Tokenization can significantly improve data security and mitigate the risks of data breaches. However, its promise is largely unrealized in the retail industry due to its low adoption rate, which can be blamed on a poor understanding of what exactly tokenization does.
How does tokenization work? How does it differ from data encryption, and how can it benefit retailers and other businesses that rely on credit card transactions?
Understanding How Credit Card Tokenization Works
To understand how tokenization works, it helps to compare a tokenized credit card transaction with a traditional one. In a traditional credit card transaction, a buyer swipes a credit card at a POS machine or enters the credit card number into an ecommerce website. The merchant receives the credit card number and sends it to a payment processor, which processes the transaction. The credit card number is then stored in the merchant’s POS terminal or ecommerce website and in its internal systems.
In a tokenized credit card transaction, when the buyer swipes a credit card at a POS machine or enters the credit card number into an ecommerce website, the credit card number is first passed to a tokenization system. The tokenization system creates a string of random characters to replace the credit card number. This string of characters is called a “token.” The token is returned to the POS terminal or ecommerce website and also passed to the merchant’s internal systems, where it is stored. Thus, the customer’s credit card number is never stored in any of the merchant’s systems, including its website and POS terminal. To process the payment, the tokenization system sends the credit card number to the payment processor to complete the payment transaction.
Minimizing the Impact of Security Breaches
Credit card tokenization beefs up merchants’ end-to-end data security, from the point of data capture to storage, as it eliminates the actual storage of credit card numbers in the POS terminals and merchants’ internal information systems. But the greatest benefit of tokenization is that it minimizes the impact of security breaches for merchants.
Since merchants store tokens instead of credit card numbers in their systems, hackers who breach those systems will acquire only tokens, which are worthless and meaningless. The credit card numbers are stored in the databases of the third-party tokenization solutions provider, effectively passing the risk from the merchant to the solutions provider.
Advantages Over Data Encryption
Tokenization is different from encryption. Encryption uses algorithms to generate a string of incomprehensible characters from a set of data like a credit card number. While this seems similar to the tokenization process, encryption is reversible while tokenization is not. Once a hacker or a criminal obtains the encryption key or cracks the algorithm used to encrypt the data, the encrypted characters can be reversed to arrive at the original data. Tokens, on the other hand, are randomly generated and do not have any mathematical relationship with the original data.
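The flow described under "Understanding How Credit Card Tokenization Works" and the point above about random tokens can be sketched in a few lines of Python. This is an added illustration, not code from any tokenization product: `TokenVault`, `Merchant`, the `tok_` prefix and the processor callback are hypothetical names, and the card number is a constructed test value.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: a widely used test card number

class TokenVault:
    """Hypothetical stand-in for the tokenization provider's system."""

    def __init__(self):
        self._pan_by_token = {}  # the token-to-card mapping exists only here

    def tokenize(self, pan):
        while True:
            # Token comes from the OS CSPRNG; the card number is not an input.
            token = "tok_" + secrets.token_hex(8)
            if token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def charge(self, token, amount_cents, processor):
        # Only the vault can turn a token back into a card number, by lookup.
        pan = self._pan_by_token.get(token)
        if pan is None:
            return False  # unknown token: there is nothing to charge
        return processor(pan, amount_cents)

class Merchant:
    """Merchant side: POS or ecommerce site plus internal systems."""

    def __init__(self, vault):
        self.vault = vault
        self.orders = []  # what an intruder in the merchant's systems would find

    def checkout(self, pan, amount_cents, processor):
        token = self.vault.tokenize(pan)  # card number goes straight to the vault
        approved = self.vault.charge(token, amount_cents, processor)
        self.orders.append({"token": token, "amount_cents": amount_cents,
                            "approved": approved})
        return token

def demo():
    seen_by_processor = []
    def processor(pan, amount_cents):  # hypothetical payment processor
        seen_by_processor.append(pan)
        return True
    shop = Merchant(TokenVault())
    first = shop.checkout(TEST_PAN, 2599, processor)
    second = shop.checkout(TEST_PAN, 1000, processor)
    return shop.orders, seen_by_processor, first, second
```

The merchant's order records hold only tokens, two purchases with the same card yield unrelated tokens, and a token presented to any vault other than the one that issued it resolves to nothing.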
Encrypted data also remain in merchants’ internal information systems. This means that merchants are still vulnerable to security breaches if and when criminals gain access to the encryption keys or crack the algorithm.
Finally, encrypted credit card numbers are mostly secure while stored in a database or while in transit during a payment transaction (from the merchant to the payment gateway or processor). However, as is often the case with merchant companies, credit card information is passed to multiple internal information systems. In order for different departments to process the information, they need to decrypt the credit card number and then re-encrypt it for security. Each encrypt, decrypt, and re-encrypt cycle provides criminals with more opportunities to compromise the critical credit card numbers.
Reduced Scope of PCI DSS Compliance
Tokenization does not completely eliminate the need to comply with the Payment Card Industry Data Security Standard (PCI DSS). However, since merchants that use tokenization no longer store their customers’ credit card numbers in their POS terminals and internal systems, the number of systems covered by PCI DSS requirements is greatly reduced.
For example, the number of systems that provide security services, such as authentication servers, and are covered by the PCI DSS requirements is greatly reduced, since tokenization enables those systems to carry incomprehensible tokens instead of the actual credit card numbers. Tokenization also effectively reduces the impact of other system components such as internal firewalls, name resolution, and web redirection servers on the security of the cardholder data environment (CDE).