What is Tokenization in the Credit Card Payment Industry?
"Passwords are like underwear; you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers," wrote Chris Pirillo. As I embark on my new journey as a content writer for a merchant services company, such data security thoughts are always at the from of my mind.
In the tech world, the more data gets passed around, the more opportunities there are for it to be stolen or misused. An increasingly popular approach for the protection of sensitive data is the use of a token (or alias) as a substitute for a real credit card number.
The need for such measures becomes more evident with every security breach. For example, between Nov. 27 and Dec. 15, 2013, 40 million credit and debit card numbers were stolen from Target. 70 million records that included names, addresses, email addresses and phone numbers of Target shoppers were compromised. Credit unions and community banks spent hundreds of millions of dollars reissuing tens of millions of credit cards.
What is Tokenization
In my journey into the world of moving money from one place to another, this process was one of the first key terms to regularly pop up. With Tokenization, financial and other sensitive records are transferred between parties in reordered strings of letters and numbers. These unique identification symbols, or tokens, retain all the essential information without compromising its security.
When the cardholder swipes their card at a merchant, the card and transaction data flow through the merchant acquirer to the cardholder’s bank, which confirms that the cardholder is authorized to make the transaction. This structure was invented and is perpetuated by Visa and Mastercard, which serve as the information switches between the four parties.
An Overview of Tokenization & the Credit Card Industry with Akamai Chief Security Officer Andy Ellis
Inside the Process
Hypercomplexity in the computers leads to simplicity for businesses. Mathematical formulas and random number generators create characters that are of no value to a hacker. In this fashion, Tokenization reduces the amount of data a business needs to keep on hand. It has become a popular way for small and mid-sized businesses to bolster the security of credit card and e-commerce transactions. At the same time, it lowers the cost and complexity of compliance with industry standards and government regulations.
A payment card is used in a transaction and, once authorized, the cardholder data is sent to a centralized and highly secure server called a “vault.” Next, a random unique number is generated and returned to the merchant’s system. The token can be used in various business applications as a reliable substitute for the real card data.
Encryption and Best Practices
A secure cross-reference table is established to allow authorized lookup of the original value, using the token as the index. Encryption tools and secure key management complements this approach by protecting the original value within this environment. To anyone who doesn’t have authorization to access the vault, the token value is totally meaningless. Random characters don't help a thief.
The tokenization system must be secured and validated using security best practices applicable to sensitive data protection. These include secure storage, audit, authentication and authorization. The tokenization system provides data processing applications with the authority and interfaces to request tokens, or detokenize back to sensitive data.
Tokenization Adds Value
Sensitive data can’t be breached if it’s not there in the first place. At a time when cardholder data loss is at an all-time high, tokenization is extremely valuable for businesses, including those who have previously passed their PCI DSS audits. Even merchants who have full encryption solutions are investigating how the addition of tokenization can benefit them.
"The benefits of tokenization far outweigh the barriers to adoption as exhibited by the monetary losses associated with security breaches at major retailers," according to Jay Weber at PaymentsLeader.com. "As new payment technologies are emerging to protect ... customer’s personal financial information, take advantage of the opportunities presented and find a way to make them work for you."