For companies that accept credit and debit card payments, a breach of credit card and confidential customer data is among the most serious risks a business faces. Failure to protect data leads to financial costs, customer defections and loss of reputation — all of which affect the bottom line and public perception.
To protect card data you can encrypt it, tokenize it, or do both. Many people are unsure what tokenization actually is, how it differs from encryption, and how the two complement each other.
First off, let’s review what the Payment Card Industry Data Security Standard (PCI DSS) requires us to do:
PCI DSS applies to everyone who collects, stores, processes or transmits cardholder data, meaning the primary account number (PAN), or sensitive authentication data, meaning the full track data from a swiped card and the card verification value (CVV) taken over the phone or through the Web. If a business stores the PAN it must be rendered unreadable; encryption is the most common way to do that, but the standard also accepts truncation, strong one-way hashing and index tokens. Track data and the CVV must not be stored at all once the transaction has been authorized.
The purpose of most encryption tools and techniques is to render the original data unreadable, then allow the decryption routine to restore the readable data.
Think of it as a code, not unlike one that armies use to send messages to their commanders or allies during wartime. Encryption uses an algorithm and a key to scramble information, making the data unreadable to anyone without the decryption key. The encrypted data often resides on a company’s internal servers or networks.
PCI DSS requires that card data be protected in transit over open networks, and TLS is normally used for that purpose, encrypting the data in motion (PCI DSS 3.1 deprecated SSL and early TLS, so TLS 1.0 is no longer acceptable and TLS 1.1 or, preferably, 1.2 must be used). It is the data at rest that is most exposed: it sits on disk where an attacker has time to look for it. Encryption does not remove that risk so much as concentrate it in the key: an attacker who obtains the decryption key can read every record that key protects, so key management, not the cipher itself, is the hard part. As most merchants aren’t information-security specialists, some choose to store the data offsite.
Tokenization replaces credit card data (and in the case of top-tier solutions like 3DSI’s CardVault, bank account data as well) with a unique, generated placeholder, or “token.” Tokens have no meaning by themselves and are worthless to criminals if a company’s system is breached in any way. For example, if someone’s actual credit card number were 2123 3456 5678 6789, the token generated for it might be EGHV234AUD54367. The token is drawn at random rather than computed from the card number, so there is no key and no function that maps it back to the original; the only link between the two is the lookup table inside the token vault. Crooks can’t reverse-engineer the actual credit card number even if they grab every token off the servers.
Tokenization can be done in-house or outsourced.
If done in-house, the merchant moves the cardholder data to an environment called the token vault, and the tokens are used in the merchant’s business systems to refer to the card. When it is time to process a payment, the system sends the token to the token vault, retrieves the PAN and forwards it to the network for authorization. This scheme reduces the number of places card data exists in the merchant’s systems, and thus the opportunities for a hacker to siphon it away; the vault and the systems allowed to call it remain in PCI DSS scope and must be segmented and hardened accordingly.
Outsourced tokenization works in the same way but eliminates the card data from the merchant environment, much like emptying a warehouse so that a thief has nothing to steal. Merchants use only the token to retrieve, access or maintain their customers’ credit card information. Meanwhile the card data is stored at a secure, offsite location by a vendor that has itself been validated against PCI DSS as a service provider.
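To make the in-house flow above concrete, here is a minimal token vault written for this page as an added illustration; it is example code, not 3DSI’s CardVault or any product’s API, and the token format (twelve random characters followed by the card’s last four digits), the Luhn pre-check and the in-memory store are all assumptions. The vault hands business systems a random token, keeps the only mapping back to the PAN, and returns the PAN just once, at authorization time.

```python
"""Illustrative in-house token vault (added example, not 3DSI code)."""
import re
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_RANDOM_LEN = 12   # assumed format: 12 random chars + last four PAN digits


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check run before anything is vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a plausible PAN")
    return pan


class TokenVault:
    """The only place the PAN exists.

    A production vault must itself render stored PANs unreadable (PCI DSS
    requirement 3.4) and live in a segmented cardholder data environment;
    here the store is an in-memory dict purely for illustration.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}   # token -> PAN
        self._by_pan: dict[str, str] = {}     # PAN -> token, so a repeat card reuses its token

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # The token comes from a CSPRNG, not from the PAN: no key or
            # function maps it back, only this table does.
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_RANDOM_LEN))
            token += pan[-4:]   # last four kept so receipts can show "ending in 1111"
            if token not in self._by_token:   # guard against an (unlikely) collision
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Called only by the payment component at authorization time."""
        try:
            return self._by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")   # well-known Visa test PAN
    print("order system stores:", tok)
    print("gateway receives PAN:", vault.detokenize(tok))
```

The test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444 are the standard published test PANs and pass the Luhn check; the article’s illustrative number 2123 3456 5678 6789 does not, so this vault would refuse to tokenize it. Reusing a token for a repeat card is a design choice that lets business systems recognise a returning customer without seeing the PAN; a vault that must not reveal card reuse across merchants would issue a fresh token every time.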
In either case, using tokens doesn’t alter the merchant’s payment processing or channels. Just like card numbers, tokens can be used for mail order/telephone order (MOTO) and e-commerce for all transaction types, including customer sales, refunds, voids and credits.
The key benefit of outsourcing boils down to credit card storage. Removing confidential customer credit card data from their internal networks is one of the biggest reasons why more companies are relying on tokenization. All merchants who accept, transmit, process or store credit card data online, in a store, by phone or by mail must validate each year, by self-assessment questionnaire or an assessor’s report depending on their transaction volume, that their IT security and processes meet the 12 PCI DSS requirements.
Companies that collect and store credit card data often find the PCI process to be a huge headache, with significant liabilities and costs, rather than anything their customers notice as a convenience. Because every point at which credit card data is handled must be secured, conforming to these rules while building and defending one’s own data fortress can become extraordinarily difficult and prohibitively expensive.
Because outsourced tokenization removes stored card data from the merchant environment, there is nothing useful for criminals to take from a breached merchant, and the liability and costs that merchants often associate with PCI compliance are dramatically reduced. The caveat is the capture point: a web form or call-centre application that receives the card number and then forwards it to the vendor for tokenization still handles cardholder data and stays in scope, which is why tokenization vendors typically also offer hosted capture so that the PAN never touches the merchant’s systems at all.
Many merchants find outsourcing to be less expensive than creating a team or diverting employees’ hours to card security and PCI compliance. Typically an outsourced solution will be about one-third the cost of an in-house solution.
- Read more: “How to Build a Business Case for Tokenizing Credit Card Data”