Tokenization for Credit Card Data

Storing customer credit and debit card numbers “in the clear” opens merchants and enterprises up to huge potential for hacking and fraud. However, to enable recurring and subscription payments, it is extremely valuable to have this data readily available in the processing system.

Data tokenization is an integral component of secure payment processing that replaces credit, debit and ACH information in a transaction with a random character string or “token” acting as a surrogate for the credit card data. Because the character string is random, tokenized card data cannot be reverse engineered to identify the original sensitive data, which keeps your sensitive data secure even in the event of a hack or security breach.

Tokens are versatile. They can be engineered to preserve the length and format of the data that was tokenized, and they can also be generated to preserve specific parts of the original data values (for example, the last four digits of a card number). Thus, they can adapt to the formats of conventional databases and applications, eliminating the need to change the database schema or business processes. Tokenization is also an ideal security solution to help lower your Payment Card Industry (PCI) scope.

What is Tokenization?

Tokenization is the act of substituting sensitive data, such as a credit card number, with a random string of characters, a “token”, that has no direct relationship back to the original data. This means that if the tokenized information is compromised, it cannot be reverse engineered to identify the original sensitive data.

Tokenization vs. Encryption

In encryption, sensitive information such as credit card data is encrypted at the point of card entry; the ciphertext is derived from the card data and can be recovered by anyone holding the key. In tokenization, a randomly generated token is stored in place of the original data, and the only link between token and card number is the lookup held in the tokenization vault.
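To make the contrast concrete, here is an added example (not Bluefin's or PayConex's code) of a minimal token vault in Python. It shows the properties the text describes: the token is random, so nothing about it can be computed back to the card number; it preserves the length and the last four digits, so it fits existing database columns; the same card always yields the same token, so it can be reused for recurring payments; and only the vault can map a token back. The class and function names, the choice to make tokens deliberately fail the Luhn check (so a token is never mistaken for a real card number), and the test card numbers are all assumptions of this example.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check (real PANs do)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative vault (constructed example): the only place that knows token -> PAN.

    Tokens are random digit strings with the same length as the PAN that keep
    the last four digits and deliberately fail the Luhn check, so a token can
    never be processed as, or confused with, a real card number.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def _random_token(self, pan: str) -> str:
        keep = pan[-4:]
        while True:
            # secrets gives cryptographically random digits; no relation to the PAN
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + keep
            # Reject the ~10% of candidates that pass Luhn, and any collision.
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Store the PAN in the vault and return its surrogate token."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Same PAN -> same token, so a merchant can reuse it for recurring charges.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = self._random_token(pan)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can resolve a token; unknown tokens yield None."""
        return self._token_to_pan.get(token)


def demo(vault: TokenVault, pan: str) -> dict:
    """Tokenize one PAN and report the properties a merchant relies on."""
    token = vault.tokenize(pan)
    return {
        "token": token,
        "same_length": len(token) == len(pan),
        "last4_kept": token[-4:] == pan[-4:],
        "fails_luhn": not luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
        "recovered": vault.detokenize(token) == pan,
        # all-zero string passes Luhn, so the vault can never have issued it
        "unknown_token": vault.detokenize("0000000000000000") is None,
    }


if __name__ == "__main__":
    # Constructed input: the well-known Visa test number, not a real card.
    print(demo(TokenVault(), "4111111111111111"))
```

In a real deployment the two dictionaries live inside the PCI-scoped vault with their own access controls, and the merchant's order records hold only the `token` value; the merchant never needs `detokenize` because the vault itself forwards the card number to the processor when the token is charged.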

Data Tokenization – Key to Holistic Payment Security

Tokenization is an integral payment technology for every merchant, along with EMV and PCI-validated point-to-point encryption (P2PE). Each of these solutions plays an important role in holistic payment security:

  • Tokenization enables merchants and enterprises to safely “store” cardholder data at rest for use in future transactions. Tokenization, like P2PE, effectively renders the data useless to hackers.
  • PCI-validated P2PE protects data in transit by encrypting cardholder data upon point of entry in the retail device. Encrypting card data upon entry prevents the data from being available in the enterprise or merchant’s system as “clear-text” where it could be exposed in the event of a data breach.
  • EMV, also called “Chip and PIN,” authenticates the credit or debit card at the point of sale by reading a chip embedded on the card and validating the cardholder with a PIN or their signature. EMV makes it extremely difficult (though not impossible) to “white-label” or duplicate a physical credit card that could then be used by thieves to purchase items at the POS.

Bluefin’s PCI DSS Compliant Tokenization Solution

Bluefin’s PayConex payment platform provides a common tokenization vault unifying all of our payment products, including our PCI-validated P2PE solutions; e-commerce, retail, MOTO, and mobile channels; turnkey mobile app, Salesforce app, and virtual terminal web interface; as well as integrated support to our APIs, SDKs, payment pages, and standalone terminals.

Bluefin also offers Store & Convert, a custom conversion process that tokenizes large volumes of existing card numbers on a system in one step. This is an ideal solution for any company looking to implement a tokenization solution with legacy card numbers that are in the clear.

Tokenization flow

1. Card is run and sent through POS or software

2. POS sends payment information to PayConex

3. PayConex sends payment information to issuing bank

4. PayConex sends payment information to tokenization vault

5. The card is tokenized and sent to the POS or software for storage

PCI Compliance Scope Reduction and Tokenization

The PCI DSS requirements apply to any cardholder data (CHD) that is Stored, Transmitted, or Processed by a merchant. Industry insiders often refer to this by a simple acronym: STP. The best way to reduce the scope of your Cardholder Data Environment (CDE) is to not store, process, or transmit cards at all. Typically, this complete outsourcing of the CDE is only practical in Card Not Present (CNP) environments, by implementing Hosted Payment Pages (HPP) or Transparent Redirect (TR), or by using a listed PCI-compliant service provider as your ecommerce provider or call center.

There are two important data security technologies recommended by the PCI SSC that, when properly implemented, can devalue the cardholder data and de-scope your cardholder data environment: Tokenization and P2PE. Each of these data security technologies solves a different part of the STP (Store, Transmit, Process) trifecta.