Tokenization for Credit Card Data Security
February 21, 2014
In an ongoing effort to facilitate worldwide interoperability and acceptance of secure payment transactions, EMVCo announced earlier this year that it will expand its scope of work from chip-based payments to include tokenization.
What is tokenization?
According to the PCI Security Standards Council, tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a "token". This means that sensitive credit card information is replaced with a random value that retains the card's essential information without compromising security. Tokens come in many sizes and formats, including numeric characters, a combination of alphanumeric characters, or a truncated version of the primary account number with additional characters.
How does tokenization benefit merchants?
The greatest benefit to merchants is the added layer of security, since there is no longer any need to store sensitive credit card data locally. This eliminates the risk of sensitive data falling into the wrong hands, a common cause of great concern among merchants both big and small. With tokenization, the merchant loses nothing except the risk associated with keeping the card data. What's more, enterprises that do not store payment data are eligible for simpler, less expensive PCI self-assessments.
Is tokenization more secure than encryption?
Tokenization and encryption are complementary processes. Encryption protects card data as it is read at a point-of-sale (POS) terminal, either from the magnetic stripe or from a chip-enabled card inserted into the terminal. It transforms the primary account number, which is in plaintext format, into a non-readable form called ciphertext. This prevents hackers from stealing the data as it is transmitted to the server. Encryption protects data in transit.
Tokenization, on the other hand, protects data at rest after authorization. After authorization from the card issuer, a token is returned to the merchant's systems in lieu of the primary account number. Tokenization is therefore arguably more secure, since it removes sensitive credit card data from the merchant's domain entirely. Tokenization has been praised as an option for merchants looking to establish payment networks that limit access to sensitive financial data, as stipulated under PCI Data Security Standard regulations.