
Tokenisation is the way to prevent e-commerce security breaches

Avery Buffington, Information Security Architect, SecureNet | Aug. 26, 2014
Tokenisation can be used to prevent actual credit card data from ever touching a retailer's server, where the majority of data breaches occur.

E-commerce security breaches are increasing in frequency at an alarming rate, but there is a way to prevent them: tokenization.

Tokenization is the one-way process of converting a credit card number into a unique value that by itself holds no value. Tokenization can be used to prevent actual credit card data from ever touching a retailer's server, where the majority of data breaches occur.

This can be achieved by having the customer's shopping cart submit card information to the merchant's processor along with a unique merchant identifier. The payment processor can then generate a token and send it back to the customer's cart. Once the shopping cart receives the tokenized payment information it can submit it along with other purchase information to the merchant who in turn passes the tokenized data back to the processor for payment authorization.

Many payment processors don't utilize tokenization for e-commerce, yet it's the most foolproof way for retailers to proactively protect themselves and their customers' card data with a high level of security. In addition, this form of tokenization can also assist merchants in reducing their Payment Card Industry (PCI) scope.

The e-commerce credit card transaction process incorporates many intricate steps. During a non-tokenized e-commerce transaction, the valuable card data essentially embarks on a journey, passing from the customer's browser to the e-commerce merchant's website, through the merchant's network to the processor, and then on to the card associations and the issuer. The most vulnerable stage of this process, and the place where card information has historically been most at risk, is the retailer's server. By utilizing the tokenization previously described, it's possible for the card data to bypass the merchant server completely.

Through tokenization, a payment processor transforms valuable credit card data into an irreversible, unique identifier that has no intrinsic value if intercepted and cannot be used for fraudulent purposes. For example, credit card 4444 3333 2222 1111 would be tokenized as A12BD33BDLB349BOeOIKL338. This means the tokenized data is useless to anyone outside of the processing company, which ensures the information is safe as it progresses through the various stages of the transaction.

Some processors tokenize data in the post-authorization stage only, allowing consumer credit information to sit on potentially unsafe retailer servers until the transaction has processed. Tokenization from the start of the transaction protects data earlier in the lifecycle of the transaction.
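The following is an added simulation of the pre-authorization flow described above (cart sends the card number and merchant identifier straight to the processor, the processor returns a random token, the cart passes only the token to the merchant, and the merchant forwards the token back to the processor for authorization). It is illustrative code written for this page, not SecureNet's or any processor's API; the class and function names, the "tok_" prefix, the merchant identifiers and the sample card number are all constructed for the demo. The closing scanner shows the check a merchant would actually want to run: proof that nothing Luhn-valid ever lands in the merchant's own order store.

```python
import re
import secrets

# Constructed sample card number for the demo (Luhn-valid test-style PAN, not a real account).
SAMPLE_PAN = "4444333322221111"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; used by the processor on input and by the scanner below."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentProcessor:
    """Hypothetical processor: the only party that ever holds the card number."""

    def __init__(self) -> None:
        # token -> (merchant_id, pan). The token is random, so nothing about the
        # PAN can be recovered from it without this processor-side vault.
        self._vault: dict[str, tuple[str, str]] = {}

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan)
        return token

    def authorize(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        entry = self._vault.get(token)
        # A token is bound to the merchant it was issued for.
        if entry is None or entry[0] != merchant_id:
            return {"approved": False, "reason": "unknown token for this merchant"}
        pan = entry[1]
        # The real issuer / card-association call would happen here; the demo approves.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


class MerchantServer:
    """Hypothetical merchant web server; its order store is what a breach would expose."""

    def __init__(self, merchant_id: str, processor: PaymentProcessor) -> None:
        self.merchant_id = merchant_id
        self.processor = processor
        self.orders: list[dict] = []

    def place_order(self, payload: dict) -> dict:
        self.orders.append(payload)   # persisted exactly as received from the cart
        return self.processor.authorize(
            self.merchant_id, payload["token"], payload["amount_cents"]
        )


def tokenized_checkout(processor: PaymentProcessor, merchant: MerchantServer,
                       pan: str, amount_cents: int) -> dict:
    """Cart -> processor (PAN + merchant id); token -> cart; cart -> merchant
    (token + order details); merchant -> processor (token) for authorization."""
    token = processor.tokenize(merchant.merchant_id, pan)
    payload = {"token": token, "amount_cents": amount_cents, "items": ["widget"]}
    return merchant.place_order(payload)


# --- Verification that the merchant side stays free of card numbers ---------------
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_pans(text: str) -> list[str]:
    """Scan merchant-side data for Luhn-valid runs of 13 to 19 digits."""
    return [m for m in _PAN_RE.findall(text) if luhn_valid(m)]


def merchant_store_is_clean(merchant: MerchantServer) -> bool:
    return not find_pans(repr(merchant.orders))


if __name__ == "__main__":
    proc = PaymentProcessor()
    shop = MerchantServer("merchant-001", proc)
    print(tokenized_checkout(proc, shop, SAMPLE_PAN, 1999))
    print("merchant store clean:", merchant_store_is_clean(shop))
```

Two design points matter for the PCI-scope argument: the token is generated from a CSPRNG rather than derived from the card number, so it is not reversible without the vault, and the vault binds each token to the merchant it was issued for, so a token lifted from one merchant's order store cannot be replayed through another merchant's account.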

Most well-known data breaches have occurred at the server level, so tokenizing card numbers before they reach that point mitigates security risks by a significant margin. The ITRC reports hacking as the number one cause for breaches. Thus, the ability to prevent card data from reaching the server is a particularly valuable benefit for e-commerce retailers, as it basically makes credit card information hacker-proof in their network.
