machine becomes a means for implementing the hard to duplicate. In some embodiments, a new seed may be functions of the actions discussed in connection with, e.g., 45 introduced to the random number generator every predeter FIG. 3B and/or the other drawings discussed herein. As such, mined number of iterations to further obscure the random the drawings showing other flow charts included herein may CSS. likewise represent program code instructions that may be At 330, the processor locates the row having the array value loaded onto a computer, processor, other programmable that matches the random number generated at 328. For apparatus or network thereof to produce a particular machine. 50 example, if the random number is “5”, the processor will go to The program code instructions stored on the program the row of token map 314 that has “5” as its array location mable apparatus may also be stored in a computer-readable value. In some embodiments, the random number may act as storage medium that can direct a computer, a processor (Such a pointer to a memory location. as processor 306, token map generator 318, tokenizer 310, At 332, a determination is made as to whether or not the etc.) and/or other programmable apparatus to function in a 55 randomly selected rows token value is the same as the particular manner to thereby generate a particular article of sequentially selected rows array value. If the randomly manufacture. The article of manufacture becomes a means for selected rows token value is the same as the sequentially implementing the functions of the actions discussed in con selected row, a new random number is generated at 328. nection with, e.g., FIG. 3B and the other flow charts included In response to determining the randomly selected rows herein. The program code instructions may be retrieved from 60 token value is the same as the sequentially selected rows a computer-readable storage medium and loaded into a com array value, a determination is made at 334 as to whether or puter, processor, or other programmable apparatus to config not the randomly selected rows array location value is the ure the computer, processor, or other programmable appara same as the sequentially selected rows token value. tus to execute actions to be performed on or by the computer, In response to determining the randomly selected rows processor, or other programmable apparatus. Retrieval, load 65 array location value is the same as the sequentially selected ing, and execution of the program code instructions may be rows token value, a new random number is generated at 328. performed sequentially such that one instruction is retrieved, In response to determining the randomly selected rows array US 8,739,262 B2 13 14 location value is different than the sequentially selected rows middle digits value is but one type of exemplary targeted token value, process 320 proceeds to 336. segment that can be tokenized. In some embodiments, the Executing 332 and 334 may help assure that the tokenized tokenized PAN may assume a different format. Such as, e.g.: PAN is different than the untokenized PAN. In other embodi non-targeted value1+targeted segment+non-targeted value2+ ments, this functionality (and/or any other functionality) may Version ID+targeted segment+non-targeted value3. be omitted and the tokenized PAN may have the potential to The two character token map version identifier can also be be the same as the untokenized PAN. Additionally or alterna a base36 number, a letter and a number and/or formatted any tively, other functionality may be employed to help assure other way. The token map version identifier may be used by, that the tokenized PAN is different than the untokenized PAN. e.g., the tokenizer and detokenizer to identify the token map For example, the randomization criteria may also or instead 10 that was used to tokenize the PAN and can be used for deto include logic that may be used to generate token values hav kenizing the PAN. In addition to being encrypted, the token ing a length of 6 or 7, instead of 8. map may also be protected by limiting the devices that are At 336, the token value of the randomly selected row is allowed to access the token map. At 342, process 320 ends. swapped with the token value of the sequentially selected In some embodiments, rather than or in addition to execut row. In this regard, the randomly selected row will now have 15 ing 330 after 328 (or otherwise after each swap is executed), a token value that was previously associated with the sequen all values can be checked collectively after determining that tially selected row and the sequentially selected row will now all the rows have been swapped. The collective check can be have a token value that was previously associated with the used to make Sure each token value is not in its original randomly selected row. As such, the token map can be gen position and/or is not equal to its associated location array erated by randomly iterating through the rows and Swapping value. If it is determined that a token value is in its original values at the iterator location with a value at a random loca position, then the token value can be swapped with a random tion. location as discussed above. The collective position check At 338, the sequentially selected rows array location value can be repeatedly performed until all tokens are in a new can be assigned as the middle digits value (or any other type position in the token map. Once this is complete, the build of of targeted segment) associated with the randomly selected 25 the token map may be ready for use as discussed elsewhere row. This may enable the token map to be used for detokeni herein. Zation. Further to the discussion above in connection with, e.g., In some embodiments, rather than or in addition to assign operation 328 in process 320, the token map generator and/or ing each middle digits value after assigning each token value, other processor(s) may be configured to create a token map the processor may be configured to assignall the middle digits 30 that can tokenize various sized PANs or portions thereof. For values after assigning all of the token values. In yet other example, because token map 314 is shown as being config embodiments, the