How Does Tokenization Work in the Retail Industry?

A study conducted by Newcastle University experts claims that criminals take only six seconds to guess credit card numbers and security codes. Using information gathered from other websites, hackers and criminals are able to systematically determine the correct credit card number and security code in a matter of seconds.

Together with a general increase in credit card and online transactions, it is no longer sufficient for retailers, whether online or offline, to stick with traditional methods of securing cardholder data in their systems.
Enter tokenization.

Tokenization replaces sensitive information such as credit card numbers with an incomprehensible set of characters called tokens. By storing and processing tokens, instead of actual credit card numbers, retailers are not only protected from security breaches, they are also freed from the burden of complying with strict security and regulatory requirements.

But, how does tokenization work? How does it benefit retailers?

How Tokenization Works

To understand how tokenization works, it helps to compare and contrast a tokenized credit card transaction with traditional retail and ecommerce transactions:

Traditional Transactions

• In a traditional credit card transaction, a customer swipes his credit card into a Point of Sale (POS) terminal or enters his credit card number (also known as a primary account number or PAN) into an ecommerce website. The retailer captures the customer’s PAN and sends it to a payment processor, usually a bank or financial institution, to process the payment. The PAN is then stored in the retailer’s POS system or ecommerce website and its internal database.

Tokenized Transactions

• In a tokenized transaction, when the buyer swipes his credit card in a POS machine or enters his PAN in an ecommerce website, his PAN first passes through a tokenization system provided by a third-party. The third-party tokenization system replaces the PAN with a string of randomly-generated characters called a token. The token is sent back to the POS terminal or ecommerce website where it is stored. The token is also sent to the retailer’s internal database for record-keeping. In this case, the customer’s actual PAN is never stored in the retailer’s database, including its website and POS systems. What is stored is the token. The third-party tokenization provider submits the PAN to the payment processor to complete the payment transaction. The provider is also the one that stores the actual PAN in its secure database, taking the burden of securing sensitive data off retailers.
• Apple Pay provides a perfect example of how tokenization works. A customer takes a picture of his or her credit card using an iPhone. Apple captures the customer’s PAN and sends it to the bank or financial institution that issued the credit card. The bank generates a token and sends it to Apple. Finally, Apple stores the token, not the PAN, on the customer’s iPhone.

Tokenization vs Data Encryption

• Tokenization is often confused with data encryption. While the two processes are similar in the sense that they both replace sensitive data with incomprehensible characters, they have significant differences:
  Firstly, while tokens are randomly generated, data encryption uses algorithms to generate incomprehensible characters to replace PANs. The algorithms are also called encryption keys. While similar in results, it remains possible for hackers and criminals to reverse-engineer encrypted data back to their original forms by getting their hands on the algorithms used or cracking the encryption keys. On the other hand, tokens are randomly-generated and possess no mathematical relationship with the original data. Thus, tokenization is irreversible.
• Secondly, when the original data such as PANs are encrypted, they still remain in retailers’ databases and internal systems. This means that, in data encryption, retailers retain the burden of securing their customers’ sensitive information. This is not the case with tokenization where sensitive data are stored in the third-party tokenization providers’ databases.
• Finally, encryption secures PANs whether it is at rest in databases or in transit during a payment transaction — that is, from the retailer to the payment gateway or processor. However, customer information, including credit card numbers or PANs, is often passed to several departments such as sales, accounting, and marketing. Customer information is also stored and processed in different enterprise applications and information systems. In order for different departments to utilize this information, they need to decrypt the PAN and re-encrypt it again for security. However, the encrypt-decrypt-re-encrypt process provides criminals with more windows of opportunity to compromise the sensitive information. On the other hand, only tokens are stored in and passed around a retailer’s information system, making sure that sensitive information is secure whether at rest or in transit.

Benefits of Tokenization for Retailers

Tokenization provides retailers with a solution that not only secures credit card information such as PANs, but also enables retailers to conveniently meet credit card data security, compliance, and reporting requirements:

Improved end-to-end security

• Credit card tokenization significantly improves a retailer’s end-to-end security of sensitive data, from the point of capture to storage. By replacing customers’ PANs with tokens, retailers no longer have to capture high-risk information in their POS terminals and ecommerce websites, transmit this information across various departments and systems, and store it in databases.

Minimized impact of security breaches

• By utilizing tokens instead of actual PANs, tokenization protects retailers from the impact of security breaches. Suppose a criminal or a hacker compromises a retailer’s information system, he can only get his hands  on what would be worthless and meaningless tokens to the hacker because the tokens are impossible to be reverted back or reverse-engineered to the actual PAN.  This protects retailers and their customers even more.

Reduced scope of credit card data security compliance

• Retailers that accept credit card transactions are required to comply with various regulations that aim to protect cardholders against theft of their personal information. Some of these regulations include the Payment Card Industry Data Security Standard (PCI DSS) and the European Union’s General Data Protection Regulation (EU GDPR).

The PCI DSS requires organizations that accept, transmit, or store any cardholder data to ensure cardholders’ data are adequately protected. This means that retailers that accept payments via credit card are covered by this regulation. Aside from building and maintaining secure networks and implementing security safeguards, covered organizations and retailers are also required to report periodically on whether their individual systems and databases that store, process, or transmit credit card information are compliant with PCI DSS requirements or not.

On the other hand, the GDPR covers organizations that store or transmit the personally identifiable information (PII) of EU citizens whether residing in the EU or not. The PII includes credit card information and PANs. Similar to the PCI DSS, the GDPR requires covered organizations and retailers to build secure networks and implement data security safeguards. The GDPR also has reporting requirements for covered entities. In cases of security breaches, covered entities are also required to report on the possible impact of the breach and the affected accounts.

Tokenization significantly reduces a retailer’s scope of compliance with these regulations. For instance, since a retailer no longer stores its customers’ actual PANs in its POS terminals, websites, and information systems, the number of systems which they need to report on to be compliant with the PCI DSS and GDPR requirements is greatly reduced.

Increased focus on core competencies

Tokenization enables retailers to effectively pass on the burden of securing sensitive data and compliance to the tokenization solution providers. This allows retailers to focus on their core competencies, which include selling and marketing their products. It also saves them time and valuable resources since they do not have to recruit and maintain an in-house compliance team.

A Trusted Tokenization Solution Provider

Opentext’s tokenization solution stores sensitive data in its encrypted cloud, narrowing the scope of an enterprise’s systems, applications, and processes that need to be audited for compliance with PCI DSS and other credit card-related regulations. Delivered using the ALLOY™ Platform, Liaison’s cloud tokenization technology manages the competing objectives of access and security by substituting sensitive data throughout enterprise systems with format-preserving tokens. This enables enterprises to avoid the need for back-end system modifications and allows data analysis operations to continue as usual.

With Liaison’s tokenization technology, enterprises can minimize points of risk by allowing customers to bypass their systems altogether and transmit payment card data directly to Liaison’s cloud. Enterprises can also minimize costs associated with compliance with PCI DSS requirements or building on-premise tokenization solutions.