Tokenization: What It Is, What It Isn’t, and How It Protects Merchants

By J.D. Oder II, CTO and SVP of Research & Development, Shift4



In the years since Shift4 introduced tokenization to the payments industry in 2005, it has
become widely accepted, universally adopted, and is currently an industry standard for securing
post-authorization card data for the long term.

However, within the industry there is still no clear line that qualifies or disqualifies a
technology as tokenization. EMVCo (the body that determines and regulates the EMV
specifications) and PCI have both attempted to standardize tokenization over the past few years,
but neither has succeeded; the two organizations cannot even agree on what tokens should look
like or how they should function.


Defining Tokenization

The term “tokenization” is often used incorrectly to describe several different payment security
methods that perform various functions. For example, consumer-based tokenization solutions
may refer to technologies that secure mobile payments (à la Apple Pay) or to card-based token
services more along the lines of PayPal.

By EMVCo’s definition, both would be called tokenization, even though the underpinning
technologies are quite different. I even saw one article that extolled the virtues of point-to-point
encryption as a tokenization solution.

That one is unforgivable, given the fact that these technologies aren’t even in the same security
ballpark.

This fundamental misunderstanding puts merchants at risk of being led astray from the very
tokenization solutions they need in order to secure their business. Tokenization was specifically
designed not to be encrypted data, because by definition, encrypted data is decryptable.

So let’s be clear: tokenization and encryption are not interchangeable. A token is a random,
globally unique, alphanumeric value that replaces payment card data after bank authorization,
so the data stored in merchant systems has absolutely zero value outside of the merchant’s
environment.

It works differently from encryption because each individual token is created when a
transaction takes place, making it organically random, with no mathematical pattern to be
unlocked.
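The post-authorization token vault described above, as an added Python example (this is not Shift4’s code; the vault API, the alphanumeric alphabet, the 24-character token length and the sample card number are assumptions made for illustration):

```python
import secrets
import string
from typing import Optional

# Assumed token format: 24 characters drawn from a CSPRNG over [A-Za-z0-9].
ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 24


class TokenVault:
    """Holds the only mapping from token to card data.

    Because each token is drawn from a CSPRNG rather than computed from the
    card number, nothing about the PAN can be derived from the token itself;
    the sole way back is this lookup table, which never leaves the vault.
    """

    def __init__(self) -> None:
        self._store: dict = {}

    def tokenize(self, pan: str, auth_code: str) -> str:
        """Issue a fresh token for one bank-authorized transaction."""
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
            if token not in self._store:  # enforce global uniqueness
                break
        self._store[token] = {"pan": pan, "auth_code": auth_code}
        return token

    def detokenize(self, token: str) -> Optional[dict]:
        """Only the vault can resolve a token; anywhere else it is inert."""
        return self._store.get(token)


def token_is_inert(token: str, pan: str) -> bool:
    """Check the properties the text claims: well-formed, random-looking,
    and carrying no copy of the card number it stands in for."""
    well_formed = len(token) == TOKEN_LEN and all(c in ALPHABET for c in token)
    return well_formed and pan not in token


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111111111111111"  # constructed sample, not a real card
    first = vault.tokenize(sample_pan, "AUTH01")
    second = vault.tokenize(sample_pan, "AUTH02")  # same PAN, new token
    print(first, second, first != second, token_is_inert(first, sample_pan))
    print(TokenVault().detokenize(first))  # None: worthless outside the vault
```

Tokenizing the same card twice yields two unrelated tokens, and a second vault (another environment) resolves neither, which is the “zero value outside the environment” property in working form.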



11 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide