Tokenization is more than PCI compliance – it’s a strategic business decision
Heightened merchant concerns over securing sensitive cardholder information, as well as new PCI security mandates, have driven demand for integrated card data protection solutions. These concerns are well justified. According to a 2010 study conducted by the Ponemon Institute, the average cost of a data security breach for a US merchant is in excess of $6.7 million. The most expensive data breach event to date cost almost $31 million to resolve.
As the losses mount, tokenization, the process of replacing cardholder data with alternative identifiers (or tokens), is receiving significant industry attention. As this attention has grown, a number of new solutions have appeared on the market to fill the expanding demand.
Tokenization, in concert with encryption, is emerging as a leading option because it addresses critical merchant requirements by eliminating the need for a merchant to store card account data within their business environment. This can result in a significant reduction in the scope of a merchant's PCI compliance program.
The business decision to implement tokenization can impact multiple customer interaction and payment processes. But not all tokenization solutions are created equal, and it is essential that merchants evaluate products carefully to determine the best fit for their business and payments models.
Tokenization is not a new technology. The process is well understood by payments technology experts, and there are proven solutions with well-established track records. Merchants should evaluate solution providers for their experience, strength and stability. It is equally important that the solution is sufficiently flexible to be tailored to the merchant’s specific business requirements.
The application of tokenization to Card Not Present (CNP) transactions is particularly appropriate, as the solution can protect information across a range of usage scenarios unique to the merchant’s ecommerce environment. For example, CNP merchants often choose to store customer profiles in order to speed the checkout process for returning customers. Along those same lines, automatic account updating may be implemented for recurring payments. A fully featured tokenization solution should include both single-use and ‘persisted’ tokens to be flexible enough to support one-time purchases, returning customer profiles and recurring bill payments. Merchants should have a range of options available to them, including the ability to protect not only the card number, but all other card data attributes.
When evaluating a tokenization solution, merchants should match specific capabilities against their existing business processes, and implement the option(s) that provide maximum utility with minimal payments flow disruption. In some cases it may be desirable for a merchant to change their business logic to fit a particular solution, but minimizing these changes will ease integration and reduce the impact to other systems.
Tokenization offers the potential to increase security and lower compliance costs. Choosing the right tokenization solution for your online business needs can ensure smooth implementation and maximize return on investment.
This article was contributed to the Direct Response Forum.