Tokenization in mobile environments

US 9,514,457 B2
Filed: 10/16/2014
Issued: 12/06/2016
Est. Priority Date: 02/10/2012
Status: Active Grant

First Claim

Patent Images

1. A method for tokenizing data, comprising:

establishing, by a hardware input/output interface of a communication system, a temporary communication session with a mobile device via a communication channel between the communication system and the mobile device;

receiving, by the hardware input/output interface, data from the client system via the communication channel and during the temporary communication session;

identifying, by an interface controller of the communication system, a portion of the received data for tokenization;

accessing, by the interface controller, session information uniquely identifying the temporary communication session between the communication system and the client system;

selecting, by a token server of the communication system communicatively coupled to the hardware input/output interface via a first hardware communication bus and configured to receive the session information via the first hardware communication bus, one or more token tables from a set of token tables stored within a memory of the token server based on the accessed session information, every token table in the set of token tables mapping, for an input string of a particular length and for a particular set of input string characters, every possible input string value to a different token before the temporary communication session is established;

receiving, by a security engine of the communication system communicatively coupled to the token server via a second hardware communication bus and communicatively coupled to the hardware input/output interface via a third hardware communication bus, the second one or more token tables via the second hardware communication bus;

receiving, by the security engine, the identified portion of the received data via the third hardware communication bus;

tokenizing, by the security engine, the identified portion of the received data using the selected one or more token tables; and

outputting, to a client system external to the communication system via a second communication channel between the communication system and the client system, the tokenized data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Data can be protected in mobile and payment environments through various tokenization operations. A mobile device can tokenize communication data based on device information and session information associated with the mobile device. A payment terminal can tokenize payment information received at the payment terminal during a transaction based on transaction information associated with the transaction. Payment data tokenized first a first set of token tables and according to a first set of tokenization parameters by a first payment entity can be detokenized or re-tokenized with a second set of token tables and according to a second set of tokenization parameters. Payment information can be tokenized and sent to a mobile device as a token card based on one or more selected use rules, and a user can request a transaction based on the token card. The transaction can be authorized if the transaction satisfies the selected use rules.

Citations

16 Claims

1. A method for tokenizing data, comprising:
- establishing, by a hardware input/output interface of a communication system, a temporary communication session with a mobile device via a communication channel between the communication system and the mobile device;
  
  receiving, by the hardware input/output interface, data from the client system via the communication channel and during the temporary communication session;
  
  identifying, by an interface controller of the communication system, a portion of the received data for tokenization;
  
  accessing, by the interface controller, session information uniquely identifying the temporary communication session between the communication system and the client system;
  
  selecting, by a token server of the communication system communicatively coupled to the hardware input/output interface via a first hardware communication bus and configured to receive the session information via the first hardware communication bus, one or more token tables from a set of token tables stored within a memory of the token server based on the accessed session information, every token table in the set of token tables mapping, for an input string of a particular length and for a particular set of input string characters, every possible input string value to a different token before the temporary communication session is established;
  
  receiving, by a security engine of the communication system communicatively coupled to the token server via a second hardware communication bus and communicatively coupled to the hardware input/output interface via a third hardware communication bus, the second one or more token tables via the second hardware communication bus;
  
  receiving, by the security engine, the identified portion of the received data via the third hardware communication bus;
  
  tokenizing, by the security engine, the identified portion of the received data using the selected one or more token tables; and
  
  outputting, to a client system external to the communication system via a second communication channel between the communication system and the client system, the tokenized data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the identified portion of the received data comprises one of:
    - communication data entered at the mobile device by a user of the mobile device and authenticating data identifying the mobile device or the user of the mobile device.
  - 3. The method of claim 1, wherein the accessed session information comprises a count of previous communication sessions between the mobile device and the communication system.
  - 4. The method of claim 1, wherein the accessed session information comprises a date and time of a previous communication session between the mobile device and the communication system.
  - 5. The method of claim 1, wherein selecting one or more token tables comprises:
    - identifying a seed value based on the accessed session information; and
      
      generating the one or more selected token tables using the identified seed value.
  - 6. The method of claim 1, further comprising:
    - identifying a number of tokenization iterations based on the accessed session information;
      
      wherein tokenizing the identified data using the selected one or more token tables comprises performing a number of tokenization operations on the identified portion of the received data equal to the identified number of tokenization iterations.
  - 7. The method of claim 1, further comprising:
    - identifying an initialization vector (“
      
      IV”
      
      ) based on the accessed session information; and
      
      modifying the identified portion of the received data using the IV before tokenizing the identified portion of the received data.
  - 8. The method of claim 1, further comprising:
    - identifying an encryption key based on the accessed session information; and
      
      encrypting the tokenized data using the identified encryption key prior to outputting the tokenized data.

