March 31, 2010, 11:42 AM — Today, it's expected that merchants accept electronic payments and that those payments are secure with no data leaks or breaches of any kind. But the reality is many merchants don't truly understand the vulnerabilities that electronic payments present. They may think they are secure when in fact they are at risk.
The Payment Card Industry Security Standards Council (PCI SSC) has been addressing security concerns by issuing the PCI Data Security Standard (PCI DSS) and ratcheting up compliance requirements. In response, the industry has been flooded with solutions claiming to provide heightened security for a merchant's data. Merchants often invest in these offerings out of fear, uncertainty or doubt. What most don't understand is that the solutions are not bulletproof and they still may not be able to pass an audit.
One thing that could help is a solid tokenization solution, which can take companies into a safe harbor and remove navigational stress. According to a recent Gartner Group report, "Using Tokenization to Reduce PCI compliance Requirements", "enterprises that have successfully implemented tokenization … have reduced the scope of … costly PCI compliance audits while keeping sensitive cardholder data more contained and secure."
So what is tokenization? It is a technology that leapfrogs better-known, traditional encryption: it removes sensitive data from enterprise systems, yet is complementary to legacy enterprise systems.
The technology works by intercepting cardholder data entered into an enterprise payment acceptance system like a Web store, CRM, ERP or POS, and replacing it with a surrogate "token", a unique ID created to replace the actual data associated with a specific card number. Tokenization is different from other security solutions dealing with PCI issues because it is "waterproof" vs. "water resistant" (encryption).
Tokenization offers two key benefits: a software-as-a-service (SaaS) model ensures no customer card data resides within company systems, and it is cost effective.
Benefits of SaaS
With a tokenization solution outsourced via a SaaS model, cardholder data never resides in the merchant's environment. The premise of encryption remains true -- protect sensitive data with complex encryption algorithms wherever sensitive data is stored. But tokenization takes the principle to a new level: protect sensitive cardholder data by removing it from merchant systems entirely. Quite simply, merchants do not need to encrypt what they do not store. Let someone else shoulder the burden.
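The flow described above (card data swapped for a surrogate token, with the real number held only by the outsourced service) can be sketched as follows. This is an added example, not code from the article or from any vendor's product; `TokenVault`, `merchant_checkout`, the `tok_` prefix and the in-memory storage are assumptions, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Stands in for the outsourced (SaaS) service: the only place card numbers exist."""
    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the card-number lookup index
        self._by_token = {}  # token -> card number (a real service encrypts this at rest)
        self._by_pan = {}    # HMAC(card number) -> token, so one card maps to one token

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        tag = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if tag not in self._by_pan:
            # Random surrogate: unlike ciphertext, no key turns it back into the card number.
            token = "tok_" + secrets.token_hex(16)
            self._by_pan[tag] = token
            self._by_token[token] = pan
        return self._by_pan[tag]

    def detokenize(self, token: str) -> str:
        # Runs inside the service only, e.g. when submitting a charge to the processor.
        return self._by_token[token]

def merchant_checkout(vault: TokenVault, order_id: str, card_entry: str) -> dict:
    """Merchant side: pass the card entry to the service, persist only the token."""
    return {"order": order_id, "card_token": vault.tokenize(card_entry)}

if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_checkout(vault, "A-1001", "4111 1111 1111 1111")  # constructed test card
    print(record)  # what the Web store, CRM or ERP database ends up holding
```
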