First Data Corp. will update its TransArmor tokenization service in 2015 to make it platform-agnostic, while expanding the number of sales channels it is available through, says a First Data executive.
Launched in 2010, TransArmor provides merchants a way to mask sensitive cardholder data by replacing it with a string of characters, called a token, that bears no resemblance to the original data. If stolen, the token is meaningless without access to the technology to decode it.
“We will be able to serve those merchants with dual acquiring relationships or with no acquiring relationships,” Paul Kleinschnitz, First Data senior vice president of cyber-security solutions, tells Digital Transactions News. First Data has generated close to 4 billion tokens since TransArmor’s launch, he says.
That means merchants won’t have to be First Data payment-processing clients. “The intent really is to get [TransArmor] outside of acquiring dependencies,” Kleinschnitz says.
Interest in tokenization schemes is increasing in the wake of several high-profile data breaches, such as those at Target Corp. and The Home Depot Inc., Kleinschnitz says. A big boost in interest followed the Oct. 20 debut of Apple Pay, where tokenization was explained in simplified language by Tim Cook, Apple’s chief executive, during a presentation.
“What I love about Apple Pay is Apple made cool what First Data has been doing for five years,” Kleinschnitz says.
“Target brought heightened awareness of security vulnerabilities to consumers and the public,” he says. Target’s $100 million investment in converting its payments system to a chip-compatible one may have given some the impression that chip cards using the Europay-MasterCard-Visa (EMV) standard would alleviate the impact of a data breach, Kleinschnitz says. “There is some false belief that EMV is a silver bullet,” he says. “Beyond the authentication process, if there is no encryption in the terminal that data is going in the clear.”
Indeed, a combination of tokenization, EMV, and encryption is viewed as fundamental to the best available approach to payment-data security, says Randy Vanderhoof, executive director of the Smart Card Alliance, a Princeton Junction, N.J.-based trade association. “Implementing one without the other leaves aspects of the system still vulnerable,” Vanderhoof says.
Because chip cards using EMV authenticate themselves to the point-of-sale terminal and vice versa, EMV will help prevent counterfeit card fraud, he says. Adding encryption and tokenization provides even more security. Tokenization differs from encryption in that it involves a random assignment of characters to mask the original cardholder credential, whereas with encryption the masking characters are mathematically derived from the credential.
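The distinction drawn above, as an added example that is not part of the original article and is not First Data's or TransArmor's code: a hypothetical in-memory vault issues random tokens, beside a toy keyed transform standing in for encryption. The class and function names, the token format (digits only, same length as the card number), the one-token-per-card behaviour and the sample card number are all assumptions.

```python
import hashlib
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test value, not a real card


class TokenVault:
    """Hypothetical in-memory vault (assumption: one token per card number)."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan):
        if pan in self._by_pan:  # same card -> same token (recurring use)
            return self._by_pan[pan]
        while True:
            # Random digits: nothing about the token is computed from the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        # Only a lookup in this vault's table recovers the PAN.
        return self._by_token[token]


def toy_encrypt(key, pan):
    """Toy XOR keystream standing in for encryption; NOT a real cipher."""
    stream = hashlib.sha256(key).digest()  # covers inputs up to 32 bytes
    return bytes(b ^ s for b, s in zip(pan.encode(), stream))


def toy_decrypt(key, ciphertext):
    # Anyone holding the key recomputes the PAN; no table is involved.
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ s for b, s in zip(ciphertext, stream)).decode()


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    print("token:", token, "->", vault.detokenize(token))
    key = b"constructed-demo-key"
    ct = toy_encrypt(key, SAMPLE_PAN)
    print("ciphertext:", ct.hex(), "->", toy_decrypt(key, ct))
```

A token taken from the merchant side cannot be reversed without the vault's table, while a ciphertext can be reversed by anyone who obtains the key, so the two controls protect different assets: the vault in one case, the key in the other.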
Tokenization, however, may present issues for some merchants. They have questions about how to handle returns or recurring payments, Vanderhoof says. “They need to be able to deal with customer-service issues,” he says.
Still, merchants are inclined to favor tokenization because it can reduce their PCI compliance demands.
Kleinschnitz says TransArmor offers a token that merchants can use for payments, such as for recurring billing, and non-payment needs, like fraud analysis.