9. A communication system for tokenizing data, comprising:
- a hardware input/output interface configured to establish a temporary communication session with a client system external to the communication system via a communication channel and to receive data from the client system via the communication channel and during the temporary communication session;
  
  an interface controller configured to;
  
  identify a portion of the received data for tokenization; and
  
  access session information uniquely identifying the temporary communication session between the communication system and the client system;
  
  a token server communicatively coupled to the hardware input/output interface via a first hardware communication bus and configured to receive the session information via the first hardware communication bus and select one or more token tables from a set of token tables stored within a memory of the token server based on the accessed session information, every token table in the set of token tables mapping, for an input string of a particular length and for a particular set of input string characters, every possible input string value to a different token before the temporary communication session is established; and
  
  a security engine communicatively coupled to the token server via a second hardware communication bus and communicatively coupled to the hardware input/output interface via a third hardware communication bus and configured to;
  
  receive, via the second hardware communication bus, the selected one or more token tables;
  
  receive, via the third hardware communication bus, the identified portion of the received data;
  
  tokenize the identified portion of the received data using the selected one or more token tables; and
  
  output, to a second client system external to the communication system via a second communication channel, the tokenized data.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The communication system of claim 9, wherein the identified portion of the received data comprises one of:
    - communication data entered at the client system by a user of the client system and authenticating data identifying the client system or the user of the client system.
  - 11. The communication system of claim 9, wherein the accessed session information comprises a count of previous communication sessions between the communication system and the client system.
  - 12. The communication system of claim 9, wherein the accessed session information comprises a date and time of a previous communication session between the communication system and the client system.
  - 13. The communication system of claim 9, wherein selecting one or more token tables comprises:
    - identifying a seed value based on the accessed session information; and
      
      generating the one or more selected token tables using the identified seed value.
  - 14. The communication system of claim 9, wherein the token server is further configured to:
    - identify a number of tokenization iterations based on the accessed session information;
      
      wherein tokenizing the identified data using the selected one or more token tables comprises performing a number of tokenization operations on the identified portion of the received data equal to the identified number of tokenization iterations.
  - 15. The communication system of claim 9, wherein the security engine is further configured to:
    - identify an initialization vector (“
      
      IV”
      
      ) based on the accessed session information; and
      
      modify the identified portion of the received data using the IV before tokenizing the identified portion of the received data.
  - 16. The communication system of claim 9, wherein the security engine is further configured to:
    - identify an encryption key based on the accessed session information; and
      
      encrypt the tokenized data using the identified encryption key prior to outputting the tokenized data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Protegrity US Holding LLC
Original Assignee
Protegrity USA, Inc. (Xcelera Inc.)
Inventors
Mattsson, Ulf, Rozenberg, Yigal
Primary Examiner(s)
LE, CHAU D

Application Number

US14/516,489
Publication Number

US 20150039519A1
Time in Patent Office

782 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/606   by securing the transmissio...

G06F 21/6245   Protecting personal data, e...

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/3223   Realising banking transacti...

G06Q 20/326   Payment applications instal...

G06Q 20/34   using cards, e.g. integrate...

G06Q 20/367   involving electronic purses...

G06Q 20/382   insuring higher security of...

G06Q 20/3821   Electronic credentials

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/4014   Identity check for transact...

G06Q 20/405   Establishing or using trans...

G06Q 2220/00   Business processing using c...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0428   wherein the data content is...

H04W 12/02   Protecting privacy or anony...

H04W 12/03   Protecting confidentiality,...

Tokenization in mobile environments

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Tokenization in mobile environments

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links