With all the self-help risk management advice and security experts out there, you would think we would know better. But for many retailers, maintaining a secure posture continues to be a challenge.  It isn’t hard to see why when they’re mostly focused on selling things and not managing risks while for hackers, their main focus is on risk – exploiting vulnerabilities.

One straightforward way to mitigate a compromise is to lessen the amount of value stored in your premise. In the case of payment transactions, merchants should not keep credit cardholder data at the point of sale. This way, should a network breach occur, it won’t hurt as much.

Replacing Data with Tokens:

Money aside, data is the most important thing to a hacker. By moving it, or never having it in your systems – like depositing money in a bank instead of leaving it under your mattress, they can’t get to it. This is what tokens do. They act as a transaction placeholder without value but is recognized by the system for validation. In the event of a compromise, hackers will only find tokens and not the valuable data transmitted.tokenization

Because tokenization eliminates the need for stored customer data, the impact on PCI compliance is a positive one – saves both time and money. Many payment processors and software vendors offer some form of token technology however, using a payment processor’s specific token could lock you in, so buyer beware. Better to find a company that supports multiple payment processors, or is processor agnostic.

Not a Magic Bullet:

While tokenization is in many ways the pinnacle of data protection technologies: the physical and logical separation of payment and privacy information, it is not a magic bullet. For example, things like end-to-end encryption during the acceptance and authorization process or, enhanced card and cardholder authentication coupled with tokenization, also play important roles in card data protection.

What does this mean to you? While global standards are being sorted out, organizations should consider implementing a solution after they’ve properly assessed the risks and benefits involved.

If you need help with the analysis, please feel free to message me.