VMS-Washington – What is Credit Card Tokenization?

Posted: 23 May, 2012 in Credit Card Processing

What is the biggest problem with Credit Card Data?

A tongue-in-cheek reply would be: “The Credit Card Data, dummy!” While it is a tongue-in-cheek reply, there is some truth to it.

Having been involved with many implementations, I have seen this over and over. It is always an issue securing and protecting this data and only displaying it to those that need to know. Here are some classic issues I have seen.

Most SAP infrastructures include a Quality Assurance client for testing changes before moving them to the Production environment, and it is very often a copy of Production at some point in time. And what comes over with that copy? All the customers' Payment Card data. So you need to do one of two things:

  1. Purge the Credit Card Data (have to write a custom program)
  2. Encrypt that data – very often not activated in the QA environment. And quite a process to turn on.

The Result of Encryption

When a credit card is encrypted in the database, it is displayed as ************4141 for example.

The problem is that it needs to be displayed everywhere like that. I have seen instances where someone will run a report and the unencrypted credit card will show up. Or someone enters a transaction from a different direction, or accesses a rarely used screen, and suddenly the unblemished, unencrypted credit card data shows up.

And in reality, the Payment Card is still saved in our database. And we are responsible for securing and protecting that data.

What is a Token


What if we could move the Credit Card data out of our database and give it to another server (called a Token Server)? The Token Server then gives us back a Token that is representative of the Credit Card data. So the actual Credit Card data in our databases is now replaced by Token data.

For example: it gives us back ************4141 to store in our database. The only link from the token to the Credit Card data is now held on the Token Server.

Advantages of Tokenization

  1. Now we do not have the credit card data in our database. If someone hacked into our database or a user accessed the customer Payment Card data, they could not do anything with the ************4141.
  2. Obviously the Token Server needs to be secured and PCI compliant. But this means that we only have one system to secure, instead of potentially many systems.
  3. And if we contract with a 3rd party to supply this Token Server, we have now moved the responsibility off site to another company whose core business is to secure such data and remain PCI compliant.
  4. This reduces our costs.
  5. If the Credit Card data is ever needed, a query goes out to the Token Server which returns the Credit Card Data. This makes PCI compliance much easier as we do not store Credit Card data on site anymore.
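
The exchange described under "What is a Token" and in advantage 5, as an added example (not code from this article or from any vendor). The class and caller names and the token layout (21 random characters plus the last four digits, 25 in total to echo the token length mentioned for XiSecure further down) are assumptions, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets

TOKEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SAMPLE_PAN = "4000000000044141"  # constructed, Luhn-valid test value, not a real account

def luhn_valid(pan: str) -> bool:
    """Check the card number's Luhn check digit before accepting it."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenServer:
    """In-memory stand-in for the Token Server; a real one keeps the vault encrypted."""

    def __init__(self, authorized_callers):
        self._vault = {}   # token -> card number; exists only on the token server
        self._index = {}   # keyed hash of card number -> token, so a repeat card reuses its token
        self._index_key = secrets.token_bytes(32)
        self._authorized = set(authorized_callers)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        lookup = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if lookup in self._index:
            return self._index[lookup]
        # Random body: nothing in the token can be computed back into the card number.
        body = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(21))
        token = body + pan[-4:]
        self._vault[token] = pan
        self._index[lookup] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not retrieve card data")
        return self._vault[token]

def mask(token: str) -> str:
    """What a screen or report shows: only the last four digits."""
    return "*" * 12 + token[-4:]
```

The merchant database stores only the value returned by `tokenize`, so a copy of Production into QA carries tokens and no card numbers.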

Who offers these Tokenization Services for SAP

Probably the best known of the Service Providers is Paymetric, with their XiSecure Service (they use a 25 Character Token).

They have 2 versions of it:
  1. XiSecure – Onsite local Installation
  2. XiSecure – SAAS Hosted Offsite Service.

Whilst I have not implemented a Token system yet, it makes sense and would be a useful complement to a Credit Card Payment System.

Hope this brief article helps you understand what tokenization is and how it helps your business. Valued Merchant Services is in all 50 states and Canada, provides excellent customer service, processes over 100+ million a day, and is an A rated company that can take care of all your financial needs and services. Due to overwhelming replies, questions and needs for our services, please contact us and we will gladly help you.

Thank you,

Michael Roberts

VMS-Washington
National Sales Director
(800) 531-8575 ext. 697
washington@valuedmerchants.com
www.vms-washington.com
