For businesses that accept credit and debit card payments, protecting customer data is a top priority. A breach of confidential information can lead to financial losses, customer churn, and reputational damage – issues that directly impact the bottom line and public trust. To keep cardholder data safe, merchants often rely on encryption or tokenization.
Let’s clear up some confusion around these methods – how they work, how they differ, and how they complement each other.
The PCI DSS is a set of rules aimed at protecting sensitive credit card information. It requires businesses that handle card data to follow strict security practices, which helps protect cardholder data, implement control measures, and ensure compliance.
One key requirement is converting sensitive data into a secure format, making it unreadable to unauthorized users. This can be achieved through encryption or tokenization.
The purpose of most encryption tools and techniques is to scramble data, then allow it to be unscrambled, or decrypted, when needed.
Think of encryption as a code, not unlike one that armies use to send messages to their commanders or allies during wartime. It uses an algorithm to scramble information and make it unreadable to anyone without the proper decryption key. The scrambled or encrypted data often resides on a company’s internal servers or networks.
Encryption is essential for securing data in transit, such as during online transactions. PCI DSS mandates the use of protocols like Transport Layer Security (TLS) to encrypt data while it moves across networks. Data at rest is the more vulnerable, because it sits where hackers looking to expose and steal it can more easily reach it. If an experienced hacker is able to decrypt the data, they effectively hold the key that unlocks all of the sensitive information being stored. Encryption alone, then, is not completely secure in the face of such threats.
Many companies have found tokenization to be cheaper, easier to use and more secure than end-to-end encryption.
Tokenization replaces original card data with a unique, generated placeholder, or “token”. Because tokens are randomly generated and there is no algorithm to regain original information, they have no meaning by themselves. Thus, crooks can’t reverse-engineer credit card information, even if they were to grab tokens off of a company’s servers. Tokenization increases security because tokens are worthless to criminals should a company’s system be breached in any way.
Tokenization can be done in-house or outsourced.
If done in-house, merchants must move their cardholder data to an environment called the token vault. When it’s time to process the information, merchants send the token representing the card data to the token vault to retrieve the PAN and forward it to the network for authorization. This scheme reduces the instances of card data floating around the merchants’ systems and thus the ability for a hacker to siphon it away.
Outsourced tokenization works in the same way, but eliminates the card data from the merchant environment. This is much like emptying a warehouse so that a thief has nothing to steal. Merchants use only the token to retrieve, access or maintain their customers’ credit card information. Meanwhile, their customers’ card data is stored at a highly secure, offsite location by a vendor with PCI certification.
Whether done in-house or outsourced, tokenization doesn’t alter the merchant’s payment processing or channels. Just like credit cards, tokens can be used for customer sales, refunds, voids, and credits—only they’re a much safer option. The appeal of removing confidential customer credit card data from internal networks is one of the biggest reasons why more and more companies are turning to tokenization.
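A minimal model of the token-vault flow described above, added here as an example and not code from the original post. The vault, merchant and order records are assumed for illustration (the same vault class stands in for either an in-house vault or an outsourced vendor), and the card numbers are constructed test values.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Basic Luhn check so the vault rejects obviously malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place a PAN lives (merchant-run in-house, or vendor-run when outsourced)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:           # assumption: one stable token per card
            return self._token_by_pan[pan]
        while True:                              # random value, derived from nothing
            token = "tok_" + secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault that issued a token can resolve it; anything else is a KeyError."""
        return self._pan_by_token[token]


class Merchant:
    """Merchant environment: records hold tokens and amounts, never card numbers."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: dict[str, tuple[str, int]] = {}

    def record_sale(self, order_id: str, pan: str, amount_cents: int) -> str:
        token = self.vault.tokenize(pan)         # PAN handed off immediately
        self.orders[order_id] = (token, amount_cents)
        return token

    def authorize(self, order_id: str) -> dict:
        """Swap token for PAN at the vault, then build the authorization request."""
        token, amount = self.orders[order_id]
        pan = self.vault.detokenize(token)
        return {"pan_last4": pan[-4:], "amount_cents": amount}   # stand-in for network call
```

The merchant's order records contain only tokens, so a copy of them taken from the merchant environment yields nothing a criminal can use.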
Companies that collect and store credit card data often find the PCI process to be a huge headache with potentially significant liabilities and costs. Because every point at which credit card data is handled must be secured, conforming to these rules as well as building and defending one’s own data fortress can become extraordinarily difficult and expensive.
Because outsourced tokenization removes card data completely from the merchant environment, there is nothing useful left for criminals, and the liability and costs that merchants often associate with PCI compliance are dramatically reduced.
Many merchants find outsourcing to be less expensive than creating a team or diverting employees’ hours to card security and PCI compliance. Typically an outsourced solution will be about one-third the cost of an in-house solution.
As cyber threats continue to evolve, tokenization has become a preferred choice for businesses prioritizing secure, efficient payment processes.
Contact us today to get started!
The information in this blog post is for educational purposes only. It is not legal, tax or investment advice. For legal, tax, or investment advice, you should consult your own legal counsel, tax, and investment advisers.
Editorial note: This article was originally published on July 17, 2017, and has been updated for this publication.