Tokenization: The Wave of the Future

Tokenization is the wave of the future. Banks are already pushing for this technology to be globally instituted as part of their industry, and other industries are sure to follow suit. The management of sensitive data is…sensitive, and regulated policies and strict guidelines can only protect the consumers and companies that engage in internet purchases from fraud and malfeasance. This is where tokenization fits in. While consumers are becoming more comfortable with making online purchases and sharing personal data online, the threat of this information falling into the wrong hands is a viable risk. Tokenization reduces this risk.

Tokenization is the process of replacing information with a proxy. Instead of a client’s credit card number being stored in a company’s database for hackers to possibly retrieve, the proxy number is used, which protects both the consumer and the company from underhanded activities. As technology changes and progresses, cloud based transactions will take center stage, since storing information in the cloud requires less of a financial investment from a company. Tokens are stored off-site, so the protected information is not available to someone who might break into the business’ records, so a client’s credit card number would never be accessible. The crook would wind up with a nonsensical number; one that would be worthless. This type of forwarding thinking is projected to be the possible business norm by 2020.

Already, tokenization is widely becoming the solution of choice for many businesses who operate online. By replacing personal data, including credit card numbers, birthdates, social security numbers, and other guarded information with a unique token, businesses can comply the standards set by the Payment Card Industry Data Security Standard, also known as PCIDSS, and even HIPAA standards, for Health Insurance Portability and Accountability Act. Tokenization is already used by government entities, healthcare, and retail, just to name a few.

Tokens come in two forms—format preserving and non-format preserving. The former mimics the information it is standing in for, so a social security number consisting of nine numbers would be replaced with nine characters complete with dashes. A non-format preserving token would be a series of numbers, and letters that do not correspond to the original information; it just replaces it so that the true information can’t be compromised.

The newest technology in credit card and debit cards has been the embedded microchip which has all but replaced the magnetic strip on the cards. While it is difficult to extract information from these cards, the recent breach at both Target and Experian has called for more stringent restrictions to safeguard client’s information. To illustrate how tokenization would work at either a point of sale transaction or an online purchase, the credit card number is entered and the number is sent to an off-site tokenization system. At that point, a random token made up of either numbers, letters or a combination of both is used to replace the credit card number. Both numbers are stored in a data vault. The proxy is returned to the point of sale or website where the transaction originated to represent the client’s credit card number in the system. This all happens instantaneously, so there is no down time while the token is generated and retrieved.

The biggest benefit to all involved is that the credit card data model, in this example, is protected from various threats and can only be deciphered by the payment processor. The widespread use of tokenization will dramatically reduce the amount of online fraud from unsavory characters trying to steal personal information. The tokenization process works for the information recipient, regardless of the industry. In addition to credit card numbers and social security information, tokenization is used in safeguarding medical records, usernames, and customer account information and can be used for various forms of payment, like gift cards and Apple Pay. Previously this information could be stolen if a merchant’s system was hacked; with tokenization, they are no longer required to store this information in their system and the use of tokenization meets Payment Card Industry (PCI) standards for the merchant. Since the information is saved in the off-site location, the company charging the card can access it again if the customer makes another payment or would like to set up reoccurring payments. Tokenization is easier and safer for all parties involved in a transaction, even if that just involves sending personal information to your dentist!

While the concept of tokenization isn’t necessarily new, it is still in the beginning stages for many industries. As with the adoption of any new protocols for regular business, it takes time for people to get acclimated. Businesses are slow to try new concepts in fear that they may fail, or, worse yet, that someone will find a way to navigate through a backdoor and be able to compromise information. Tokenization has yet to fully be embraced, but it is becoming accepted as the “next new thing”, much like the credit cards with the microchip embedded in them. A real plus for customers is that they will do nothing differently at the point of sale or when they send information online; it is essentially the same process for them with better safeguards.

How do you know if the use of tokenization will benefit your business? If you have any monetary transactions, either point of sale or web-based, tokenization would be advantageous for your liability protection. Even if you just correspond with patients, from a doctor’s or dentist’s office, tokenization can protect your patient’s vital information, which also protects your business. By implementing this standard of operation, you will not have to make many adjustments to your current payment or information gathering systems; tokens are formatted as the information they represent, so minimal changes are required by the vendor who uses them. If you do decide to use tokenization to protect sensitive data, formulating a relationship with a trusted third party tokenization solution provider is a must. This outside entity will be the one that houses all the data for you and your customers, so it is important that you find someone compliant and reliable. The wide-spread use of tokenization will soon be mainstream, so it is definitely something for your company to explore in advance.