Tokenization: A PCI SidestepNo Card Number Means No PCI Audit -- or Does It?
In theory, tokenized payments are quite secure. When a payment transaction is initiated, the credit or debit card number is replaced with a token, which ultimately is assigned either to a specific transaction or a card number. When the transaction is processed, the card information associated with the token is used, rather than the card number itself. Thus, if a transaction is somehow intercepted or a database compromised, the only thing fraudsters get their hands on is the token.
I can see where that's more secure. And it has some advantages. One industry expert I spoke with called the relationship between tokenization and the payments-processing industry "the perfect storm."
So, does that mean tokenization can cut PCI security-standards compliance out of the picture?
Among tokenization's key advantages:
- Safe consumer data storage;
- Taking the credit or debit card number out of the transaction, making compliance with the Payment Card Industry Data Security Standard, by and large, moot;
- Having a token that can be used for rebilling or recurring payments, since it contains all the information a merchant or business needs, without the card number.
The PCI Security Standards Council sees it a little differently. In fact, during last month's PCI Community Meeting in Orlando, Fla., Troy Leach, the council's chief standards architect, said until the council passes guidance on tokenization, merchants and businesses that invest in tokenization are doing so at their own risk. "Buyer beware," Leach said.
But while the payments industry debates next moves in security best practices for things like tokenization and end-to-end encryption, vendors are moving forward.
Three companies in point: First Data Corp., RSA and Akamai Technologies. All three have recently launched what they describe as innovative tokenization offers - solutions that take credit and/or debit card numbers out of the payments cycle either before or as transactions are processed.
First Data and RSA partnered a year ago to develop their tokenization offer called TransArmor - a solution that is now being used by 3,000 merchants. First Data and RSA expect more than 100,000 merchants to be using TransArmor by the end of the year. In fact, McMillon says Bank of America also recently signed and will deploy TransArmor to its merchants.
Tokenization itself is not so new. Over the last 18 to 24 months, other payments vendors such as Cybersource and Payments Gateway have rolled out their own token-payments services.
But not all tokenization is created equal, as Mike Smith, a security expert at Akamai, points out. "Tokenization varies," he says, hence arguments from First Data and Akamai that their solutions are innovative. RSA's McMillon says a lot of vendors say they offer tokenization when they really don't. "Some are using encryption but referring to it as tokenization," he says.
So how reliable are any of these solutions, with all professing their own take on tokenization? Well, that's debatable. "If you're using a technology and there's no guidance, you're taking a chance," Smith says.
Akamai, which routes e-commerce transactions for 90 of the 100 top online merchants, handles its tokenization in the cloud, before the transaction hits the Web server or the payments gateway. The card information is tokenized "in the middle," if you will, one or two network hops away from the Web browser.
"Wherever you handle the tokenization is where the credit card number resides," Smith says. "A lot of companies that do tokenization do it inside their data center, to limit the scope of where their credit card data goes. We just take it one step further, and actually do that switch before it reaches the merchant's Web server."
From the First Data perspective, the difference is about affiliating the token with a card number, not the transaction. "When the token is affiliated with a card number, then whenever a shopper goes back, the merchant just pulls the same token, so it can be used for loyalty rewards and business analytics," McMillon says. "That's the only reason you would ever need the card data."
So what does the future hold? Here is McMillon's prediction: "Within the next couple of years, I would imagine you aren't going to have anyone holding card data. There is no need to. And the merchant-processor relationship sets the stage perfectly for tokenization."