Whenever a credit or debit card is used, whether that’s a swipe at a grocery store or buying concert tickets online, there is a transmission of its numbers representing the payment account. Upon authorization, a common approach in ecommerce is to store the numbers in the merchant’s system to facilitate the exchange of money for goods or services. These stored numbers also attract those looking to steal that information, but a security measure known as tokenization is helping to make this kind of data theft much more difficult.
Credit card tokenization is a method of security in the payments industry in which a cardholder’s credit or debit card numbers are replaced as they enter a merchant’s system by a random string of numbers or symbols[i]. This means the merchant does not have access to the actual credit or debit card number, which all but eliminates its sales system and data as a target for hackers.
Anything that can slow down data breaches is very much needed. In 2015, 170 million consumer records were uncovered by hackers, which globally cost businesses $400 billion[ii].
Why some merchants are hesitant to adopt tokenization
Though an extremely effective solution to a very specific problem, tokenization is more of a single piece of the security puzzle than the end-all of stopping data theft and credit card fraud. Tokenization doesn’t guard against card skimmers, and it is not intended to be used as an alternative to EMV[iii]. Additionally, this security measure doesn’t add any greater validation of the sale than what is already there.
Perhaps one of the biggest hurdles for widespread tokenization practice is the cost of implementation. Major companies might have the means to add it to their security protocol, but many medium and small merchants simply aren’t able to afford the added cost of tokenization[iv]. The merchant is then faced with a less-than-ideal decision: go without or pass the cost on to the consumer. Both positions come with their share of problems.
Putting it all together
A closer look at the books, however, could reveal that It might make more sense to spend the extra money now to avoid a major hemorrhage later—essentially viewing the cost of tokenization like an insurance cost. Because it eliminates the need for merchants to actually store credit card data, tokenization can also significantly reduce PCI scope, which also means lower operational costs.
In addition to eliminating sensitive data from the merchant’s environment, tokenization can also help decrease instances of fraud and chargebacks that come from unauthorized use of credit or debit cards. A reduction in chargeback expenses—from issuing refunds for an otherwise valid sale to chargeback representment costs to fees and penalties incurred as a result of an increased chargeback rate—can more than make up for the added expense of a proper tokenization adoption.
However, this reduction in chargebacks as a direct result of tokenization isn’t something that will be seen until there is a grand-scale adoption.
Tokenization is a tool that should be combined with data encryption to meet data security best practices. It is a versatile security measure that can be applied to any transaction method that uses a credit or debit card, including emerging new payment methods such as mobile wallets. The best bet is a multilayered security strategy that makes use of various tactics, platforms and experts that protect merchants and their customers throughout the entire transaction lifecycle. These solutions often give merchants better insight into what’s working and what isn’t in terms of their security, and ways to detect fraud, resolve disputes early and avoid and reduce chargebacks.
The Identity Theft Resource Center reported that the number of exposed personal records more than doubled from 2014 to 2015[v]. Without the proper tools and partners supporting them throughout the entire transaction, merchants may find their current security measures are inadequate, and could come crumbling down at any moment.
Download Verifi’s white paper today to learn more about the emergence of new payment methods, the security risks that come with them and what merchants can do about it.
[i] https://www.computerworld.com/article/2487635/data-security/banks-push-for-tokenization-standard-to-secure-credit-card-payments.html
[ii] https://www.cutimes.com/2016/01/06/cybersecurity-woes-to-intensify-in-2016
[iii] https://www.darkreading.com/perimeter/tokenization-6-reasons-the-card-industry-should-be-wary-/a/d-id/1316376
[iv] https://www.datacapsystems.com/news/2014/10/13/the-advantages-and-disadvantages-of-tokenization.html
[v] https://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html