In the payment security world, tokenization is universally regarded as an industry standard. However, there is still some confusion about the specific history and purpose of this technology, as well as how to identify and avoid subpar copycat (or “faux-kenization”) solutions.
The Origin of Tokenization
Shift4 is the inventor of this technology as we know it now. In 2005, they released the first payment data tokenization solution, which they called TrueTokenization. The idea behind the ahead-of-its-time technology was straightforward: to secure post-authorization card information for the long term. It was created as a response to the enormous threat of data breach facing merchants who stored transaction information for returns, incremental authorizations, monthly billing, and more.
For example, hotels typically store their guests’ card numbers from the time the booking is made until after the final checkout. This means keeping hundreds, if not thousands, of card numbers on file at one time, which leaves them with an enormous amount of risk if they are breached. Tokenization solved this problem by replacing the stored cardholder information for every individual transaction with a random, alphanumeric value that would have no value in the hands of data thieves. When Shift4 released tokenization, they challenged the norm and demonstrated that sensitive, vulnerable card information does not actually have to be stored, even in card-on-file environments.
Fast-forward 13 years. In a little more than a decade, tokenization has gone from an up-and-coming concept to being accepted as a must-have technology for businesses in virtually every sector. In fact, Forrester Research and Forbes recently listed it at #2 on their list of top data privacy and security tools. Not bad for a teen.
Now that you have had a crash course in tokenization, here is what merchants should consider when looking for a truly secure solution:
1. Tokenization Isn’t Encryption
While both are useful, it is important to understand the difference between the tokenization and the encryption of payment card information during a transaction. Tokenization was not designed to encrypt cardholder data. Instead, it was meant to be a globally unique, alphanumeric value that replaces payment card information after bank authorization, so the information stored in merchant systems has no value outside their own environment.
Launched in 2017, the EMV® Payment Tokenisation Specification Technical Framework refers to both card-based tokenization and mobile payment tokenization, such as Apple Pay, Google Pay, and other mobile wallets. However, by nature, these approaches are much closer to encryption or a cryptographic hash, and labeling them as tokenization is not only misleading and confusing; it is genuinely dangerous to merchants.
2. Tokens Ought to Be Randomly Generated
Tokens should not keep a one-to-one relationship with a single debit or credit card. A trusted tokenization solution will assign a token for each and every transaction. This guarantees that tokens are not predictable and cannot be reversed or decrypted. Additionally, because true tokenization is alphanumeric, there are enough possible permutations that tokens will never be replicated within even the largest payments ecosystems.
Again, this differs from the security features of mobile wallets and card-based tokenization solutions. Although they are called tokenization, these solutions are not actually tokenization in any respect. Instead, they are consumer-based token services that aim to protect the cardholder, not the merchant.
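The property described in point 2, as an added example that is not Shift4's or any vendor's code: a hypothetical in-memory `TokenVault` issues a fresh random alphanumeric token for each transaction, while `derived_value` (an unsalted hash, used only as a contrast case) returns the same value every time for the same card. The 16-character token length, the class and function names, and the test card number are assumptions.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols
TOKEN_LEN = 16  # assumed length; 36**16 is roughly 7.9e24 possible tokens


class TokenVault:
    """Hypothetical vault mapping token -> card number, held outside merchant systems."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        # Drawn from the OS CSPRNG, so the token carries no information about the card.
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
            if token not in self._store:  # enforce uniqueness inside the vault
                self._store[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        # The only way back to the card number is a vault lookup (KeyError if unknown).
        return self._store[token]


def derived_value(pan: str) -> str:
    """Contrast case: a value computed from the card number itself."""
    return hashlib.sha256(pan.encode()).hexdigest()[:TOKEN_LEN].upper()


def demo() -> dict:
    pan = "4111111111111111"  # widely published test number, constructed sample input
    vault = TokenVault()
    t1, t2 = vault.tokenize(pan), vault.tokenize(pan)  # two transactions, same card
    return {
        "random_tokens_differ": t1 != t2,
        "both_resolve_in_vault": vault.detokenize(t1) == vault.detokenize(t2) == pan,
        "derived_is_one_to_one": derived_value(pan) == derived_value(pan),
        "token_space": len(ALPHABET) ** TOKEN_LEN,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A stolen copy of the merchant's token table reveals nothing without the vault, whereas a derived value links every transaction made with the same card.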
3. Tokenization Works Well With Others
As I mentioned, there is a difference between tokenization and encryption, but that does not mean merchants must choose one or the other to secure their payments from hackers. The best strategy merchants can use is to layer multiple payment protection solutions together. This will cover more entry points in their payment environment and provide the most thorough protection against data breach.
For example, merchants who accept EMV payments should also have point-to-point encryption (P2PE) and tokenization solutions. This way, they have EMV to reduce counterfeit card fraud, P2PE to encrypt data in the terminal, and tokenization to replace the information stored after the transaction. We call this the Payment Safety Trifecta.
Not All Tokenization Solutions Are Created Equal
Since payment information tokenization has become such a widespread technology, there have sadly been a large number of substandard versions of the real thing. As the inventors of the technology who set the initial high standard and continue to maintain it, Shift4 has the benefit of being able to quickly identify which solutions are in fact tokenization and which are watered-down imitations. Unfortunately, it is not always that simple for everybody.
The bottom line is, if merchants rely too heavily on those “faux-kenization” solutions, believing they do more than they really do, it may end up doing more harm than good for their organization, image, and pocketbook if hackers come knocking and they are not prepared.