
Payment Tokenization to Reduce PCI DSS Scope


Don’t want the risk of handling or storing sensitive payment data on your hosted servers? Want to achieve and maintain Payment Card Industry (PCI) certification faster and more easily? If these are your concerns, then payment tokenization is the way to go. It is a great way to reduce the scope of the PCI Data Security Standard (DSS). Eliminating payment data from your network is the only way to ensure that your customers’ sensitive personal information is not compromised during a security breach.

Tokenization is the replacement of sensitive data with a unique identifier that cannot be mathematically reversed. In a transactional environment, tokens take the place of sensitive credit card data. Typically, the token will retain the last four digits of the card as a means of accurately matching the token to the payment card owner. The remaining numbers are generated using proprietary tokenization algorithms.

How It Works

  1. To make a purchase on a website, the customer enters their payment card information into the designated payment fields on the order page. When the customer submits the form, the card data is transmitted directly to a card processor such as CyberSource for storage, processing, and token generation. The card data never has to be stored in your environment, even though you need the card for recurring processing. There are two main flavors of tokenization, namely Silent Order POST (SOP) and Hosted Order Page (HOP).
  2. The card processor returns the result with the PAN data replaced by a uniquely generated token, often called a subscription ID. You store the token in your database for future transactions or chargeback resolution on that account. For recurring transactions, you simply pass that token or subscription ID to the card processor. Customer service representatives can easily verify customers, as the token retains the last four digits of the original PAN.
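The two steps above, as an added simulation that is not Tavant's or CyberSource's code: a processor-side vault issues a random token that keeps the PAN's length and last four digits, and the merchant side stores and charges with the token only. The Luhn check and the choice to reject Luhn-valid tokens (so a token can never be mistaken for a real card number) are assumptions of this example, not something the post specifies.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that real PANs pass."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class ProcessorVault:
    """Simulated card-processor side: the only place the real PAN is stored."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token that keeps the PAN's length and last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:       # same card -> same token (subscription ID)
            return self._token_by_pan[pan]
        while True:
            # Random digits, not derived from the PAN, so the token cannot be reversed.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Assumed design choice: never issue a Luhn-valid token, so it cannot pass as a card.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Recurring charge: the merchant sends only the token; the PAN stays here."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

def merchant_flow(vault: ProcessorVault, pan: str) -> dict:
    """Merchant side (constructed sample data): only the token is ever persisted."""
    token = vault.tokenize(pan)                              # at checkout
    customer_record = {"customer_id": 42, "token": token}    # what the merchant DB holds
    result = vault.charge(customer_record["token"], 1999)    # later recurring charge
    return {"record": customer_record, "charge": result}
```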

Benefits of Tokenization

  1. Reduces PCI DSS Scope
  2. Renders payment card data meaningless to hackers
  3. Chargeback and payment reconciliation can take place without handling payment data
  4. Not mathematically reversible
  5. The format fits legacy payment card data fields
  6. Integrates with Account Updater to automatically update payment data for fewer failures


The interesting part is that, whether you are building a new e-commerce system or already have an existing one, you can easily adopt or switch to tokenization. If you are starting new, all your cards will be tokenized from the outset; if you already hold cards, you can have them tokenized once using a batch process and then switch to tokenization for all future orders.

In the next part of this series, we will look more deeply at the flavors of tokenization.
