Is Tokenization the Answer to High Profile Data Breaches?

In the wake of high profile data breaches like those at Target and Michaels, as well as at other retailers and web sites, many consumers are increasingly concerned about the safety of their personal financial information.

One of the solutions being presented is a process called tokenization. “Tokenization is an excellent form of protection for credit card information,” says Jeff Thorness, the CEO of Forte Payment Systems. “Tokenization replaces the sensitive card information with a meaningless surrogate value that is useless to criminals.”

The idea is to create a token, such as 1234A, to reference card data. “The actual card data is stored safely in a payment processor’s secure data vault,” Thorness explains. “When a merchant goes to process a transaction, they can send the request using this dummy value and avoid referencing the real card information.”

As a result, the token acts as a stand-in. The payment processor can match it up, but anyone intercepting the transaction has, instead of valuable card information, a useless string of alphanumeric characters.
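The token-for-card swap described above, as an added sketch that is not from the article or from any payment processor's API. The class and function names, the `tok_` prefix and the rule that a token only works for the merchant it was issued to are assumptions made for illustration; the card number is the widely used Visa test number.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum carried by card numbers; rejects typos and junk input."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Processor side: the only place the real card number (PAN) is kept."""
    def __init__(self):
        self._by_token = {}     # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # Random value, not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, cents: int) -> str:
        owner, pan = self._by_token.get(token, (None, None))
        # Assumption: tokens are bound to the merchant they were issued to,
        # so a token copied from one merchant's database is declined elsewhere.
        if owner != merchant_id:
            return "declined"
        return f"approved {cents} on card ending {pan[-4:]}"

def demo():
    vault = ProcessorVault()
    pan = "4111111111111111"    # constructed sample: standard test card number
    token = vault.tokenize("merchant-a", pan)
    # Merchant side: the stored record holds the token, never the PAN.
    merchant_db = {"customer-17": {"token": token, "last4": pan[-4:]}}
    own = vault.charge("merchant-a", token, 2500)
    stolen = vault.charge("merchant-b", token, 2500)
    return merchant_db, own, stolen

if __name__ == "__main__":
    print(demo())
```
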

Benefits of Tokenization

“There are tons of benefits to tokenization, all of which would provide protection to U.S. citizens,” says Thorness. “The tokenization process is easier for merchants to secure than the alternative, which is securing every process and system that touches payment information.”

Thorness also says that tokenization can reduce the costs of security and compliance because it limits merchant contact with card number data. On top of this, he points out that tokenization wouldn’t be limited to credit cards. It can also be used to protect bank account information and for the processing of eChecks or automatic payroll functions.

Since tokenization is cheaper and easier to implement, and more secure, Thorness believes that more education is needed to encourage merchants and others to adopt the practice. With a bigger push toward education, and with consumers increasingly worried about their data protection, tokenization would be a big step forward.

Is Tokenization the Only Solution?

As helpful as tokenization would be, it’s not a cure-all for the data breach problems that seem to beset us on every side.

Peter Zielke has been in the Information Technology industry, specializing in security, for 18 years. “There are many situations where tokenization will minimize the possibility of a breach, but it is not a magic bullet,” he says.

He points out that an ecommerce company can outsource tokenization to make it a little easier. These companies normally store the card using their own cryptographic methods, so that the database, even if hacked, proves useless to the attacker.

However, Zielke explains that tokenization is mainly for protecting your credit card information and other sensitive information when it is kept on file for future use. It’s a good way to protect the data of customers who want to save a card on file with an online retailer so that it can be easily retrieved and used for online shopping. The problem is that tokenization does little for Target-style security breaches.

“Because the hackers were able to directly piggyback off the swipe terminals, tokenization would not have done any good,” Zielke points out. “The point of capture was before any tokenization could have occurred.”

In order to prevent problems that take place at point-of-sale terminals, Zielke says that the adoption of smart chip credit cards is more likely to provide better protection. Smart chip cards store information that is already encrypted. A microchip is embedded in the card, and that is where the information is stored, rather than on an easy-to-crack magnetic strip. That way, when the card is used at a terminal, the data is already protected, and it’s useless to whoever is trying to grab it from the point-of-sale terminal.

Smart cards, and the chip-and-PIN method that is used widely throughout Europe and is seeing some progress through adoption in Canada, offer more protection at the credit card terminal, but they have been slow in coming to the United States. Part of the reason is that merchants and card issuers would need to spend a little more money to put these systems in place. Chips are more expensive than magnetic strips, and the terminals that read smart cards would need to replace the current terminals.

Zielke sees this as a problem, though, and laments the fact that the United States is so far behind in this technology. “The only viable alternative to fighting off these types of attacks at terminals is to move to smart chip credit cards,” he says.

Tokenization certainly has its place for recurring transactions that don’t require additional card swipes, but it isn’t a catch-all. Until people are ready to put their money where their mouths are, and adopt smart card technology on a wider basis, their personal financial information will be less secure than it could be.