Tokenization technology has been available to keep payment card and personal data safer for several years, but it's never had the attention it's getting now in the wake of high-profile breaches.
Still, merchants, especially smaller ones, haven't necessarily caught on to the hacking threat or how tools such as tokenization limit exposure.
That gap in understanding places ISOs and agents in an important place in the security mix: it's their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is, experts said.
"The biggest challenge that ISOs will see, and are seeing, is this lack of awareness of these threats that are impacting that business sector," says Paul Kleinschnitz, general manager and senior vice president of cyber security solutions at First Data Corp. Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next.
Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets.
But it's complex and not enough ISOs understand it, even though it represents a potential revenue-producer.
And the industry as a whole is confused over tokenization standards and how to deploy and govern them.
But for the past year, First Data has focused on teaching ISOs and merchants about security threats and options to combat them, Kleinschnitz said.
"We are bringing solutions to the market that have encryption, tokenization, EMV and PCI compliance, breach protection and other data security products in a single solution," he said. "Our ISOs are going to be able to sell that to their merchants."
ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology: it's a needed layer of security to complement EMV cards.
EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database.
The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target's card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn't have stopped malware access to the database, but it would have been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.
A database full of tokens has no value to criminals on the black market, which reduces risk for merchants, Kleinschnitz said.
"Unfortunately, the small merchants have not accepted the idea, or the reality and fact, that there is malware attacking their point of sale and they are being exposed," he maintained.
That's why ISOs should determine the level of need for tokenization in their markets, says payments industry analyst Todd Ablowitz, president of Centennial, Colo.-based Double Diamond Group, LLC.
"It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in," Ablowitz told ISO&Agent Weekly. "If you are selling to dry cleaners, you probably don't need to know much about tokenization. But if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it."
Tokenization is critical for some applications in payments, Ablowitz noted. Any sort of recurring billing that stores card information should be leveraging some form of tokenization, he said.
Whether the revenue stream comes directly from tokenization services or it is bundled into the overall payment acceptance product is not the most important factor, he maintained.
The point is that it's an important value to the merchant to be able to tokenize the card number in recurring billing.
But ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization.
EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It's working on standards for payment tokenization with The Clearing House, which establishes payment systems for financial institutions.
Both entities were working on separate standards until The Clearing House joined EMVCo's tokenization working group to identify similarities and determine whether one standard could cover the needs of banks and merchants.