How does tokenization protect against data breaches
Liability is reduced, data thieves thwarted by tokens.
Credit card tokenization is a powerful tool for combating credit card fraud and keeping personal information secure. The phrase has become more commonplace lately as more credit card processing companies roll out ways of protecting card numbers. One of the best known tokenization tools is First Data’s Transarmor Fraud Prevention system.
What is credit card tokenization? When a customer’s card is swiped through a terminal or reader, the card number (the PAN) is encrypted in transit to the processor, and the processor hands back a “token”: a surrogate value that stands in for the card in the merchant’s systems. The token takes the real card number out of the merchant’s payment processing environment, and even if a token is stolen it cannot be used to make purchases anywhere else.
What is the difference between tokenization and encryption? This is the most commonly asked question about the process, and the two are not alternatives: encryption is still used to get the card data from the terminal to the processing network. The difference is what the merchant is left holding afterwards. With encryption, the card number is still present, just scrambled, and anyone who obtains the key (or breaks a weak or outdated terminal implementation, one reason to replace terminals every few years) can recover it. With tokenization, the merchant holds only a token that has value to that merchant and that processor; the only party that knows the relationship between the token and the card number is the processor, which keeps the mapping in its own vault. A properly generated token is a random value with no mathematical relationship to the card number, so there is no key to crack: a stolen list of tokens cannot be converted back into card numbers. Think of exchanging cash for poker chips that can only be played at one casino’s tables and cannot be cashed out by anyone else.
Merchants can use tokens for recurring billing, to issue a refund, or to respond to a chargeback dispute, without ever storing the card number. This may sound like a nuanced, semantic distinction, but the practical consequence is that you are no longer holding cardholder data, so the scope of your PCI DSS obligations, and your liability if you are breached, drops substantially. Much of the encryption vs. tokenization debate is therefore a false choice: every transaction is still encrypted when it leaves your terminal, but a transaction record built on tokens discloses no cardholder data even if a data thief manages to steal or decrypt it.
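To make the distinction concrete, here is an added example in Python. It is not code from this article or from First Data’s product; it is a toy processor-side token vault built for illustration. The `TokenVault` class, its `tokenize`, `charge` and `refund` methods, the merchant names `merchant-a` and `merchant-b`, and the `tok_` token format are all assumptions made for the demo, and the sample card is the well-known Visa test number 4111111111111111, not a real account. The `xor_keystream` toy cipher exists only to show the contrast the paragraph draws: an encrypted card number is recoverable by anyone holding the key, while a token has no key to recover and is declined when replayed under a different merchant.

```python
# Added example (not from the original article or from any processor's product): a toy
# processor-side token vault showing why a stolen token list is worthless while an
# encrypted card list is only as safe as its key. Card numbers, merchant names and the
# token format are constructed for this demo.
import hashlib
import secrets

# Constructed sample card: the well-known Visa test PAN, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Check a PAN's Luhn check digit; the vault refuses to tokenize malformed input."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream), used only to make the contrast.
    Encrypting and decrypting are the same call: whoever holds `key` gets the plaintext.
    Not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TokenVault:
    """Processor-side vault: the only place the token <-> PAN mapping exists.
    (A real vault would also encrypt the stored PAN at rest; omitted for brevity.)"""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}    # token -> {"merchant": ..., "pan": ...}
        self._by_card: dict[tuple, str] = {}   # (merchant, pan) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Return this merchant's token for the card, minting one on first sight."""
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        token = self._by_card.get((merchant_id, pan))
        if token is None:
            # Random surrogate: no key, hash or formula links it to the PAN,
            # so there is nothing a thief can "crack" offline.
            token = "tok_" + secrets.token_hex(16)
            while token in self._records:       # vanishingly unlikely collision
                token = "tok_" + secrets.token_hex(16)
            self._records[token] = {"merchant": merchant_id, "pan": pan}
            self._by_card[(merchant_id, pan)] = token
        return token

    def _lookup(self, merchant_id: str, token: str):
        rec = self._records.get(token)
        # A token is bound to the merchant it was issued to; it is declined elsewhere.
        if rec is None or rec["merchant"] != merchant_id:
            return None
        return rec["pan"]

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        pan = self._lookup(merchant_id, token)
        if pan is None:
            return {"approved": False, "reason": "token not valid for this merchant"}
        # The PAN surfaces only here, inside the processor, never in the merchant's systems.
        return {"approved": True, "type": "charge", "last4": pan[-4:], "amount_cents": amount_cents}

    def refund(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        pan = self._lookup(merchant_id, token)
        if pan is None:
            return {"approved": False, "reason": "token not valid for this merchant"}
        return {"approved": True, "type": "refund", "last4": pan[-4:], "amount_cents": amount_cents}


def demo() -> dict:
    """Merchant flow: tokenize once, then bill, refund, and survive a token theft."""
    vault = TokenVault()
    token = vault.tokenize("merchant-a", TEST_PAN)
    customer_file = {"customer-42": token}                 # the merchant stores the token only
    first = vault.charge("merchant-a", customer_file["customer-42"], 1999)
    recurring = vault.charge("merchant-a", token, 1999)   # recurring billing from the token alone
    refund = vault.refund("merchant-a", token, 1999)      # refund without ever knowing the PAN
    stolen = vault.charge("merchant-b", token, 1999)      # thief replays the token elsewhere: declined
    return {"token": token, "first": first, "recurring": recurring, "refund": refund, "stolen": stolen}


if __name__ == "__main__":
    r = demo()
    print("token held by merchant:", r["token"])
    print("charge:", r["first"]["approved"], "refund:", r["refund"]["approved"],
          "replay under another merchant:", r["stolen"]["approved"])
    # Contrast: an encrypted PAN is recoverable by anyone who obtains the key.
    key = secrets.token_bytes(32)
    ct = xor_keystream(TEST_PAN.encode(), key)
    print("encrypted PAN recovered with the key:", xor_keystream(ct, key).decode() == TEST_PAN)
```

The refund path also shows the caveat raised in the notes at the end of this page: within merchant-a’s own environment the token is a live credential, so anyone there who can reach the processor with it can move money without ever seeing a card number. Tokenization removes the card data from your systems; it does not remove the need to control who can use the tokens.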
Credit card tokenization is also known as PCI tokenization, because its main purpose is to help merchants meet the PCI DSS (Payment Card Industry Data Security Standard) requirements for protecting card data: systems that store only tokens, and never the card numbers behind them, hold no cardholder data that needs to be secured. The PCI Security Standards Council publishes tokenization guidelines describing what a token service must do (in particular, that a token must not be reversible without access to the processor’s vault) for tokenized data to be treated as out of scope.
Notes and Special Information
Special note: Tokenization has a less obvious downside. A token is still a live credential within your own environment: anyone who can submit it to your processor under your merchant account can run a charge or issue a refund with it, even though they never see the card number. So even though tokenizing cards removes a lot of exposure, restrict access to stored tokens to the systems and staff that actually need them, and log their use, rather than letting the token information become accessible to just anyone in your company.