Last year, mobile payments reached $8 billion in the United States alone, and as a result businesses are feeling the pressure to provide new payment options to their customers. According to ACI Worldwide, a leading payment solutions provider, up to 93% of retailers believe that consumers want more payment options. In response, businesses are introducing, or at least planning to introduce, new payment options for their customers, including mobile and e-commerce payments.
However, implementing new payment methods does not come without challenges. Retailers cite security considerations, the high cost of integrating existing infrastructure with new payment methods, and compliance with customer protection and regulatory requirements as the biggest obstacles to adopting new payment methods, according to ACI.
This is where tokenization comes in. Tokenization offers a solution to secure emerging payment methods such as mobile payments and e-commerce and to avoid the high cost of integrating legacy infrastructure, while taking away the burden of regulatory compliance from businesses and retailers.
What is Tokenization?
Tokenization is simply the process of replacing sensitive information such as personally identifiable information (PII), protected health information (PHI), and credit card numbers with an incomprehensible set of characters called a token. By storing and processing tokens instead of the actual sensitive data, businesses, retailers, and other organizations that use tokenization, together with their customers' information, are protected from security breaches. Furthermore, because these organizations are no longer keeping or processing highly regulated information, the burden of complying with strict security and regulatory requirements is significantly reduced.
How Does the Tokenization Process Work?
Tokenization usually involves three main parts: the input terminal, the tokenization system, and the database.
In a traditional process, data is captured via an input terminal and stored in a database without a tokenization system. In a cashless purchase transaction, for example, a customer swipes his credit or debit card at a Point of Sale (POS) terminal or enters his primary account number (PAN) into a business’s e-commerce website. The POS terminal or the e-commerce website serves as the input terminal. The business captures the customer’s PAN and sends it directly to a payment processor, usually a bank or financial institution, to process the payment. The PAN is then stored in the business’s internal database for record-keeping.
With a tokenization process, the data entered at the input terminal first passes through a tokenization system and is replaced with a string of randomly generated characters called a token. For example, in the cashless purchase transaction, when the buyer swipes his credit or debit card at a POS terminal or enters his PAN on an e-commerce website, the PAN first passes through a tokenization system provided by a third party. The third-party tokenization system replaces the PAN with a token. The token is then sent back to the POS terminal or e-commerce website and is kept in the business’s internal database for record-keeping.
In this case, the customer’s actual PAN is never stored in the business’s database, e-commerce website, or POS systems. The PAN is submitted to the payment provider by the third-party tokenization provider to complete the payment transaction. The third-party tokenization provider is also the one that stores the actual PAN in its secure database, thus assuming the burden of securing the sensitive data.
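The three-part flow described above (input terminal, third-party tokenization system, merchant database) as an added, self-contained Python example; it is not code from the original article or from any tokenization vendor. The vault design, the `tok_` token prefix, the `caller` role check and the sample card number (the well-known `4111111111111111` test PAN, constructed here) are all assumptions. The merchant side only ever stores tokens, and only the payment-processing path is permitted to turn a token back into a PAN:

```python
import re
import secrets

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


class TokenizationSystem:
    """Hypothetical third-party tokenization provider (the 'vault').

    This is the only component that ever holds the real PAN. The merchant
    gets an opaque random token; the PAN can be recovered only by the
    payment-processing path.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13-19 digits")
        # Same PAN -> same token, so a merchant can still recognise a
        # returning customer without ever seeing the card number.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # The token is random, not derived from the PAN, so there is
        # nothing in it to decrypt or reverse.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the payment processor role may map a token back to a PAN."""
        if caller != "payment-processor":
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        return self._pan_by_token[token]


class MerchantSystem:
    """Merchant POS / e-commerce back end: it stores tokens, never PANs."""

    def __init__(self, tokenization_system: TokenizationSystem):
        self._ts = tokenization_system
        self.orders = []  # stands in for the merchant's internal database

    def checkout(self, pan: str, amount_cents: int) -> str:
        # The input terminal hands the PAN to the tokenization system first...
        token = self._ts.tokenize(pan)
        # ...and only the token is kept for record-keeping.
        self.orders.append({"token": token, "amount_cents": amount_cents})
        return token


def charge(ts: TokenizationSystem, token: str, amount_cents: int) -> dict:
    """Payment-processor side: recover the PAN and 'charge' it (simulated)."""
    pan = ts.detokenize(token, caller="payment-processor")
    return {"charged_pan_last4": pan[-4:], "amount_cents": amount_cents}


def detokenize_allowed(ts: TokenizationSystem, token: str, caller: str) -> bool:
    """True if the given caller role can recover the PAN from the token."""
    try:
        ts.detokenize(token, caller=caller)
        return True
    except PermissionError:
        return False


def pan_in_records(records: list, pan: str) -> bool:
    """What an attacker who dumped the merchant database would find."""
    return any(pan in str(record) for record in records)


def demo():
    ts = TokenizationSystem()
    merchant = MerchantSystem(ts)
    first = merchant.checkout(SAMPLE_PAN, 1999)
    second = merchant.checkout(SAMPLE_PAN, 500)  # same customer, same token
    return ts, merchant, first, second


if __name__ == "__main__":
    ts, merchant, t1, t2 = demo()
    print("token:", t1, "| same customer recognised:", t1 == t2)
    print("PAN present in merchant DB:", pan_in_records(merchant.orders, SAMPLE_PAN))
    print("processor charge:", charge(ts, t1, 1999))
    print("analytics may detokenize:", detokenize_allowed(ts, t1, "merchant-analytics"))
```

The point worth noticing is that a compromise of `merchant.orders` yields only `tok_...` strings, and the breach impact then depends entirely on how well the vault's `detokenize` path is access-controlled and monitored; that path, not the token format, is what needs the strongest protection.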
For mobile payments, Apple Pay provides a perfect example of how tokenization works. A customer takes a picture of his debit or credit card using an iPhone. Apple captures the customer’s PAN and sends it to the bank or financial institution that issued the credit card. The bank generates a token and sends it to Apple. Finally, Apple stores the token, not the PAN, on the customer’s iPhone.
Why Should Businesses Embrace Tokenization?
The advantages of tokenization go beyond data security. Its many benefits include:
Enhanced security and protection from breaches
Tokenization significantly improves a business’s end-to-end security of sensitive data, from the point of capture to storage. By replacing sensitive information with tokens, businesses and organizations no longer have to capture high-risk information in their input terminals, process and transmit this data across various departments and information systems, and store it in internal databases.
At the same time, tokenization protects businesses from the impact of security breaches. Should a criminal or hacker compromise a business’s information systems, the hacker will only be able to get his or her hands on the tokens, which are worthless and meaningless on their own. Tokens cannot be decrypted or reverse-engineered, which makes tokenization more secure than encryption.
Increased customer assurance
Security remains the top concern of both businesses and consumers when it comes to e-commerce. According to ACI, 54% of businesses cite security concerns as the primary reason why they are not investing more in their payment infrastructure. Outside North America, Europe, and some developed countries in Asia, security concerns are also hindering consumers from transacting online and participating in e-commerce. According to the United Nations Conference on Trade and Development, this “lack of trust is most likely to keep people off e-commerce platforms in the Middle East, Africa and Latin America.”
As tokenization provides an added layer of security for e-commerce websites by protecting critical customer information from security breaches, tokenization can also build trust and assurance among businesses and consumers.
Reduced scope of regulatory compliance
One of the biggest drivers of tokenization is reducing the scope of compliance with such data security and privacy regulations as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) by reducing the footprint of where data covered by these regulations is stored throughout an organization.
PCI DSS requires organizations that accept, transmit, or store any cardholder data to ensure that cardholder data is adequately protected. This means that any business that accepts payments via credit card is covered by this regulation. Aside from building and maintaining secure networks and implementing security safeguards, covered organizations and businesses are also required to report periodically to demonstrate that their individual systems and databases comply with PCI DSS requirements.
On the other hand, HIPAA requires covered entities such as healthcare providers and health insurance companies to establish safeguards to protect patients’ PHI. It requires covered entities and business associates to establish administrative, technical, and physical safeguards to maintain the integrity, confidentiality, and security of electronic PHI.
By using tokens to replace sensitive cardholder data or PHI in an organization’s systems, tokenization significantly reduces the organization’s scope of compliance with the PCI DSS or HIPAA. It thus reduces the amount of effort required to meet regulatory standards, the subsequent cost of compliance, and the risk of non-compliance. Furthermore, by decreasing the organization’s overall data footprint, it increases audit success by effectively reducing the scope of the audit.
A Secure, Cloud-Based Tokenization Solution
Liaison’s tokenization solution stores sensitive data in its encrypted cloud, narrowing the scope of an enterprise’s systems, applications, and processes that need to be audited for compliance with PCI DSS and other credit card-related regulations. Delivered using the ALLOY™ Platform, Liaison’s cloud tokenization technology enables credit card, payment, and data tokenization for sensitive information such as PII, PHI, and credit card data. It also manages the competing objectives of access and security by substituting sensitive data throughout enterprise systems with format preserving tokens. This enables enterprises to avoid the need for back-end system modifications and allows data analysis operations to continue as usual.
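An added Python example of the format-preserving tokens mentioned above; it is not Liaison's code and does not describe the ALLOY platform. The scheme is a hypothetical one: the token keeps the PAN's length and its last four digits, the remaining digits are random (not derived from the PAN), and the result is deliberately forced to fail the Luhn check so that a token can never be mistaken for, or accepted as, a real card number. The two "legacy" functions stand in for existing back-end code written against raw PANs, to show that it keeps working on tokens without modification. The sample PAN is the constructed `4111111111111111` test number.

```python
import secrets

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check used to validate card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def format_preserving_token(pan: str) -> str:
    """Return a same-length, digits-only token that keeps the last 4 digits.

    Hypothetical scheme (assumption of this example): the leading digits are
    random, and the token is forced to fail Luhn so it is never a valid PAN.
    """
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    body = [str(secrets.randbelow(10)) for _ in range(len(pan) - 4)]
    token = "".join(body) + pan[-4:]
    if luhn_valid(token):
        # Changing any single digit by one always flips the Luhn result,
        # so one adjustment is enough to make the token fail the check.
        token = str((int(token[0]) + 1) % 10) + token[1:]
    return token


# Legacy merchant code written for raw PANs, left exactly as it was:
def receipt_mask(number: str) -> str:
    """Customer-facing display: only the last four digits are shown."""
    return "*" * (len(number) - 4) + number[-4:]


def legacy_length_check(number: str) -> bool:
    """A typical input validation rule from a back-end system."""
    return number.isdigit() and 13 <= len(number) <= 19


if __name__ == "__main__":
    token = format_preserving_token(SAMPLE_PAN)
    print("token:            ", token)
    print("receipt (PAN):    ", receipt_mask(SAMPLE_PAN))
    print("receipt (token):  ", receipt_mask(token))
    print("legacy check ok:  ", legacy_length_check(token))
    print("Luhn PAN / token: ", luhn_valid(SAMPLE_PAN), luhn_valid(token))
```

Preserving length, character class and the last four digits is what lets column types, validation rules and receipt formatting stay untouched, while the forced Luhn failure gives monitoring a cheap way to tell stored tokens apart from a real PAN that leaked into a system by mistake.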
With Liaison’s tokenization technology, enterprises can minimize points of risk by allowing customers to bypass their systems altogether and transmit payment card data directly to Liaison’s cloud. Enterprises can also minimize the costs associated with compliance with PCI DSS and HIPAA requirements or building on-premises tokenization solutions. Contact our data experts to learn more about our tokenization solution.