As merchants large and small scramble to protect sensitive customer data, credit card tokenization has emerged as a key form of defense. Tokenization replaces sensitive payment data with a unique token generated by complex algorithms that cannot be duplicated or decoded. The actual value of the data is zero without the ability to decipher it. The token can then be used in subsequent transactions in place of the actual card number, maintaining the functionality associated with storing card data, such as recurring billing.
Payment tokenization is intended to address the risk of unauthorized access associated with stored cardholder data. Tokens are particularly useful in situations where the card number is stored for future use like recurring billing or tip adjustment.
Easier than it sounds
If you’re unfamiliar with the technology, it may sound complicated and too complex to be accessible to small businesses. But the exact opposite is true. Tokenization is one of the most effective and most affordable ways for small merchants to protect their customers and their business.
When you use tokenization your POS system does not store actual card-specific payment data. If actual payment data doesn’t exist on the POS, merchants can maintain compliance much more easily. Tokenization can be directly built into your integrated POS system so when a card is swiped a token is automatically generated and submitted for approval. Then, a token is returned to the POS system with the transaction authorization approval response. It can even be stored securely for future use which is particularly useful for recurring billing or tip adjustment.
Tokenization alone is not enough
While tokenization is certainly one of the best payment security defenses for vulnerable data, it's worth noting that a payment system remains vulnerable without additional layers of security.
Tokenization combined with end-to-end (E2E) or point-to-point encryption (P2PE) creates a comprehensive solution for protecting merchant and consumer data.
P2PE encrypts card data from the entry point of a merchant’s point of sale to a point of secure decryption outside of the merchant’s environment, such as a payment processor. In a P2PE environment, cardholder data is not in the clear (visible in clear text), and the confidentiality and integrity of the data-in-motion is maintained securely point-to-point.
P2PE is intended to directly address the risk of unauthorized interception associated with cardholder data-in-motion such as during transmission of a transaction from the POS terminal to the payment processor. It does not address data-at-rest (stored cardholder data) in legacy or other systems used for ongoing operations. In a nutshell, it means the card number is encrypted from the moment a card is swiped and for the duration of the transaction. Without E2E, when a card is swiped the card number is recorded in clear text for a split second before the POS encrypts it, making it vulnerable to data thieves.
For more information on how to implement tokenization, contact Vantiv or your POS provider.