TechnologyNov 15, 2010

Get a Better Night’s Sleep with Payment Tokenization

Joshua Grear

Does the thought of capturing, storing, managing and securing your customer’s payment information keep you up at night? Are you looking for a way to reduce the cost of your PCI compliance implementation?

If you answered yes to either of these questions, you should know that Payment Tokenization could help you get back to sleeping like a baby and allow you to hold on to more of your hard earned cash.

What is Payment Tokenization?

Tokenization is the process of taking sensitive information and replacing it with a “token” that is not sensitive in nature. The resulting token can then be distributed without concern for the sensitivity of information that it represents.

For example, I just recently registered my vehicle. After giving the authorities various pieces of sensitive information, I was issued license plates. Essentially, the process I went through was a process of tokenization. My license plate number is a representation of all of the sensitive information I originally provided. However, my license plate number only has value in context of the system it was intended for.

Much in the same way, companies and organizations that capture sensitive payment information can utilize this same process of tokenization. When this process is applied to payment-related information, it is called payment tokenization.

Why should you consider implementing Payment Tokenization?

There are two main reasons payment tokenization is becoming a hot topic in the industry. While it could be argued either way, the primary reason for payment tokenization is reduction of cost. Equally important however, is the reduction of risk to the customer and company.

“Consider the use of payment card tokenization to reduce the scope of PCI compliance audits and to protect sensitive cardholder data.” – Gartner*

Cost Reduction

Payment tokenization can help reduce cost by decreasing the scope of PCI compliance and maintenance effort. PCI compliance typically is very expensive for most organizations. This is directly related to the number of systems that are deemed to be “in scope”. More systems that interact with payment information mean higher cost. While various levels of payment tokenization can be employed, they all reduce the number of systems in scope, and therefore reduce the cost.

Risk Reduction

Payment tokenization can help reduce risk to both the customer and the company. Thinking about the license plate example again, consider what happens if my license plate number is stored in various systems. If one of those systems gets compromised, the stolen license plate number would have little to no impact on me. However, if those same systems persist my sensitive information instead, the story becomes much worse. In its simplest form, by reducing the number of systems containing sensitive information, you reduce the risk of that information being compromised. Having less potential for being compromised ensures that the customer’s information is safer. Likewise, if the risk to the customer is lower, so it the liability to you.

What is the roadmap for Payment Tokenization?

While payment tokenization is relatively a new concept, it is gaining ground quickly in the security community. In fact, Visa recently released a set of best practices geared towards payment tokenization implementations. Likewise, many payment vendors are beginning to offer payment tokenization services as a solution. Look for this trend to continue to grow heavy over the next several years.

Next Steps

The follow steps should be taken to help determine the effectiveness of payment tokenization for your company. First and foremost, assess the number of systems that currently capture, transmit or store credit card data. As discussed above, a higher number of in-scope systems equates to higher cost reduction potential. Next, begin to develop a roadmap for implementing payment tokenization. This should, at a minimum, include:

· an inventory of systems that:

o capture credit card data and how the data is captured

o transmit credit card data and how the data is transmitted

o store credit card data and how/where the data is stored

· determine if you will implement internally or utilize a third-party vendor

· define how existing systems will be affected

· define a transition plan from existing functionality to a tokenized solution

And finally, if you need help analyzing your systems, creating a roadmap or implementing the solution, Credera has expertise that can help you get back to sleeping like a baby.

*“Using Tokenization to Reduce PCI Compliance Requirements”, Gartner, August 5, 2009.

Have a Question?

Please complete the Captcha