How Tokenization Affects PCI Compliance
PCI compliance is the set of security measures mandated by the Payment Card Industry Security Standards Council for any merchant that stores, processes, or transmits cardholder data. The PCI DSS (Data Security Standard) is organized into 12 requirements that merchants must meet, or risk hefty fines and penalties from the card brands and their acquirer.
PCI compliance is not, unfortunately, a quick and easy standard to reach. The reason should be obvious: the data you are responsible for protecting is sensitive in the extreme, and gaps in its protection tend to end in breaches, loss of data, and loss of reputation.
What, then, is a company to do if PCI compliance is such a complicated matter?
Recently, outsourcing payment processing has become a popular option. It avoids the sweeping changes to business practices that in-house compliance would require, and it places the sensitive data with a company that (hopefully) specializes in PCI-compliant security. Note that outsourcing reduces the merchant's scope, not the merchant's responsibility: you still have to confirm that the provider is itself validated (typically by obtaining its Attestation of Compliance) and to secure whatever part of the card flow you still control.
Still, outsourcing alone leaves a problem: the card data still enters your environment at the point of capture and is then transmitted to the provider, and every system that touches the card number on that path remains in scope. An attacker who compromises a point-of-sale terminal, a web checkout page, or the link to the provider can intercept, divert, or otherwise manipulate that data.
The answer that has surfaced is tokenization. The idea is not new, but its use for payment data has spread quickly. With it, merchants can conduct transactions without keeping the card number itself on their own systems, which is where most of the risk, and most of the compliance scope, lies.
Tokenization is an affordable option for merchants working toward PCI compliance because it can generally be integrated with a merchant's existing procedures with minimal interruption or change to the company's normal way of doing business.
Tokenization works like this: a merchant accepts a payment card, or the associated card data, from a customer; the process applies equally to retail outlets and to card-not-present transactions. The customer's card data is sent once to the service provider (the company providing the tokenization or payment processing), which stores it in its own vault, generates a random, unique surrogate value, and returns that value to the merchant. The strength of the scheme rests on that generation step: the token must come from a cryptographically secure random source, or otherwise be infeasible to reverse, so that nothing short of a lookup in the provider's vault can map it back to the card number.
With this token in place, it is the only value the merchant needs to store on-site. It is enough to look up customer records, run further transactions through the provider, and set up recurring billing, because the provider resolves the token back to the card number on its side.
The most obvious benefit is that a system holding nothing but a list of random 16-digit tokens holds nothing of value for a thief. Even if an attacker intercepted a token in transit, there is no key to recover and no formula to invert; the mapping exists only in the provider's vault. Two caveats keep this honest. First, a token is worthless to an outsider only if the provider accepts it solely from the merchant account it was issued to, so that a stolen token cannot be replayed by someone else; confirm that your provider binds tokens to your account. Second, tokenization removes the card number from storage, not from capture: the terminal or checkout page that first reads the card, and the connection that carries it to the provider, remain in scope and still need protecting.
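The flow described above, as an added example written for this article (it is not code from any tokenization provider): a simulated provider-side vault that validates the incoming card number, issues a random surrogate that keeps only the last four digits for display, binds the token to the merchant that requested it, and is the only place the token can be resolved back to a card number. The merchant-side record never contains the PAN. The PAN used is the well-known Visa test number, the in-memory dicts stand in for the provider's encrypted store, and the choice to make tokens fail the Luhn check (so they cannot be mistaken for real card numbers) is a design decision of this example, not a PCI requirement.

```python
"""Minimal simulation of vault tokenization.

Provider side (TokenVault) holds the only PAN <-> token mapping.
Merchant side keeps nothing but the token and display data.
The PAN below is a constructed test value, not a real account.
"""
import secrets
from dataclasses import dataclass, field

SAMPLE_PAN = "4111111111111111"   # well-known Visa test PAN (passes Luhn)


def luhn_ok(number: str) -> bool:
    """Luhn check used by card brands; a syntactic PAN test, not proof of validity."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Service-provider side. In production this store is encrypted and
    access-controlled; here it is a plain dict so the flow is visible."""
    _by_token: dict = field(default_factory=dict)  # (merchant_id, token) -> PAN
    _by_pan: dict = field(default_factory=dict)    # (merchant_id, PAN) -> token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("input is not a plausible PAN")
        # Multi-use token: the same card for the same merchant maps to the same
        # token, so recurring billing and customer lookup work without the PAN.
        existing = self._by_pan.get((merchant_id, pan))
        if existing:
            return existing
        while True:
            # Random digits from a CSPRNG, not derived from the PAN: no key or
            # formula recovers the PAN from the token, only the vault lookup.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # keep last four for receipts and UI
            if luhn_ok(token):               # example design choice: tokens fail
                continue                     # Luhn so they never look like PANs
            if (merchant_id, token) not in self._by_token:
                break
        self._by_token[(merchant_id, token)] = pan
        self._by_pan[(merchant_id, pan)] = token
        return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Provider-only operation, and only for the merchant that owns the token."""
        try:
            return self._by_token[(merchant_id, token)]
        except KeyError:
            raise PermissionError("token not issued to this merchant") from None


def merchant_checkout(vault: TokenVault, merchant_id: str, pan: str) -> dict:
    """Merchant side: send the PAN once, keep only the token and display data."""
    token = vault.tokenize(merchant_id, pan)
    return {"token": token, "last4": token[-4:], "merchant": merchant_id}


def provider_charge(vault: TokenVault, merchant_id: str, token: str, cents: int) -> dict:
    """Provider side: resolve the token to the PAN and (pretend to) authorize."""
    pan = vault.detokenize(merchant_id, token)
    return {"approved": cents > 0, "pan_last4": pan[-4:], "amount": cents}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_checkout(vault, "merchant-A", SAMPLE_PAN)
    print("merchant stores:", record)
    print("later charge:", provider_charge(vault, "merchant-A", record["token"], 1999))
    try:
        provider_charge(vault, "merchant-B", record["token"], 1999)
    except PermissionError as exc:
        print("replay by another merchant rejected:", exc)
```

The two properties worth checking against any real provider are visible here: `tokenize` never returns a value computable from the PAN, and `detokenize` refuses a token presented under a different merchant identity, which is what makes a stolen token list worthless to an outsider.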
Methods like tokenization are a good way to reach PCI compliance because much of the burden shifts to a company prepared to spend the time and resources to protect cardholder data, leaving the merchant accountable only for its own, much smaller, scope. Guarding this information is a constant battle, and the only way to ensure its safety is perpetual vigilance. Many merchants, unfortunately, are not prepared to do this. It is not that they have no interest in PCI compliance, or that they do not care about customer data, because they do. It is simply that, given the demands of running their regular business every day, they do not have the resources to deal with compliance.
This does not, however, change the fact that the PCI DSS is a requirement and cannot be ignored.
The Payment Card Industry will continue to evolve, as will the tactics attackers use to gain access to your systems, which in turn prompts the standard to evolve again. This has had a disabling effect on some merchants, to whom the requirements seem ever less attainable.
But the truth is that PCI compliance is within reach. If you have to outsource certain aspects of your payment processing or employ tokenization, do it now, and gain the safety that comes with being compliant.