Embracing Tokenization: Payment Without Pain

Larry Wine

Today, it's expected that merchants accept electronic payments. It's more than expected that those payments are secure. No data leaks or breaches of any kind. The reality is many companies don't truly understand the security vulnerabilities that electronic payments present nor the solutions on the market. They may think they are secure, but in fact are at great risk.


As President and CEO of Paymetric, Inc., Larry Wine is responsible for increasing stakeholder value through strategic, operational, financial and resource excellence.

The Payment Card Industry Security Standards Council (PCI SSC) has tightened compliance requirements, initially with their Data Security Standards (PCI DSS). Ever tightening, the compliance rules will become more stringent again in 2010. As a response, the industry has been flooded with solutions claiming to provide heightened security for a merchant's data. Undoubtedly, and often blindly, merchants invest in these offerings. In most cases out of fear, uncertainty and doubt. What companies don't get is that most of these solutions are not bullet-proof.


Since companies think they are compliant and are indeed not, they are at risk for a breach or an audit resulting in hefty fines that could bring them to their knees. Unfortunately, most find out the hard way.

What can help? In my view, tokenization is the answer. A solid tokenization solution can take companies into a safe harbor and remove all navigational stress from its shoulders.


According to the recent Gartner Group report, "Using Tokenization to Reduce PCI compliance Requirements," "enterprises that have successfully implemented tokenization have reduced the scope of costly PCI compliance audits while keeping sensitive cardholder data more contained and secure." So what is tokenization, really? The bottom line is that tokenization is a technology that leapfrogs the better-known, traditional encryption. Sensitive data is removed from enterprise systems and, as an added bonus, the technology is complimentary to legacy enterprise systems.


Drilling down, tokenization affords companies the opportunity to eliminate the storage of sensitive information. This cutting-edge technology works by intercepting cardholder data entered into an enterprise payment acceptance system like a Web store, CRM, ERP or POS, and replacing it with a surrogate number known as a "token," a unique ID created to replace the actual data associated with a specific card number. Put more simply, tokenization is different from any other security solution dealing with PCI issues because it's "waterproof" vs. "water resistant" (encryption).


Tokenization offers the following two key benefits:
1. Software as a Service (SaaS) model ensures no customer card data resides within company systems
2. cost effectiveness and savings


1. Benefits of SaaS: Get It Out of My House
With a tokenization solution outsourced via a SaaS model and a reputable vendor, cardholder data never resides in the merchant's environment. The premise and theory behind encryption remains true-protect sensitive data with complex encryption algorithms wherever sensitive data is stored. Tokenization takes the same principle to a new level: protect sensitive cardholder data by removing it from merchant systems entirely. Quite simply, merchants do not need to encrypt what they do not store. Let someone else shoulder the information.


By eliminating the storage of sensitive cardholder data through a SaaS tokenization solution, merchants can realize a multitude of financial, operational and security advantages over traditional enterprise encryption solutions. A tokenization solution requires minimal upfront capital expenditure, if any. And it saves on the back-end, too, by preventing costly breaches. If thieves know you don't have any valuable data they have no reason to break into your systems. And, let's pretend the worst happens and someone figures out someday how to hack a token-the breach would be extremely limited. If an attacker somehow bypasses both the token and encryption, they will have access to only one card number.


2. Cost Savings: Protecting the Brand and the Bottom Line
According to Gartner Group, a company with 100,000 customer accounts spends $6 per account to roll out encryption appliances. A separate encryption solution is required for each place where credit card data is stored. In a large enterprise, there can easily be 10 or 20 systems. Do the math -- that could add up fast.


In contrast, by transferring all card holder data out of your systems, a company eliminates capital expenditures. It's a simple premise: The less data there is onsite, the less it costs to keep it secure. This will also reduce the complexity of a company's PCI audit. Because the merchant no longer stores cardholder data, they will be removed from the scope of PCI Requirement 3, reducing the number of questions needed to answer on the audit.


All in all, tokenization greatly reduces risk of breach, operational expenses and bad PR-all of which ultimately saves money.


Finding the Shoe that Fits: Tokenization Solution

In conclusion, if a company carries confidential cardholder data, we strongly recommend getting it out of the system and onto a reputable vendor's. To choose a vendor, make sure they have expertise and execution experience. Tokenization vendors must be thoroughly vetted, since they will become mission-critical business partners. There is no doubt there is a solution for every company. But you must pick the right partner that can fulfill all the company's requirements while understanding its level of size and complexity.


With an eye towards the future, Paymetric's Data Intercept Solutions for XiSecure On-Demand takes tokenization to the next level by ensuring that sensitive cardholder data never enters the enterprise payment acceptance system. Sensitive information is intercepted and tokenized at the the time of sale. The secure token then routes back to the merchant for authorization and settlement. Data Intercept Solutions, using tokenization, offer the ultimate breach protection, while dramatically reducing the cost and effort to achieve PCI compliance. And the process is entirely transparent to the customer.


Tokenization is the answer to security, cost savings and general peace of mind ... just be sure to ask the right questions.

Add Comment      Leave a comment on this blog post

Oct 6, 2009 9:42 AM Bryan Johnson Bryan Johnson  says:

Well explained Larry. Tokenization is clearly one of the best approaches to reduce PCI scope and increase credit card data security. It makes the task of securing 7 million merchant locations a much more feasible objective.

Oct 22, 2009 11:13 AM Paul Donovan Paul Donovan  says:

My question to you Larry is does the retailer need to move away from batch settlement in order to be able to tokenize (settle at authorization), otherwise they will not have a credit card number to settle with the bank.  This is an obstacle  I see some smaller retailers are not understanding, and I want to have some clarification on this point.

Jan 12, 2010 5:02 AM Robin Robin  says:

Glad to know that tokenization helps improve security also.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Resource centers

Business Intelligence

Business performance information for strategic and operational decision-making


SOA uses interoperable services grouped around business processes to ease data integration

Data Warehousing

Data warehousing helps companies make sense of their operational data