
Tokenization eases merchant PCI compliance

By Larry Wine, special to Network World
March 30, 2010 02:43 PM ET
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Network World - Today, it's expected that merchants accept electronic payments and that those payments are secure with no data leaks or breaches of any kind. But the reality is many merchants don't truly understand the vulnerabilities that electronic payments present. They may think they are secure when in fact they are at risk.

The Payment Card Industry Security Standards Council (PCI SSC) has been addressing security concerns by issuing the PCI Data Security Standard (PCI DSS) and ratcheting up compliance requirements. As a response, the industry has been flooded with solutions claiming to provide heightened security for a merchant's data. Merchants often invest in these offerings out of fear, uncertainty or doubt. What most don't understand is that the solutions are not bulletproof and they still may not be able to pass an audit.

One thing that could help is a solid tokenization solution: it can take companies into a safe harbor and remove much of that navigational stress. According to a recent Gartner Group report, "Using Tokenization to Reduce PCI compliance Requirements", "enterprises that have successfully implemented tokenization … have reduced the scope of … costly PCI compliance audits while keeping sensitive cardholder data more contained and secure."

So what is tokenization? It is a technology that leapfrogs better-known, traditional encryption: it removes sensitive data from enterprise systems entirely, yet it is complementary to legacy enterprise systems.

The technology works by intercepting cardholder data entered into an enterprise payment acceptance system such as a Web store, CRM, ERP or POS and replacing it with a surrogate "token", a unique ID created to stand in for the actual data associated with a specific card number. Tokenization differs from other security solutions dealing with PCI issues because it is "waterproof", whereas encryption is merely "water resistant".

Tokenization offers two key benefits: delivered under a Software-as-a-Service (SaaS) model, it ensures no customer card data resides within company systems, and it is cost-effective.

Benefits of SaaS

With a tokenization solution outsourced via a SaaS model, cardholder data never resides in the merchant's environment. The premise of encryption remains true -- protect sensitive data with complex encryption algorithms wherever sensitive data is stored. But tokenization takes the principle to a new level: protect sensitive cardholder data by removing it from merchant systems entirely. Quite simply, merchants do not need to encrypt what they do not store. Let someone else shoulder the burden.

By eliminating the storage of cardholder data, merchants realize a multitude of financial, operational and security advantages. A tokenization solution requires minimal up-front capital expenditure, if any. And it saves on the back end, too, by preventing costly breaches. If thieves know you don't hold any valuable data, they have no reason to break into your systems. And in the event that the worst happens and someone figures out how to hack a token -- the breach would be extremely limited; there would only be access to one card number.
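To make the mechanism concrete, here is an added example (not code from the article or from any vendor's product) of the three properties described above: the provider intercepts the card number and hands back a surrogate token, the merchant's own records end up holding tokens rather than cardholder data, and a token by itself reveals nothing about the card it stands for. `TokenVault` is a hypothetical stand-in for the SaaS provider, with an in-memory dictionary in place of the provider's real vault; `MerchantOrders` is a hypothetical merchant order system; the sample PANs are widely published test card numbers, not real cards.

```python
import secrets
import string

# Constructed input: widely published test card numbers (Luhn-valid, not real cards).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to reject malformed input before it is sent to the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization provider (the SaaS side). This is the only place the
    PAN<->token mapping exists; the merchant never sees its internals."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}   # in-memory stand-in for the provider's vault
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize a malformed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]       # one card -> one token, so repeat customers match
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider resolves tokens, e.g. when forwarding a charge to the acquirer."""
        return self._token_to_pan[token]

    def _new_token(self, pan: str) -> str:
        # Format-preserving surrogate: same length and same last four digits as the PAN, so
        # legacy systems that validate field width or display "**** 1111" keep working.
        # All other digits come from a CSPRNG, so nothing about the PAN is derivable from
        # the token. The token is also required to FAIL the Luhn check, so it can never be
        # mistaken for, or accidentally processed as, a real card number.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                return token


class MerchantOrders:
    """Hypothetical merchant-side system (web store / ERP). It stores tokens, never PANs,
    which is what keeps its database out of the merchant's PCI DSS scope."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: list[dict] = []

    def checkout(self, order_id: str, pan: str, amount_cents: int) -> str:
        token = self.vault.tokenize(pan)   # PAN goes straight to the provider and is not kept
        self.orders.append({"order_id": order_id, "token": token,
                            "display": f"**** {token[-4:]}", "amount_cents": amount_cents})
        return token

    def stores_pan(self, pan: str) -> bool:
        """Scope check: does any stored field contain the full card number?"""
        return any(pan in str(v) for order in self.orders for v in order.values())


def run_demo() -> dict:
    """Exercise the flow and report the properties the text claims for tokenization."""
    vault = TokenVault()
    merchant = MerchantOrders(vault)
    t1 = merchant.checkout("A100", SAMPLE_PANS[0], 1999)
    t2 = merchant.checkout("A101", SAMPLE_PANS[0], 500)    # same customer, second order
    t3 = merchant.checkout("A102", SAMPLE_PANS[1], 4200)
    return {
        "same_card_same_token": t1 == t2,
        "different_cards_differ": t1 != t3,
        "merchant_holds_no_pan": not any(merchant.stores_pan(p) for p in SAMPLE_PANS),
        "vault_roundtrip": vault.detokenize(t1) == SAMPLE_PANS[0],
        "token_not_a_valid_pan": not luhn_valid(t1),
        "last4_preserved": t1[-4:] == SAMPLE_PANS[0][-4:],
        "format_preserved": t1.isdigit() and len(t1) == len(SAMPLE_PANS[0]),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The `stores_pan` check is the kind of evidence a QSA will ask for: a search of the merchant's data stores for anything that looks like a card number should come back empty. Note that the "one card number" limit from the article holds only for what a single token exposes; the vault itself remains the high-value target, which is why it lives with the provider and is detokenized only for the charge path.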
