Managing Risk - Not All Tokenization Solutions Are Equal Part 1 of 3



It happens. Your team finally decides it's time to tokenize your organization’s sensitive data, but now you have to pick through the maze of tokenization solutions to determine which best meets your needs. You have complex challenges to balance in this decision making process, including compliance, budgets, architecture, and operations to name a few. As you probably already know by now, on-premise tokenization, payment gateway tokenization, hybrid tokenization, and cloud based tokenization are your options. Putting these solutions side-by-side can be a helpful way to determine which is the best fit for your organization and your data sets. To begin, it is good to ask an initial set of questions about your options and your environment. Is there a difference where the data is stored in each solution? Do these storage differences impact compliance? What data sets will be protected by tokenization? What payment gateway(s) do you wish to use? Selecting the right tokenization solution for your organization can impact so many different aspects of your organization that it is paramount for you to know the specifics on all of the different options. When deployed properly, tokenization can secure ALL of your sensitive data sets and meet the needs of your environment. Let’s take a look at what your options are.

According to the PCI DSS, tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components to which PCI DSS requirements apply. For scope and compliance to be reduced, the PAN must not be retrievable from any system component. Sounds pretty simple, right? Many organizations are still leery of cloud based tokenization because they fear the worst: if someone else has control, how can we possibly trust that they will be the same kind of steward of customer data as we are? This is a valid question in vetting your supply chain. At the same time, giving in entirely to that fear of relinquishing control has an expensive consequence: costly PCI compliance coupled with putting your organization at risk of a data breach. The question to ask yourself is how much risk you are willing to assume and what specific measures you will take to manage that risk.

On-Premise Tokenization – Why Take the Risk?

The whole point of tokenization is to replace PAN values with surrogate token values that, if ever stolen, would yield no valuable data. An on-premise data security platform requires customers to keep sensitive data in their own environments, so these solutions still expose customers to the possibility of a data breach. On top of that, the cost of most on-premise tokenization solutions is about twice that of cloud tokenization solutions, since they often require you to set up your own data center, engage in additional employee training, pay IT personnel, and buy insurance for the equipment and data.

This traditional software-and-server tokenization solution only helps with PCI DSS Requirement 3, which covers stored cardholder data. When you manage your own on-premise tokenization solution or vaulting system, the vault is still part of your environment. You incur all the risk of keeping it active and secure, and you carry the entire burden of compliance. When it comes to regulated sensitive data such as payment card information or Personally Identifiable Information (PII), achieving compliance is a difficult and much more expensive undertaking, not to mention the liability associated with keeping it all in-house.

Payment Gateway Tokenization – Judge a Book by its Cover

It can be an appealing option to shift liability to your payment gateway. After all, this is added protection, and you may receive certain initial benefits. However, when you decide to use a payment gateway, you had better ask yourself a few questions: Did you choose the PSP tokenization solution simply because you are already using the PSP for payment acceptance? Perhaps you received one year of free tokenization as an incentive? What are you really committing to when you hand over your data to them? What data sets do they tokenize beyond payment card data? If you ever change providers, will they readily return your data to you? Have you asked any of their past customers who tried to leave how that process went? Most gateways only tokenize PCI data, and when you decide to go with another tokenization solution they often will not return your data. On top of that, PSPs do not use universal tokens that translate to other tokenization solutions should you decide to change. The free year of service looks rather paltry when you consider the long term and what a pickle losing all of YOUR data can produce. Further, PCI data is not the only toxic data set that needs to be tokenized. More and more organizations are discovering this through emerging privacy laws, civil liability suits, and top-down policies aimed at ensuring that sensitive PII (Personally Identifiable Information) is properly secured as well. Most gateways do not tokenize PII, so to avoid class-action lawsuits and angry customers, you will find yourself searching for another tokenization solution anyway, one that can secure all data sets. Did I mention that while you are in the middle of that transition, you still won't be getting your data back? That’s a big one.

Hybrid Tokenization

A hybrid solution is a combination of a traditional on-premise solution and a cloud based solution. Moving some of your sensitive data to the cloud relieves some of the compliance burden. However, you will still have to determine which controls and requirements are the responsibility of the TSP (tokenization service provider) and which requirements you are responsible for. At the end of the day, as the merchant you are responsible for your compliance burden and for the level of risk to which you have chosen to expose your organization. This type of solution does not make a lot of sense, because you are splitting your data security solution across two environments without truly achieving PCI compliance or true risk avoidance.

Cloud Tokenization

In order to achieve the greatest amount of compliance and risk reduction, an increasing number of companies want to outsource tokenization. A true cloud tokenization solution does not store any sensitive data in your systems. None. If a breach does occur once cloud tokenization has been deployed, the only data that can be exposed is tokenized data, which cannot be turned back into true values without authorization. Tokenized data is worthless to thieves and hackers – so worthless, in fact, that the PCI Security Council doesn’t even consider it sensitive data. It carries virtually no risk to store in your environment, and is not subject to PCI compliance. You are trusting all of your sensitive customer data to a cloud based solution and transferring that liability to, hopefully, specialists in their field who have been vetted as experts and become valued members of your supply chain.
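As an added example, not TokenEx code or any vendor's implementation, the Python below models the two points the post makes: the vault is the only place the PAN exists (and only authorized clients can reach it), and the PCI DSS scope question reduces to whether any stored record lets you recover a PAN. The in-memory dict vault, the client names and the test card number are constructed for illustration.

```python
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """Luhn check: every real PAN passes it, so it doubles as a PAN detector."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Heuristic scope check: 13-19 digits that pass the Luhn check."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """Constructed model of a TSP vault. In a cloud deployment it lives outside the
    merchant's systems; on-premise it is a merchant system component, hence in scope."""

    def __init__(self, authorized_clients):
        self._pan_by_token = {}          # the only place a PAN is ever stored
        self._authorized = set(authorized_clients)

    def tokenize(self, pan: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("not a PAN")
        # Random digits plus the real last four (format-preserving). Luhn-valid
        # candidates are rejected so a token can never pass for a real PAN.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                self._pan_by_token[token] = pan
                return token

    def detokenize(self, token: str, client_id: str) -> str:
        """The only path back to the PAN, gated by the vault's authorization."""
        if client_id not in self._authorized:
            raise PermissionError(f"{client_id} is not authorized to detokenize")
        return self._pan_by_token[token]


def pan_retrievable(records) -> bool:
    """The PCI DSS test the post cites: can a PAN be recovered from these stored records?"""
    return any(looks_like_pan(str(v)) for rec in records for v in rec.values())
```

Run `pan_retrievable` over what the merchant's own systems store: before tokenization it returns True, afterwards only tokens remain and it returns False.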

All Tokenization Requires Proper Integration

As with any successful data security platform, the actual integration is the most important piece. Data environments are more complex than they have ever been, so a one-size-fits-all solution is not realistic. Integration requires flexibility that can adapt to any environment and will not negatively impact business processes. In theory, you should be able to keep using whatever payment gateways, platforms, third-party analytics, etc. your organization already uses, and not the other way around. True cloud tokenization should be vendor agnostic, so all organizations can make use of unlimited flexibility in how they store, access, and secure their sensitive data sets. Since tokenization removes toxic payment and personally identifiable information (PII) data from internal IT systems, storing it in secure cloud data vaults, it eliminates the risk of data theft.

TokenEx is the industry leader for custom cloud tokenization solutions. TokenEx is patented technology. Follow us on LinkedIn and Twitter. Stay tuned for part 2 of 3, Managing Integration - Not All Tokenization Solutions are Equal, when we tackle the ins and outs of integration.

