With the drumbeat of bad news about online credit card breaches continuing, retailers must do all they can to protect their valued customers from theft and themselves from massive exposure, losses and brand damage.
As hackers devise new and better ways to pilfer consumer data, how do retailers stay one step ahead of the bad guys?
Tokenization is the answer
A key way to do that, which is gaining support from retailers and payment processors, is tokenization.
Like a subway token, a “token” used for online payments is not actually currency, so it can’t be used for any other purpose. Technology is used to create a random token representing the credit card number. If hackers accessed it, the token would have no value to them because they couldn’t convert it back to the actual card number.
A token system protects the consumer, while limiting exposure for the merchant and ecommerce providers since credit cards no longer have to be stored in ecommerce and enterprise resource planning (ERP) or order management system (OMS) databases.
To see the difference between traditional card processing and tokenization, consider this scenario: A home goods retailer has brick-and-mortar locations and an ecommerce website. A customer visits the website, decides to make a purchase and types in her card number. Whoever handles the ecommerce function – the retailer itself or, more likely, a vendor – has to store that number. A second customer visits a physical store, brings an item to the checkout and swipes his card on the reader.
There are several vulnerable points in this scenario since the card information is stored and susceptible to attack in three places: the website, the physical store and the OMS.
Specific points open to attack may differ depending on the merchant and the various collection points or channels and service offerings — for example, if the merchant has a call center for phone orders, credit and collections, an ecommerce website, a physical store, kiosk, interactive voice response or OMS. When using tokenization, credit cards are no longer stored in the merchant’s ecommerce and OMS databases, thus reducing vulnerability and liability.
Tokenization, while not removing all risks, eliminates the storage of credit cards in website and OMS databases. If merchants have a brick-and-mortar store or call center, they will still be handling credit cards.
Getting tokenized
How can a retailer get tokenized? The easiest route is to ask their payment processor bank representative which tokenization providers the bank is integrated with and request a recommendation. That way, the merchant doesn’t have to make any major changes to its system. Some large processor banks have their own token-based solutions. Merchants can select from several third-party tokenization solution providers to integrate with their ERP/OMS and ecommerce applications.
Adding tokenization will protect the sensitive data of online shoppers should a breach occur, so retailers may want to consider adopting it before the start of the holiday shopping season.
Getting tokenized can carry a cost. In addition to software upgrades, some vendors charge merchants 5 cents extra on every token-based transaction. However, that cost pales in comparison with the financial and reputational effects of a serious breach.
The new Y2K
When the business world was in a tizzy over the anticipated Y2K threat, some software providers chose not to go to the trouble or expense of upgrading their systems. As a result, many customers took their business to compliant providers.
Similarly, many smaller ecommerce, point-of-sale (POS) and OMS providers may opt to avoid getting tokenized, prompting their clients to search for vendors that have upgraded or plan to do so.
However, the evolving landscape suggests that tokenization will be required and become the standard, so merchants need to consider now if their POS or OMS provider is tokenized. Among indications of this trend are the recent push by a coalition of leading retail trade groups for an open tokenization standard; work in progress by top payment processors to develop a tokenization specification; and plans for the PCI Security Standards Council to discuss the latest developments toward a standard at its annual community meeting in September. Merchants can also visit the PCI website to see if their vendor is a certified solution provider.
Tokenization not a substitute for robust security procedures
While tokenization is a huge step forward in mitigating the risk of credit card data theft, it isn’t an ironclad guarantee against breaches. Hackers are forever devising new schemes to extract the gold.
Merchants still need to maintain strict security policies and standards in terms of how they conduct their business online, in store, in the call center and in their credit department. Vendors also have to keep up their best practices, such as using monitoring software to proactively identify vulnerabilities.
For now, tokens represent the best method to safeguard against an attack and the only viable alternative for meeting the emerging PCI standards. As credit card breaches remain a major issue, merchants and ecommerce vendors need to explore tokenization. This will not only significantly mitigate risk by taking card numbers out of the equation but also make PCI compliance a much smoother and simpler process.
Diane Buzzeo is founder and CEO of ecommerce, order management and financial software solutions provider Ability Commerce.