Time For Tokens?
By putting credit card details into vendors’ hands, retailers can shield themselves from security risks.
If a hacker can breach the data security protocols at the Federal Reserve Bank, as one did last year, just how secure is an e-retailer’s stored payment card data? It’s a question that e-retail executives say they lose sleep over.
Tokenization may help them get some rest. With tokenization, customer payment card data are replaced with a token that acts as a proxy during most of the payment process. This means retailers can store and use tokens within their systems without security fears because the tokens themselves are valueless.
That provides more than peace of mind. It means a retailer’s computer networks, customer databases, call centers and other locations that might otherwise store credit and debit card numbers no longer fall under the scope of the Payment Card Industry Data Security Standard created by card networks like Visa, MasterCard and American Express. Any part of a retailer’s network that stores actual card data must comply with the increasingly rigorous PCI standard; no card data means the network is out of scope, that is, it doesn’t have to comply with PCI rules.
The promise of reduced PCI compliance work helped convince Sage Software Inc., which develops and sells business software, to replace card data with tokens in its online stores and phone center in October. “Our scope will be much smaller now,” says Harshal Patil, senior systems analyst. “If we had not gone for this implementation, all our servers and systems would be within the scope of PCI and the costs associated with those were really high.” While Patil did not detail Sage’s PCI expenses, experts say a retailer already PCI-compliant can spend $10,000-$30,000 annually on security audits, and retailers becoming certified for the first time can expect to spend more.
Thanks to the tokens, Patil expects Sage will be able to meet its PCI obligation by filling out a 13-question yearly self-assessment form, rather than having security assessors visit and evaluate the company’s facilities as was required when Sage held payment card data in-house.
Examples like this show the value of tokenization. But retailers have concerns that are limiting adoption, experts say. Many vendors offer tokenization, but their track records with tokens are short. The PCI Council, which oversees the security standard, hasn’t issued tokenization rules, and when it does early adopters may have to revise their systems.
E-retailers who use tokenization say they realize they are on the leading edge, but say the benefits they expect are worth it. And some analysts agree.
“The potential is unlimited,” says John Kindervag, a Forrester Research senior analyst. “I suspect that within two to five years almost all transactional traffic will be tokenized. There’s no reason for it not to.”
The promise of reducing PCI burden is attractive, agrees Avivah Litan, research director at Gartner Inc. “No one wants liability for securing card data and everybody wants a reduced audit scope,” she says.
An armful of payment industry vendors offer tokenization—at least half a dozen vendors added such services in 2010 alone. Today’s offerings come from three types of vendors: payment processors, payment security software firms and payment gateways. Of the three, Kindervag says he expects payment processors will be most attractive to e-retailers. “In five years, we’re not going to be talking about which is best from which vendor. It’s going to be about which processor I want to use,” he says.
One concern is that since tokenization technology varies from one provider to another, a merchant switching providers might have trouble reclaiming data. Recognizing that worry, payment processor Litle & Co. guarantees it will facilitate such a switch, says Osman Perksoy, Litle’s tokenization product manager. “Most merchants don’t want to be locked in with a solution,” he says.
Processors’ pricing varies. Some charge per transaction, with rates that depend on volume. Others fold the fee into their standard transaction costs. Litle & Co. charges based on volume plus a fee for each token created.
No vendor has emerged as a clear market leader, and that’s also contributing to tokenization’s slow adoption. “They are all talking about tokenization but most haven’t gotten customer references,” Litan says.
The PCI Council says tokenization guidelines are in development and that the council is optimistic about tokenization’s potential to bolster security. But vendors and their clients will have to modify their systems once standards emerge, notes Jeremy King, European director of the council.
Online furniture retailer CSN Stores turned to Litle, already its payment processor, and implemented tokenization in June 2009. When a consumer enters her payment card information at CSN Stores’ checkout page, she is actually entering the information on a page provided by Litle. A 16-character token is created as she types. Litle stores on its network the real payment card data, the token and the encryption keys that match the card number and token. It sends the token to CSN Stores and processes the payment.
“With everything that has happened with companies losing credit card data, there’s a big risk. Using tokenization makes me feel better and it makes our team feel better that we have it,” says Nicholas Malone, chief financial officer at CSN Stores. While he would not provide details, he says the cost of adding tokenization to Litle’s processing services “is not material at all.”
Patil says Sage Software considered two other tokenization vendors but decided to go with Paymetric Inc. because it was satisfied with other Paymetric services it used. Paymetric intercepts the card number and turns it into a 25-character token, preserving the last four digits of the card number so that Sage can distinguish among multiple cards maintained on an account. Paymetric sends the token to Sage and acts as the intermediary between Sage and its payment processor.
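The two deployments described above share one architecture: the provider runs a vault that holds the real card numbers, and the merchant keeps only an opaque token (16 characters at CSN Stores, 25 characters with the last four digits preserved at Sage). The following is an added illustration of that pattern, not code from Litle, Paymetric or either retailer; the token alphabet, the vault's internal structure and the `contains_pan` scope check are assumptions made for the example.

```python
import re
import secrets
import string
from dataclasses import dataclass, field

# Token alphabet is a hypothetical choice; the vendors in the article do not
# publish their token formats.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by the card networks; here only an input sanity check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """The provider's side: the only system that holds real card numbers,
    and therefore the only one that stays in PCI scope (constructed model)."""
    token_length: int = 25
    keep_last_four: bool = True
    _pan_by_token: dict = field(default_factory=dict, init=False, repr=False)
    _token_by_pan: dict = field(default_factory=dict, init=False, repr=False)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        # A card presented again maps to the same token, so the merchant can
        # recognise a returning card without ever holding the number itself.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        suffix = pan[-4:] if self.keep_last_four else ""
        random_len = self.token_length - len(suffix)
        while True:
            # The token body is random, so it carries no information about the
            # card number: nothing stored at the merchant can be reversed.
            body = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(random_len))
            token = body + suffix
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the card number; only the vault, when the processor submits
        the charge, ever performs this step."""
        return self._pan_by_token[token]


def merchant_record(token: str) -> dict:
    """What the retailer stores: the token and a display suffix, nothing more.
    The suffix is only meaningful when the vault preserves the last four digits."""
    return {"token": token, "display": "**** " + token[-4:]}


# Constructed approximation of the check an assessor would run before agreeing
# that a data store holds no card data: Luhn-valid runs of 13 to 19 digits.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def contains_pan(text: str) -> bool:
    return any(luhn_valid(m.group()) for m in PAN_RE.finditer(text))


if __name__ == "__main__":
    vault = TokenVault()                       # Sage-style: 25 chars, last four kept
    token = vault.tokenize("4111 1111 1111 1111")   # standard test card number
    print(merchant_record(token))
    print("merchant copy holds a PAN:", contains_pan(str(merchant_record(token))))
    print("vault recovers:", vault.detokenize(token))
```

The `contains_pan` scan is the practical test behind the scope argument in the article: if nothing in the retailer's databases, logs or call-center notes matches a real card number, those systems can be argued out of PCI scope; if a raw number is found anywhere, tokenization has not actually removed the data.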