Tokenization Beneficial for Merchants, but Merely a Single Piece of the Security Puzzle

Whenever a credit or debit card is used, whether that’s a swipe at a grocery store or buying concert tickets online, the numbers representing the payment account are transmitted. Upon authorization, a common approach in ecommerce is to store the numbers in the merchant’s system to facilitate the exchange of money for goods or services. These stored numbers also attract those looking to steal that information, but a security measure known as tokenization is helping to make this kind of data theft much more difficult.

Credit card tokenization is a method of security in the payments industry in which a cardholder’s credit or debit card numbers are replaced as they enter a merchant’s system by a random string of numbers or symbols[1]. This means the merchant does not have access to the actual credit or debit card number, which all but eliminates its sales system and data as a target for hackers.

Anything that can slow down data breaches is very much needed. In 2015, 170 million consumer records were uncovered by hackers, which globally cost businesses $400 billion[2].

“Tokenization is important for some merchants to adopt because it substantially reduces the risk and liability that is inherent in storing and maintaining a large database of cardholder data,” Verifi Senior Vice President of Business Development Rick Lynch said. “As we see many of the largest global merchants breached repeatedly throughout the last few years, it’s clear that no system is safe or impenetrable, and the safest approach may simply be to not store cardholder data at all.”

Why some merchants are hesitant to adopt tokenization

Though an extremely effective solution to a very specific problem, tokenization is more of a single piece of the security puzzle than the end-all of stopping data theft and credit card fraud. Tokenization doesn’t guard against card skimmers, and it is not intended to be used as an alternative to EMV[3]. Additionally, this security measure doesn’t add any greater validation of the sale than what is already there.

Merchants might also be reluctant to hand over their customer data to a tokenization provider.

“Merchants fear tokenization because they fear giving up control of what they consider to be their own data,” Lynch said. “Particularly for subscription or recurring billing merchants, the ability to maintain and bill cardholder data is the key to their ability to collect revenue. If they give up the cardholder data to a tokenization provider, no matter the reassurances, a business owner recognizes that their entire ability to collect customer revenue is now dependent on a third party, whereas it wasn’t before. For some merchants, this is an unacceptable risk.”

Some providers have made it difficult for a merchant to retrieve their original data once it has been tokenized, which can be a problem if the merchant no longer wishes to use the service or wants to switch providers.

“Tokenization providers can address this concern in a couple of ways,” Lynch said. “Assure their prospective merchant clients that the card data they are tokenizing belongs to them, and specify that the provider will agree to return all of the cardholder data, un-tokenized, at any time, should the merchant decide to maintain their data in-house again, or to switch to another provider.”

Then there’s the cost

Perhaps one of the biggest hurdles for widespread tokenization practice is the cost of implementation. Major companies might have the means to add it to their security protocol, but many medium and small merchants simply aren’t able to afford the added cost of tokenization[4]. The merchant is then faced with a less-than-ideal decision: go without or pass the cost on to the consumer. Both positions come with their share of problems.

Those who go without face increased security risk to their customers’ information, and a breach could mean losing customers on a grand scale. On the other hand, raising prices will force customers to seek alternatives, again, potentially meaning the loss of a great deal of business.

Some merchants seek out cheaper custom variations of tokenization technologies, which might not be nearly as secure. The landscape has been muddled with many different systems, which will cost more in the long run to rein in.

Putting it all together

A closer look at the books, however, could reveal that it might make more sense to spend the extra money now to avoid a major hemorrhage later—essentially viewing the cost of tokenization like an insurance cost. Because it eliminates the need for merchants to actually store credit card data, tokenization can also significantly reduce PCI scope, which also means lower operational costs.

“Tokenization assists the merchant with reducing their PCI scope. It simplifies their PCI audit and security requirements,” Verifi’s Senior Vice President of Strategic Alliances and Business Analytics Jeff Sawitke said. “Merchants simply don’t want the risk associated to having the data, and tokenization is the way for them to reduce that risk.”

In addition to eliminating sensitive data from the merchant’s environment, tokenization can also help decrease instances of fraud and chargebacks that come from unauthorized use of credit or debit cards. A reduction in chargeback expenses—from issuing refunds for an otherwise valid sale to chargeback representment costs to fees and penalties incurred as a result of an increased chargeback rate—can more than make up for the added expense of a proper tokenization adoption.

However, this reduction in chargebacks as a direct result of tokenization isn’t something that will be seen until there is a grand-scale adoption.

“At some point, if enough cards are tokenized by enough merchant businesses, the overall level of chargebacks network wide should decline,” Lynch said. “I don’t think tokenization necessarily reduces chargeback risk substantially by the merchant doing the tokenizing directly. It is more likely that when cardholder data is stolen, it would be used for fraudulent purchases at other merchant businesses than the one where the card data was stolen from. However, all merchants would benefit from reduced chargebacks by the overall broader adoption of tokenization.”

Tokenization is a tool that should be combined with data encryption to meet data security best practices. It is a versatile security measure that can be applied to any transaction method that uses a credit or debit card, including emerging new payment methods such as mobile wallets. The best bet is a multilayered security strategy that makes use of various tactics, platforms and experts that protect merchants and their customers throughout the entire transaction lifecycle. These solutions often give merchants better insight into what’s working and what isn’t in terms of their security, and ways to detect fraud, resolve disputes early and avoid and reduce chargebacks.

The Identity Theft Resource Center reported that the number of exposed personal records more than doubled from 2014 to 2015[5]. Without the proper tools and partners supporting them throughout the entire transaction, merchants may find their current security measures are inadequate, and could come crumbling down at any moment.

[1] http://www.computerworld.com/article/2487635/data-security/banks-push-for-tokenization-standard-to-secure-credit-card-payments.html

[2] http://www.cutimes.com/2016/01/06/cybersecurity-woes-to-intensify-in-2016

[3] http://www.darkreading.com/perimeter/tokenization-6-reasons-the-card-industry-should-be-wary-/a/d-id/1316376

[4] http://www.datacapsystems.com/news/2014/10/13/the-advantages-and-disadvantages-of-tokenization.html

[5] http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html