processor may be configured to assign the ured to tokenize eight digits of a PAN, token map 314 is middle digits values before assigning the token values, either approximately 1,000,000,000 bytes in size (four bytes for individually or collectively. each set of middle digits in middle digits column 406; four Process 320 may proceed to 340, where a determination is 35 bytes for each token intoken value column 404; and two bytes made as to whether or not all of the rows have been involved for the check digit value in check digits column 408). That is in a token value Swap and/or used by the processor as the a total often bytes per row of token map 314. Ten (bytes per sequentially selected row. In response to determining at 340 row)x100,000,000 (possible middle digits) would require that one or more rows have not, process 320 may return to 326 less than one GB (which is typically 2' or 1,073,741,824 and repeat the steps discussed above until 340 has been sat 40 bytes) of memory per token map as shown in FIG. 4. In other isfied. words, the middle digits may include 100,000,000 values In response to determining at 340 that all the rows have (when comprised of eight digits). After converting each been involved in a token value Swap and/or used as the middle digit value and token value to a long (e.g., four byte) sequentially selected row, process 320 may proceed to 340 number, (100Mx4 bytes--100Mx4 bytes), results in approxi and encrypt, save, transmit and/or otherwise output the com 45 mately an 800 MB of memory requirement. Adding a two pleted token map. In some embodiments, token map 314 can byte check digit, as shown in check digits column 408 of be encrypted using any suitable approach (Such as, e.g., RSA token map 314, can still enable a token map to be stored on key manager or “RKM) and may only be stored or otherwise less than approximately 1 GB of memory. The relatively low exist within the PCI Vault of the server (as mentioned above). memory requirement (e.g., approximately 1 GB) for a credit For example, token map 314 can be loaded into the server's 50 card security database allows token map 314 to be kept in (or other type of tokenizers) dedicated memory at startup faster memory which may in turn facilitate faster processing and, in some embodiments, token map 314 need not change (e.g., tokenizing and/or detokenizing) by, for example, server thereafter. The encrypted token map may be stored such that 104. both an authorized tokenizer and detokenizer can access and Token map 314 can also be generated to enable a detoken read the token map. 55 izer to execute a token-to-middle digits algorithm. For In some embodiments, the token map can be given a file example, one at a time for each row, the token map generator name at 340 that includes a unique two character identifier (or other machine) can convert each token value to a corre that identifies the token rendering version. In order to main sponding array pointer. The token map generator can be con tain the original PAN length and include a two character token figured to store the middle digits value in the resulting array map version identifier, the token can be converted into a 60 location. Once complete, the token-to-middle digits mapping base36 number (e.g., A-Z and 0-9). This may make two portion of token map 314 may also be complete and token character positions available to store the token map version map 314 may be ready for use without the check digits por identifier. As discussed further below, the original PAN length tion. can be used to determine the length of both the prefix and The check digits column 408 may be populated by going middle digits value used as a basis for the Base36 token. The 65 through the resulting token-to-middle digits portion of token tokenized PAN can assume the following format: Prefix map 314 and middle digits-to-token portion of token map Version ID+Base36+Suffix. As noted elsewhere herein, the 314, one row at a time, and using as inputs the token value and US 8,739,262 B2 15 16 middle digits value of the same row. For example, check digit card processing operations can increase performance and column 408 may be populated based upon the values in token stability of server 104 and/or the entire credit card processing value column 404 and middle digits column 406 that are system. associated with the same array location value. The check digit The security provided by some embodiments may depend value can then be calculated by adding each digit to the next upon and/or be enhanced by the randomness of the token for all numbers in the token and middle digits. When eight generation and security of token map 314. As mentioned digits are used in the middle digits, this will result in a number above, the tokenizer, token generator and/or any other pro between 0 and 198 (9x16 digits), which can be stored in the cessor(s) can be configured to create random tokens and map corresponding array location row in the check digit portion of the tokens to numbers prior to actually tokenizing a PAN. token map 314. 10 This differs from some traditional tokenization systems that As mentioned above, in some embodiments, it is critical to use the randomness of credit card usage to assign tokens in a protect the security of the final token map. For recoverability, relatively large central database. However, unlike such tem multiple copies of the token map can exist, since the token poral-based token assignment systems, because token maps map cannot be recreated due to its inherent randomness. in accordance with some embodiments discussed herein are Creating multiple copies can be accomplished in a number of 15 matrices of the middle digits values and the token values, ways. For example, the token map(s) can be replicated via a complete PANs do not need to be (although they could be) secure connection to one or more additional servers and/or stored anywhere in systems inaccordance with some embodi other machines. This can keep the token map only in memory. ment. Furthermore, there is no need for some embodiments to As another example, the token map can be stored on remov (although some could) transmit complete PANs (tokenized, able memory (such as a disk, flash drive, DVD, etc.). The encrypted