Analysts expect online shopping to account for more than 12 percent of retail spending by 2019. As more businesses accept credit card payments through the web, they need to assure customers that their personal data is safe. By using the right technology, like tokenization, a company with a high-risk merchant account can protect credit card information by making it harder for criminals to access.
For many years, encryption has been the security measure of choice for merchants, government agencies, and anyone else who needed to maintain the integrity of private information. Here’s how encryption works: An algorithm makes the original data unintelligible to any person who doesn’t have the key. With the key, however, one can decrypt the data and view it in its original form.
One of the primary weaknesses of encryption is the vulnerability of the key. Anyone who can get the key will have access to the protected data. Other complications include a lack of versatility in working with some databases and the requirement that the encryption be strong enough to withstand the efforts of hackers. Finally, encryption usually involves a system in which the encrypted data stays on site with the retailer, creating a liability.
While encryption uses a logical algorithm to change data so that it’s only readable with the key, tokenization replaces the data randomly, eliminating the key altogether. The random characters that take the place of the original data are called tokens, and they are generated using a lookup table. Think of them as placeholders because they keep the same form and length as the information they replace. While companies are storing the tokens as placeholders, the original data exists off-site in a more secure location, along with the lookup table.
If criminals steal tokens, they won’t be able to decode them, because there’s no key. The characters are random, making it impossible to reverse-engineer the data and get credit card numbers and other sensitive data.
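The lookup-table scheme described above, as an added example that is not from the original article: a minimal in-memory vault in Python that issues random tokens of the same form and length as the card number. `TokenVault`, `merchant_record` and the sample card number are assumptions made for illustration; the vault stands in for the off-site service that holds the lookup table.

```python
import secrets


class TokenVault:
    """Constructed stand-in for the off-site service that holds the lookup table."""

    def __init__(self):
        self._token_to_pan = {}  # the lookup table: token -> original card number
        self._pan_to_token = {}  # reverse index so one card always gets one token

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Digits from the OS CSPRNG: no key, and not a function of the card number.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Retry on the rare clash with an issued token or a stored card number.
            if (token != pan and token not in self._token_to_pan
                    and token not in self._pan_to_token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the holder of the lookup table can map a token back.
        # KeyError means the token was never issued by this vault.
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the merchant keeps on site: the token, never the card number."""
    return {"customer": customer, "card_token": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"  # constructed sample value, not a real account
    record = merchant_record(vault, "alice", sample_pan)
    print(record)
    print(vault.detokenize(record["card_token"]) == sample_pan)
```
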
Not only is tokenization safer, but it’s also a technology that enables some businesses that have high-risk merchant accounts to save money. Often these companies collect many credit card numbers and related data because they’re in a high-volume industry. The more sensitive financial information they collect, the higher their liability if a criminal steals the data. By implementing tokenization, companies beef up their data protection, thereby reducing the chances that a thief will be able to decode and take the data and leave the company on the hook for the breach.
Another way tokenization helps businesses save money is by taking the sensitive data off-site. When companies gather and store credit card numbers, they must comply with 12 stringent requirements laid out in the Payment Card Industry Data Security Standard (PCI DSS). Achieving compliance usually forces businesses to spend thousands of dollars each year on security services. In contrast, tokenization lowers the bar for compliance because the actual data is stored off-site. With fewer requirements to meet, companies using tokenization can expect to spend less on compliance measures.
Security experts advise companies to avoid using their own in-house tokenization solution. Instead, they recommend contracting with an online security firm that specializes in tokenization to ensure that the data stays safe.