Data tokenization is a popular security measure that businesses use to keep sensitive financial information away from thieves and hackers.
As credit card fraud continues to skyrocket, organizations increasingly rely on tokenization to protect their customers and remain PCI compliant. Whereas EMV chip-enabled cards help with retail credit card fraud, tokenization offers greater security in instances where the chip isn’t physically present — namely during online transactions.
Although the basic concept behind tokenization is straightforward, its use varies from region to region. In the U.S., for example, merchants employ tokenization primarily for financial data. In the EU, merchants use it for a much broader range of consumer information.
How Does Tokenization Work?
With tokenization, a unique and randomly generated ID ("token") is assigned to a particular data point. When making card-based transactions, this data point is usually the customer's 16-digit personal account number (PAN). And the randomly created token uses any combination of alphanumeric characters and numbers.
This unique ID gets encrypted and transmitted from the credit card terminal to the payment processor. The token can then be stored in the merchant’s system instead of the PAN data. The merchant may continue using the token for tracking and reporting purposes as well as to process future transaction. But should any thief manage to get his hands on this token, he won't be able to see the credit card holder’s PAN.
At no point is financial data stored within the merchant's payment system.
How Does Tokenization Differ Outside of the United States?
Stateside merchants and credit card processors use tokenization almost exclusively for financial information (i.e. card-based account numbers). Most other types of customer information are freely shared (or sold) to advertisers and other stakeholders.
But in the EU, privacy laws mandate that merchants protect a much broader range of data. And thus retailers and processors use tokenization for any type of personally identifiable information that can be linked back to the customer. This is to prevent things like names and addresses from being shared with other parties.
In fact, the EU has even codified these privacy principles in its Data Protection Directive. This list includes requirements such as:
- Mandating that customers be notified if and when personal data is collected
- Organizations can only use collected data for clearly stated purposes
- Personal data may not be shared (with other parties) without the user's permission
- All collected data must be securely kept and protected from potential abuse
- When data is shared, merchants must disclose to customers who the recipients are
- Customers must be allowed to access and correct their personal information
Because of these additional restrictions, EU organizations often use tokenization to protect non-financial data, including customer accounts, human resource records and patient records.
The Future of Tokenization in the U.S.
In the wake of recent data breaches, many of the privacy requirements that currently exist in the EU may soon come to the United States. In fact, safe harbor frameworks already exist for American merchants who interact with EU organizations.
In the coming years, U.S. merchants may be required to tokenize more varieties of non-financial information as the frequency and severity of data breaches increase.
To learn more about secure tokenization at BluePay, click here.