Tokenizing with Your Payment Service Provider? Think Again Part 2 of 2

Tokenizing with Your Payment Service Provider? Think Again Part 2 of 2

In Part 1 we discussed data corruption, commingling of tokens, the inability or unwillingness of your Payment Service Provider (PSP) to tokenize sensitive data sets outside of payment card data, and whether or not you would have to pay your PSP for access to your own data. How does transactional pricing stack up against volume based pricing? What if you decide to switch PSP’s or you want to enlist a 3rd party for marketing analytics, customer buying patterns, etc., and you need your data returned to you? Why are these types of data retention policies not favorable for your organization? We will break down transactional costs versus volume based, cost of receiving your detokenized data back from your PSP, as well as tokenizing all data sets from actual customers who have been through the harrowing process. With all of this in mind, how does a flexible cloud based tokenization solution foster scalable growth in tokenizing all data sets without crushing your data security budget?

Transactional Pricing

For purposes of this blog, let’s use a recent customer example comparing transactional vs. volume pricing for tokenization at a monthly subscription service organization that has a million-strong customer base. A typical PSP will add $.01 each time a stored token and PAN combination is used to process a payment. The subscription merchant will end up paying an additional $0.12 per year, per customer, just to use the tokens. Multiply that by one million customers, and that innocuous figure blooms into a $120,000 per year loss for the merchant— and profit for the PSP. Bottom line, Customer A paid heavily. As they discovered, your PSP will charge you to create a token and a fee every time you access a token, even if it is already stored in their data vault.

Using a volume-based pricing for tokens stored in a SaaS Cloud Security Platform, it costs only $36,000 per year to store one million PANs, or $0.036 per token conversion. After the initial conversion of customer PANs to tokens, access is free. When a merchant acquires a new customer subscription, the PAN is stored in a secure data vault, and a mathematically unrelated token is created for a one-time fee, which is used thereafter for no additional charge. Volume Pricing cuts tokenization costs by nearly 75% compared to transactional pricing by PSPs. The added bonus is that since PANs are not accepted or stored in the merchant’s business systems, the cost of PCI compliance also plummets, saving IT budget and labor, while eliminating the risk of data theft.

Your Data Is Your Data

Charging a customer to detokenize their data, just so they can become free to migrate to another tokenization platform, is a costly practice for which PSP tokenization customers unfortunately pay the price quite often. By way of example, another of our valued customers–Customer B–wanted to utilize a 3rd party for customer profile storage, and shared with us what the cost looks like for detokenizing and returning their data. Their processor requested they pay $1 for each active profile with a $500 detokenization fee. That paltry $1/file seemed inconsequential at the time they signed their agreement, because they did not think they would need to change tokenization providers or PSPs. After all, they were paying the processor a per-transaction amount to tokenize the payment card data, so you would think that their data would be their data. Think again.

True Cost Breakdown

Customer B had 31,427 active profiles and 31,884 total profiles with both active and inactive users. A $500 MID (Management ID) surcharge was added for each data set, as well as $1 for the single profile. This is not to the advantage of the customer, as a single profile would not be that difficult to collect at the consumer level.  Of course, the overall fee would be $501.00 for the de-conversion and $31,427.00 for the individual active profiles, equaling $31,947.00. The grand total for both MIDs is $32,448.00. These are data sets that the organization owns, but is being forced to pay for. Imagine what these fees look like when you are managing hundreds of thousands of profiles. Even this last insult has a caveat, in that your PSP may not be contractually obligated to return your token vault, thus making it even more difficult and expensive to change payment processors.

PII Needs Your Attention

PII is now center stage as the most valuable data set to steal. Using stolen PII, a cyber-criminal can build a complete virtual identity. PII data sets—such as social security number, date of birth, employment history—are used to create fraudulent personas with which a fraudster can buy goods and services, open lines of credit, change bank account access, and a plethora of other illegal activities. The consequences of PII theft are a lot more expensive and time-consuming than just shutting off a credit card account and offering free credit reporting for a year. Class-action lawsuits are becoming more commonplace for organizations that are found guilty of violating their security and privacy statements when PII goes missing.

Flexible Tokenization For All Data Sets

We have multiple customers who have approached their PSPs about tokenizing personally identifiable information (PII), as well as other sensitive data sets, only to be to be told No– their PSP did not want the liability of handling and tokenizing PII. So organizations are left to find a platform who will accept the liability of tokenizing and vaulting the sensitive data sets that course through their environment each and every day. As we touched on in part 1, utilizing 2 separate tokenization platforms can create internal data corruption, commingling of tokens, and not to mention cost-prohibitive transactional pricing.

Your Tokenization Needs Visibility

Flexible cloud based tokenization solutions are unique in their ability to provide a single platform for tokenizing all of your sensitive datasets and ensuring they are protected in one cloud. A true tokenization platform stores the original value of the sensitive data and the associated token available to use when needed, so your business continues to operate as usual after your sensitive data is tokenized and secured. With predictable data storage overhead—the more data you store, the lower the cost per record–and fully customizable tokenization schemes to match the data type being secured, the result is that your entire environment being secured. You can use tokenized PII data or any tokenized sensitive data set within business intelligence and analytics platforms to achieve insights into customer behaviors and trends, measure internal environmental metrics, or more closely examine secure rewards programs. So you still get the business value out of your sensitive customer data without risking its exposure. This platform can become a key component to your overall information management program, saving you money, enabling secure analytics, and protecting your organization at the same time.

TokenEx is the enterprise leader in cloud tokenization. To learn more about our flexible tokenization solutions that secure ALL data sets and ALL acceptance channels, please email Follow us on Twitter and LinkedIn.

Cloud Tokenization


Keep Up With Our PCI & Privacy Blog