Tokenization and encryption may be the best solution to one of the biggest data-security challenges facing merchants: how to protect confidential payment card information against emerging threats without disrupting normal business operations. That’s according to a security brief released on Tuesday by RSA, the Security Division of EMC. Security experts from processor First Data Corp. and Visa Inc. also contributed to the report.
Merchants not only spend money to achieve compliance with the Payment Card Industry data-security standard, they also have to alter business processes to meet the standard while simultaneously running a business, says Branden Williams, director of security consulting for RSA’s security practice and an author of the report.
“It’s a dynamic environment,” Williams says. “People try to react, try to get ahead of their competition, and they’re kind of hindered in some cases by these (security) processes that have been put in place.”
By using a combination of tokenization and end-to-end encryption, a merchant can meet the PCI standard with little interruption of normal business operations, Williams says. With tokenization, card numbers are replaced with safe proxies that can’t be fraudulently used for purchases but still allow merchants to track and analyze customer purchasing behavior associated with each payment card. The actual card data are held in a secured database operated by a third party.
With end-to-end encryption, card data are encrypted when the card is swiped at the point-of-sale and not decrypted until the transaction is forwarded to the card networks for settlement.
“You can still get at all the things you need like analytics and be able to process payments but greatly reduce the risk,” he says. “In effect, the risk is transferred to an outside entity so that merchants can get back to what they do best, which is being a merchant.”
RSA and First Data have developed a transaction-management solution called TransArmor that combines end-to-end encryption and tokenization.
But not all tokenization solutions are the same, Williams says.
“There are some vendors that will use encryption tricks to basically mask out parts of the card numbers,” he says. “They call that a token but it’s really not a token, because it’s something that can be cryptographically reversed. That means it has a mathematical relationship to the original value.”
Instead, tokens should be a reference value with no mathematical connection to the actual card data, Williams says. “It is a reference value in no way related to it other than there’s a table somewhere that has both values in the same row,” he says.
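As an added example, not code from the RSA brief or from TransArmor, the following Python contrasts the two approaches Williams describes: a keyed, format-preserving transformation that looks like a token but can be undone by anyone holding the key, and a vault-backed reference token drawn at random and tied to the card number only through a lookup table. The toy digit-shift cipher, the choice to keep the last four digits of the card number in the token, and the rule that a token must fail the Luhn check so it cannot be mistaken for a real card number are all assumptions made for illustration, as is the sample card number.

```python
"""Added example (not from the RSA/First Data brief or TransArmor):
a reversible "masked" value versus a vault-backed reference token."""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check that real payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _keystream(key: bytes, length: int) -> list:
    """Deterministic digit stream derived from the key (toy construction, an assumption)."""
    stream = []
    counter = 0
    while len(stream) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(b % 10 for b in block)
        counter += 1
    return stream[:length]


def reversible_pseudotoken(pan: str, key: bytes) -> str:
    """The 'encryption trick': shift each digit by a keyed digit so the output keeps
    the card-number format. It looks like a token, but the key reverses it."""
    ks = _keystream(key, len(pan))
    return "".join(str((int(c) + k) % 10) for c, k in zip(pan, ks))


def reverse_pseudotoken(pseudo: str, key: bytes) -> str:
    """Anyone holding the key recovers the original card number: a mathematical
    relationship exists, so this is not a true token."""
    ks = _keystream(key, len(pseudo))
    return "".join(str((int(c) - k) % 10) for c, k in zip(pseudo, ks))


class TokenVault:
    """True tokenization: the token and the card number share a row in a table
    and nothing else. Without the table there is nothing to reverse."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:
            # Same card always maps to the same token, so per-card analytics still work.
            return self._by_pan[pan]
        while True:
            # Keep the last four digits for receipts and support (assumption);
            # every other digit is random, not derived from the card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            # Reject collisions and anything Luhn-valid, so a leaked token cannot
            # pass for a real card number at another merchant (design choice, assumption).
            if token in self._by_token or token == pan or luhn_valid(token):
                continue
            break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault operator, holding the table, can get the card number back."""
        return self._by_token[token]


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed sample card number
    key = secrets.token_bytes(32)
    pseudo = reversible_pseudotoken(pan, key)
    print("pseudo-token", pseudo, "reverses to PAN:", reverse_pseudotoken(pseudo, key) == pan)
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("vault token", token, "Luhn-valid:", luhn_valid(token),
          "detokenizes:", vault.detokenize(token) == pan)
```

The practical difference is where the secret lives: with the pseudo-token, a key on the merchant's side brings the merchant's systems back into PCI scope, whereas with the vault the merchant holds only random reference values and the mapping table stays with the third party.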
By using true tokenization and encryption, merchants can “dramatically reduce” the parts of their organizations that must meet PCI standards, Williams says.
Tokenization and encryption can benefit all sizes of merchants.
“For a large merchant, it’s ‘I can outsource the risk of a credit card number but I can also get all the value of the information out of it that’s valuable to me,’” he says, including information needed for settling transactions, chargebacks, and business analytics.
For a small merchant, “it’s more about ‘I have completely outsourced all the risks on this. I can focus on being a restaurant and not have to worry about managing a payment system.’”
The security brief, “Secure Payment Services: Card Data Security Transformed,” is available for download at RSA’s site. In addition to discussing encryption and tokenization, the brief provides guidance on what merchants should look for when evaluating secure payment services providers.