Tokenization, a security technique that eliminates card data from merchant systems, provides a clear benefit to merchants but can be difficult to manage without the support of a processor.
The process of tokenizing card data replaces sensitive account information with a "token" value that is worthless to fraudsters if it is stolen. Protegrity USA Inc. said May 23 that it will provide a "vaultless tokenization" service to processors after three years of selling tokenization software directly to merchants.
Vaultless tokenization eliminates the need to store tokens in databases. The service helps processors and gateways lower costs while providing the fraud-prevention service across their entire client base.
"Processors were looking for one place to establish an entire 'token-server farm' for data from thousands of merchants," Raul Ortega, vice president of business relations for Protegrity, tells PaymentsSource. "With vaultless tokenization, much less space is required to keep records."
Essentially, a processor needs only one dedicated computer running the vaultless tokenization software and one or two employees to monitor the tokenization process, Ortega says. This eliminates the costs involved in operating several servers.
Protegrity's announcement comes about a month after company executives spoke in favor of a fraud risk shift from merchants to processors in light of the Global Payments Inc. data breach (see story).
Tokenization has traditionally required storing data in a "token vault" on a computer server, Ortega says.
Protegrity developed vaultless tokenization software that creates "look-up tables" for tokenization and detokenization, eliminating the past practice of vault-based services in which large databases were used for cross-referencing tokens with card data, Ortega says.
Protegrity plans to announce in June a major processor that has signed an agreement for the vaultless tokenization software, Ortega says.
Protegrity's "timing is great" in offering the tokenization service to processors right on the heels of the Global Payments breach, Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells PaymentsSource.
"This really allows all processors to take a fresh look at what they are doing and, in the long run, could help them avoid fines and other problems stemming from breaches," McNelley contends.
Processors can offer vaultless tokenization to merchants as part of the U.S. effort to migrate to the secure EMV chip-card standard, McNelley says.
"Processors will be talking to merchants about upgrades to the payments infrastructure anyway, and they will be able to introduce or up-sell on the fact they can provide tokenization," McNelley says.
Because the tokenization process removes primary account number data from the payment environment, processors can tell merchants that Protegrity's service can reduce the scope and costs of complying with the Payment Card Industry data security standard, she adds.