Using Tokenization to Keep Cardholder Data Safe
All merchants that store, process or transmit cardholder data must comply with the card industry's mandate to protect it. Unfortunately, with payment fraud rising in recent years, keeping that data safe isn't easy.
Payment Card Industry Data Security Standard
The PCI Security Standards Council, founded by the major card brands, maintains the Payment Card Industry Data Security Standard. PCI-DSS sets out the requirements merchants must meet to secure the sensitive data that's used during card transactions. Compliance lowers the likelihood and the impact of a breach; it is a baseline, not a guarantee.
Achieving and maintaining PCI-DSS compliant status is a time-consuming and expensive task, and it still doesn't ensure total protection for cardholders. Data breaches still occur.
Many businesses therefore look for ways to supplement their PCI-DSS protection. The most common supplementary security methods are end-to-end encryption (often marketed in the payments world as point-to-point encryption, or P2PE) and tokenization.
Addressing Security Vulnerability
Whether used separately or jointly, end-to-end encryption and tokenization help merchants reduce vulnerability during transaction processing.
There are two main points of vulnerability, and each technology addresses a different one:
| Technology | Vulnerability issue solved |
|---|---|
| End-to-end encryption (E2EE) | Secures card data from the moment it is captured (at the terminal or checkout page) until it reaches the acquirer for authorization, so it is never in the clear on the merchant's systems in between. |
| Tokenization | Secures card data that the merchant would otherwise keep on file after authorization (for recurring billing, refunds and disputes), by replacing the stored card number with a token. |
Choosing the appropriate security technology is a decision the merchant must carefully consider.
Tokenization replaces sensitive credit card information (the primary account number, or PAN) with a surrogate value called a token, or alias. The merchant never stores credit card numbers; it accumulates tokens instead.
After authorization is obtained from the issuing bank, the card data is sent to a highly secured server called a tokenization vault. The vault is operated by the merchant's processor or by an independent tokenization provider, not by the merchant.
The vault generates a unique value made of randomly generated digits to stand in for the sensitive information. This token, not the card number, is what is returned to the merchant.
The vault also maintains a carefully guarded database that maps each token back to the authentic card information. The merchant can exchange a token for the card data when there is a legitimate need (for example, when disputing a chargeback), but only through the vault and only if it is authorized to make that request.
Benefits of Tokenization
There are several benefits to tokenization:
- If the merchant experiences a security breach, the cardholder's information is safe. The attacker obtains tokens rather than card numbers, and tokens cannot be reversed without the vault. A well-designed vault only honors detokenization requests that are authenticated as coming from the merchant, so stolen tokens are of little use outside the merchant's own environment. (The merchant's credentials for the vault therefore need the same protection the card numbers once did.)
- Tokenization shrinks the cardholder data environment, the part of the merchant's systems that is subject to PCI-DSS requirements and audits, because systems that hold only tokens are not storing cardholder data. This saves the merchant both time and money, though it does not remove the compliance obligation entirely: any point where card data is still captured remains in scope.
- Many merchants prefer tokenization to end-to-end encryption because of the cost. A token is created once and can then be used throughout the merchant's systems as if it were the card number. The merchant doesn't have to pay to encrypt the data, decrypt it, and re-encrypt it every time it is used.
Considerations When Implementing Tokenization
Before proceeding with tokenization, there are several things a merchant should consider:
- Ideally, a merchant will be able to find a tokenization vendor that offers the most security for the least IT investment.
- If the business changes vendors or processors, the merchant needs to retain ownership of the tokenized data and a contractual right to migrate it. Tokens are only meaningful to the vault that issued them, so a migration means the old vault must hand the underlying card data to the new one.
- Without additional products and support, cardholder information is still vulnerable during the short period between capture and authorization, before the vault has issued a token.
- Tokenization is an all-or-nothing security measure; it can't be implemented piecemeal. Every system that used to store card numbers has to switch to tokens, because any system that still holds a card number stays inside the PCI-DSS scope.
- Tokens should be built from random numbers. They should not be derived from the card number by an algorithm or any other predictable method that could be reversed. In particular, a plain hash of the card number is not a safe token: the space of valid card numbers is small enough that an attacker can hash candidates and match them.
- The token should have the same number of digits as the original card number, so existing databases and applications that expect a card-number field accept it without changes.
- The last four digits of the token should match the last four digits of the card number. The merchant can print the usual masked value on the receipt, and the cardholder won't notice that it represents a token instead of a credit card number.
- To reduce the risk of a token colliding with, or being mistaken for, a real account number, tokens should not begin with the digits the major card networks use (3, 4, 5 or 6).
- Merchants need to be able to quickly exchange tokens for actual card information when chargebacks are issued. The representment window is extremely limited; merchants can't afford to have dispute efforts slowed down by tokenized data.
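To make the vault flow and the token-format rules above concrete, here is a small in-memory tokenization vault written for this article. It is an added example, not the code of any vendor or of Chargebacks911. It generates format-preserving tokens that keep the last four digits, never start with 3, 4, 5 or 6, and (an extra hardening assumed here, not a rule stated above) fail the Luhn check that real card numbers pass, so a token can never be processed as a PAN by accident. Detokenization is keyed by a merchant identifier, which stands in for the authenticated merchant credential a real vault would require, and the same card always maps to the same token for a given merchant so recurring billing keeps working. The test card number and merchant names are constructed sample data.

```python
import hmac
import secrets

# Leading digits used by the major card networks (from the guidance above).
CARD_NETWORK_LEADING_DIGITS = "3456"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check that every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def generate_token(pan: str) -> str:
    """Random, format-preserving token for `pan`.

    Same length, same last four digits, first digit never 3/4/5/6, and the
    token must fail Luhn so it cannot be mistaken for a real card number.
    Nothing about the token is derived from the PAN except the last four.
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    allowed_first = [d for d in "0123456789" if d not in CARD_NETWORK_LEADING_DIGITS]
    while True:
        first = secrets.choice(allowed_first)
        middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
        token = first + middle + pan[-4:]
        if not luhn_valid(token):   # roughly 9 in 10 candidates pass this filter
            return token


class TokenVault:
    """Toy vault: (merchant_id, token) -> PAN.

    A production vault keeps this store encrypted, access-controlled and
    audited, and authenticates every caller; here merchant_id stands in for
    that authenticated identity and the store lives in memory.
    """

    def __init__(self):
        self._store = {}        # (merchant_id, token) -> PAN
        self._by_pan = {}       # (merchant_id, HMAC(PAN)) -> token, for reuse lookups
        # Keyed hash for the reuse index: a plain SHA-256 of a PAN is brute-forceable
        # because the PAN space is small, so the index is keyed with a vault secret.
        self._index_key = secrets.token_bytes(32)

    def _index(self, merchant_id: str, pan: str):
        mac = hmac.new(self._index_key, pan.encode(), "sha256").hexdigest()
        return (merchant_id, mac)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Return the token for this card at this merchant, issuing one if needed."""
        key = self._index(merchant_id, pan)
        if key in self._by_pan:
            return self._by_pan[key]          # same card, same token: recurring billing works
        while True:
            token = generate_token(pan)
            if (merchant_id, token) not in self._store:   # avoid the rare collision
                break
        self._store[(merchant_id, token)] = pan
        self._by_pan[key] = token
        return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Exchange a token for the PAN, e.g. to fight a chargeback.

        A token issued to one merchant is meaningless to another, which is why a
        stolen token is of little use to an attacker without the merchant's credential.
        """
        try:
            return self._store[(merchant_id, token)]
        except KeyError:
            raise PermissionError("unknown token for this merchant") from None


def receipt_mask(number: str) -> str:
    """Masked form for receipts; looks identical whether given a PAN or its token."""
    return "*" * (len(number) - 4) + number[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                    # constructed test card number
    token = vault.tokenize("merchant-A", pan)
    print("token:", token, "receipt:", receipt_mask(token))
    print("detokenized:", vault.detokenize("merchant-A", token))
    try:
        vault.detokenize("merchant-B", token)   # another merchant cannot use it
    except PermissionError as e:
        print("merchant-B:", e)
```

Note what the merchant keeps: only `token`, which its existing 16-digit card-number columns accept and which prints on receipts exactly as the card would. Everything that can turn the token back into a card number (the store and the index key) lives inside the vault, which is the point of the exercise.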
Costs Associated with Tokenization
Merchants should carefully weigh the costs of implementing additional security measures. They must also weigh the cost of not taking appropriate preventative action.
Industry estimates put the average cost of a security breach at roughly $200 per compromised cardholder. With the average breach affecting 28,000 cardholders, a single incident can cost the merchant over $5.6 million.
Another costly mistake is assuming that extra data security means less fraud. Tokenization reduces security risk, not fraud risk: it protects stored card data from being stolen, but it does nothing to verify that the person presenting a card is entitled to use it. Merchants remain fully exposed to unauthorized transactions and the chargebacks that follow.
If you’d like to learn more about keeping both your data and your revenue safe, let us know. Chargebacks911® offers turnkey services designed to produce long-term, sustainable growth.