and/or otherwise) anywhere within the system (at token map can be encrypted when copying the token map least for the tokenization process). Similarly, there is no need onto a disk that has adequate space and/or places the token to transmit a complete, untokenized PAN over public net map at a higher risk for theft and unauthorized access. works. PANs can be tokenized by the server that maintains the Once the token server is operational and the token map is firewall for an intranet, as discussed above. Some token map loaded into the tokenizer's and/or the server's memory, look 25 embodiments discussed herein, can be used in combination ing up the token or middle digits can be executed using a with legacy systems, including temporal-based token assign direct memory access. For example, to convert middle digits ment systems. Some token map embodiments may also be to a token, the tokenizer can be configured to use the middle used to tokenize an encrypted PAN and/or other code. digits as a pointer to an array position and directly access a FIG. 3C shows another exemplary process, process 346, long integer (four bytes) which contains the corresponding 30 for generating a token map. FIG. 3C begins at 346. At 348, the token. To revert back to the initial middle digits, a token can processor (which may be comprised of more than one can be converted to the middle digits by using the token as the physical component) can be configured to generate an array pointer for a direct memory access. Using the token as an of a predetermined size (e.g., 100 million elements). The array pointer and using the long integer at that location as the array may later be combined with one or more additional corresponding middle digits can allow some embodiments to 35 arrays to construct token map 314. implement direct memory access procedures. As such, access At 352, the processor can be configured to sequentially to the token and middle digits can be a direct memory access. select an index to an array element. For example, the proces No indexes, such as array location values, need to be created Sor may be configured to loop through the array elements or read to find the corresponding item. from Smallest to largest. In embodiments where the token contains non-numeric 40 At 354, the processor can be configured to generate a characters, those tokens can be calculated at after retrieving a random number. For example, the processor may generate a token or converting a token to a numberprior to looking up the random integer ranging from 1 to 100,000,000 inclusive. Any middle digits. other bounds may be used, which may or may not be the same The check digit can also be based on a direct lookup, using as the bounds used for the original array location values. The the same multiplier and a different memory offset. For 45 random number generator may be seeded at the start with the example, the check digit can be calculated and checked current time to obtain a unique random number that would be before any return to the calling application. hard to duplicate. In some embodiments, a new seed may be Because the creation of the token map can be separate from introduced to the random number generator every predeter and/or prior to the operation of the tokenizer, there can be a mined number of iterations to further obscure the random division of responsibilities. For example, only the creator of 50 CSS. the token map may know how the token map’s creation was At 356, the processor can be configured to determine achieved. As such, the token map creation logic can be opera whether the value assigned to the element located at the array tionally separate from any of its server's other processing element having an index equal to the random number is the equipment and even be implemented on its own, dedicated same as the value of the sequentially selected index value. If server and/or other device. 55 the determination at 354 has affirmative result, process 346 Because token map 314 is created by, e.g., token map returns to 354. If the determination has a negative result, generator 318 and/or can otherwise be received by tokenizer process 346 proceeds to 358. 310 in its complete form prior to executing tokenization or At 358, a determination is made as to whether or not the detokenization (as opposed to being retrieved and/or added to random number is equal to the value of the array at sequen each time a new credit card is initially used with a system) and 60 tially selected index. If the determination at 358 has affirma because token map 314 can be configured to be stored in the tive result, process 346 returns to 354. If the determination server's faster-access memory (albeit often much smaller has a negative result, process 348 proceeds to 360. than slower-access memory), at least one type of legacy data At 360, the value of the array at randomly element is base may be omitted when implementing some embodiments Swapped with value of the array at the sequentially selected of the present invention. Eliminating the dependency on the 65 element. relatively large legacy databases (such as mainframe 114) At 362, a determination is made as to whether or not all of and/or other persistent storage devices during normal credit the array elements have been involved in a Swap. In response US 8,739,262 B2 17 18 to determining at 362 that one or more elements have not been be configured to extract the vendor code from the string of Swapped (e.g., the processor has not looped through all 100 numeric digits at 514. The vendor code may be, for example, million elements), process 346 may return to 352 and repeat the first two, three or four numeric digits in the string. The the steps discussed above until 362 has been satisfied. Vendor code may be a universal bank identifying number In response to determining at 362 that all the elements have (“BIN). been involved in a Swap (e.g., the loop is completed), process At 516, the processor can be configured to determine the 346 may proceed to 364 and encrypt, save, transmit and/or length of the string of numeric digits, which may include otherwise output the completed the array. removing spaces, dashes, dots and other non-numeric char At 366, a token map can be created by first generating a acters that may have otherwise been included in the mes second array (e.g., the middle digits value array), initializing 10 Sage's numeric string. the array created using the previous steps of process 346, and then initializing second array using the following logic: At 518, the processor can determine whether the length of Second arrayfirst array index index; the numeric digits corresponds with the length of a PAN Second arrayfirst array O=0; associated with the vendor code. For example, an American Second array5000-0 (assuming value at first arrayIO is 15 Express BIN should be associated with a 15 digit numeric 5000); PAN, while a MasterCard BIN should be associated with a 16 Second arrayfirst array1=1 m; digit numeric PAN. The test executed at 518 may be based on, Second array4000-1 (assuming value first array1 is for example, a finite list of BIN codes. 