Tokenization

What to do when you get rid of a computer
February 21, 2017
CardConnect with CardSecure
March 7, 2017

As a merchant that accepts credit cards, meeting PCI security standards is imperative not only to keeping yourself safe but to staying in business. Much of what allows you to meet PCI compliance is done automatically by the system that has been installed, including one of the most important parts of data security: tokenization. It sounds complicated, and it is, for good reason: protecting data is one of the most important things you do as a merchant.

Tokenization is complicated. We will attempt to explain its inner workings simply in this blog post, but there is much more to it. The easiest way to describe it is replacing sensitive information with gibberish, also known as a token. The token itself tells a thief nothing; only when it is decrypted by the system that issued it does it provide the map back to the real information.

The term tokenization comes from the use of tokens, but not on computers. In many mass transit systems customers had to purchase tokens to use the system, or think back to the days of your youth when you went to the arcade and had to purchase tokens to play the games. A token is basically an alternative currency that is only usable in one place. You couldn’t take a token from SEPTA in Philadelphia and use it on the T in Boston. These tokens were designed to limit fraud and theft.

This is part of the larger process of encryption that happens whenever sensitive data is entered into a computer. The encryption process begins before the card information is swiped or dipped and before any information is entered into the POS system. Data remains encrypted until it is received by the processing host. If this is done properly, the amount of usable information a thief can obtain in a data breach will be much less.

There are a few limitations to tokenization. There is a lack of standardization among tokens, which means the tokens used with one data center may differ from those used with another. This requires constant updating between the two, eating a lot of processing power and storage space. Another is that there is a master database, since every token has to point back to the correct information; this makes an attractive target for hackers. Tokenization processes that use random number generators must be monitored to avoid predictability and compromise.
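To make the idea concrete, here is a small added example of a token vault in Python. It is written for this post and is not CardConnect's or CardSecure's code; the vault is an in-memory dictionary, the index key is a constructed demo value, and the card number is the standard 4111... test number. It shows the two points above: the token the merchant keeps carries nothing beyond the last four digits, the only way back to the card number is through the vault (the master database), and the token is drawn from the operating system's cryptographic random source rather than a predictable generator.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo key for the vault's lookup index. In a real vault this key
# lives only in the tokenization service, never in the merchant's POS.
DEMO_INDEX_KEY = b"constructed-demo-key-not-for-production"

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, so malformed input is rejected before it is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory token vault (not CardSecure's design).

    The vault is the 'master database' the post describes: it is the only
    place a token can be mapped back to a card number, so it must be
    protected and monitored separately from the merchant's systems.
    """

    def __init__(self, index_key: bytes = DEMO_INDEX_KEY):
        self._token_to_pan = {}   # token -> PAN (encrypted at rest in a real vault)
        self._index = {}          # HMAC(PAN) -> token, so the index holds no plaintext PANs
        self._index_key = index_key

    def _index_of(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Replace a card number with a token that reveals only the last four digits."""
        pan = pan.replace(" ", "").replace("-", "")
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        key = self._index_of(pan)
        if key in self._index:    # same card -> same token, so repeat customers are recognizable
            return self._index[key]
        while True:
            # secrets draws from the OS CSPRNG; a seeded or predictable generator
            # (e.g. the random module) is exactly the weakness the post warns about.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._token_to_pan:   # guard against a (negligible) collision
                break
        self._token_to_pan[token] = pan
        self._index[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processing host that owns the vault should be able to call this."""
        return self._token_to_pan[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's POS keeps: the token and the amount, never the PAN."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    sale = record_sale(vault, "4111 1111 1111 1111", 1999)  # constructed test PAN
    print("merchant stores:", sale)
    print("host recovers:", vault.detokenize(sale["token"]))
```

Note what a breach of the merchant's side would yield: a list of `tok_...` values and amounts, useless without the vault. Each vault issues its own unrelated tokens for the same card, which is the lack of standardization between data centers mentioned above.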

There are other ways to meet PCI compliance without using tokenization, but this is the most common practice and the easiest to implement. In fact, the PCI council recommends tokenization. Tokenization specifications have been in practice for the new EMV cards since 2014, so they have been tried and tested.