Recently, tokenization has gained widespread attention as one of the most effective solutions organizations can implement to protect sensitive cardholder data. Though encryption is a prevailing security solution as well, there are vast differences between the two, and one or the other may be a better fit for your organization's needs.
With traditional encryption, there are three common challenges that grow exponentially more difficult for organizations that hold payment data in multiple, disparate systems: cost, key management, and application integration. Tokenization helps solve these challenges.
Many people view tokenization as simply the substitution of a credit card number with a meaningless replacement value that has no intrinsic worth to criminals on the black market. But what is tokenization, really? A token can be thought of as a reference or pointer to a credit card number, one that lets systems work with the card without ever handling the number itself. The bottom line is that tokenization is an evolution of the better-known, but less well suited, traditional encryption. With tokenization, sensitive data is removed from enterprise systems entirely. As an added bonus, the technology is complementary to ERP systems.
Drilling deeper, tokenization gives companies the opportunity to eliminate the storage of sensitive information. The technology intercepts cardholder data entered into an enterprise payment acceptance system such as a web store, CRM, ERP or POS, and replaces it with a surrogate value known as a token: a unique ID created to stand in for the actual data associated with a specific card number. This makes tokenization best in class for data security. More than 25 percent of Gartner clients have already adopted payment card tokenization to reduce the scope of their PCI assessments, and three out of four clients calling about PCI inquire about tokenization.
By ensuring that business applications, systems and infrastructure process randomly generated numbers instead of regulated cardholder data, organizations can drastically reduce the controls, processes and procedures needed to comply with PCI DSS. This is particularly true if tokenization is provided to merchants as a service from a third party that stores and manages the cardholder data on their behalf.
The task for merchants is to find an electronic payment security solution that integrates into existing workflows while also:
- Protecting sensitive cardholder data
- Achieving and maintaining PCI DSS compliance
- Reducing the scope of compliance
- Conducting business as usual
- Deploying in a cost-effective manner