4000). In response to determining at 518 that the length of the Token Map may then contain the first and second arrays. In numeric digits does not correspond with the predetermined this example, the token array (e.g., first array) with token length of PAN associated with the vendor code, the processor values is generated first and middle digits array is constructed may be configured to remove digits from the PAN. For using the token array values as its subscript values. Then the example, the processor may remove digits representing the two arrays can be combined to create the token map. expiration date from the string of numeric digits. 25 At 522, a determination is made after the digits have been Pre-Parsering removed as to whether the length of the string of digits is still at least ten. In response to determining the string length is less Before the token map is used to tokenize a PAN, some than ten, process 500 returns to 504. In response to determin embodiments may include one or more pre-parser processors ing the string length is at least ten process 500 returns to 518. and/or other types of processor(s) that execute a pre-parser 30 After a determination is made at 518that the string's length process, which can include locating, extracting, validating matches the length of a PAN associated with the vendor code, and outputting a PAN from data signals received by the server one or more confirmatory tests may be executed at 524. For and/or other machine. In some embodiments, the pre-parser example, the Luhn test can be executed at 524. A determina process may be performed by a physical component included tion is then made at 526 as to whether or not the confirmatory in a server or other type of machine, a stand alone machine 35 test(s) passed or failed. In response to determining the con that processes data independent from other devices, software, firmatory test(s) failed, process 500 returns to 504. In firmware, and/or combination thereof. FIG.5 shows an exem response to determining the confirmatory test(s) passed, pro plary pre-parcer process, process 500, which starts at 502. cess 500 proceeds to 528 and the processor masks the string of At 504, the processor may receive a message that may or digits and logs the event. Process 500 then ends at 530 and, in may not include at least one PAN. The message may be 40 Some embodiments, the string of digits may be Subsequently received from, for example, known message-oriented tokenized and/or otherwise processed by an electronic middleware, such as IBM's MQSeries(R). As another example, device. the message may be received in accordance with known pro tocols such as hypertext transmission protocol (“HTTP). Tokenization At 506, the processor can be configured to determine 45 whether the message received at 504 has a length that is at The tokenization process can receive a PAN as an input and least a predetermined number of characters. For example, the output a token. The tokenization process may be performed processor may be configured to determine whether the mes by one or more processors configured to function as a parser sage is at least ten characters in length. and a tokenizer. In some embodiments, the token can be In response to determining at 506 that the message length 50 generated using a token map, such as token map 314 dis is the predetermined number of characters or less (e.g., ten cussed above. The token may uniquely represent the original characters or shorter), process 500 proceeds to 508 and ends. PAN and be the same length as the original PAN. In some In response to determining at 506 that the message length embodiments, the processor that executes the tokenization is more than the predetermined number of characters (e.g., process may be parser hardware running a tokenizer applica more than ten characters), the processor can be configured to 55 tion programming interface (API). search the message at 510 for a string of numeric digits having A tokenizer API may receive, for example, a twelve to a length that is within a predetermined range (e.g., at least ten nineteen String of numeric digits from a pre-parser. If the numeric digits and less than twenty numeric digits). Addi tokenizer API receives non-numeric digits, the tokenizer API tional and/or different criteria may also be used at 510 by the may be configured to generate an error. Other exemplary error processor. 60 conditions may include the String of digits having a length At 512, the processor can be configured to determine less than twelve (or any other minimum value) and a length whether a string of numeric digits of the appropriate length greater than nineteen (or any other maximum value). In some and/or otherwise meeting the criteria of 510 has been found in embodiments, a tokenizer API may be a web API and/or be the message received at 504. In response to determining no configured to accept one or more PANS in a single tokeniza Such string of digits is included in the message, process 500 65 tion request. Below is an example of an XML payload that returns to 504. In response to determining that Such a string of shows how multiple PANs can be passed to the tokenizer to numeric digits is included in the message, the processor can create tokens. US 8,739,262 B2 19 20 received from source devices and/or any other device. The pre-parser may be implemented as a dedicated physical com