What Is Tokenization And How Does It Influence PCI DSS Compliance?
The History of Tokenization
Benefits of Tokenization
Tokenization vs. Encryption
Using Tokenization to Keep Cardholder Data Safe
Payment Card Industry Data Security Standard (PCI DSS) & Tokenization
Protecting Sensitive Data with VGS Token
The hard-to-face reality is that billions of personal records are exposed each year.
Massive data leaks, at this point, are becoming a frequent occurrence – with headlines regularly popping up highlighting cybersecurity disasters that have impacted millions of consumers.
It only seems like a matter of time until the next multi-million-dollar data breach settlement will be announced, and another consumer data-handling organization will have their feet publicly held to the fire.
It’s clear that payment processing and storing of consumer data is far from secure. From the improper configuration of web applications to the massive security risk involved in cloud storage generally, companies have wisely been seeking alternatives to storing their own user data and opening themselves up to data breach risk.
For many businesses looking to secure their sensitive data and payment process, one method is tokenization.
But even though its usage is growing, many business owners haven’t implemented a tokenization solution yet because they don’t know what it is or how it works - so they end up missing out on a powerful tool that aids in keeping their data environments more secure.
That’s why we’ve put together this guide on tokenized data. We will outline what this technology does, how organizations can leverage tokenization services to beef up their own data security efforts, and how to ensure you are making the best decision for your needs.
Tokenization is the process of replacing sensitive information with non-sensitive placeholders called tokens, which are randomly generated into data of the same format and have no intrinsic value.
The token has no exploitable meaning and can only be “detokenized” with the original tokenization platform. If a cybercriminal, for example, is able to gain unauthorized access to a database containing tokenized data, it would be a fruitless effort as a token useless to the attacker.
Unlike other security measures like encryption, where a mathematical equation can “solve” the data replacement and reveal the original documentation, tokenization is not reversible. With no mathematical relationship to the original data point, tokenization is widely considered to be a safe way of transmitting and storing critical information.
By swapping out sensitive material with a token that would be totally useless if intercepted or leaked, tokenization provides a secure way of storing important data – like a Primary Account Number (PAN) – without the true cardholder information being exposed. While the data is secure at rest, tokenization does not secure sensitive data in transit – like when it’s being collected and exchanged.
To provide end-to-end security for data both at rest and in transit, you must look for a solution like the VGS Platform using aliases and proxies.
The idea of tokenizing high-value data or financial instruments is far from a new concept, though the modern form of data tokenization didn’t take hold until recently.
Ancient currency systems used to replace valuable assets with coin tokens, and – more recently – systems like subway tokens and poker chips have used placeholder techniques to lower risk and increase efficiency.
Beginning in 1976, surrogate key values were used in data processing to isolate data linked to internal mechanisms of databases and their counterparts on the outside. These same isolation techniques have been extended since then, with the modern form of tokenization being the result.
Tokenization as it’s known today was first created in 2001 by an organization called TrustCommerce, who developed their own tokenization system to help a client business – Classmates.com – with a new type of secure billing system.
Maintaining cardholder data in their systems was deemed as too risky by Classmates.com, so TrustCommerce developed a system where customers could use a token instead of their actual credit card information to make a purchase. TrustCommerce would then take care of the actual payment processing on the merchant’s behalf.
Since then, tokenization has been refined and mainstreamed – making it one of the most powerful security tools available.
When a business implements tokenization as part of its data security program, they enjoy a number of benefits:
Minimizing Contact: Tokenization makes it so that the original data stays safely vaulted in your own data environment, with other parties only receiving the tokens. The real sensitive data remains in a secure cloud vault.
Reduced Data Breach Risk: While tokenization systems don’t 100% guarantee the prevention of data breaches, they minimize breach risk by desensitizing the data with a token while it’s at rest – making it so that there’s nothing of actual value that can be stolen when a security breach happens.
Irreversibility: Unlike encryption technology, in which encrypted data can be “solved” with a powerful enough computer or a stolen decryption key, tokenized material can only be revealed by end-users that are part of the original tokenization platform – such as the payment processor.
Flexibility:Tokenization systems can generate both single-use tokens, like for one-off purchases using a payment card, or multi-use tokens, like when customer credit card numbers are stored to enable faster e-commerce checkout experiences for future purchases.
Easier Compliance: Because tokenization reduces how much of your company’s data environment contains material relevant to privacy regulations, achieving compliance certifications (such as PCI DSS, CCPA, SOC2, GDPR, etc.) is easier, however, there still substantial responsibility and liability that you must shoulder. Other alternatives, such as the VGS Platform, descope your business from PCI, shifting the liability to VGS while you retain the usability.
