Tokenizing Credit Card Data to Secure It Against Theft

To remove sensitive data from the reach of a breach (so to speak), credit card numbers can be replaced with a randomly generated alphanumeric string of characters, which in effect becomes the card number for that particular system. This process is known as tokenization. In essence, the actual credit card number is stored in a remote data vault and replaced with a string of characters that’s useless outside of the system within which it was generated.

How Tokenization Works

As a parallel, think of tokenization as the coins you get at a game arcade. You put cash in a machine, which then issues a number of tokens whose value is commensurate to the dollar amount you fed into the machine. The tokens can then be used for game play—but only at that arcade. They are valueless everywhere else because they are only compatible with the games at that venue.

Alphanumeric “tokens” replace card numbers in ecommerce so the information a perpetrator of data theft would get is useless outside the system from which it was stolen. Randomly assigned, they bear no similarity to the numbers they supplant. Reverse engineering them to get to the actual number the token represents is next to impossible. You never see the actual credit card number at your site, so it isn’t there to be stolen if your security is compromised.

Tokenization vs. Encryption

While tokenization and encryption may appear similar on the surface, they are quite different. Even free ecommerce websites employing tokenization are more secure because tokenization is irreversible. The representative string of characters bears no mathematical relationship whatsoever to the actual number. No formula can be applied to the token to get it to reveal the card number. Meanwhile, encryption must be reversible by necessity. When a purchase is made, the number is encrypted to travel across the internet to your site, where it is decrypted to compensate you for the purchase. Thus, encryption is only as strong as the algorithm used to accomplish it. Given the ever-increasing amount of computational power available to the average person, it’s only a matter of time until encryption is rendered obsolete.

Practical Applications of Tokenization

You are very likely carrying tokenization technology around with you right now in your smartphone. Both Apple Pay and Android Pay rely upon it to secure payments. If you’re currently using the feature, when you registered a card with the device, the card’s number was replaced with a token. If your phone is stolen, thieves will not have access to your card number because it isn’t there.

At your ecommerce store, when you have a tokenization algorithm in place and a consumer pays for an item with a credit card, your software platform feeds the credit card’s number into its tokenization engine. A string of characters is then generated at random to represent the card number, and the card number itself is stored in a remote data vault. If this is a repeat purchase, the tokenization engine will retrieve the previous token it assigned to the card and use it to complete the transaction. Even if your site is hacked and your customer list is compromised, your customers’ credit card data won’t be there for the hackers to acquire.
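The flow described above, sketched as an added example that is not part of the original article or any provider's code. The names `TokenVault` and `checkout`, the in-memory dictionaries standing in for the remote vault, the HMAC index used to recognize a repeat card, and the test card number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


class TokenVault:
    """In-memory stand-in for the remote data vault (hypothetical, for illustration)."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # secret key for the lookup index
        self._pan_by_token = {}    # token -> card number; a real vault encrypts this at rest
        self._token_by_index = {}  # HMAC(card number) -> token, to find repeat cards

    def _index(self, pan):
        # Keyed hash so the repeat-card lookup does not use the card number as a key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        idx = self._index(pan)
        if idx in self._token_by_index:       # returning card: reuse its token
            return self._token_by_index[idx]
        while True:                           # new card: draw a random token
            token = "".join(secrets.choice(ALPHABET) for _ in range(24))
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token):
        # Only the vault can map a token back, and only by lookup, never by formula.
        return self._pan_by_token[token]


def checkout(vault, orders, customer, pan):
    """Merchant side: hand the card number to the vault and keep only the token."""
    token = vault.tokenize(pan)
    orders.append({"customer": customer, "token": token})
    return token


if __name__ == "__main__":
    vault, orders = TokenVault(), []
    checkout(vault, orders, "alice", "4111 1111 1111 1111")  # constructed test number
    checkout(vault, orders, "alice", "4111111111111111")     # repeat purchase, same card
    print(orders)  # both records carry the same token and no card number
```

The merchant's `orders` list is what a thief would get from a compromised store; the mapping back to the card number exists only inside the vault.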

If you’re considering tokenizing credit card data to secure it against theft for your ecommerce site, make sure the provider you choose is compliant with the Payment Card Industry Data Security Standard (PCI DSS) governing tokenization. If they are, you’ll find the work you have to do to keep your site PCI DSS compliant will be significantly reduced, which is yet another advantage of employing tokenization to secure your customers’ payment data.
