Like most people, you own and use a credit or debit card. You keep your PIN under lock and key and your card is never out of sight. You’re protected, right? Maybe not as protected as you might like to be.
It is no surprise that credit and debit card numbers—along with other sensitive data, such as medical records, driver’s license numbers, and financial statements, to name a few—are protected by encryption. The function of most encryption tools and techniques is to hide the original data. Encryption is a method that uses an algorithm to effectively mix up credit card or other important information, making it unintelligible for anyone without proper authorization. So say you make a purchase from your home computer on a company’s e-commerce site and the transaction is completed without a hitch. Your original card numbers are still intact on any company’s internal networks where you may have made the purchase, leaving your information potentially vulnerable to hackers and thieves.
Enter tokenization, a new way to safeguard your most precious information. Since end-to-end encryption can be compromised, many companies are considering tokenization because it is cheaper, easier to use and more secure than encryption. Tokenization involves completely erasing credit card data, or other safeguarded data, from a company’s internal network. In turn, this information is replaced with another set of specialized numbers, a “token”. The token is used by merchants when they need to retrieve the credit card information, all the while keeping the actual numbers stored in a secure, offsite location.
Say, for instance, you go to the gas station and you use your credit card to purchase gas and additional sundries. Three days later, you learn there has been a breach of the credit card information at the gas station. Everyone who has made a purchase with their card at that station is now at risk and you need to worry that some unsavory person has access to your credit card numbers, and potentially your money. Tokenization alleviates that worry; instead of gathering your actual credit card numbers, the robber walks away with a proxy instead.
Tokenization is more widely used than you may imagine. Tokens for the bus or the subway, or a token at an arcade are examples of money being safeguarded and swapped out for a suitable substitute. Another example of tokenization takes place every time you go to a casino and place a bet on a blackjack hand or the roulette wheel. You start off with cash—the real commodity—and trade it in for casino chips, or “tokens”. This protects the casino from theft but protects your interests, as well…you will get $100.00 for that $100.00 chip when you cash it in!
In order for tokenization or data vaulting services to be viable, the tokenization system has to be segregated and divided from any data processing systems that may have previously stored the real data. Part of the beauty of tokenization is there are no “back doors” for hackers to unlock. The tokenization system can create tokens for real data and revert the sensitive data back under tight security controls. As the tokens replace the real numbers or sensitive information, there is less exposure of the true data which reduces the risk of the information being compromised. The computer applications can use the tokens in place of the live data, making the transaction safer.
To protect credit and debit card data, tokenization is just one means of shielding cardholder data while keeping up with ever-changing industry standards and government regulations. Probably the most common use of tokenization is in credit card processing, where alternate numerals replace the primary account number. Overall, the tokenization process is only as strong as the hacker’s ability to guess at the correct credit card number—without clues. If you are planning to utilize the tokenization process in your business, be aware that there are certain regulatory requirements, as well as varying technical or operational limitations.
Tokenization can be a great benefit to cardholders who have monthly recurring charges for an online service. If a merchant’s system is hacked with tokenization in place, the hacker will receive nothing other than non-decryptable data in place of a cardholder’s personal information. Coupled with end-to-end encryption, data can be secured en route to the tokenization site, making a hack job that much more difficult.
The Payment Card Industry Data Security Standard sets out guidelines stating that any type of business or organization that houses, processes or transmits card number information must provide a protection system for that information. When using tokenization as the protection system in a credit card situation, for example, the “token” numbers can be formatted to mimic the actual number, say as in a bank account number. One reason businesses like the tokenization method is that they do not have to house confidential customer data on their internal networks. Companies that decide to house this information in house risk liabilities and costs not associated with sending this secured information to a third-party tokenization site. In all, tokenization protects the client, the vendor and the credit card company from breaches and undue loss. With a tokenization system in place, cardholder data becomes useless to hackers, dramatically reducing the overall accountability that merchants are held to.
For companies with antiquated systems, the regulations set forth by the Payment Card Industry Data Security Standard only make the in-house storage of client data that much more difficult. Once a company starts to accept credit card payments, it must become Payment Card Industry compliant. Tokenization would be a smart option for older companies because the encrypted card data is kept in a Payment Card Industry compliant data vault. The merchant no longer has to store the raw data, just the tokens. Tokenization protects the data because, unlike an encrypted card number, a token cannot be reversed to reveal the true credit card number. Tokenization is also Payment Card Industry compliant and reduces the cost and liability to the merchant.
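As an added illustration (not code from the original article), here is a minimal sketch of the model described above: a segregated vault issues random tokens formatted like the card number, the merchant stores only tokens, and reverting a token is restricted to an authorized caller. The names `TokenVault` and `merchant_checkout` and the caller labels are hypothetical, and the in-memory dictionaries stand in for the offsite vault's storage.

```python
import secrets

class TokenVault:
    """Constructed stand-in for the segregated vault; merchant systems never see its tables."""

    def __init__(self, authorized_callers):
        self._authorized = frozenset(authorized_callers)
        self._pan_by_token = {}
        self._token_by_pan = {}
        self.audit_log = []  # (caller, token, allowed) for every detokenize attempt

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]  # same card, same token: recurring charges work
        while True:
            # Random digits of the same length: nothing about the token derives from the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token, caller):
        allowed = caller in self._authorized and token in self._pan_by_token
        self.audit_log.append((caller, token, allowed))
        if not allowed:
            raise PermissionError("detokenization refused")
        return self._pan_by_token[token]

def merchant_checkout(vault, orders_db, order_id, pan):
    """Merchant side: hand the card number to the vault, persist only the token."""
    orders_db[order_id] = vault.tokenize(pan)
    return orders_db[order_id]

def demo():
    vault = TokenVault(authorized_callers={"payment-processor"})
    orders = {}  # everything an intruder on the merchant network could copy
    pan = "4111111111111111"  # well-known test card number, not a real account
    token = merchant_checkout(vault, orders, "order-1", pan)
    merchant_checkout(vault, orders, "order-2", pan)
    try:
        vault.detokenize(token, caller="web-frontend")
        refused = False
    except PermissionError:
        refused = True
    return orders, token, refused, vault.detokenize(token, "payment-processor")

if __name__ == "__main__":
    print(demo())
```

The merchant's `orders` table ends up holding only tokens, and every attempt to revert one, allowed or refused, lands in the vault's audit log.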