The Green Sheet Online Edition
April 13, 2009 • Issue 09:04:01
A token of payments to come
Merchants typically incur significant costs to become Payment Card Industry (PCI) Data Security Standard (DSS) compliant and face the prospect of hefty fines if they are determined to be noncompliant - not to mention the operational and reputational damage data breaches can cause. Mercator Advisory Group suggests tokenization may be able to mitigate these concerns.
Mercator's new report, Emerging Technologies Practice, Merchant Security, Tokenization and the Fairy Tale of Outsourcing PCI, examines tokenization as a secure alternative for card data storage, processing and settlement.
According to George Peabody, Mercator's Director, Emerging Technologies Advisory Service, a token is a proxy value that stands in for the consumer's card number: it is generated by a third-party tokenization platform, and only that platform can map it back to the real card number.
"The idea is to reduce the number of locations where card numbers are stored within the network," Peabody said.
"So with tokenization, the processor is the only organization with the full card number. After the transaction is authorized, only the token number goes back to the merchant, and the POS system now tracks it forevermore via the token, which is useless to a fraudster."
Peabody added that the concept of tokens has caught on with merchants seeking to reduce their PCI-compliance burden. "Even merchants who are PCI compliant are now looking at tokenization because, as PCI continues to evolve in response to new breaches and new forensic analysis, the ante for merchants continues to go up," Peabody said.
"Additionally, now that the payment network and the Internet touch each other, weaknesses have been found in both, creating more risks than merchants want to manage."
Peabody cautioned that choosing the right vendor requires careful evaluation.
"A lot of these companies tend to be smaller, so if a merchant is going to outsource their tokenization, they need to know that vendor is viable, because if that provider goes out of business, then the whole scheme can fall over," he said. "Merchants don't want to take that risk, so I would think eventually the bigger processors and acquirers are going to need to step up their efforts and implement a tokenization platform."
What price security?
The resources and time required to upgrade to a tokenization platform are significant. "A lot of business software has been written around card numbers, so transaction reporting and chargeback schemes would have to get reprogrammed to accommodate token numbers," Peabody said.
"The risks and costs need to be fully evaluated by each merchant, but in the long run they've reduced PCI audit expenses, and they no longer need to store card numbers, which makes that merchant a whole lot less attractive as a target." Merchants are "throwing up their hands and saying, 'Look, let's just not store numbers at all, and we won't have the same level of headache every year,'" he said. "Obviously, there are a number of players out there doing this who would be happy to talk to ISOs about reselling opportunities."
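The token flow Peabody describes above (the processor alone holds the full card number, the merchant's POS stores and tracks only the token) and the concern raised under "What price security?" that business software is written around card numbers, as one added example in Python. This is illustrative code written for this page, not from Mercator, Peabody or any vendor. The TokenVault class, the choice to give tokens the PAN's length and last four digits while making them fail the Luhn check, the DLP-style scan and the test card numbers are assumptions of the example; a real platform would additionally encrypt the vault, authenticate merchant calls and restrict who may detokenize.

```python
"""Added example (not from the Green Sheet article or Mercator's report):
a minimal token vault modelling the tokenization flow described above.

Design assumptions of this example:
 - The vault (processor side) is the only place the PAN exists.
 - The merchant stores only the token, a random surrogate with no
   mathematical relation to the PAN.
 - The token keeps the PAN's length and last four digits so reporting and
   chargeback code written around 16-digit card numbers keeps working,
   but it is built to FAIL the Luhn check, so it can never be mistaken
   for, or used as, a real card number.
"""
import json
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault holding the PAN <-> token mapping.
    Merchant code never receives a reference to this storage."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)                  # strip spaces/dashes
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:                 # same card -> same token,
            return self._token_by_pan[pan]            # so repeat-customer reporting works
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]                   # keep last four for receipts/reports
            # Reject the roughly 1-in-10 candidates that pass Luhn, and any collision.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, e.g. to settle a refund or chargeback."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: the PAN goes to the processor for authorization and
    only the token comes back to be stored and used for later lookups."""
    token = vault.tokenize(pan)       # stands in for "authorize, receive token"
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def scan_for_pans(records: list[dict]) -> list[str]:
    """DLP-style check of what a merchant database actually holds: any
    13-19 digit run that passes Luhn is treated as a stored card number."""
    blob = json.dumps(records)
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_valid(m)]


def demo() -> list[dict]:
    """Constructed sample transactions using public test card numbers."""
    vault = TokenVault()
    records = [
        merchant_checkout(vault, "4111 1111 1111 1111", 1999),
        merchant_checkout(vault, "5555555555554444", 4250),
        merchant_checkout(vault, "4111111111111111", 500),
    ]
    assert records[0]["token"] == records[2]["token"]   # same card, same token
    assert scan_for_pans(records) == []                 # merchant holds no PANs
    assert vault.detokenize(records[1]["token"]) == "5555555555554444"
    return records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Run it and compare `scan_for_pans` on a store of raw PANs against the tokenized store: the former flags every card number, the latter flags nothing, which is the "a whole lot less attractive as a target" point in concrete form. Note that the deterministic same-card-same-token mapping, while convenient for analytics, also lets anyone with the vault link transactions, so access to `detokenize` and to the vault itself is the control that matters.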