Ramping up tokenization
Typically, in payments, when a merchant runs an electronic transaction, the gateway is programmed to use encrypted data tokens in place of sensitive card data to protect the merchant's side of the transaction flow. This prevents the possibility of a merchant storing private customer information on their servers and makes it difficult for anyone to steal the information for malicious purposes.
While this method is adequate for protecting the merchant in most cases, it doesn’t fully accommodate the merchant's needs when they want to set up a recurring transaction or handle a return-customer purchase without re-entering the card information.
"Originally, before tokenization became a hot word, when someone ran a transaction and needed to run another payment, we'd give them a transaction ID," said Vlad Galyuz, Vice President of Product Development at USAePay. "However, only some actions could be performed, and others could not, without having the sensitive payment details from the original transaction available."
A simple proprietary solution
According to Galyuz, the gateway providers had to come up with an improved version of the tokenization model to meet the needs of the growing number of merchants who wanted to use subscription and membership models or offer purchase incentive programs.
"We decided to make what is called True Tokenization, where a merchant can still run a transaction and get the response code back, but they can also get a transaction token to store," Galyuz explained, indicating that the merchant would then use this token, which is not associated with sensitive card data, to run another transaction instead of running the card number.
The True Tokenization solution is 100 percent PCI compliant and merchants can even keep track of a client's card by searching the last four digits. "Sometimes you still want to know what type of card it is, so on top of the token, we send back the card type and the last four digits," Galyuz explained.
Galyuz noted that the USAePay True Tokenization solution is exclusive to ecommerce purchases, but it is still useful to brick-and-mortar merchants who offer omnichannel buying options.
Moreover, it isn't limited to one merchant account. "If you have a chain of accounts with us, you can copy the token to other locations," he said.
Promoting greater security
The True Tokenization feature is only available to merchants with accounts on the USAePay closed-loop system, and Galyuz indicated this is to ensure maximum security. Additionally, none of the data stored on the merchant side is sensitive, so it can't be compromised in the event of a cyber intrusion.
"It's strictly stored for convenience, but at the same time, it's like having a card on file," Galyuz said. "It's more secure, and if you were breached, the data would be completely useless since there's nothing to decrypt."
Galyuz also noted that the direct sales partner, whether an independent sales organization or independent software vendor, is able to hold the payment data on file because "it is so desensitized, there is no risk involved, and it's outside the scope of PCI," he said.
USAePay's True Tokenization product is particularly beneficial for smaller market merchants, Galyuz explained, as well as businesses that use hosted payment forms.
"In a browser-based situation, you are sometimes faced with an unknown entity," Galyuz said. "It could be a man-in-the-middle attack or malicious code, browser plug-ins, or extensions, and we simply transmit the token, keeping the cardholder information secure."
USAePay offers the True Tokenization feature standard to all account holders as part of their commitment to partners, merchants, and the industry. "We like to offer these security features free of charge, because we believe it benefits our ecosystem, as well as the entire payments ecosystem," Galyuz confirmed.
Galyuz also said the company has an extensive wiki site online that was designed to help account holders understand the True Tokenization process better.
For more information, or to learn how to become a part of the USAePay network, please visit www.usaepay.com or contact a company representative directly at (866) 872-3729.