As one of the last countries in the world, the U.S. will migrate to an EMV-based payments infrastructure on October 1, 2015. By then, Visa and MasterCard alone will have issued more than 550 million chip and pin cards. While migration to an EMV-based payments infrastructure is a significant step in securing payment data, it won’t eradicate all risks.
Typically, payment data flows from the customer in the swipe of the payment card, via the merchant’s point-of-sale terminal, to the acquirer and then onward to the card association for payment validation. When an EMV chip is embedded in a card, it helps ensure that the card being used is real and that it in fact belongs to the person using it, thereby drastically reducing the risk of stolen or counterfeit cards in comparison to traditional magnetic stripe cards.
These chip and pin cards are a vast improvement for preventing counterfeit use in comparison to traditional magnetic stripe cards. However, security controls still need to be put in place to protect cardholders’ confidential information on payment cards not just at the moment the card is swiped or dipped, but all the way through the transaction process. To secure data in transit, merchants are turning to tokenization.
In this slideshow, Malte Pollman, CEO of Utimaco, a leading manufacturer of hardware-based security solutions, looks at how merchants will need to take extra steps toward encryption and tokenization if they want to truly secure transactions.
Securing Payment Transactions
What Is Tokenization?
Tokenization is a process in which sensitive credit card numbers are replaced with a string of unique identification symbols that retain all the essential information about the data, but without compromising its security. In other words, during the transaction, the process of tokenization turns the data into a non-sensitive token that cannot be used outside of the context of this specific transaction at this specific merchant.
Scale Across Devices and Merchants
Tokens are a powerful security tool because they are able to scale across devices and merchants. They cannot be used outside of the context of the transaction, and payment card data doesn’t have to be stored on a company’s network. Mobile payment options, like Apple Pay, benefit especially from this as the use of tokens adds EMV security to transactions performed with virtual cards, such as via an iPhone. Virtual card payment not only makes mobile payments more convenient, but also more secure with the potential to enable tokenized commerce across the entire retail economy.
Avoid Regulatory Compliance
Tokens are often exempt from regulatory audits as they replace original credit card data with random values. Because tokenization completely replaces sensitive credit card data, all transaction systems are able to use tokens, thereby reducing the number of devices that must meet PCI DSS compliance requirements. Not only does tokenization better protect sensitive data, it also greatly reduces the effort and cost of complying with the latest security requirements.
Minimize Data Exposure
A key advantage of tokenization is that it enables data consolidation. With sensitive data only stored on tokenization servers, where they are encrypted and highly protected, businesses are able to reduce data exposure and decrease data duplication, minimizing costs and risks linked to relying on multiple databases and multiple data management points.
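The vault-style tokenization described in the sections above, as an added Python example that is not from the original article or from Utimaco. `TokenVault`, its method names and the merchant identifiers are assumptions, and the card number is held unencrypted only to keep the example within the standard library; a real tokenization server would encrypt it under an HSM-held key.

```python
import hashlib
import hmac
import secrets

def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    digits = [int(d) for d in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Hypothetical tokenization server: the only place real card numbers live."""
    def __init__(self):
        # Assumption: in production this key sits in an HSM, and stored PANs
        # are encrypted under an HSM-held key rather than kept in the clear.
        self._index_key = secrets.token_bytes(32)
        self._by_token = {}   # token -> (merchant_id, pan)
        self._by_index = {}   # HMAC(merchant_id | pan) -> token

    def _index(self, merchant_id: str, pan: str) -> str:
        msg = f"{merchant_id}|{pan}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        idx = self._index(merchant_id, pan)
        if idx in self._by_index:          # same card, same merchant: reuse token
            return self._by_index[idx]
        while True:
            # Random digits with no mathematical link to the PAN; last four kept.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that could pass as a real card number.
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = (merchant_id, pan)
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        owner, pan = self._by_token.get(token, (None, None))
        # A token is honoured only for the merchant it was issued to.
        if owner is None or owner != merchant_id:
            raise PermissionError("token not valid in this context")
        return pan
```

Because every token fails the Luhn check, a leaked token cannot be mistaken for a usable card number, and a token presented by any merchant other than the one it was issued to is refused.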
Harden Security with HSM-Enabled Tokenization
Encrypting data via the use of tokens is the first step in protecting critical business and consumer data. The second step is to create and store the cryptographic key that unlocks those tokens. Hardening security means creating a secure key via true random number generation, which relies on the anomalies in physics instead of the constraints of zeros and ones found in software code.
Storing a cryptographic key is just as important as creating it. Software solutions store keys in main memory, which means the system administrator, and anyone else with server access, has access to the keys and the capability to create an extra key to access the data. Hardware-based tokenization instead offers strong security even in the most hostile environments. The module can detect when any attack is happening, in the form of drilling, heat, power blackout or chemical attack, and automatically delete the keys immediately.