by PCI Booking – September 4th, 2019
Credit card fraud and theft are a massive problem in every corner of the world. The Nilson Report puts current losses from payment card fraud at around $24.3 billion a year and expects that figure to top $34 billion by 2022.
Merchants, and in fact the whole extended card ecosystem, must also absorb the costs associated with chargebacks. All of this is happening in a climate of increasingly stringent regulation and major cybercrime events.
To help alleviate the impact of fraud and mitigate risk, we can turn to technological techniques, one of which is payment card tokenization.
Storing credit card numbers has a large overhead in terms of security and compliance. A way to reduce this overhead, whilst also ensuring a smooth user experience, is by applying a technique known as “tokenization”.
Tokenization of payment cards works like this:
Data encryption is often presented as an alternative to tokenization. The basic difference is that encryption is reversible by anyone who holds the key, whereas a token has no mathematical relationship to the card number it stands for: the only way back to the card is a lookup in the vault that issued the token.
Encryption: Encrypted database entries (such as credit card details) are produced by applying a cipher with an encryption key. Anyone with the correct key can decrypt (reverse) the data when needed, which is the point, but it also means that a cybercriminal who obtains both the ciphertext and the key can recover the card data. Encryption therefore turns the problem of protecting card data into the problem of protecting the key.
Tokenization: A token is a randomly generated surrogate value, and the real card data is held in a separate, hardened token vault. A stolen token cannot be reversed to the original card details because there is no key or algorithm to apply; the mapping exists only inside the vault, which is access-controlled and sits outside the merchant's systems.
Tokenization ultimately moves the burden of robustly securing card data to an entity that has the resources, and the specialist focus, to do so.
PCI Booking actually utilizes both tokenization and data encryption when storing card details – for an even higher level of protection.
A third party, such as PCI Booking, offers specialist software that performs the tokenization. PCI Booking's agnostic tokenization service accepts credit card data through multiple input channels and connects to multiple parties, to ensure security, compliance and protection throughout the "life-cycle" of the card with the merchant, including:
The key reasons for a merchant to use a tokenization system are that the tokenization process:
The PCI Booking Tokenization solution is an "on-the-fly" tokenization service. The PCI Booking system intercepts credit card information and tokenizes the PAN and CVV (if present) before it reaches the merchant system. (The CVV is sensitive authentication data, which PCI DSS does not permit anyone to retain after authorization, whoever holds it.)
The merchant receives the token and uses it to process the transaction, so it never has to store any credit card data: instead of storing credit card numbers, you store tokens. Each token is associated with an individual card, so you can link tokens to transactions internally. If the tokens are stolen, however, they cannot be reversed to reveal any card data or other confidential information, because the mapping from token to card exists only inside the tokenization provider's vault.
Future transactions are also handled through the Tokenization solution. For example, when the merchant wants to charge the card, it sends the token to the payment gateway through our system, where the token is de-tokenized, that is, replaced with the real card data, before the request is forwarded. The same process applies when relaying cards to a third party's API. In both cases the real card data appears only on the leg between the tokenization service and the receiving party, never in the merchant's own systems.
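To make the difference concrete, the following Python sketch (an added illustration, not PCI Booking's code) puts the encryption-versus-tokenization point and the intercept, store-token, de-tokenize-on-charge flow described above into a runnable form. The vault design, the role names (`gateway_connector`, `merchant_app`), the `tok_` token prefix and the HMAC-keyed card index are assumptions made for this example; a real vault would encrypt its records at rest, and the CVV is dropped here because PCI DSS does not permit sensitive authentication data to be retained after authorization.

```python
"""Toy token vault showing how payment-card tokenization differs from
encryption: the token is random, so nothing about the PAN can be recovered
from it; only the vault can map it back, and only for an authorised caller.
Added illustration for this article, not PCI Booking's code."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, so the vault never tokenizes garbage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token -> card mapping. In production the records would be
    encrypted at rest (e.g. AES-GCM under a key kept in an HSM); here they
    sit in a dict so the flow stays visible."""

    def __init__(self) -> None:
        # Hypothetical vault-side secret used only to index cards without a
        # plaintext PAN lookup table; the same card therefore gets one token.
        self._index_key = secrets.token_bytes(32)
        self._by_token: dict[str, dict] = {}
        self._by_fingerprint: dict[str, str] = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        pan = pan.replace(" ", "")
        if not (12 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        fingerprint = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fingerprint in self._by_fingerprint:
            return self._by_fingerprint[fingerprint]
        # 128 random bits: no key, no algorithm, nothing to reverse.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = {"pan": pan, "expiry": expiry}
        self._by_fingerprint[fingerprint] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> tuple[str, str]:
        """Only the connector that talks to a gateway or third-party API may
        swap a token back for real card data; merchant code never can."""
        if caller_role != "gateway_connector":
            raise PermissionError(f"role {caller_role!r} may not de-tokenize")
        record = self._by_token.get(token)
        if record is None:
            raise KeyError("unknown token")
        return record["pan"], record["expiry"]


def intercept_checkout(vault: TokenVault, form: dict) -> dict:
    """The 'on-the-fly' step: card fields are swapped for a token before the
    request reaches the merchant application. The CVV is sensitive
    authentication data that PCI DSS forbids retaining after authorization,
    so this example never keeps it at all."""
    fields = dict(form)
    pan = fields.pop("card_number").replace(" ", "")
    expiry = fields.pop("expiry")
    fields.pop("cvv", None)
    fields["card_token"] = vault.tokenize(pan, expiry)
    fields["card_last4"] = pan[-4:]       # enough for receipts and support
    return fields


def build_gateway_charge(vault: TokenVault, token: str, amount_cents: int) -> dict:
    """Later charge: the merchant sends only the token; the connector
    de-tokenizes on the leg to the gateway."""
    pan, expiry = vault.detokenize(token, caller_role="gateway_connector")
    return {"pan": pan, "expiry": expiry, "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed checkout payload using the standard Visa test PAN.
    booking = intercept_checkout(vault, {
        "guest": "A. Traveller", "card_number": "4111 1111 1111 1111",
        "expiry": "12/29", "cvv": "123",
    })
    print("merchant stores:", booking)
    print("gateway sees:", build_gateway_charge(vault, booking["card_token"], 19900))
    try:
        vault.detokenize(booking["card_token"], caller_role="merchant_app")
    except PermissionError as exc:
        print("blocked:", exc)
```

Running it shows the merchant-side record carrying only `card_token` and `card_last4`, while the real PAN appears only in the request the connector builds for the gateway; a de-tokenize call from any other role is refused, and tokenizing the same card twice returns the same token so the merchant can link a returning customer's transactions.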
The Payment Card Industry Data Security Standard (PCI DSS) sets stringent security requirements for any entity that stores, processes or transmits cardholder data. Tokenization (together with the underlying encryption of stored data that PCI Booking employs) is a way for merchants to manage these onerous requirements seamlessly. PCI DSS guidance treats removing card data from your systems as a best practice, and using a tokenization service reduces the scope of your own PCI DSS assessment accordingly. Scope reduction is not scope elimination, however: a merchant still has to assess whatever transmission and processing of card data remains in its own environment, and should confirm that the tokenization provider is itself validated against PCI DSS.
PCI Booking stores the credit cards involved in the tokenization process in accordance with PCI DSS and is validated at the highest compliance level (PCI DSS Level 1 service provider); this includes, among other things, masking and encrypting the sensitive card data at rest.
Tokenization gives merchants a highly secure way of dealing with sensitive financial data. Using a tokenization service gives you a head start in becoming PCI DSS compliant and is viewed as a best practice. However, implementing tokenization as a merchant providing an online experience to your customers needs to be seamless so you can focus on your core business. PCI Booking's Tokenization system does the hard work for you, connecting you to third parties and securing your customers' data so you don't have to.