Reducing Risk and PCI Compliance with Transparent Tokenization and Detokenization

Adding layers of security to your internal network environment is essential for protecting the sensitive personal and cardholder data of your customers. However, when not properly implemented, this extra security can confuse customers by using different interfaces and requiring additional passwords at checkout time, which can lead to shopping cart abandonment and lost sales. Ideally, security systems safeguard customer data while keeping the user experience consistent and simple. TokenEx’s transparent tokenization and detokenization were designed to enable this type of frictionless operation. Our platform works “transparently” with your business environment and your partners’ booking engines, payment-processing systems, etc., keeping sensitive data out of your business and IT environments. Using transparent tokenization and detokenization with secure cloud data vaulting, you can virtually eliminate the risk of data theft, reduce the cost of PCI compliance, and conduct business as usual without disrupting your existing third-party integrations.

Benefits of Transparent Tokenization and Detokenization

Transparent tokenization and detokenization offer more than just data security. They’re parts of a powerful technology that can help organizations achieve digital transformation by prioritizing a data-centric approach to security. Here are some additional benefits of transparent tokenization and detokenization, especially when it comes to credit card tokenization and other types of PCI tokenization:
 

  • Works with all data sets
  • Requires no new integration with service providers, only changes in packet headers
  • Increases business continuity, utility, and agility
  • Significantly reduces the scope of regulatory compliance obligations
  • Reduces risk of data theft by storing all sensitive data outside of your environment
  • Enables the use of any payment service provider

Transparent Tokenization and Detokenization Explained

The purpose of tokenization is to exchange sensitive data—typically payment card or bank account numbers—with randomized numbers in the same format that possess no intrinsic value of their own. This type of tokenization is typically referred to as PCI tokenization. Tokenization differs from a similar security technology called encryption, a process where a number is mathematically changed but its original pattern is still “locked” within the new code. Encrypted numbers can be decrypted with the appropriate private key through either brute computing force or a stolen or mismanaged private key, whereas tokens are irreversible.

Additionally, transparent tokenization tokenizes and vaults the sensitive data at the point of acceptance—preventing payment card data from entering your business systems—and the sensitive data is detokenized with an API call as data leaves your environment for payment processing or fulfillment. Because sensitive data never enters your environment, transparent tokenization and detokenization effectively remove your cardholder data environment from the scope of PCI compliance.

Detokenization for PCI Compliance

Organizations that accept payment card transactions are required to comply with the Payment Card Industry Data Security Standard for the processing, transmission, and storage of cardholder data. In effect, the PCI DSS functions as the source for credit card tokenization standards, outlining how tokenization should work with credit and debit cards. PCI compliance can be a complicated and expensive process, especially if your organization requires you to store payment card data internally. An effective and efficient solution is to implement transparent tokenization and detokenization to capture payment and personal data before it enters your internal business systems and then store the tokens as placeholders until the original, sensitive data is needed.

For example, not every transaction from a booking engine contains a payment account number (PAN), such as when the payment is being made through another service like PayPal. Also, most tokenization platforms charge to create a token even when payment card data is not available. On average, a booking engine may receive 80,000 requests in a single day, but only 50,000 requests contain payment card information. Using a traditional tokenization vendor, your organization would still be charged for the PCI tokenization and vaulting, even though there is no PAN to store. Using TokenEx’s transparent tokenization and detokenization, if there is no PAN received in the form from the booking engine, there is nothing to tokenize and vault, therefore there is no charge for that transaction from TokenEx. As with all data stored with TokenEx, the only charge is for tokenizing and vaulting each record.

From a customer’s perspective, booking reservations at a hotel requires providing a payment card to hold the reservation—usually through the website of a booking engine. However, the hotel usually does not want to preauthorize the card only for the cost of the room, since other additional charges may be incurred during the customer’s stay. Using transparent tokenization, the payment card data coming from the booking engine is intercepted, vaulted by TokenEx, and tokenized. The hotel receives the token representing the customer’s payment card data and stores that until checkout, when all the charges for the stay are accumulated, at which point the request for payment is sent to the processor with the token. TokenEx will detokenize the PAN before sending on to the payment processor, relieving the hotel of the responsibility of holding sensitive data. This reduces risk of data theft and minimizes the scope of PCI compliance.

Transparent Tokenization and Detokenization Help Reduce Risk

The transparent tokenization and detokenization offered by the TokenEx Cloud Security Platform especially excels at reducing risk through its use of pseudonymization and secure data vaults. Pseudonymization, also known as deidentification, is the process of desensitizing data to render it untraceable to its original data subject. This virtually eliminates the risk of theft in the event of a data breach. Because there is no mathematical relationship between the token and its original data, tokens cannot be returned to their original form. Instead, when detokenization is required, the token is exchanged for the original data, which can be done only by the original tokenization system—there is no other way to obtain the original data from the token alone. So if a breach occurs, the exposed data is worthless to cybercriminals. The original, sensitive data sits undisturbed in a secure cloud data vault. In effect, no data is lost.

Additionally, tokenization can further reduce risk by addressing many international regulatory compliance obligations, such as the PCI DSS. Again, by removing payment card information from organizations’ cardholder data environments, tokenization satisfies controls concerning the processing of sensitive data, which can reduce the risk of incurring fines and other penalties as a result of noncompliance.

Topic(s): compliance , PCI DSS , tokenization

Keep Up With Our PCI & Privacy Blog