The Green Sheet Online Edition

April 13, 2009  •  Issue 09:04:01


A token of payments to come

Merchants typically incur significant costs to become Payment Card Industry (PCI) Data Security Standard (DSS) compliant and face the prospect of hefty fines if they are determined to be noncompliant - not to mention the operational and reputational damage data breaches can cause. Mercator Advisory Group suggests tokenization may be able to mitigate these concerns.

Mercator's new report, Emerging Technologies Practice, Merchant Security, Tokenization and the Fairy Tale of Outsourcing PCI, examines tokenization as a secure alternative for card data storage, processing and settlement.

According to George Peabody, Mercator's Director, Emerging Technologies Advisory Service, a token is a proxy that replaces consumer card numbers with a number generated by a third-party tokenization platform.

"The idea is to reduce the number of locations where card numbers are stored within the network," Peabody said.

"So with tokenization, the processor is the only organization with the full card number. After the transaction is authorized, only the token number goes back to the merchant, and the POS system now tracks it forevermore via the token, which is useless to a fraudster."
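The flow described above, sketched as an added example that is not from the article, the Mercator report, or any vendor's product. The class names, the in-memory vault, and the token format (random digits that keep the card's last four) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class Processor:
    """Hypothetical tokenization platform: the only party that stores card numbers."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._token_by_pan = {}  # HMAC(PAN) -> token
        self._pan_by_token = {}  # token -> PAN (a production vault would encrypt this)

    def _new_token(self, pan):
        # Random digits, not derived from the PAN, so the token cannot be reversed.
        # Keeping the last four digits is an assumed convention for receipts.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                return token

    def authorize(self, pan, amount_cents):
        """Authorize a sale and return only a token to the merchant."""
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_pan.get(idx)
        if token is None:
            token = self._new_token(pan)
            self._token_by_pan[idx] = token
            self._pan_by_token[token] = pan
        return {"approved": True, "token": token, "amount_cents": amount_cents}

    def refund(self, token, amount_cents):
        """Later operations reference the token; unknown tokens are rejected."""
        return token in self._pan_by_token


class MerchantPOS:
    """Merchant side: passes the PAN through once and persists only the token."""

    def __init__(self, processor):
        self.processor = processor
        self.records = []  # everything the merchant keeps after authorization

    def sale(self, pan, amount_cents):
        resp = self.processor.authorize(pan, amount_cents)
        self.records.append({"token": resp["token"], "amount_cents": amount_cents})
        return resp["token"]
```

Because the same card always maps to the same token, the merchant's reporting and chargeback records can key on the token instead of the card number.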

Gaining momentum?

Peabody added that the concept of tokens has caught on with merchants seeking to reduce their PCI-compliance burden. "Even merchants who are PCI compliant are now looking at tokenization because, as PCI continues to evolve in response to new breaches and new forensic analysis, the ante for merchants continues to go up," Peabody said.

"Additionally, now that the payment network and the Internet touch each other, weaknesses have been found in both, creating more risks than merchants want to manage."

Peabody cautioned that choosing the right vendor requires careful evaluation.

"A lot of these companies tend to be smaller, so if a merchant is going to outsource their tokenization, they need to know that vendor is viable, because if that provider goes out of business, then the whole scheme can fall over," he said. "Merchants don't want to take that risk, so I would think eventually the bigger processors and acquirers are going to need to step up their efforts and implement a tokenization platform."

What price security?

The resources and time required to upgrade to a tokenization platform are significant. "A lot of business software has been written around card numbers, so transaction reporting and chargeback schemes would have to get reprogrammed to accommodate token numbers," Peabody said.

"The risks and costs need to be fully evaluated by each merchant, but in the long run they've reduced PCI audit expenses, and they no longer need to store card numbers, which makes that merchant a whole lot less attractive as a target." Merchants are "throwing up their hands and saying, 'Look, let's just not store numbers at all, and we won't have the same level of headache every year,'" he said. "Obviously, there are a number of players out there doing this who would be happy to talk to ISOs about reselling opportunities."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
