When establishing a business, finding the right merchant services provider is paramount. So is securing your transactions, especially in the age of recent credit card data breaches. There will likely never be a failsafe method of securing credit card data from hackers, but tokenization might be the strongest defense yet.
Tokenization, basically defined as the substitution of data, was among the recurring themes at the ETA Transact 14 Conference in Las Vegas Apr. 8-10. Among the other omnipresent themes was EMV technology and several experts affirmed the two could be the best defense in the escalating war against credit card data hackers.
EMV technology is expected to replace the magnetic stripe on credit cards in the U.S. within five years and the four major credit card companies – MasterCard, Visa, American Express and Discover – are in the process of conversion. The companies’ efforts, the result of the recent credit card data breaches, are commendable, but outspoken critics of EMV technology at Transact 14 emphasized that the adoption of tokenization must also happen.
As a child, I spent too much time in the local mall feeding quarters into video games such as Asteroids, Galaga, and many others. Nowadays, most local arcade machines no longer take quarters, only tokens, which have no monetary value other than to give a child 5-10 minutes worth of play on a video game.
The theory behind tokenization of payments is the same: It is the use of a substitute value, or token, in place of the data that has value. This way, if a system using tokens is compromised, it is the tokens that are stolen, not the actual valuable data. Tokenization in a credit card transaction works like this: A merchant swipes the consumer’s credit card, and the 16-digit number immediately is recorded in the merchant database. Tokenization converts the 16-digit number into another, radically different 16-digit number. The mapping of the original 16-digit number is maintained in a secure database.
If hackers make their way into the merchant database, they can only see the token 16-digit numbers that are useless. “EMV is not the ‘silver bullet’ but it can be effective if it is used with tokenization,” said Andrew Henwood, CEO of data forensics firm Foregenix in South Africa. “It is very effective in a card-present environment.”
With tokenization, it is essential that your database is secure. It is important that reversing the mapping to retrieve the original data, the 16-digit number, should be done as infrequently as possible. The fewer times that tokens are converted back to their original data, the more valuable tokenization is.