What is Credit Card Tokenization?

What does tokenization mean?

With regards to data security, tokenization refers to the process of substituting valuable data elements with non-valuable equivalents.  The basic concept behind tokenization has origins dating back thousands of years. Over the centuries any time someone felt the need to protect currency or a valuable item during a transaction, by switching it with a less-valuable item, tokenization was occurring. Outside of computers and data networks, common everyday examples of tokenization include casino chips and bus tokens. By definition, a token serves merely as a reference to the original item or currency, and provides value only within an authorized isolated ecosystem that validates its purpose. For example: A bus token from a Chicago bus line is unusable on a bus in New York City, unless NYC transit authority were to authorize and recognize Chicago tokens as valid bus fare. The parameters of said ecosystem can be as narrow or as wide as the tokenizing entity chooses. Thus, the narrower the ecosystem scope is, the more limited a token’s acceptance becomes- which consequently reduces exposure to unauthorized users.

 Data Tokenization

The constant threat of cyber attacks and fraud has made data (both personal and financial) extremely susceptible to exploitation. Tokenization technology digitally converts sensitive data to less valuable digital assets (tokens) that have little or no value outside a specific digital ecosystem.  Once a data element has been tokenized, the data in its original form no longer plays a role within the designated ecosystem and is therefore protected. Thus, in the event of a data breach; hackers are extremely limited by how tokens can be used and are left with data elements of no monetary value. In fact, it is the actual tokenization process that provides the only financial vulnerability, since it creates the only point of exposure for the original data element within the ecosystem. For that reason, for tokenization to succeed as designed, the actual tokenization process must be secure and reliable. In addition, there is no distinguishable relationship between original data elements and their tokenized results, creating value and reference only within the ecosystem. For this reason, tokenization provides excellent security to data that is stored or “at rest.”

 

What role does tokenization play in today’s credit card processing?

As high profile data breaches have increased, the need to not only block external threats but also to shield digital assets has led to the implementation of various security techniques including tokenization and encryption. When tokenization is utilized within credit card processing, it provides substantial protection to consumers and business alike, by yielding only unusable tokens to hackers; fraudsters must instead seek more valuable digital assets such as actual credit card numbers or social security numbers elsewhere. With regards to credit card processing, encryption serves an important role when data is transmitted across digital networks. Since tokens exist and operate strictly within their designated ecosystems, encryption serves as both a digital connection and translation across two or more ecosystems.

Credit card tokenization process

Encryption

Encryption is the process of encoding or scrambling sensitive data elements into an unrecognizable and unreadable digital jigsaw puzzle. For encryption to be successful within designated connections, the encryption process must consistently produce the exact same encryption result for any given value- regardless of the point and time of encryption.  Unfortunately, while encryption does provide a substantial layer of protection against unauthorized viewing, it does not prevent the interception of the actual encrypted message. Thus, encryption by its very nature brings the inherited vulnerability that much like any jigsaw puzzle; one true solution technically does exist and can be applied from either inside or outside a specific digital ecosystem. This weakness has led hackers to develop sophisticated programs that have ultimately succeeded in untangling encrypted elements previously considered unbreakable.

Tokenization vs. Encryption

A common misconception is that tokenization and encryption are essentially the same and are therefore interchangeable, when in fact they affect data elements very differently and at different stages within transactions. If tokenization protects data elements that are in use and at rest, it can be said encryption “masks” those elements while they are in transit across digital networks.  It is generally accepted by data experts that tokenization and encryption not only complement each other in building a formidable data defense, but are codependent entities that can only provide maximum benefit when both are in place within a transaction.

 Storing Digital Assets

The actual location and storage of sensitive digital data can vary. Many organizations choose to store data in-house on local data servers, although this practice is rarely recommended by security experts- as it provides a centralized target for hackers. Others choose to hire an online backup service, which were considered innovative many years ago, but are technologically limited by today’s standards- as they only allow users to back up and restore files. Still others choose a cloud-based solution, since an intangible virtual vault provides a more elusive target for hackers. Cloud based storage also provides users remote accessibility and functionality, regardless of where they may be, which allows continuous round-the-clock productivity.

Credit card tokenization

The Future of Tokenization

Most industry analysts agree, when properly implemented and enforced, tokenization will continue to play a major role in fending off advanced threats that seek to exploit sensitive data. Both the Payment Card Industry Security Standards Council and the Clearing House Payments Company (an organization representing 22 of the world’s largest banks) are staunch advocates of the benefits tokenization brings to both companies and consumers in the digital age.


Sources:
http://cardnotpresent.com/news/default.aspx?id=11487
https://securosis.com/assets/library/reports/Securosis_Understanding_Tokenization_V.1_.0_.pdf
http://www.pcworld.com/article/2062140/payment-card-industry-gets-updated-security-standard-with-new-requirements.html
http://www.computerworld.com/article/2487635/data-security/banks-push-for-tokenization-standard-to-secure-credit-card-payments.html