What businesses and consumers need to know about this form of security
The primary reason for tokenization is security. As a merchant, you must provide this security, but you also need flexibility. And your requirements shouldn’t compromise your basic business needs.
Mobile wallets and Apple Pay have increased the public’s awareness of tokenization. They like the sound of the term because what they’re hearing is that it’s safe; that hackers can’t steal credit card information from merchants because merchants don’t store it. Here’s what you need to know about this online defense measure in order to fully explain it to your customers.
The benefit statement
Tokenization keeps credit card data safe from external hackers and internal bad employees. The payment processor is the only entity able to decode these tokens. It effectively reduces consumer credit card fraud because if you’re not keeping customer data, it can’t be stolen from you.
Tokenization also means that you don’t have to invest in as many steps to make your payment structure secure. It’s easier to keep PCI-compliant when you’re storing as little financial data as possible on your system.
What many are unaware of is that tokenization can be used for any kind of personal information. It’s mainly used in the U.S. by retailers to protect financial data. But in other parts of the world, it’s used to secure a much broader range of personal information.
The ABCs of tokenization
If you’re a merchant, you know the drill. But let’s make a zero-knowledge assumption here so we’re sure we’re all on the same page:
- A customer comes to your website and wants to make a purchase with their credit card. Whether you ask to save that payment information to make future purchases or just capture it for a single use, you don’t store this data.
- Instead, you pass it to your merchant acquirer.
- The acquirer creates a random number – a token – and returns it to you. They, and not you, store your customers’ private information and link it to the token they sent back to you.
- You use this token to process the customer’s purchase. You’ll use it again in the future if the customer asked you to store their credit card information.
You don’t want to be hacked, of course. But if you are, these tokens are useless to the criminal. The acquirer will only accept them if they come from you.
Great, if it stops there
As soon as we hear the word “encrypted,” we are happy. If you’re a bad guy, you have to jump through a lot of hoops to decrypt information that you steal. Customers want to hear the E-word. What they probably don’t realize is that there’s nothing about tokenization that’s encrypted.
Tokenization assigns random, globally unique alphanumeric values to payment card data after a bank authorization. It has no value outside of your environment. It needs no encryption, as tokenization is completely random. There’s no mathematical pattern to decode or decrypt.
This definition of tokenization is important. It was designed this way to never keep a permanent relationship with a credit card. Tokens aren’t predictable, and the number of alphanumeric permutations means they can never be repeated.
If tokenization is a one-time event, it’s as secure as it can be. This was the original design: A single transaction.
Tokenization, the next (not-so-secure) step
Digital wallets and other processes that use tokenization have taken the “one time only” security of the original process and made it a more permanent relationship (This is a huge simplification. There are many security steps in place).
This type of tokenization protects the cardholder, but not the merchant. Having a token that references the same card number isn’t all that secure. All that’s really been accomplished is that a new number was assigned for use in place of the actual credit card number.
There’s a big difference between using a once-only token and a reusable alias. The latter is a step backward in security.
Tokenization – the real thing
It’s the industry standard. The original one-use method of tokenization protects you, the merchant. As mobile wallets and chip card usage increases, we’ll see tokenization move away from this practice in the name of convenience.
Compliance and security practices will have to compensate for this deviation from the original form of tokenization. Meanwhile, as a merchant, you should remain vigilant about these trends, and your basic information security.
If you’re interested in learning more about tokenization and other essential security protocols for your data, reach out to CloudHesive today.