Rick Ricker, VP of Business Development for 3Delta Systems (3DSI), joins us today to discuss how Tokenization and Point-to-Point Encryption (P2PE) work together to protect your cardholder data, and why a third-party vendor skilled in these security solutions is your best bet. 3DSI is a leading provider of solutions that safeguard confidential payment data and is a Bluefin Decryptx partner.
For companies that accept card payments, a breach of credit card and confidential customer data is among the most serious risks they face. A company’s failure to protect data, and the inevitable breach that follows, leads to a litany of bad results:
- Huge financial costs—how about ‘substantial out of pocket costs’
- Customer defection
- A hit to reputation
Sure, you can build a fortress of protection on your internal system. But cyberthieves generally are more tireless in their attacks than businesses are in their defense. It’s understandable. A company is focused on selling its product, not defending its data.
And a better strategy is what our partners at Bluefin call “devaluing the data” – which is really nothing more than ensuring the card data a company stores or moves isn’t valuable to would-be thieves.
That’s where tokenization, which is one of 3Delta Systems’ specialties, and Point-to-Point Encryption (P2PE), of which Bluefin is a power provider, come together.
Let’s clear up what the role of each of those solutions is, and how they work hand-in-hand. But first, let’s review what the Payment Card Industry Data Security Standard (PCI DSS) requires us to do:
PCI DSS applies to everyone who collects, stores and transmits card data – which is the primary account number – or sensitive authentication data – which are the track data from a swipe transaction or the card verification value (or CVV) taken over the phone or through the web. The card number must be encrypted if a business stores it, and track data and CVV must not be stored at all.
The purpose of most encryption tools and techniques is to render the original data unreadable, then allow the decryption routine to restore the readable data.
Think of encryption as a code, like one that armies use to send messages to their commanders or allies during wartime. Encryption uses an algorithm to scramble information, making its data unreadable to anyone without the decryption key. The encrypted data often resides on a company’s internal servers or networks.
PCI DSS requires that card data is protected in transit and typically TLS (now > TLS 1.0 for PCI DSS 3.1) is used for that purpose, encrypting the channel while the data’s in motion. It is the data at rest that is most vulnerable, as it is just sitting there for hackers to try to expose and steal. If a studied hacker is able to decrypt the data, that hacker now has the key to all the data you store. As most merchants aren’t experts at information security, some choose to store the data offsite.
Tokenization replaces credit card data with a unique, generated placeholder, or “token.” Ideally, tokens have no meaning by themselves and are worthless to criminals if a company’s system is breached in any way. For example, let’s just say someone’s actual credit card number was 2123 3456 5678 6789. When the token is generated it might become EGHV234AUD54367. The most secure token is randomly generated instead of using an algorithm so there is no way to regain the original card number – crooks can’t reverse-engineer the actual credit card number, even if they were to grab the tokens off the servers.
Tokenization can be done in-house or outsourced.
- If done in-house, then the merchant moves the cardholder data to an environment called the token vault, and the tokens are used in the merchant’s business systems to refer to the card. When it is time to process, they send the token to the token vault to retrieve the PAN and forward it to the network for authorization. This scheme reduces the instances of card data around the merchant’s systems and thus the ability for a hacker to siphon it away.
- Outsourced tokenization works in the same way but eliminates the card data from the merchant environment – much like emptying a warehouse so that a thief has nothing to steal. Merchants use only the token to retrieve, access or maintain their customers’ credit card information. Meanwhile their customers’ card data is stored at a highly secure, offsite location by a vendor with PCI certification.
In either case, using tokens doesn’t alter the merchant’s payment processing or channels. Just like credit cards, tokens can be used for MOTO and e-commerce for all transactions including customer sales, refunds, voids and credits.
Removing confidential customer credit card data from their internal networks is one of the biggest reasons why more companies are relying on tokenization. All merchants who accept, transmit, process, or store credit card data online, in a store, by phone or by mail must certify each year that their IT security and processes comply with 12 rigorous PCI DSS requirements.
Companies that collect and store credit card data often find the PCI process to be a huge headache with potentially significant liabilities and costs rather than a convenience for their customers. Because every point at which credit card data is handled must be secured, conforming to these rules as well as building and defending one’s own data fortress can become extraordinarily difficult and prohibitively expensive.
Because outsourced tokenization removes card data completely from the merchant environment, there is nothing useful for criminals, and the liability and costs that merchants often associate with PCI compliance is dramatically reduced.
Many merchants find outsourcing to be less expensive than creating a team or diverting employees’ hours to card security and PCI compliance. Typically, an outsourced solution will be about one third the cost of an in-house solution.
For more information on 3Delta’s tokenization and P2PE solution, visit http://www.3dsi.com/secure-payments/cardvault/point-to-point-encryption.