by Bill Cohn, Director of Product Management, Vantiv eCommerce
By now, most organizations that conduct eCommerce business understand the value and criticality of payment data security and the use of tokenization to protect their customers’ data and, ultimately, their own reputations. No company can claim that its systems are immune from breaches, and it’s clear that the cost of being breached while holding cards on file is untenable.
So, what should you consider when selecting a tokenization provider? What makes for a cost-effective solution that fits the way you do business online . . . both today and in the future?
Here’s a list of the top eight essential considerations when selecting a robust eCommerce data security solution.
The first four explore aspects of the token itself that make the solution fit your systems, processes, and future expansion. The next four then look at operational considerations that can directly impact your “total cost of ownership.”
1. Service Compatibility ─ Your tokens must be fully compatible with all standard processing transactions, including authorizations, deposits, sales, refunds, and chargebacks. Equally important is that they should work seamlessly with related payment value-added services, including account updating, recycling, fraud detection, chargeback prevention, and customer insight data services.
2. Format Preservation ─ No doubt you’ve made significant investments in order management, billing, enterprise resource planning (ERP), and other back-office systems to run your business. Tokens must be compatible with your systems, which expect primary account numbers (PANs). With format preservation, each token is the same length as the card number it replaces – generally 15 or 16 digits – so you don’t have to modify your systems. Plus, format-preserved tokens include the last four digits of the PAN so your users can select their card on file – their token in this case.
Also, look for a payment system that provides the bank identification number (BIN), which can be valuable for your data analytics and operations. The BIN may be provided either within the token itself or delivered as a separate data field.
3. End-to-End Protection ─ While it’s essential that you use tokens for all of your retained data (i.e., cards on file), ideally PANs should never touch your systems. Look for a solution that protects you by replacing the PAN with a token prior to the authorization, at the initial capture of the card, whether that’s in an online shopping cart, in your mobile app, or at a POS terminal. By tokenizing at the point of card entry, you eliminate the risk of theft while the data is “in transit” and you minimize your PCI scope, which can reduce your annual compliance cost burden.
4. Channel Neutral ─ As you expand the channels through which you offer your products and services, your customers expect to be able to use the same card on file, whether online, via a mobile app, in-store, or at a mobile POS. The fact that you’re using tokens should be transparent to your cardholders, which means you need the ability to use one token in all your channels. Make sure your provider offers an “omni-token” solution so you can adapt to the ever-changing commerce landscape.
5. Portability ─ An eCommerce data security solution should never hold your cards “hostage.” You need the option to “de-tokenize,” whether to sell a business unit or change payment processors. Also, if you will be migrating from another token provider, you don’t want to be exposed to PANs during the transition. Make sure your provider can obtain a mapping file from the incumbent and then produce a file for you with new tokens mapped to your old token values.
6. Ease of Implementation ─ Tokenization shouldn’t require a substantial coding effort. Look for clear, well-written documentation, a robust test and certification system, and dedicated implementation personnel who will make the process straightforward and highly productive for you.
7. Unlimited Use ─ The most cost-effective tokenization solutions charge you only when you create a new token and the provider places the PAN in their “vault.” As long as the card number doesn’t change, you shouldn’t have to pay any recurring charges, storage fees, or per-transaction fees for using the token.
8. Ease of Compliance ─ When you conduct a yearly assessment of your company’s compliance with PCI guidelines, the primary method for discovering vulnerabilities is to scan your systems to see if your “data footprint” includes PANs. All the major payment networks use card values that pass what are known as “Mod 10 validations” or “Luhn checks.” If the tokens you store also pass the Mod 10 check, it can be very difficult to prove that you aren’t storing PANs. The best data security solutions use tokens that are “Mod 10+1” checked, meaning they deliberately fail the Luhn check, so scanning software won’t falsely identify your tokens as PANs. Also, Mod 10+1 tokens will never be mistaken for a credit or debit card and – most importantly – will be completely useless to a thief if stolen.
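As an added illustration (not Vantiv’s code or token format), here is a Python sketch of the two token properties described in items 2 and 8: a format-preserving token that keeps the PAN’s length and last four digits (optionally the six-digit BIN) and is “Mod 10+1” checked, so the Luhn-based discovery scan modelled by `looks_like_pan()` does not flag it. The PANs used are the industry’s standard test numbers, and the single-digit adjustment used to force the Luhn sum to 1 mod 10 is an assumed construction, not a description of any provider’s method.

```python
import secrets


def luhn_sum(digits: str) -> int:
    """Luhn (Mod 10) weighted sum: double every second digit from the
    right and subtract 9 from any doubled value above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def passes_luhn(number: str) -> bool:
    """True when the digit string passes a Mod 10 / Luhn check."""
    return number.isdigit() and luhn_sum(number) % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Crude stand-in for a PCI data-discovery scanner: flags any run of
    15-16 digits that passes Mod 10 as a possible card number."""
    return value.isdigit() and 15 <= len(value) <= 16 and passes_luhn(value)


def tokenize(pan: str, keep_bin: bool = False, rng=None) -> str:
    """Replace a PAN with a format-preserving 'Mod 10+1' token.

    Keeps the length and the last four digits (and the 6-digit BIN if
    keep_bin is set), fills the rest with random digits, then nudges one
    random digit so the Luhn sum is congruent to 1 mod 10, guaranteeing
    the token fails a Mod 10 check.  (Assumed construction, for illustration.)
    """
    if not pan.isdigit() or not 15 <= len(pan) <= 16:
        raise ValueError("expected a 15- or 16-digit PAN")
    rng = rng or secrets.SystemRandom()
    head = pan[:6] if keep_bin else ""
    body_len = len(pan) - len(head) - 4
    body = "".join(str(rng.randrange(10)) for _ in range(body_len))
    token = list(head + body + pan[-4:])
    # The 5th digit from the right is always a random, un-doubled digit, so
    # adding delta to it shifts the Luhn sum by exactly delta (mod 10).
    i = len(token) - 5
    delta = (1 - luhn_sum("".join(token))) % 10
    token[i] = str((int(token[i]) + delta) % 10)
    return "".join(token)


if __name__ == "__main__":
    for pan in ("4111111111111111", "378282246310005"):  # standard test PANs
        tok = tokenize(pan, keep_bin=True)
        print(pan, "->", tok, "| scanner flags token:", looks_like_pan(tok))
```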
Not all eCommerce data security solutions are alike. From token formats, to service compatibility, to managing your compliance effort, the differences among service providers can directly impact your bottom line.
Before you make a decision, be sure to take a deeper look and select a provider whose service meets all of your current and future needs.
Bill Cohn is Director of Product Management, Vantiv eCommerce.