Securing Stored Credit Card Data

Storing customer credit and debit card numbers “in the clear” opens merchants and enterprises up to huge potential for hacking and fraud. However, to enable recurring and subscription payments, it is extremely valuable to have this data readily available in the processing system.

Data tokenization is an integral component of secure payment processing that replaces credit, debit and ACH information in a transaction with a random character string or “token” acting as a surrogate for the credit card data. Payment tokenization differs from encryption. In encryption, when a payment application or a database needs to store credit card data, the card values are encrypted and cipher text is then saved in the original location. With tokenization, a token – or surrogate value – is stored in place of the original data.

Tokens are versatile. They can be engineered to preserve the length and format of the data that was tokenized, and they can also be generated to preserve specific parts of the original data values. Thus, they can adapt to the formats of conventional databases and applications, eliminating the need to change the database schema or business processes. Tokenization is also an ideal security solution to help lower your Payment Card Industry (PCI) scope.

Bluefin’s PCI DSS Compliant Tokenization Solution

Bluefin’s PayConex payment platform provides a common tokenization vault unifying all of our payment products, including our PCI-validated P2PE solutions; e-commerce, retail, MOTO, and mobile channels; turnkey mobile app, Salesforce app, and virtual terminal web interface; as well as integrated support to our APIs, SDKs, payment pages, and standalone terminals.

Bluefin also offers Store & Convert, a custom conversion process that tokenizes large volumes of existing card numbers on a system in one step. This is an ideal solution for any company looking to implement tokenization when it already holds legacy card numbers in the clear.

Data Tokenization – Key to Holistic Payment Security

Tokenization is an integral payment technology for every merchant, along with EMV and PCI-validated point-to-point encryption (P2PE). Each of these solutions plays an important role in holistic payment security:

  • Tokenization enables merchants and enterprises to safely “store” cardholder data at rest for use in future transactions. Tokenization, like P2PE, effectively renders the data useless to hackers.
  • PCI-validated P2PE protects data in transit by encrypting cardholder data upon point of entry in the retail device. Encrypting card data upon entry prevents the data from being available in the enterprise or merchant’s system as “clear-text” where it could be exposed in the event of a data breach.
  • EMV, also called “Chip and PIN,” authenticates the credit or debit card at the point of sale by reading a chip embedded on the card and validating the cardholder with a PIN or their signature. EMV makes it extremely difficult (though not impossible) to “white-label” or duplicate a physical credit card that could then be used by thieves to purchase items at the POS.

Four Best Practices for Tokenization

These go beyond Visa's best practices guide: random generation of tokens, protection of the token server, encryption of stored data, and avoidance of homegrown solutions.

PCI Compliance Scope Reduction and Tokenization

The PCI DSS requirements apply to any cardholder data (CHD) that is Stored, Transmitted, or Processed by a merchant. Industry insiders often refer to this by a simple acronym: STP. The best way to reduce the scope of your Cardholder Data Environment (CDE) is to not store, process, or transmit cards at all. Typically, this complete outsourcing of the CDE is only practical in Card Not Present (CNP) environments, by implementing Hosted Payment Pages (HPP) or Transparent Redirect (TR), or by using a listed PCI-compliant service provider as your ecommerce provider or call center.

For Card Present (CP) merchants and CNP merchants that operate their own back office, ecommerce and call center facilities, devaluing the card data throughout your network is vital to down-scoping your environment.

There are two important data security technologies recommended by the PCI SSC that, when properly implemented, can devalue the cardholder data and de-scope your cardholder data environment – Tokenization and P2PE. Each of these technologies solves a different part of the STP (Store, Transmit, Process) trifecta.

Bluefin’s payment data tokenization solution down-scopes your environment from the PCI DSS Storage Requirements because instead of storing the actual card number, you store a token that is a reference to the card number. You can already store the first 6 digits and last 4 digits of the card (also known as “6+4”) in an unencrypted, clear-text fashion, per PCI DSS requirements. When your system needs to run the card again, run a refund, process a chargeback, or perform other card processing, you simply provide the token instead of the card number. It’s as simple as that.

The token only has meaning to your organization and to Bluefin. This way, if the tokens are exposed to any outside entity, they are useless for processing.
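The following is an added example, not Bluefin's code or the PayConex vault, that illustrates the three properties described above: a token is a random surrogate with no mathematical relationship to the card number (unlike ciphertext, no key can reverse it), it can preserve the card's length and its first six and last four digits (the "6+4" that PCI DSS already lets you keep in the clear), and it is only meaningful to whoever holds the vault. The vault here is an in-memory dictionary, which is an assumption made to keep the example self-contained; a production vault would encrypt the stored card numbers at rest and sit in its own segmented environment. The card numbers are constructed industry test numbers, not real cards. One design choice added here that the page does not state: the generator rejects any candidate token that passes the Luhn check, so a token can never be mistaken for, or accidentally processed as, a real card number.

```python
import secrets
import string

# Constructed sample PANs: standard test numbers that pass the Luhn check but are not real cards.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_check(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_6_4(pan: str) -> str:
    """Render a PAN the way a receipt or CRM may display it: first 6 and last 4 digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Toy tokenization vault (assumption: plain dict instead of an encrypted, segmented store).

    Tokens are format-preserving: same length as the PAN, same first 6 and last 4 digits,
    with the middle digits drawn from a cryptographic RNG. Nothing about the token can be
    computed back to the PAN; the only way to recover it is a lookup in this vault.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_check(pan):
            raise ValueError("not a well-formed card number")
        # Same card -> same token, which is what recurring and subscription billing relies on.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            middle = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Reject collisions, the PAN itself, and any candidate that would pass Luhn
            # (design choice added here: a token must never look like a valid card number).
            if token != pan and token not in self._token_to_pan and not luhn_check(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to its PAN. Only the vault owner can do this; there is no key."""
        return self._token_to_pan[token]   # KeyError for any token this vault never issued


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        tok = vault.tokenize(pan)
        print(f"stored token {tok}  (display form {mask_6_4(pan)}); round-trips: {vault.detokenize(tok) == pan}")
```

Run it and note that the merchant-side record (the token and the masked 6+4 display form) contains nothing that could be charged by anyone who steals the database, while the vault alone can turn the token back into a card number for a refund, chargeback or rebill.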