Card fraud at the Point-of-Sale (POS) has been on the rise as the security chip provides little protection for data stored after the purchase, and especially when mobile payments are factored in. This is where tokenization becomes relevant.
[Editor’s note: This is a guest article submitted by Lori Ciavarella]
Enticing Targets for Cyber Thieves
The end of 2013 through to 2014 was a difficult time for merchants and data security. Huge corporations like Target and Home Depot experienced significant data breaches, leading to millions of compromised card numbers. In both cases, the numbers were most at risk while “at rest,” – sitting on a server. Although these numbers were encrypted while stored, as they are required to be by the Payment Card Industry Data Security Standard (PCI DSS), they were still enticing targets for cyber thieves.
EMV has been introduced in the US to thwart card fraud at the Point-of-Sale (POS) but the chip provides little protection for data stored after the purchase, and especially when mobile payments are factored in. This is where tokenization becomes relevant.
What is Tokenization?
To understand tokenization, let’s start by reviewing what has been the standard method for card processing to date – encryption. Think of encryption as hiding a credit card number in a room behind a locked door in a public building with many rooms. The key is also somewhere in the same building. If you have the key, or can find it, you can open the door and obtain the number. It’s as simple as that.
But what if that room in the same building was filled with random letters and numbers, and the actual card number was hidden away in a lockbox? And that lockbox is not only hidden, but it’s hidden in a different, private building, nowhere near the original building? You wouldn’t even need the locked door, because you aren’t storing anything of value in the room. This is tokenization.
[Click on the picture above for a larger view]
Instead of storing a scrambled version of the card number that can be reverted into the original, tokenization creates a completely random number, or token, and stores that on the server instead. The actual number is stored elsewhere, onsite or offsite, in a better secured location or vault.
This isn’t a perfect analogy, of course, since encryption and tokenization aren’t mutually exclusive. Instead, they are two security methods that can work well together [much like in Bitcoin]. Encryption protects data in motion, while tokenization is effective for data while it’s being stored. Few organizations are using the methods in conjunction, but it’s a likely scenario in the near future.
How the Payment Industry Sees Tokenization
Due to the increase in hacking attempts and the cost of data breaches, the payments industry is highly motivated to define and implement a standard for tokenization. EMVCo, formed in 1999 and overseen by American Express, Discover, JCB, Mastercard, UnionPay and Visa, collaboratively published tokenization standards for the payment industry in 2014.
Thanks to the increasing popularity of mobile payments, tokenization will only become more crucial for the industry. Of utmost importance to consumers is that their payment methods are secure and convenient. However, tokenization is also seen as the perfect partnership for mobile as it provides a layer of security for consumers that is vital to protecting their card data while also being ubiquitous across multiple devices and locations.
The Benefit to eCommerce
eCommerce exists in a state of threat, with vast quantities of transactional data stored on the internet. This opens eCommerce merchants up to attack risks and necessitates layer upon layer of security due to the need to be PCI compliant. However, with tokenization, the amount of data they need to store, and by extension their risk, is significantly reduced.
Tokenization doesn’t completely remove retailers from the need to be PCI compliant, but it does help to reduce the scope of systems that fall under the PCI umbrella. In some instances, this can minimize the time and money spent on resources and costly annual PCI audits.
A Step in the Right Direction
Of course, tokenization isn’t the perfect solution. There is customer data to be stored and protected by retailers that tokenization can’t facilitate and encryption is still required for the point-to-point transportation of card numbers. Furthermore, hackers are adaptable, and they will likely change targets from retailers to data vaults. Nevertheless, if tokenization is viewed as an additional layer of security to card processing, and not as a silver bullet, it’s a step in the right direction toward reduced fraud and compromised card numbers.
Lori Ciavarella serves as CIO for BillPro. A problem-solver by nature and an experienced business owner and manager, she is in her element helping businesses improve operations, manage change, and develop talent.
Do you think tokenization can help reduce data security breaches? Let us know in the comments below!
Images courtesy of shutterstock, crimsontt.com, paymentscardsandmobile.com