For companies that accept credit and debit card payments, a breach of confidential customer data is among the most serious risks they face. Failure to protect data leads to financial costs, customer defections and loss of reputation—all of which affect bottom line and public perception.
To protect card data, merchants might encrypt it, or they might tokenize it. But many are confused by what exactly these two methods are, how they’re different, and how they complement each other.
The Payment Card Industry Card Data Security Standard (PCI DSS) requires those who work with payment cards to adhere to certain regulatory practices. For security reasons, individuals and businesses that collect, store and transmit card data or sensitive authentication data must convert that information from ordinary language to a code. The two main ways sensitive data is converted are encryption and tokenization.
The purpose of most encryption tools and techniques is to scramble data, then allow it to be unscrambled, or decrypted, when needed.
Think of encryption as a code, not unlike one that armies use to send messages to their commanders or allies during wartime. It uses an algorithm to scramble information and make it unreadable to anyone without the proper decryption key. The scrambled or encrypted data often resides on a company’s internal servers or networks.
PCI DSS requires that card data is protected in transit and typically SSL/TLS (now > TLS 1.0 for PCI DSS 3.1) is used for that purpose, encrypting the data in motion. It is data at rest that is the most vulnerable, as it is more easily accessible to hackers looking to expose and steal it. If an experienced hacker is able to decrypt the data, then they have the key to unlock all of the sensitive information being stored. It is clear then that encryption is not completely secure in the face of security threats.
Many companies have found tokenization to be cheaper, easier to use and more secure than end-to-end encryption.
Tokenization replaces original card data with a unique, generated placeholder, or “token.” Because tokens are randomly generated and there is no algorithm to regain original information, they have no meaning by themselves. Thus, crooks can’t reverse-engineer credit card information, even if they were to grab tokens off of a company’s servers. Tokenization increases security because tokens are worthless to criminals should a company’s system be breached in any way.
Tokenization can be done in-house or outsourced.
If done in-house, merchants must move their cardholder data to an environment called the token vault. When it is time to process the information, merchants send the token representing the card data to the token vault to retrieve the PAN and forward it to the network for authorization. This scheme reduces the instances of card data floating around the merchants’ systems and thus the ability for a hacker to siphon it away.
Outsourced tokenization works in the same way, but eliminates the card data from the merchant environment—much like emptying a warehouse so that a thief has nothing to steal. Merchants use only the token to retrieve, access or maintain their customers’ credit card information. Meanwhile, their customers’ card data is stored at a highly secure, offsite location by a vendor with PCI certification.
Whether done in-house or outsourced, tokenization doesn’t alter the merchant’s payment processing or channels. Just like credit cards, tokens can be used for customer sales, refunds, voids and credits—only they’re a much safer option. The appeal of removing confidential customer credit card data from internal networks is one of the biggest reasons why more and more companies are turning to tokenization.
Companies that collect and store credit card data often find the PCI process to be a huge headache with potentially significant liabilities and costs. Because every point at which credit card data is handled must be secured, conforming to these rules as well as building and defending one’s own data fortress can become extraordinarily difficult and expensive.
Because outsourced tokenization removes card data completely from the merchant environment, there is nothing useful for criminals and the liability and costs that merchants often associate with PCI compliance are dramatically reduced.
Many merchants find outsourcing to be less expensive than creating a team or diverting employees’ hours to card security and PCI compliance. Typically an outsourced solution will be about one-third the cost of an in-house solution.