If you’ve been to an arcade, you’ve likely dealt with tokens. When you enter the arcade, you trade legal tender for tokens, which can be used to play at the arcade but have no value outside the establishment. If you win a game, you earn tickets to cash in on a prize of your choice. But you can’t use the tickets elsewhere; they have no value outside the arcade.
That’s essentially what tokenization is (in simplified terms). It’s the process of turning important data into a string of characters (known as a “token”) that has no value if breached. Tokens serve as a reference to the original data, but cannot be used to guess those values. There is no mathematical relationship between a token and the number it replaces, so the card number 1234-5678-9123-4567 could become a string like EO5L-X03K-S2LX-79BQ, which includes both letters and numbers. Only the token vault can untangle the thread.
In credit card tokenization, the cardholder’s information is replaced with a series of randomly generated numbers that only have value through the tokenization system, which services requests to interact with the tokens as the transaction is processed. This is helpful because there are numerous credit card processing middlemen, so providers and businesses must protect cardholder data as it passes through multiple parties to verify a purchase.
So, how does tokenization differ from encryption?
The term “encryption” is often used as a synonym for tokenization; however, the process is entirely different. With encryption, the card data is masked and can be decoded by anyone who has the proper key. The data is decrypted and re-encrypted as it passes through the various systems involved in processing the transaction. Despite the disguise, the data stays intact and is often stored on a business’s internal network, placing the business within PCI scope.
In contrast, tokenization removes the data and replaces it entirely. The tokens can only be decoded at the final destination: the payment processor. This provides businesses and security providers with a number of benefits.
The benefits are numerous, but reduced PCI scope and a future-ready payment environment are highlights worth noting.
With fewer opportunities to be decoded, tokenization is considered a safer form of data security than encryption. The data is completely replaced rather than masked, making it more difficult for a hacker to obtain the raw data.
It also reduces a business’s PCI scope because cardholder data is never stored or processed in its environment. This protects the business from internal and external threats: even employees can’t access the raw payment information.
Tokenization is also built for the future. NFC payments, ACH and credit card transactions all use tokenization to securely transfer cardholder data. Internationally, this technology is already being used to secure sensitive data beyond payments, according to Skyhigh Networks. This includes Social Security numbers, passport numbers, medical record numbers, emails, billing addresses, driver’s license numbers and more.
Tokenization can protect cardholder data as it moves through the many steps of credit card processing; however, it also allows your business to safely store customer cards on file. With the right Merchant Account Provider and Virtual Terminal, you can take the following actions without needing the customer to return to your business:
PayJunction’s Virtual Terminal, for instance, automatically tokenizes and stores customer payment information (for debit cards, credit cards and ACH). Only the last four digits of the account are preserved so a customer can have multiple forms of payment associated with his account and specify the best account for a given payment.
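The flow described above (a random token with no mathematical link to the card number, and only the last four digits kept for a card on file), as an added Python example. It is not PayJunction's code: `TokenVault`, `store_card_on_file` and the in-memory dictionary are hypothetical stand-ins for a real tokenization service.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class TokenVault:
    """Hypothetical stand-in for the tokenization service (processor side)."""

    def __init__(self):
        self._by_token = {}  # token -> card number; exists only inside the vault

    def tokenize(self, pan: str) -> dict:
        digits = pan.replace("-", "").replace(" ", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a card number")
        # Random draw from a CSPRNG: the token is not computed from the card
        # number, so there is nothing to reverse without the lookup table.
        while True:
            token = "-".join(
                "".join(secrets.choice(ALPHABET) for _ in range(4))
                for _ in range(4)
            )
            if token not in self._by_token:
                break
        self._by_token[token] = digits
        # The merchant receives only the token and the last four digits.
        return {"token": token, "last4": digits[-4:]}

    def detokenize(self, token: str) -> str:
        # A guessed or unknown token resolves to nothing.
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def store_card_on_file(vault: TokenVault, customer_cards: list, pan: str) -> dict:
    """Merchant side: keep token + last4 per payment method, never the number."""
    record = vault.tokenize(pan)
    customer_cards.append(record)
    return record
```

Tokenizing the same card twice yields two unrelated tokens, which is the practical difference from encryption: nothing stored on the merchant side can be decoded with a key.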
Old-school terminals that aren’t EMV-ready and lack fraud-prevention technology are under increased attack by fraudsters, according to TSYS. Security is make or break for businesses because almost half of surveyed consumers said they’d shop less or stop shopping at a retailer that had a security breach, according to Retail News Insider.
Most businesses can’t survive a 50 percent drop in revenue, so it’s vital that you implement the newest technology to protect customers’ payment information. Ultimately, it’s an investment in protecting your business as well.
How does your business protect customer information? Are you able to store cards on file? Let us know how this technology would impact your business in the comments section below.