Before I begin, let me be perfectly clear. I think process patents should go the way of the dodo. I believe that most process patents do nothing more than stifle innovation by giving a monopoly or barrier to competition to the first to file – whether or not the process existed or was in use by competitors prior to the filing. There is a key requirement to patents that, in theory, prevents what I call frivolous patent filings: "Inventive step and non-obviousness." But there is a loophole here: The United States Patent and Trademark Office. Simply make a claim with sufficiently confusing details and jargon, throw in a few references to other parts of the same patent, and poof – patent approved!
Now that I briefly side-tracked this post with my rant on process patents, let me get back to an old favorite subject of mine – and the thing that scared me most about this most recent patent I reviewed. That subject is how scary implementations of tokenization can be thanks to the Great Bastardization of Tokenization by the PCI SSC.
I began my research after receiving this email:
Hey Steve,
I’m no expert on patents, but wouldn’t this fall under prior art from us?
http://www.hispanicbusiness.com/2013/12/4/patent_issued_for_system_for_protecting.htm...
I’m no expert on patents, but wouldn’t this fall under prior art from us?
http://www.hispanicbusiness.com/2013/12/4/patent_issued_for_system_for_protecting.htm...
The article references US patent 8,595,850.
US patents can be very confusing to read. When researching for possible infringement the Claims section is the most important part. The rest of the patent text is used as background info and sometimes claim context to justify to the USPTO that the patent passes their "inventive step and non-obviousness" requirement.
This patent makes 7 claims, but claims 2-7 each refer back to claim 1. So here is claim 1 with the important information highlighted:
- A method of generating a token using computing equipment associated with a token generating organization, comprising: with the computing equipment, receiving a token request from a token requestor over a communications network, wherein the token request includes a number; with the computing equipment, mapping half of the number to a half-token; with the computing equipment, modifying the half-token; with the computing equipment, mapping the modified half-token to an additional half-token; with the computing equipment, modifying the additional half-token; and with the computing equipment, combining the modified half-token and the modified additional half-token to form the token.
These tokens are obviously mathematically related to the PAN and I believe this vendor calls them "vaultless tokens" because the PAN does not need to be stored – they can be recreated (decrypted) from the token and the "half-token" table. This mathematical relationship was specifically forbidden in the original tokenization definition, but PCI SSC – with the help of the Tokenization Special Interest Group (other vendors with non-tokenization solutions that wanted to ride on the tokenization coattails) and in the name of vendor neutrality – allowed for schemes like these to be called tokens.
Now, security wise, here is the difference between tokens generated under this patent, which still qualify as PCI-compliant tokens, and TrueTokens®, which are non-mathematically related. To compromise the tokens generated under this patent, all one needs is a copy of the "half-token" table and all the tokens generated by the table can be decrypted. But with TrueTokens, to compromise the PANs one would need a copy of the entire "vault" which contains both the PANs and the key(s) used to encrypt the PANs within the vault. PCI requires PANs to be encrypted when stored and mandates proper key management – not so with the "half-token" table.
By accommodating mathematically related tokens in PCI's definition of tokenization, they opened the door for weaker tokenization solutions like this. The problem is, QSAs must either dig deep into the details of each tokenization solution they come across to determine whether the merchant is using a legitimate tokenization solution (like TrueTokenization), or a tokenization in name only (TINO) solution, which wears the tokenization name badge but provides non of the security and scope reduction. This type of solution analysis adds costs to an audit. Unfortunately, the QSAs alternative is to assume that every solution is a TINO, which impacts scope (adding another cost).
Obviously, Shift4 does not infringe on this patent, because we wouldn’t release garbage like this if our life depended on it. That's my take on this patent. I welcome your thoughts.
Until next post…
No comments:
Post a Comment