Digital tokenization has been around for over 20 years and was primarily designed to secure credit and debit cards. In the early days of digital payments, merchants and payment processors would store Primary Account Numbers (PANs) – the (typically 16-digit) debit/credit card number – alongside other transaction information. Because this sensitive payment information was stored in clear text, it was visible to anyone with system access and especially vulnerable to data breaches and theft. Inspired by physical token systems like casino chips and vouchers, digital tokens were created to stand in for the sensitive value in storage: the token can be kept and passed around freely, while the real value is held only where it is actually needed.
Tokenizing data also secures online transactions. Once a card number has been tokenized, it is the token – a generated string of letters, numbers or symbols – rather than the PAN that travels through and is stored by the merchant's systems, so card data is not exposed to systems that do not need it (the PAN's own trip to the tokenization provider and processor is protected by transport encryption, not by the token). Tokenization has become an even more important technology because of the rise in cyberattacks, whether malware or ransomware, and compromised third-party vendors and partners. Verizon's 2022 Data Breach Investigations Report revealed a 13% increase in ransomware-related breaches in 2021, a rise as large as the previous five years combined, with 62% of system-intrusion incidents coming through a compromised third party.
When it comes to processing payments and storing financial information, taking steps to protect your company and your customers from costly data breaches must be a top priority. Our two-part blog series will first explore how tokenization applies to cardholder data (CHD) and Payment Card Industry (PCI) compliance. Part two will detail how tokenization applies to non-payment data, including Personally Identifiable Information (PII) and Protected Health Information (PHI), and data privacy regulations.
The PCI Data Security Standard (DSS)
Any organization that accepts credit or debit card payments is required to keep that data as safe and secure as possible. The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is the set of security requirements maintained by the PCI Security Standards Council, which was founded by the major card brands. It is not a law: it is enforced through the card brands' rules and the contracts merchants sign with their acquiring banks, and non-compliance is dealt with through fines and, ultimately, loss of the ability to accept cards.
PCI DSS 4.0 has 12 principal requirements organizations need to continually follow, which the standard itself breaks down into 78 base requirements and over 400 test procedures. Which of these must be validated, and how, depends on the organization's transaction volume and on the way it accepts cards.
Companies can achieve PCI compliance in-house, but managing the process can be complicated depending on transaction level and the size of the organization. Merchants are placed into levels by annual transaction volume; the highest-volume (Level 1) merchants must be assessed on site each year by a Qualified Security Assessor (QSA), who produces a Report on Compliance, while lower levels can usually validate with an annual Self-Assessment Questionnaire (SAQ), plus quarterly vulnerability scans by an Approved Scanning Vendor where required. Either way the assessment is long, often expensive and must be repeated every year.
Implementing the requirements can go a lot smoother with a third-party expert that handles the sensitive card data on your behalf: it takes cardholder data out of most of your systems, which shrinks the environment that has to be assessed and saves time and money. It does not remove you from PCI DSS altogether – you remain responsible for the points where card data enters and for the systems still in scope – so ask any such provider for its own current Attestation of Compliance (AOC) as a service provider before relying on it.
How does tokenization relate to PCI compliance?
Tokenization addresses PCI DSS Requirement 3, "Protect stored account data": cardholder data (CHD) at rest. PCI DSS seeks to reduce retention of sensitive data and safely govern its storage and deletion. Tokenization satisfies this critical requirement by eliminating stored CHD from as many systems as possible. Credit card tokenization not only replaces sensitive data, it also minimizes the amount of data an organization needs to keep on file, which ultimately helps to reduce the cost of compliance with industry standards and government regulations.
Additionally, the stored CHD then lives in the token (solution) provider's environment, and it is the provider that must protect it and maintain its own PCI DSS validation as a service provider; the merchant's obligations shrink to the remaining touchpoints, which ultimately reduces the cost of PCI compliance. This makes an especially big difference for organizations that want to support card-on-file or recurring payments, since the token can be charged again and again without the merchant ever storing the card number.
What are the benefits of tokenization for payments?
Worldwide spending on cybersecurity is expected to reach $134B in 2022 and will likely increase as more organizations recognize the threat that cybercrime poses. By employing tokenization as part of their data security program, businesses can achieve a number of benefits:
- Reduced data theft. While tokenization cannot prevent a data breach, it can minimize data theft if a breach occurs: a randomly generated token carries no information about the PAN, so a stolen table of tokens cannot be reversed without the vault (or, in a vaultless system, the tokenization key), neither of which should be reachable from the breached system. A breach is always unfortunate, but it is the theft of usable card data during a breach that brings the significant monetary repercussions and lost customer confidence.
- Reduced PCI compliance costs. Storing tokens instead of sensitive data lowers the amount of CHD in your environment. While tokenization does not eliminate the need to maintain PCI DSS compliance, it makes it easier by considerably reducing PCI scope.
- Seamless payment experience for customers. The tokenization process ensures a frictionless checkout since it does not interfere with the customer experience. Whether customers shop in stores or online, tokenization protects customer data no matter the device, contributing to seamless payments – one of the critical drivers of customer satisfaction.
- Increased customer confidence. Tokenization services provide customers with the convenience of giving their payment data to a single provider. The service also ensures that, once captured, the card number is never divulged to the merchant's downstream systems, since tokenized values are used in transactions and records rather than actual card numbers, greatly enhancing both convenience and security.
How do I select a payment tokenization solution?
Many providers offer payment tokenization, but one of the biggest considerations is the type of system – vaulted or vaultless. A vaulted system issues random tokens and keeps the token-to-PAN mapping in a database (the vault), which becomes a single high-value target that must itself be protected, backed up and replicated. A vaultless system stores nothing: the token is derived from the PAN by a keyed, reversible transformation, so the system scales to large volumes with reduced latency and there is no vault to steal. Vaultless systems are often described as more secure for that reason, but the caveat is that their entire security rests on the tokenization key – anyone who holds it can detokenize every token ever issued – so how the provider generates, stores (ideally in an HSM) and rotates that key is the question to ask.
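To make the vaulted/vaultless distinction (and the scope-reduction argument from the PCI section above) concrete, here is a small Python sketch of both approaches. It is an added example for this post, not Bluefin or ShieldConex code: the card numbers are the industry's standard test PANs, the vault is an in-memory dictionary, and the vaultless scheme is a keyed Feistel permutation over the digits, written to show the mechanism rather than being a standardised format-preserving-encryption mode such as NIST FF1.

```python
"""Toy vaulted vs. vaultless PAN tokenization (illustrative, not production code)."""
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, which every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class VaultedTokenizer:
    """Token is random; the only link back to the PAN is the vault, which is
    the one component that stays inside PCI scope."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}  # production: encrypted, in the provider's CDE
        self._pan_to_token: dict[str, str] = {}  # lets card-on-file reuse one token

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for receipts and customer display
            # Reject candidates that pass Luhn or already exist, so a token can
            # never be mistaken for (or collide with) a live card number.
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]  # KeyError for a token we never issued


class VaultlessTokenizer:
    """No stored mapping: the token is a keyed, reversible permutation of the
    PAN body (all digits except the last four). Whoever holds the key can
    detokenize, so key management is the whole control."""

    def __init__(self, key: bytes, rounds: int = 8) -> None:
        if rounds % 2:
            raise ValueError("use an even round count so the half widths line up")
        self._key = key
        self._rounds = rounds

    def _f(self, rnd: int, value: int, width: int) -> int:
        """Round function: HMAC of (round, other half) reduced to `width` digits."""
        mac = hmac.new(self._key, f"{rnd}:{value}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "big") % 10**width

    def _permute(self, body: str, inverse: bool) -> str:
        n = len(body)
        lw, rw = n // 2, n - n // 2          # unbalanced split handles odd lengths (Amex)
        l, r = int(body[:lw]), int(body[lw:])
        if not inverse:
            for i in range(self._rounds):
                l, r = r, (l + self._f(i, r, lw)) % 10**lw
                lw, rw = rw, lw              # halves swap width every round
        else:
            for i in reversed(range(self._rounds)):
                lw, rw = rw, lw
                l, r = (r - self._f(i, l, lw)) % 10**lw, l
        return f"{l:0{lw}d}{r:0{rw}d}"

    def tokenize(self, pan: str) -> str:
        return self._permute(pan[:-4], inverse=False) + pan[-4:]

    def detokenize(self, token: str) -> str:
        return self._permute(token[:-4], inverse=True) + token[-4:]


if __name__ == "__main__":
    pan = "4111111111111111"  # standard Visa test number, not a real card
    vault = VaultedTokenizer()
    print("vaulted  ", vault.tokenize(pan), "->", vault.detokenize(vault.tokenize(pan)))
    vl = VaultlessTokenizer(b"constructed-demo-key")  # real systems keep this in an HSM
    print("vaultless", vl.tokenize(pan), "->", vl.detokenize(vl.tokenize(pan)))
```

Two points worth noticing when you run it. The vaulted token is different every time a new PAN is enrolled and is meaningless on its own, so a dump of the merchant's token column tells an attacker nothing; the vault is what must be defended and replicated. The vaultless token is deterministic for a given key (the same PAN always maps to the same token, which is what makes card-on-file and de-duplication work without any store), but a second instance constructed with the same key detokenizes it just as well, and nothing stops the output from happening to pass Luhn, so a vaultless provider's key custody and token format rules matter more than its database.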
When tokenizing payments specifically, it is also helpful to find a provider that specializes in CHD. They are more likely to offer simple and proven integrations with payments acceptance services as well as offering specialized features and tools.
Bluefin’s ShieldConex® offers a vaultless, cloud-based approach to tokenization, returning the tokenized data to the client for storage. With no limit to the amount of data that can be tokenized, ShieldConex secures all CHD while also providing tokenization for PII, PHI, and ACH account data entered online.
ShieldConex does not store any of the original data – it is always tokenized and returned to the client, which also simplifies data residency, since no copy of the cardholder data is held on the client's behalf. Additionally, there is no vault to become a performance bottleneck, and de-tokenization requests are returned to the client with minimal latency.
Stay tuned for part two of our blog where we will explore how tokenization can be applied to non-payment data and how it relates to meeting GDPR, CCPA and other data privacy regulations while reducing monetary damages from a data breach.