The Fraud Blog with Tracy Kitten

Tokenization: A PCI Sidestep

No Card Number Means No PCI Audit -- or Does It?

Token payments are interesting, even if defining them makes my head spin a bit.

In theory, tokenized payments are quite secure. When a payment transaction is initiated, the credit or debit card number is replaced with a token, which ultimately is assigned either to a specific transaction or a card number. When the transaction is processed, the card information associated with the token is used, rather than the card number itself. Thus, if a transaction is somehow intercepted or a database compromised, the only thing fraudsters get their hands on is the token.

I can see where that's more secure. And it has some advantages. One industry expert I spoke with called the relationship between tokenization and the payments-processing industry "the perfect storm."

Among tokenization's key advantages:

  • Safe consumer data storage;
  • Taking the credit or debit card number out of the transaction, making compliance with the Payment Card Industry Data Security Standard, by and large, moot;
  • Having a token that can be used for rebilling or recurring payments, since it contains all the information a merchant or business needs, without the card number.

So, does that mean tokenization can cut PCI security-standards compliance out of the picture? Well, it depends on how you look at it. As Rob McMillon, director of development for RSA's merchant solutions division, says, "PCI rules apply to card data. And since tokenization is not a card number, it's not subject to PCI."

The PCI Security Standards Council sees it a little differently. In fact, during last month's PCI Community Meeting in Orlando, Fla., Troy Leach, the council's chief standards architect, said until the council passes guidance on tokenization, merchants and businesses that invest in tokenization are doing so at their own risk. "Buyer beware," Leach said.

But while the payments industry debates next moves in security best practices for things like tokenization and end-to-end encryption, vendors are moving forward.

Three cases in point: First Data Corp., RSA and Akamai Technologies. All three have recently launched what they describe as innovative tokenization offerings - solutions that take credit and/or debit card numbers out of the payments cycle either before or as transactions are processed.

First Data and RSA partnered a year ago to develop their tokenization offering, called TransArmor - a solution that is now being used by 3,000 merchants. First Data and RSA expect more than 100,000 merchants to be using TransArmor by the end of the year. In fact, McMillon says Bank of America also recently signed and will deploy TransArmor to its merchants.

Tokenization itself is not so new. Over the last 18 to 24 months, other payments vendors such as Cybersource and Payments Gateway have rolled out their own token-payments services.

But not all tokenization is created equal, as Mike Smith, a security expert at Akamai, points out. "Tokenization varies," he says, hence arguments from First Data and Akamai that their solutions are innovative. RSA's McMillon says a lot of vendors say they offer tokenization when they really don't. "Some are using encryption but referring to it as tokenization," he says.

So how reliable are any of these solutions, with all professing their own take on tokenization? Well, that's debatable. "If you're using a technology and there's no guidance, you're taking a chance," Smith says.

Akamai, which routes e-commerce transactions for 90 of the 100 top online merchants, handles its tokenization in the cloud, before the transaction hits the Web server or the payments gateway. The card information is tokenized "in the middle," if you will, one or two network hops away from the Web browser.

"Wherever you handle the tokenization is where the credit card number resides," Smith says. "A lot of companies that do tokenization do it inside their data center, to limit the scope of where their credit card data goes. We just take it one step further, and actually do that switch before it reaches the merchant's Web server."

From the First Data perspective, the difference is about affiliating the token with a card number, not the transaction. "When the token is affiliated with a card number, then whenever a shopper goes back, the merchant just pulls the same token, so it can be used for loyalty rewards and business analytics," McMillon says. "That's the only reason you would ever need the card data."
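The difference between a token tied to a card number and one tied to a single transaction can be shown with a small vault. This is an added example, not code from the article or from any vendor named in it; the `TokenVault` class, its method names, the `tok_` prefix and the test card number are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """Constructed in-memory vault standing in for a tokenization provider."""

    def __init__(self):
        self._pan_by_token = {}   # only the vault can map a token to a card
        self._card_token = {}     # card number -> its one card-bound token
        self._single_use = set()  # transaction-bound tokens not yet redeemed

    def _issue(self, pan):
        # Random value with no mathematical link to the card number; unlike
        # ciphertext, no key turns it back into the card number.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def tokenize_card(self, pan):
        """Card-bound: a returning shopper's card yields the same token."""
        if pan not in self._card_token:
            self._card_token[pan] = self._issue(pan)
        return self._card_token[pan]

    def tokenize_transaction(self, pan):
        """Transaction-bound: a fresh token per payment, redeemable once."""
        token = self._issue(pan)
        self._single_use.add(token)
        return token

    def detokenize(self, token):
        """Processor-side lookup; KeyError for unknown or already-spent tokens."""
        pan = self._pan_by_token[token]
        if token in self._single_use:
            self._single_use.remove(token)
            del self._pan_by_token[token]
        return pan

def merchant_view():
    """What a merchant database would hold after three payments on one card."""
    vault, pan = TokenVault(), "4111111111111111"  # constructed test number
    card_tokens = [vault.tokenize_card(pan) for _ in range(3)]
    txn_tokens = [vault.tokenize_transaction(pan) for _ in range(3)]
    return vault, pan, card_tokens, txn_tokens

if __name__ == "__main__":
    _, _, card_tokens, txn_tokens = merchant_view()
    print("card-bound:       ", set(card_tokens))
    print("transaction-bound:", txn_tokens)
```

The card-bound token repeats across visits, which is what makes it usable for loyalty and analytics, while each transaction-bound token stops resolving once the processor has redeemed it.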

So what does the future hold? Here is McMillon's prediction: "Within the next couple of years, I would imagine you aren't going to have anyone holding card data. There is no need to. And the merchant-processor relationship sets the stage perfectly for tokenization."

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
