Secure payment processing with tokenization
In order to reach PCI Compliance, a business that processes payments must protect sensitive data. Sensitive data includes credit card numbers and ACH account numbers, as well as AVV and CVV2 information. To handle this data securely, a business must either install an end-to-end encryption system or outsource payment processing to a service provider that tokenizes the sensitive data externally.
What is tokenization?
Token technology takes a credit card number, for example, and replaces the 16-digit card number with a custom token. The token mirrors the format of the original data but reveals nothing about it. Tokenization requires the use of a gateway, which is where the sensitive data is actually stored.
When a customer submits a payment via a business’ website, the sensitive data entered into the payment fields is encrypted by k-eCommerce Credit Card Extension using 128-bit encryption. It is then sent to a gateway so that a token can be generated. The payment process then proceeds as usual. Once all necessary information has been received and the payment has been applied, all that is stored on a business’ database is a token and a separate masked credit card number that contains the last four digits of the card that looks like this:
The stars do not represent anything. This means the full 16-digit credit card number is never stored on a business’ network, which greatly reduces liability. For future transactions, the token and the separate masked credit card number with the last four digits are stored in a business’ ERP, where they can be easily accessed and verified.
Tokens are not mathematically reversible. Because each token is a unique placeholder with no relationship to the card data it stands in for, the stored payment data is meaningless on its own.
What is encryption?
Encryption has been around for years. When it comes to payment processing, encryption, unlike tokenization, takes the sensitive data and transforms it using a mathematical operation. The end result is 12 encrypted digits followed by the last 4 original digits of the credit card. The encrypted code is composed of letters and numbers and is stored on an internal database, such as a business’ ERP. To return the data to its original form, the mathematical operation is reversed, and the credit card can be used again for a transaction.
Which method is best?
When it comes to processing payments securely, token technology is superior. A token can be stored in tables, and when a transaction needs to be processed it can be easily verified, since the token includes the last four digits of the credit card. Once the payment process has finished, the token can again reside securely in a database. This reduces a business’ liability; further, since tokens are composed of unrelated data, they are meaningless on their own. Tokenization also makes obtaining PCI Compliance much easier, as it eliminates nearly half of the security requirements that are part of the PCI audit.
Encrypted data is less secure because it is reversible, whereas a token is not. Also, because encrypted data is stored internally, a business is liable should fraud occur.
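The following is an added example, not code from the original article or from k-eCommerce, that puts the two approaches described above (the tokenization flow in "What is tokenization?" and the reversible transform in "What is encryption?") side by side. The `TokenVault` class is a hypothetical in-memory stand-in for a gateway's token vault; the merchant keeps only a random token of the same length and digit-only format plus a masked number ending in the last four digits. The "encryption" half uses a stdlib-only HMAC-SHA256 keystream as an illustrative cipher (a real deployment would use a vetted authenticated cipher such as AES-GCM) purely to show the property the article contrasts: whoever holds the key on the merchant's network can recover the card number, whereas the token reveals nothing without the vault. The sample card number is a constructed test value.

```python
"""Toy tokenization vault versus reversible encryption for card numbers (illustrative)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample PAN (a standard test card number, not a real account).
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str) -> str:
    """Masked form a merchant may keep: stars for all but the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical stand-in for the gateway's token vault (in-memory only).

    The full PAN is stored only here. The merchant receives a token that mirrors
    the PAN's length and digit-only format but is drawn at random, so no
    computation on the token alone can recover the PAN.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in pan)
            # Reject the (astronomically unlikely) identity or collision cases.
            if token != pan and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class StoredCard:
    """What the merchant's ERP keeps after the payment: token plus masked PAN."""
    token: str
    masked_pan: str


def merchant_store_card(vault: TokenVault, pan: str) -> StoredCard:
    """Merchant side of the flow: hand the PAN to the gateway, keep only the results."""
    return StoredCard(token=vault.tokenize(pan), masked_pan=mask_pan(pan))


def merchant_verify_last4(record: StoredCard, last4: str) -> bool:
    """Check a returning customer's card against the stored masked number."""
    return len(last4) == 4 and record.masked_pan.endswith(last4)


# --- Encryption alternative -------------------------------------------------
# Illustrative stdlib-only stream cipher (HMAC-SHA256 keystream XORed with the
# data). It exists to show reversibility by a key holder, not as a production cipher.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_pan(key: bytes, pan: str) -> bytes:
    """Reversible transform: nonce || (pan XOR keystream)."""
    nonce = secrets.token_bytes(16)
    data = pan.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt_pan(key: bytes, blob: bytes) -> str:
    """Anyone holding the key can undo the transform and get the PAN back."""
    nonce, ciphertext = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()


def compare_approaches(pan: str) -> dict:
    """Run both flows and report what each leaves on the merchant's network."""
    vault = TokenVault()
    record = merchant_store_card(vault, pan)
    key = secrets.token_bytes(32)  # with encryption, this key lives on the merchant's network
    blob = encrypt_pan(key, pan)
    return {
        "token": record.token,
        "masked_pan": record.masked_pan,
        "token_is_digits_same_length": record.token.isdigit() and len(record.token) == len(pan),
        "pan_on_merchant_network": pan in (record.token, record.masked_pan),
        "vault_can_detokenize": vault.detokenize(record.token) == pan,
        "key_holder_can_decrypt": decrypt_pan(key, blob) == pan,
    }


if __name__ == "__main__":
    for name, value in compare_approaches(SAMPLE_PAN).items():
        print(f"{name}: {value}")
```

Running the script shows that the merchant record contains neither the PAN nor anything computable into it, that a second vault instance cannot resolve the token (the mapping exists only in the gateway), and that the encrypted blob is fully recoverable by whoever holds the key stored alongside it, which is the liability point the article makes.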
k-eCommerce Credit Card Extension (CCE) is a PA-DSS Certified solution that integrates with multiple gateways that use token technology. Follow this link to learn more about CCE.