Tokenization and PCI
In the world of PCI, tokenization has become a common way to reduce many of the risks associated with handling credit card data. Tokenization replaces the card number with a random value from which recovering the original primary account number (PAN) is not “computationally feasible”, in PCI terms. As such, these tokens provide a record of the transaction but are virtually useless to attackers who may obtain them.
With tokenization, organizations must still comply with PCI, but the scope for compliance is now generally limited to those systems and components that manage tokenization and those that handle processing or transmission, since the actual card data (typically) no longer needs to be stored in the organization’s environment.
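To make the mechanism concrete, here is an added illustration (not code from this article or any vendor) of a minimal token vault of the kind a processor would run. The vault's API, the choice to keep the last four digits, and the rule that tokens must fail the Luhn check so they can never be confused with a real card number are assumptions of this example; the sample PAN is the well-known Visa test number, not a real card.

```python
import secrets
import string

# Constructed sample input: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; the vault uses it to reject malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault: the only place the token->PAN mapping lives."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:  # same card always maps to the same token
            return self._token_by_pan[pan]
        while True:
            # Digits come from a CSPRNG and are not derived from the PAN; the last
            # four are kept so receipts still work. Tokens that pass Luhn are
            # rejected so a token can never be mistaken for, or collide with,
            # a real card number (an assumed design rule of this example).
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, e.g. to route a refund to the card."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What stays in the merchant environment once the PAN is exchanged for a token."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:]}


if __name__ == "__main__":
    print(merchant_record(TokenVault(), SAMPLE_PAN))
```

With outsourced tokenization the `TokenVault` lives at the processor and the merchant keeps only what `merchant_record` returns; with in-house tokenization the merchant runs the vault itself and therefore still stores the PAN.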
In House Tokenization
We say card data typically is no longer stored in the environment with tokenization, because that’s not always the case.
For tokenization to work, PANs need to be stored somewhere so that each token can still be matched to the appropriate account. For merchants who outsource tokenization, PANs are stored at the payment processor, while the merchant stores only the token. Merchants who perform tokenization in house store both the PAN and the token.
Doesn’t this defeat the purpose? Well, somewhat, but it’s not totally illogical.
If PANs are stored in house, the organization is still responsible for protecting them in accordance with PCI requirements. But organizations that choose in house tokenization argue that, with tokenization, full PANs are still stored in fewer locations than they would be otherwise. Fewer storage locations means fewer systems to secure, which generally translates to reduced costs and risks. These organizations also point out that fees are lower. If margins are tight, in house tokenization may be a cost effective way to reduce some of the risk associated with cardholder data (CHD).
Though in house tokenization works for some, outsourced tokenization is by far the superior alternative. When you outsource tokenization, you pass the responsibility for this procedure upstream to the processor – who, by the way, likely dedicates significantly more resources to IT/security than most merchants can. While some organizations that tokenize in house say they are more comfortable doing the process on their own, it is usually best to trust an entity that provides tokenization as a main line of business, because it is more likely to have a defined and proven process.
Outsourced tokenization can’t eliminate risk, but it does transfer a substantial portion of it. If your customer’s CHD is compromised while in your processor’s environment, the processor is liable, as long as you have the proper indemnifications and contracts in place.
You are still responsible for protecting the systems that handle card transactions, but you are no longer liable for protecting stored CHD since this data is no longer in your environment. In turn, this reduces your scope for PCI compliance. Though there is a cost with outsourcing this process, many organizations find it well worth the investment because ultimately, tokenization results in reduced costs and effort in maintaining compliance.
Quantifiable Benefits of Tokenization
To put the benefits of outsourced tokenization in terms of real, quantified risk reduction, consider this example.
In house tokenization: Assume a company does 5 million card transactions in a year. If this merchant tokenizes in house and is 100% compliant with PCI, they still hold $23M in risk exposure, based on how much the organization could lose if that card data is compromised. This is based on our business process risk assessment, which quantifies risk exposure in terms of whether data is stored, processed, and/or transmitted in the environment.
Outsourced tokenization: If that same organization were to outsource tokenization, their risk exposure drops to $4.6M. That’s an 80% reduction in risk.
To summarize, outsourced tokenization reduces scope, decreases risk, and improves security of CHD. Outsourced tokenization provides real benefits to organizations and has become an integral component of many organizations’ compliance efforts. If you haven’t investigated this option yet, it may well be worth your time.
To make sure you have implemented a program that puts you on the most efficient path towards maintaining PCI compliance and reducing risk, contact us today.