  • Christopher Bulin

Myth: Tokenization of Payment Card Data Reduces All Risk



Most merchants think that secure tokenization of payment card data will protect them from ever having a breach or cyberattack while ensuring that the data is fully protected. These merchants can sleep at night knowing their payment provider has provided this valuable tokenization service, reduced their PCI scope, and maintained PCI compliance. However, our experience in the payments industry shows us that if “bad actors” (i.e., cybercriminals) want to access information, they will try many creative ways to steal it and use it.



Let’s revisit what tokenized data is and why it’s been an important security strategy for the past 10 years. Simply put, a token is a randomly assigned character stream used to represent payment card numbers, or PANs (Primary Account Numbers). Only those processing this data have the ability to unlock the secure token vault and retrieve the PAN to submit it for payment authorization. For the merchant, the token takes the place of the payment data and can be stored and used on payment gateways, greatly reducing the risk of payment data being stolen. As part of gaining PCI compliance and reducing scope, businesses should ensure any payment data they have access to is tokenized.

However, simply because the credit card number is replaced with a token doesn’t mean that the data can’t still be stolen and used to commit fraud. Cybercriminals today are finding ways to gain access to payment data no matter what form it’s in: tokenized, encrypted, or in the clear (meaning the credit card data can be seen, which is a huge no-no!). Once they have the data, they use sophisticated programs they have created to try to crack it. While the risk is low that tokenized data can be stolen and the underlying payment information accessed, it’s still a possibility.

“It’s important to understand that while minimizing the risk of payment card data theft by removing the data from your environment, there is still a risk a cybercriminal can successfully gain access to the tokens and then impersonate the real customer to commit fraud. The focus shifts from data protection to identity and access management,” says Jeff Man, PCI – QSA.
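
The vault model described above can be sketched as follows. This is an added example, not code from the author or any payment provider: the class, merchant IDs and API-key scheme are assumptions, and the PAN is a standard test number. It shows that a token alone is rejected, while a caller holding both the token and the merchant's credentials looks identical to the merchant.

```python
import hmac
import secrets

class TokenVault:
    """Toy in-memory vault; names and API-key scheme are assumptions."""
    def __init__(self):
        self._records = {}   # token -> (PAN, owning merchant id)
        self._api_keys = {}  # merchant id -> API key

    def enroll_merchant(self, merchant_id):
        self._api_keys[merchant_id] = secrets.token_hex(16)
        return self._api_keys[merchant_id]

    def _authenticated(self, merchant_id, api_key):
        expected = self._api_keys.get(merchant_id, "")
        return bool(expected) and hmac.compare_digest(expected, api_key)

    def tokenize(self, merchant_id, api_key, pan):
        if not self._authenticated(merchant_id, api_key):
            raise PermissionError("authentication failed")
        # Random value, not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_urlsafe(16)
        self._records[token] = (pan, merchant_id)
        return token

    def charge(self, merchant_id, api_key, token, cents):
        # The PAN is resolved inside the vault; the caller never receives it.
        if not self._authenticated(merchant_id, api_key):
            return "denied: authentication failed"
        pan, owner = self._records.get(token, (None, None))
        if owner != merchant_id:
            return "denied: token not valid for this merchant"
        return f"approved: {cents} cents on card ending {pan[-4:]}"


def demo():
    vault = TokenVault()
    key_a = vault.enroll_merchant("shop-a")
    key_b = vault.enroll_merchant("shop-b")
    token = vault.tokenize("shop-a", key_a, "4111111111111111")  # test PAN
    return {
        "owner": vault.charge("shop-a", key_a, token, 2500),
        # Token alone, presented under another merchant's valid login.
        "other_merchant": vault.charge("shop-b", key_b, token, 2500),
        "bad_key": vault.charge("shop-a", "guess", token, 2500),
        # Token plus the owner's real key: same as the merchant to the vault.
        "token_and_key": vault.charge("shop-a", key_a, token, 99900),
    }
```
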

To protect your business, it’s imperative you work with a reputable payment company that will manage your payment data according to PCI compliance standards and specific tokenization requirements while reducing the PCI scope within your own environment. They will help you identify the best tokenization strategy for your business. The implementation of tokenization needs to be done carefully and thoughtfully to lower any risk of data being used to commit fraud. If not managed correctly, it leaves your business at risk.

For more information on tokens, PCI security, and our solutions, visit us here.
