Tokenization eases merchant PCI compliance

Today, it's expected that merchants accept electronic payments and that those payments are secure with no data leaks or breaches of any kind. But the reality is many merchants don't truly understand the vulnerabilities that electronic payments present. They may think they are secure when in fact they are at risk.

The Payment Card Industry Security Standards Council (PCI SSC) has been addressing security concerns by issuing the PCI Data Security Standard (PCI DSS) and ratcheting up compliance requirements. As a response, the industry has been flooded with solutions claiming to provide heightened security for a merchant's data. Merchants often invest in these offerings out of fear, uncertainty or doubt. What most don't understand is that the solutions are not bulletproof and they still may not be able to pass an audit.

One thing that could help is a solid tokenization solution, which can take companies into a safe harbor and remove navigational stress. According to a recent Gartner Group report, "Using Tokenization to Reduce PCI compliance Requirements", "enterprises that have successfully implemented tokenization … have reduced the scope of … costly PCI compliance audits while keeping sensitive cardholder data more contained and secure."

So what is tokenization? It is a technology that leapfrogs better-known, traditional encryption: it removes sensitive data from enterprise systems, yet it is complementary to legacy enterprise systems.

The technology works by intercepting cardholder data entered into an enterprise payment acceptance system like a Web store, CRM, ERP or POS, and replacing it with a surrogate "token", a unique ID created to stand in for the actual data associated with a specific card number. Tokenization is different from other security solutions dealing with PCI issues because it is "waterproof" vs. "water resistant" (encryption).

Tokenization offers two key benefits: a Software-as-a-service (SaaS) model ensures no customer card data resides within company systems, and it is cost effective.

Benefits of SaaS

With a tokenization solution outsourced via a SaaS model, cardholder data never resides in the merchant's environment. The premise of encryption remains true -- protect sensitive data with complex encryption algorithms wherever sensitive data is stored. But tokenization takes the principle to a new level: protect sensitive cardholder data by removing it from merchant systems entirely. Quite simply, merchants do not need to encrypt what they do not store. Let someone else shoulder the burden.

By eliminating the storage of cardholder data, merchants realize a multitude of financial, operational and security advantages. A tokenization solution requires minimal up-front capital expenditure, if any. And it saves on the back end, too, by preventing costly breaches. If thieves know you don't have any valuable data, they have no reason to break into your systems. And in the event that the worst happens and someone figures out how to hack a token -- the breach would be extremely limited; there would only be access to one card number.
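The following is an added illustration of the model described above and of the "one token, one card" point, not code from the article or from Paymetric. It models a provider-side vault that hands out random surrogate tokens and a merchant record that keeps only the token and last four digits; the class and function names, and the test card number, are constructed for the example.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: rejects obvious garbage before it reaches the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider-side vault (hypothetical): the only component that ever holds the PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        # The token is a random surrogate: no key, no cipher, no mathematical
        # relation to the PAN. Only this lookup table links the two, so a token
        # seen outside the vault yields nothing on its own.
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Used inside the provider when a charge is actually sent to the processor."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """Everything the merchant's own database keeps after checkout."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}   # no PAN, no key material


def record_is_out_of_scope(record: dict) -> bool:
    """True if no stored field looks like a full 13-19 digit PAN."""
    return not any(re.fullmatch(r"\d{13,19}", str(v)) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known test PAN, not a real card.
    rec = merchant_checkout(vault, "4111111111111111")
    print(rec, record_is_out_of_scope(rec))
```

Each tokenize call issues a fresh surrogate, so even two records for the same card resolve independently and only through the vault.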

Cost savings

According to Gartner, a company with 100,000 customer accounts spends $6 per account to roll out encryption appliances. A separate encryption solution is required for each place where credit card data is stored. In a large enterprise there can easily be 10 or 20 systems. That could add up fast.

Transferring cardholder data off premises eliminates those capital expenditures. The less data on site, the less it costs to keep it secure. This will also reduce the complexity of a company's PCI audit. Because the merchant no longer stores cardholder data, it will be removed from the scope of PCI Requirement 3, reducing the number of questions that need to be answered on the audit.

All in all, tokenization greatly reduces risk of breach, operational expenses and bad PR -- all of which ultimately saves money.

To choose a tokenization vendor, make sure it has expertise and execution experience. Vendors must be thoroughly vetted because they will become mission-critical business partners. There is no doubt there is a solution for every company. But you must pick the right partner, one that can fulfill all the company's requirements while understanding its size and complexity.

Tokenization is the answer to security, cost savings and general peace of mind... just be sure to ask the right questions.

Wine is CEO of Paymetric, a provider of integrated and secure electronic payment acceptance solutions that enable companies to streamline the order-to-cash process, reduce the scope and financial burden of achieving PCI compliance and improve return on electronic payment acceptance. Visit www.paymetric.com for additional information.

This story, "Tokenization eases merchant PCI compliance" was originally published by NetworkWorld.