
MAG Sponsor Spotlight: In The War on Data Breaches, Tokenization Can Help Merchants Fight Back (MAG Quarterly, Volume Six, Issue Three)

By Raoul Aranha, Head of Fraud, Security and Analytics, Bank of America Merchant Services

September 6, 2018

Merchants should consider tokenization as part of a multi-layered approach to combating fraud and data breaches. Providers can work with businesses to evaluate cost-benefits and any risks.

When choosing from an ever-changing array of payment acceptance options, businesses today need to pay close attention to the risks of fraud and data breaches. A valuable way to protect against these threats is tokenization, but the use of this technology should be part of a multi-layered approach that includes encryption and EMV® chip-reader solutions.

First, a quick primer: Tokenization is a security measure in which a consumer's sensitive information, such as a credit card number, is replaced with a placeholder value, or token, that has no exploitable value to criminals in the event of a breach. This is different from encryption, in which a credit card number is hidden but can be recovered by anyone who obtains the proper key.

When payments are processed for businesses, there are two main stages: pre- and post-authorization of the transaction. Pre-authorization is when the cardholder data is captured using a payment device and sent to the consumer's issuer for approval. Post-authorization is when that data comes back to the business from the issuer with an approval response. During transmission (data in motion) and storage (data at rest), a business is exposed to a possible breach if the data is not properly protected.

Under the Payment Card Industry Data Security Standard (PCI DSS), businesses have an obligation to secure their customers' cardholder data. It is also particularly important to protect against any exposure of Personally Identifiable Information (PII), such as names, dates of birth or Social Security numbers that a business might collect about its customers. Criminals can use this data to commit identity theft and other acts of fraud, causing significant harm to consumers.

Tokenization makes it easier for businesses to be in full compliance with PCI DSS and provides PII protection, thereby reducing financial and legal obligations in the event of a breach. If encryption is used by itself, without tokenization, a business is considered compliant, but it remains responsible for the data if an encryption key is stolen along with the card data.

So what should businesses consider when implementing tokenization?

Businesses can build their own token systems, but under this approach a company still keeps its card data in-house in a "token vault," potentially leaving the business exposed in a breach. Another option is for businesses to have their payment processor build and maintain a solution that addresses concerns around security and fraud.

Using a processor's tokenization service may create switching expenses, but providers can work with businesses to evaluate cost-benefits and any risks. The costs are worthwhile if the solution secures a business end-to-end, especially when paired with other fraud services. With tokenization in place, cardholder data is no longer needed in the post-authorization stage for loyalty analytics, settlement, reporting, chargebacks or retrievals; the token is used instead.

While businesses need to be rigorous in evaluating the risks and costs of tokenization, they should also remember that protecting against fraud allows companies to focus on what's most important: creating a seamless and secure experience for their customers.
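The primer above and the in-house "token vault" option are easiest to see in code. The following is an added illustration, not code from Bank of America Merchant Services or from the article: a minimal vault that swaps a card number (PAN) for a random token that keeps only the last four digits, so post-authorization uses such as receipts or chargebacks can work from the token while the vault remains the one place a token can be mapped back. The `TokenVault` class, `luhn_ok` helper and sample PAN are all constructed for this example.

```python
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used here only to reject obviously bad input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative in-house token vault (constructed example, not a production design).

    Tokens are random, so a stolen token list reveals nothing about the PANs;
    the mapping kept here is exactly the asset that must be protected when a
    business runs its own vault instead of using a processor's service.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 12 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._pan_to_token:          # same card always gets the same token
            return self._pan_to_token[pan]
        last4 = pan[-4:]
        while True:
            # Random digits for the body; only the last four digits are preserved.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code with access to the vault can recover the PAN."""
        return self._token_to_pan[token]
```

Without the vault's mapping there is no key that turns a token back into a card number, which is the practical difference from encryption described in the primer.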

EMV® is a registered trademark of EMVCo LLC in the U.S. and other countries, and an unregistered trademark elsewhere.