What’s Tokenization and How Does It Affect Me?
There’s a lot of talk in our industry about tokenization lately, and for good reason. Format-preserving tokenization is a rising data security model that can be used alone or to augment strong encryption, and it benefits companies that accept credit card numbers, including credit card processors.
Let’s break tokenization down: tokens are meaningless values that replace credit card numbers in systems, applications and databases, while the encrypted values they represent remain locked in a central repository called a data vault.
Tokenization provides a number of benefits for companies that need to protect credit card information, including safe internal and external token mobility, preservation of the credit card data format, and taking data, applications and systems out of scope for Payment Card Industry Data Security Standard (PCI DSS) compliance and audits.
Several industry organizations are working on tokenization definitions, standards and guidelines. The PCI SSC Scoping Special Interest Group (SIG) is working on definitions and the application of tokens as they relate to PCI DSS, and the Accredited Standards Committee X9 is working on a standard to define tokenization requirements related to credit card data in the financial services industry.
Format-preserving tokenization enables practical applications, such as post-authorization sales and marketing analyses, loss prevention, and fraud detection. For example, a data warehouse program can use format-preserving tokens to determine what type of credit card – standard, private label or gift card – was used for a purchase. In this scenario, the data warehouse contains only tokens, not the actual card numbers.
Vision Payment Solutions offers a word of caution to its clientele, our merchants. There is no such thing as token portability between credit card processors. Because of this, you should be cautious of vendor lock-in when outsourcing the tokenization of cardholder data to your payment processor. This becomes a problem when a company decides to change processors, because the tokenized values are not transferable. The new credit card processing company has no way to determine what credit card number is linked to each token, so the data is effectively lost.
The solution is in-house tokenization: to avoid this problem, tokenize credit card data yourself using a commercial off-the-shelf tokenization solution that’s properly maintained by the vendor.
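The vault model, the card-type analysis on tokens, and the portability problem described above, as an added Python sketch that is not Vision Payment Solutions’ or any vendor’s code. It assumes tokens keep the card number’s length and first six digits; the `TokenVault` class, the prefix table and the test number are constructed for illustration, and the in-memory vault skips the encryption a real data vault applies.

```python
import secrets

# Constructed prefix table for illustration; real issuer ranges differ.
CARD_TYPES = {"411111": "standard", "600000": "private label", "999999": "gift card"}


def card_type(value):
    """Classify a card number OR a token by its leading six digits."""
    return CARD_TYPES.get(value[:6], "unknown")


class TokenVault:
    """Hypothetical in-memory data vault. A real vault encrypts what it stores."""

    def __init__(self, keep_prefix=6):
        self.keep_prefix = keep_prefix  # assumption: leading digits survive
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("card number must be 13 to 19 digits")
        if pan in self._token_by_pan:  # same card always maps to the same token
            return self._token_by_pan[pan]
        tail_len = len(pan) - self.keep_prefix
        while True:
            tail = "".join(secrets.choice("0123456789") for _ in range(tail_len))
            token = pan[: self.keep_prefix] + tail
            # Random digits carry no information about the card; retry on collision.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Return the card number, or None if this vault never issued the token."""
        return self._pan_by_token.get(token)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real card
    old_processor, new_processor = TokenVault(), TokenVault()
    token = old_processor.tokenize(pan)
    print(token, card_type(token))           # analytics work on the token alone
    print(old_processor.detokenize(token))   # issuing vault recovers the card
    print(new_processor.detokenize(token))   # None: the token is not portable
```

Because the mapping exists only in the issuing vault, whoever operates that vault decides whether the tokens stay usable after a processor change.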
We sincerely hope this article has been both informative and a pleasure to read. VPS welcomes any questions, concerns, or comments you may have. Simply contact us at the number above, or find additional contact information on our “Contact” tab.