If you’re on the cutting edge in pop culture, you know a thing or two about tokens. They fly into and out of arcade machines; they slide around the Monopoly board; they even graced us with a number one hit in 1961.
These days, however, tokens have taken a far more important role in our lives, helping us protect our payment data when we make purchases online or over the phone with our credit cards. Tokenization is a relative baby in the technological world, having first been applied at a payment card industry (PCI) security summit in 2005, but, once more widely implemented, it will be a very important factor in securing credit card information from hackers and other nefarious online entities.
Security: a bigger deal than ever nowadays
Simply put, as more and more consumers turn to credit cards for purchases, the number of people affected by a credit card data breach grows exponentially. Recent data breaches at Target and Best Buy have put payment card security into the forefront of everyone’s mind, consumers and business owners alike. If you weren’t affected yourself, you no doubt heard the news stories surrounding them.
Advances like the EMV chip have been in the works now for years, and the US will have joined the rest of the world in adopting the technology by around October 2015. Since EMV technology consists only of a physical chip inside a credit card, it’s very effective in curbing fraud in card-present environments like retail stores or supermarkets; however, against card-not-present transaction fraud it doesn’t do a thing, and, whenever card information is stored inside a merchant’s own server, it doesn’t matter whether the cards were present or not at the time of the transaction–all of the information is susceptible to a break.
Tokenization bridges the gap
Fortunately, the advent of tokenization has brought merchants a way to encrypt card information in card-present or card-not-present environment and avoid data breaches altogether. Tokenization converts a customer’s credit card information into a string of meaningless numbers that are stored in a virtual vault and can be recalled when necessary (to look up a transaction, for example.) To outsiders like hackers, the tokens themselves only contain random numbers, rendering the data inside completely useless. Indeed, if Target, Best Buy, and other companies affected by the data breaches had had the foresight to use credit card processing that supplied tokenization, they could have avoided those costly problems.
Of course, the need for tokenization has given way to a few nifty developments in the tech world. ApplePay, for one, uses a self-authenticated token–a picture of your face–to verify your identity, and, as the demand for higher security becomes more and more prevalent, I’m sure we’ll see more of these developments come our way. It’s important to remember as well that you are only liable for damages from a data breach if you store your customers’ information on your own server (or store data in another non-PCI compliant way like writing it down and saving it for later). If your processor stores data on their own server, they assume all liability in the event of a breach–not you.