Tokenization technology has been available to keep payment card and personal data safer for several years, but it’s never had the attention it’s getting now in the wake of high-profile breaches.

Still, merchants—especially smaller ones—haven’t necessarily caught on to the hacking threat or how tools such as tokenization limit exposure.

That gap in understanding places ISOs and agents in an important place in the security mix—it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is, experts said.

“The biggest challenge that ISOs will see, and are seeing, is this lack of awareness of these threats that are impacting that business sector,” says Paul Kleinschnitz, general manager and senior vice president of cyber security solutions at First Data Corp. “Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next.”

Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets.

But it’s complex and not enough ISOs understand it, even though it represents a potential revenue-producer.

And the industry as a whole is confused over tokenization standards and how to deploy and govern them.

But for the past year, First Data has focused on teaching ISOs and merchants about security threats and options to combat it, Kleinschnitz said.

“We are bringing solutions to the market that have encryption, tokenization, EMV and PCI compliance, breach protection and other data security products in a single solution,” he said. “Our ISOs are going to be able to sell that to their merchants.”

ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council otfen say about the technology—it’s a needed layer of security to complement EMV cards.

EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database.

The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.

A database full of tokens has no value to criminals on the black market, which reduces risk for merchants, Kleinschnitz said.

“Unfortunately, the small merchants have not accepted the idea, or the reality and fact, that there is malware attacking their point of sale and they are being exposed,” he maintained.

That’s why ISOs should determine the level of need for tokenization in their markets, says payments industry analyst Todd Ablowitz, president of Centennial, Colo.-based Double Diamond Group, LLC.

“It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in,” Ablowitz told ISO&Agent Weekly. “If you are selling to dry cleaners, you probably don’t need to know much about tokenization. But if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.”

Tokenization is critical for some applications in payments, Ablowitz noted. “Any sort of recurring billing that stores card information should be leveraging some form of tokenization,” he said.

Whether the revenue stream comes directly from tokenization services or it is bundled into the overall payment acceptance product is not the most important factor, he maintained.

“The point is that it’s an important value to the merchant to be able to tokenize the card number in recurring billing.”

But ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization.

EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with the Clearing House, which establishes payment systems for financial institutions.

Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to determine similarities and determine whether one standard could cover the needs of banks and merchants.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry