
In today's economy, companies increasingly offer their products and services by electronic means. The entire economic spectrum competes on how fast and how many transactions can be executed in a given period, so companies have made every effort to ensure service Availability in order to drive revenue. This e-commerce surge, however, has often come at the expense of customer data Confidentiality.
In the last few years the e-commerce industry has witnessed some blockbuster data breaches. Without naming any particular institution, the extent of these compromises was devastating: they affected millions of consumers and ultimately cost merchants millions of dollars. The number one reason behind these breaches, by the consensus of industry experts, is the merchant's inability to effectively store and protect cardholder data.
PCI-DSS is the de facto industry standard for the security and protection of cardholder data. In effect, every entity that stores, processes, or transmits cardholder data is subject to PCI-DSS, the standard maintained by the PCI Security Standards Council and enforced by the card brands (Visa, MasterCard and the others), or risks losing the ability to accept credit cards as a form of payment, or, even worse, in the case of a compromise, being hit with hefty penalties along with a major blow to its reputation.
PCI-DSS requirements are very strict and strongly encourage NOT storing cardholder data unless there is a business need to keep it. Many merchants feel that they must store cardholder data for one reason or another, but that decision comes at the high cost of becoming compliant with the 200+ sub-requirements under PCI's twelve requirements. Based on surveys, the average cost of PCI compliance is around $500,000, but it can run into the millions depending on the size and complexity of the organization.
Payment Processors have developed and refined a Tokenization solution that alleviates the costs and challenges associated with storing customer payment account data, including ACH and credit card accounts. The Payment Processor encrypts and stores the cardholder data in a highly secured environment and returns a unique token per payment account number. The merchant stores this token and uses it to invoke future payments or refunds. Most importantly, a token is generated randomly by the processor rather than derived from the account number, so in the event of theft it is of no value to criminals: it cannot be reversed into a card number, it is only honored by the processor that issued it, and only on behalf of the merchant it was issued to. The one caveat a practitioner should keep in mind is that the token is worth exactly as much as the merchant's credentials to the processor: a thief who steals both the token store and the merchant's API credentials can still submit charges through that merchant account, so those credentials need the same care as the old card numbers did.
Payment Account Tokenization step by step:
- The merchant transmits a payment transaction to the processor over a secured channel (TLS; historically SSL)
- The processor processes the payment and stores the payment account information, encrypted, in a high-security, PCI DSS compliant environment
- The storage server or servers return a unique token to the merchant
- The merchant stores the token instead of the credit card or bank account information
- The merchant presents the token for future payments or for refunds as needed, and the processor resolves it back to the account inside its own environment
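The flow above, written out as a small working model. This is an added example, not code from the article or from PayDQ, and its vault, token format, Luhn check and merchant-binding rules are assumptions made for illustration: the processor side is modelled as a Vault that encrypts the PAN with AES-GCM under a key that never leaves the vault, keeps a keyed index so that one card maps to one token per merchant (the "unique token per payment account number" of the text), and hands the merchant a random token that is not derived from the PAN. The merchant then charges and refunds with the token alone, and a token presented by a different merchant is refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Vault is a toy stand-in for the processor's PCI-scoped storage (assumed design, example only).
type Vault struct {
	aead   cipher.AEAD       // AES-GCM under the vault's encryption key
	idxKey []byte            // HMAC key for the PAN -> token index; never leaves the vault
	byTok  map[string]record // token -> encrypted PAN
	byPAN  map[string]string // HMAC(merchant, PAN) -> token, so a card gets one token per merchant
}

type record struct {
	merchantID string
	nonce, ct  []byte
}

func NewVault(encKey, idxKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead, idxKey, map[string]record{}, map[string]string{}}, nil
}

// LuhnValid rejects mistyped or garbage PANs before anything is stored.
func LuhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// index keys the PAN -> token lookup without storing the PAN in the clear.
func (v *Vault) index(merchantID, pan string) string {
	m := hmac.New(sha256.New, v.idxKey)
	m.Write([]byte(merchantID + "\x00" + pan))
	return string(m.Sum(nil))
}

// Tokenize encrypts the PAN (merchant ID bound in as AEAD associated data) and
// returns a random token; the token carries no information about the PAN.
func (v *Vault) Tokenize(merchantID, pan string) (string, error) {
	if !LuhnValid(pan) {
		return "", errors.New("rejected: PAN fails Luhn check")
	}
	idx := v.index(merchantID, pan)
	if tok, ok := v.byPAN[idx]; ok {
		return tok, nil // same card, same merchant: hand back the existing token
	}
	nonce, raw := make([]byte, v.aead.NonceSize()), make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := "tok_" + base64.RawURLEncoding.EncodeToString(raw)
	v.byTok[tok] = record{merchantID, nonce, v.aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))}
	v.byPAN[idx] = tok
	return tok, nil
}

// detokenize stays inside the vault and refuses tokens presented by another merchant.
func (v *Vault) detokenize(merchantID, tok string) (string, error) {
	rec, ok := v.byTok[tok]
	if !ok || rec.merchantID != merchantID {
		return "", errors.New("unknown token for this merchant")
	}
	pan, err := v.aead.Open(nil, rec.nonce, rec.ct, []byte(merchantID))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// Charge is the later payment (positive cents) or refund (negative cents) made
// with the stored token. It returns a masked receipt, never the PAN.
func (v *Vault) Charge(merchantID, tok string, cents int64) (string, error) {
	pan, err := v.detokenize(merchantID, tok)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%+d cents on card ****%s", cents, pan[len(pan)-4:]), nil
}

func main() {
	encKey, idxKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(idxKey)
	vault, _ := NewVault(encKey, idxKey)
	// constructed sample: a well-known test card number, not a real account
	tok, _ := vault.Tokenize("merchant-A", "4111111111111111")
	fmt.Println("merchant stores only:", tok)
	fmt.Println(vault.Charge("merchant-A", tok, 2599))  // later sale
	fmt.Println(vault.Charge("merchant-A", tok, -2599)) // refund
	_, err := vault.Charge("someone-else", tok, 100) // stolen token, wrong merchant
	fmt.Println("stolen token:", err)
}
```

The merchant side of this exchange holds nothing but the `tok_` string and its own credentials to the processor, which is the whole point: the vault key, the index key and the ciphertext all stay on the processor's side of the line.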
In addition to the obvious risk reduction from not having to store cardholder and ACH data, the merchant's PCI compliance process is dramatically simplified and less costly, because the systems that used to hold card numbers drop out of scope. Note that the path on which the merchant first captures the card number and forwards it to the processor still handles cardholder data and remains in scope; tokenization removes the stored data, not the initial capture.
Ahmed Tantan is co-Chief Information Security Officer in charge of compliance at PayDQ, a Level 1 payment processing company in Council Bluffs, Iowa.
www.paydq.com
