Your business is responsible for keeping its sensitive payment information safe. Tokenization is one critical technology that has enhanced payment security for merchants, customers and financial institutions. Here’s critical information to know about tokenization and how it can minimize your risk of a security breach.
The easiest way to understand why tokenization is necessary is to view payment processing without the technology in place. (If you haven’t yet equipped your point of sale to use EMV chip card features, and/or your customers still swipe their debit or credit cards to pay, you’re not protected by tokenization.) Even if you otherwise adhere to the compliance guidelines established by the Payment Card Industry (PCI) Security Council, a payment processing transaction that doesn’t use tokenization sends sensitive account information across payment networks.
Cybercriminals intercepting transactions can access the sensitive information related to the transaction and the customer associated with it. With data like a customer’s 16-digit personal account number, name and address, thieves can sell that account information on the black market to create counterfeit cards and, in some cases, use the customer’s data to open entirely new accounts.
As the experts at First Data explain, merchants are responsible for providing a secure processing environment that protects sensitive data during pre-authorization, transaction processing and post-authorization. As cybercriminals have become more adept at intercepting transaction data, PCI-compliant processing may not provide enough security to adequately protect customers and merchants. Tokenization was created to offer that additional layer of protection.
How tokenization works
When tokenization is used in payment processing, cardholder data is authorized and then sent to “a centralized and highly secure server” called a vault. The sensitive information is held in the vault and replaced with a randomly generated number (the token) with the same number of digits as the actual card number. To ensure the token is indeed unique and not an actual card, First Data experts explain that tokens never begin with a 3, 4, 5 or 6 (the digits that begin actual account numbers). Tokens are further validated by a “Mod 10 check,” which a token should not be able to pass. (Only valid account numbers can pass a Mod 10 check.)
The token is sent to the merchant systems to use for payment processing, while the sensitive data the token replaced remains in the secure vault. If cybercriminals do intercept a payment transaction, the data cannot be used to identify the customer or the account associated with it; it has no value for criminal use.
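The token rules described above (same length as the card number, never starting with 3, 4, 5 or 6, and failing the Mod 10 check) can be shown in a short sketch. This is an added example, not code from First Data or the article; the `Vault` class, its in-memory dictionary and the function names are assumptions made for illustration, and the sample card number is a constructed test value.

```python
import secrets

REAL_CARD_LEADING_DIGITS = "3456"   # per the article, tokens never start with these


def passes_mod10(number: str) -> bool:
    """Mod 10 (Luhn) check: True for well-formed account numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_token(value: str) -> bool:
    """The two properties the article gives for telling a token from a card."""
    return value[0] not in REAL_CARD_LEADING_DIGITS and not passes_mod10(value)


class Vault:
    """In-memory stand-in for the secure vault (assumption for this sketch)."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and passes_mod10(pan)):
            raise ValueError("not a valid account number")
        while True:
            first = secrets.choice("012789")
            rest = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = first + rest
            # Reject candidates that pass Mod 10 or collide with an issued token.
            if looks_like_token(token) and token not in self._pan_by_token:
                self._pan_by_token[token] = pan   # the card number stays in the vault
                return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


TEST_PAN = "4111111111111111"   # constructed sample: a test number, not a real account
```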
How to ensure your payment processes use tokenization
Credit and debit cards were reissued in 2015 to include a square chip on each card’s front, which uses EMV (Europay, MasterCard, Visa) chip card technology and tokenization in payment processing. As of October 2015, most merchants are to have the payment processing tools at the point of sale to facilitate EMV chip card payments. When a customer inserts his or her EMV chip card into a point-of-sale terminal and the card is identified, a token request is sent to the card’s payment network. The customer leaves the EMV chip card in the terminal throughout processing approval. All the while, tokenization is used in the payment processing.
Why tokenization is necessary
As of October 2015, liability for a data breach is now on the party involved in a payment transaction found to offer the lowest level of security. With the exception of fuel pump operators (which have until 2017 to become EMV compliant), merchants involved in a data breach could be subject to any fines, fees and lawsuits that arise. As the experts at First Data point out, tokenization also minimizes the liability that merchants assume in recordkeeping after a transaction. When a business doesn’t hold sensitive card data in its own back-end applications, the scope of PCI compliance is made more financially manageable and cost efficient.
Tokenization empowers merchants to eliminate the risk associated with handling sensitive data while, at the same time, protecting customers. You can instantly take advantage of tokenization by equipping your point-of-sale terminals, mobile or affixed, to accept EMV chip cards.
About the Author
Kristen Gramigna is chief marketing officer for BluePay, a credit card processing firm. She has more than 20 years of experience in the bankcard industry in direct sales, sales management and marketing. Follow her on Twitter at @BluePay_CMO.