Not too long ago, much of the world made the transition from swiping payment cards to inserting them into a chip reader to prevent bad actors from duplicating payment card documentation onto a new card. Similarly, tokenization is aiming to stop the same type of fraud, but specifically to battle the threat of online or digital breaches.
Especially when compared to similar security techniques, like encryption, tokenization has emerged as a safe and cost-effective way to protect all sorts of digital assets, from bank account numbers to Social Security Numbers (SSNs) and other types of Personally Identifiable Information (PII).
To understand the advantages of using tokenization, it’s helpful to compare the technique with one of its primary competitors – encryption.
Before tokenization started to gain momentum in the tech or payments processing worlds, encryption had historically been a preferred technique for safeguarding sensitive material.
Encryption is the process of transforming sensitive material into a complex, unreadable format that can only be deciphered with a secret key. Decryption is the reverse process and only users who possess the decryption key are able to “crack” the complicated equation, which still contains the sensitive documentation encoded within.
The biggest, most important difference between tokenization and encryption is that only encryption is reversible, because an algorithm is used to secure the data – which can be decoded if the key isn’t strong enough or a malicious actor’s computer is sufficiently powerful to solve the algorithm.
Moreover, encrypted sensitive data leaves the organization, while tokenized material stays put in its secure vault and only the non-sensitive placeholder tokens are transferred elsewhere.
Another important distinction between a token and encrypted data is that tokenized data is not actually “real” data - it’s simply a reference to the real data.
Because of this distinction, tokens for cardholder data are not considered cardholder data under the definitions outlined in PCI DSS, whereas encrypted cardholder data is still cardholder data. A database containing tokens does not have to meet the same PCI requirement around the storage of the data that an encrypted cardholder database must meet.
Because of its irreversibility and high level of security, tokenization solutions have become popular for the protection of payment data, like debit and credit card numbers. Tokenization solutions have made payment processing safer and easier for banks, retailers, and service providers worldwide, as credit card data can be stored and referenced for future transactions without being revealed in the process.
What tokenization achieves for businesses is incredibly valuable. Besides secure payment processing, it provides an easier path to obtaining compliance certifications for things like PCI DSS, SOC2, and a number of other compliance regimes.
However, tokenizing sensitive data does not eliminate the need to achieve and certify PCI DSS compliance – although it can reduce the number of system components to which PCI DSS compliance would apply.
With tokenization, sensitive data is mostly hidden. But, there are two points where tokenized data still remain within the scope of PCI DSS compliance: the data vault and the original point of capture.
But what if businesses could offload this data risk fully, and enjoy the benefits of tokenization while keeping all the original data completely off their own systems?
Payment Card Industry Data Security Standard (PCI DSS) & Tokenization
Fortunately, tokenization is a PCI-approved method of protecting payment card industry data and is authorized by the PCI Security Standards Council (SSC) to use in pursuit of PCI Compliance.
The PCI SSC makes all these requirements clear in their guidelines for tokenization.
Tokenization, however, does not mean that your business has instant compliance – it is simply one ingredient of a complete data security program that could qualify you for a PCI DSS Compliance certification.
If you are looking for an end-to-end solution that shifts the risk from your business, then a solution like the VGS platform is what you need.
While tokenizing sensitive data alone does not eliminate the need to achieve and certify PCI DSS compliance, it is possible completely descope from PCI, a business can partner with a data custodian (VGS) that handles 100% of data capture and vaulting – removing any compliance risk and completely avoiding data leaks.
VGS Token is a PCI-certified tokenization solution offered by Very Good Security – a VISA-backed software solutions provider. Our end-to-end platform uses aliases (a type of token) and proxies to ensure that sensitive data from payment processing doesn’t touch your own systems, while still empowering your business to collect, transfer, and store any type of documentation just like you would normally.
Not only can you go contact-free with VGS aliasing technology, your compliance obligations and liabilities will be shifted from your business to VGS, making compliance significantly easier and faster to achieve. We are talking days compared to months.
When businesses implement VGS solutions to handle their sensitive data, they instantly inherit VGS’s best-in-class security posture, which enables them to fast-track their certifications like PCI, SOC2 and others.
If you are really only looking for a pure tokenization solution, then we are offering free tokenization storage through the end of 2020. Right now, business is tough and many are facing significant headwinds, so we are making things easier as the world works to restart by providing powerful, unlimited tokenization at no cost until January 1st, 2021.
For a free demo of the VGS Dashboard, and to get started with your free unlimited volume of tokenized records, just reach out to us.
unlimited volume of tokenized records, just reach out to us.