PCI and Tokenization: Are Either the Answer for E-Commerce Merchants?

By CardNotPresent.com Staff

E-commerce merchants spend an ever-increasing amount of time and resources trying to protect the payment card data of their customers. Compliance with the Payment Card Industry Data Security Standards (PCI-DSS) and tokenization are two arrows in the quiver of just about every merchant when it comes to ensuring their customers can pay for goods or services without fear of having their personal information stolen. According to one consultant’s estimate, nearly a third of consumers affected by the breach of a merchant’s systems will terminate their relationship with that merchant.

So are PCI compliance and tokenization serving the purpose for which they are designed? Are they worth the resources being expended on them? Increasingly, in the case of PCI compliance, the answer seems to be no. For tokenization, the benefits are clearer, but the process comes with its own set of challenges. Regardless of the strategies they choose to employ to secure data, merchants must remember why it’s vital in the first place: to preserve their brand.

The Myth of PCI

It is becoming increasingly apparent to payment security professionals that compliance with the PCI standards is not sufficient to adequately protect customer payment card data, and that many of the companies engaged in compliance efforts are not keeping their eye on what’s truly important. PCI is a minimum standard, not the end goal. Companies that treat it as the goal often succumb to a false sense of security.

The bare facts suggest that PCI compliance alone does not equal protection for a merchant’s customers. If the merchant is going through the motions of compliance simply to avoid the fines associated with ignoring PCI (which a Ponemon Institute study released a little over a year ago suggests), then it is endangering its brand by leaving itself open to breach. Experts continue to preach that the framework provided by PCI-DSS is valuable, but many e-commerce businesses look at it as a test to be passed. Once the hurdle is vaulted, many companies don’t keep up with the lessons they learned in their efforts to achieve compliance.

Often, companies go through the PCI audit and make necessary changes, but forget about compliance until it’s time for the next annual assessment. Business dynamics and the state of security can change any time between audits. And, as various experts have pointed out, many of the highest-profile breaches have occurred at companies that were PCI compliant.

Seeking Standards for Tokenization

Tokenization, which removes a customer’s private financial information from a merchant’s payment systems, is an added layer of security to prevent a breach and preserve a merchant’s trusted brand. But tokenization comes with its own set of problems. As a fairly new technology seeking adoption in the market, tokenization suffers from the same malady that has affected other emerging technologies: lack of a clear technological standard.

Some experts have called for the establishment of a governing body similar to the PCI Security Standards Council that could lead the effort to standardize the technology employed by a growing number of payment service providers. But, while the card networks put their might behind the PCI-DSS, there has not yet been a movement by industry leaders sufficient to produce similar critical mass in regard to establishing standards for tokenization. Until then, what can merchants do if they wish to employ the technology as part of a data security regime?

Protect the Brand

Unfortunately, there is no easy way out for merchants serious about preserving their brand. They must work hard to protect their customers, but there are advanced solutions from major payment service providers that enable merchants to completely outsource the removal of customer data from their system. Implementing such a system would require choosing a vendor that brings all layers of security to bear.

While PCI compliance isn’t absolute, it’s a baseline requirement for any security vendor that a merchant would hire. If nothing else, experts say, PCI certification illustrates a vendor’s diligence. If the merchant chooses a tokenization approach to remove data from its business environment, despite the lack of clear standards in the industry, there are a few things to consider when choosing a service provider. It’s vital that a vendor be stable, be able to convert legacy data that already exists into tokens, and provide true random-number tokenization.
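The three vendor properties above, as an added illustration that is not code from the article or from any provider it mentions: a toy vault that draws every token from a CSPRNG (so nothing is computed from the card number), keeps only the last four digits so receipts still work, converts an existing store of card numbers (the legacy-data case), and shows what the merchant is left holding. The TokenVault class, the merchant_record helper and the card numbers are constructed for the example; a real provider keeps the vault encrypted and outside the merchant’s systems.

```python
import secrets
import string


class TokenVault:
    """Toy tokenization vault: every token is random, never derived from the PAN."""

    def __init__(self):
        self._token_to_pan = {}  # held only by the service provider, never the merchant
        self._pan_to_token = {}  # lets a returning customer's card map to one token

    def tokenize(self, pan: str) -> str:
        """Return a token that keeps only the last four digits of the PAN."""
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12-19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # CSPRNG digits for every position but the last four, so receipts can
            # still show "card ending in 1111"; nothing is computed from the PAN.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; a merchant never needs this call."""
        return self._token_to_pan[token]

    def migrate_legacy(self, pans) -> dict:
        """Convert an existing store of card numbers (the legacy-data case) to tokens."""
        return {pan.replace(" ", ""): self.tokenize(pan) for pan in pans}


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps after tokenization: the token and last four, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:]}


if __name__ == "__main__":
    # Constructed test card numbers, not real accounts.
    vault = TokenVault()
    rec = merchant_record(vault, "4111 1111 1111 1111")
    print(rec, vault.detokenize(rec["token"]))
```

Because the token body is random rather than a function of the PAN, an attacker who copies the merchant’s token store gets nothing usable without the provider’s vault, which is the point of the "true random number" requirement.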

Any number of vendors are equipped to provide a service that can completely remove payment card data from a merchant’s system, and those that do so are protecting their customers, and consequently themselves, from cyber attack. E-commerce merchants that align themselves with any of the larger companies will find they have the flexibility and ability to insulate themselves from the worst effects of a data breach.


Comments on this article…

Greg McGraw

There were three keywords that stood out to me in your article: compliance, security and brand. I think we can all admit that spending resources is a precious thing for online merchants. I have found in our payment security business that PCI compliance is the catalyst and not the end game for merchants. Our merchants are looking for ways to secure their data and reduce the risk of breach, but the real concern is minimizing the damage to their brand in the event of a breach. The cost of breach fines and remediation pales in comparison to the opportunity cost of a breach to their brand. Consequently, larger CNP merchants are looking for any way to secure (i.e., tokenization) the data but wrestle with the challenge of securing the initial acceptance of cardholder data the first time to even get it tokenized. Your last paragraph is the most important point. Don’t secure the data, remove it, and remove the risk of breach through prevention as opposed to detection and remediation. Hosted payment pages and outsourced payment acceptance are back in the mainstream, according to analysts and major payment processors, as long as they are compliant, secure AND preserve the brand.

Dana Barciz

Great question. I’m on the fence about it, as I tend to see the issue from the perspective of all the stakeholders. I think online merchants just want to run their business, and they don’t want to keep up with PCI requirements that are always changing, and some fear they are not able to keep up with the changing technology and the ever-evolving fraud tactics. I wonder if we will see a combination of tokenization and some sort of automated PCI tools, and then breach or fraud insurance.

     
Howard Falcon

Tokenization will not affect fraud as much as most think it will, and PCI is OK as long as you are compliant; if you get breached, you are not compliant by default, regardless of whether you followed all the requirements.

A cardholder swipes a card for a transaction. The card number is presented and a token is passed back instead of the auth code. If you are doing recurring charges, then a token is used for the charges instead of the card number. Returns/credits use the token as well, but if it is not available, then the card number can be used. The initial process requires the card number.

E-commerce merchants must follow PCI, and tokenization is something they need to use for the after-sale transactions. Perhaps I don’t totally understand tokenization and I am willing to hear more, but I do believe this is how it basically works: somewhere the initial card entry is just that, the initial card entry.

I believe the answer to the question is no, PCI and tokenization are not the total answer. CVV + AVS + other searches such as use of shipping address verification, email, and extended cardholder verification outside the Visa and MasterCard realm, because who can remember yet another password.

Breach insurance is available, and if you can’t get it through your MSP, then find one that can provide it. PCI isn’t in the business of tools and doesn’t care what you implement as long as you follow the requirements; they are concerned only about the flow of data, not the cardholder or their information.

Don’t think that PCI isn’t important; it is very important, and tokenization is just another step to secure the use of a card number at various steps within the transaction process.

   
Ben Ben Aderet  

Interesting article. I agree with your comment about the lack of standardization in regard to tokenization solutions. I believe the council will eventually apply the HSM security requirements as the baseline for the regeneration engine that is the base of every tokenization solution. They will probably have to boost it up and give more emphasis to the surrounding layers, since the HSM security requirements only deal with the core requirements and lack all reference to the tokenization server interfaces.

By the way, I also agree with the fact that PCI is a minimum standard and not an end goal, but, unfortunately, I see many companies implement a tokenization solution as a bypass for real, hard-core security requirements that actually help you protect your organization.

Stephane Czarnocki

Tokenization presents an apparent simplicity that seems appealing at first glance, but the real cardholder data must still be protected somewhere. The (long-term) solution is a global roll-out of chip technology. In that case the fraudster cannot re-use compromised cardholder data without the card’s chip.

Ray Moyer

A proper token solution is hard-core security. I would argue that a merchant who employs outsourced tokens and therefore has no payment data within their environment is safer than a merchant who does (whether encrypted or not). The hacker who gains access to a merchant using tokens cracks the safe only to find it’s empty. Furthermore, employees actually present a higher threat for data theft liability, especially employees who may have the proper credentials to obtain useful data. Effective tokens must not have any formulation related to the original payment data, and tokens must provide the merchant no loss of functionality. Remember, PCI and its requirements are burdens placed on the merchant, who has historically already been paying too much for payment acceptance. The payment industry needs to start delivering the security solutions without additional cost as part of their offering to the merchant community.

Ben Ben Aderet

A proper token solution may very well be hard-core security, for credit card information alone. In most instances it will do no good for your overall information security level. You basically outsource your credit cards to an external trusted party, but you don’t address your other risks. Speaking from a risk management standpoint, you only take care of one or two risks: credit card leakage and non-compliance. Granted, with a proper tokenization solution you have dismissed yourself from, or rather mitigated, those two risks (usually), but what about your other risks such as website defacement, DDoS attacks, data leakage of other sensitive information (surprisingly, some organizations consider their financial data and customer data even more sensitive than credit card numbers 🙂) and more?

As a PCI QSA I would argue in favor of tokenization because it is aligned with PCI and gives a satisfying solution to the merchant/service provider at an affordable price. As a security guy I would say that the story doesn’t end with tokenization.

Ray Moyer

I agree with your security view. However, anyone can expand the discussion to a wide variety of security and risk issues, including hard theft of merchandise by employees out the back door of the warehouse. The context of this token solution discussion is limited and not meant to address every security or risk management issue.

   
Roland Katona  

I believe 3D Secure solves the problem a better way. Risk, if any, is on the side of vendors, service providers and banks (each of those certified with the associations), not the merchants. Using that, there should be no need to care about card data on the merchant side, because there wouldn’t be any. Customers and transactions are identified by other IDs such as a customer ID, transaction ID or basket ID. The merchant shouldn’t care about the card number and such at all. The merchant only needs to be able to keep track of the customer’s spending in order to apply loyalty schemes and the like to attract him even more. Allowing merchants to store the card data in the past (some non-3D Secure solutions) just created the need for PCI, because it went too far (big hacks and such things). It’s time to make the customer and merchant not care about the card number, and not let them store it, when we talk about e-commerce.

Craig Thomson

Employing tokenization addresses part of the PCI requirements and generally reduces the cost of compliance by reducing the scope of an audit. Tokenization is only as effective as the policies and practices of the organization that is storing the data, of course, and the merchant in most cases still needs to collect the initial card data (if only one card at a time) in order to create the token.

Ray Moyer

Craig, you are correct that the policies and practices of the entity providing the token need to be strong, and merchants need to fully understand the underlying structure of those outsourced solutions. However, there are a number of functional tools that can be provided by a payment processor or VAR that can alleviate even the merchant’s requirement to collect payment data. We have clients who never have the payment data enter or touch their systems.

Craig Thomson

Ray – You touch on an important aspect of PCI in that individual QSAs interpret the standards differently.

I have had more than a few merchants who use a tokenization solution and who have been told by their QSA that their systems still must undergo audit because the browser session on the PC/server forwarding the initial token request could be compromised with a trojan or sniffer.

Now, you could solve the problem by having all of the websites and services hosted by the gateway/processor, but then you probably don’t need a tokenization solution in that case.

Roland Katona

I have one commercial aspect speaking for 3D Secure. In our market, Slovakia, there are approximately 35% Maestro cards, 50-55% Visa Electron cards and the remaining 10-15% embossed cards. We know that a Maestro card can be used for e-commerce only with 3D Secure technology. This means 35% of our market would be dead for e-commerce usage without 3D Secure.

   