Friday, January 15, 2010

'Tokenization' touted to increase credit card data securities (Part 3)

Magic? Or mayhem?
Making credit card data disappear sounds simple enough, but like all good magic, there are a few tricks to it -- tricks that merchants, processors and card issuers want to learn more about before they embrace it as the panacea to data theft.

So far, Dave Taylor, a former Gartner analyst and founder of the PCI Knowledge Base, a panel of experts that supports best practices in payment securities, has been impressed by the potential of tokenization.

"It is gaining traction now," says Taylor. "Even six months ago, there was very little awareness of it, even among larger organizations. Merchants are very likely to save money with tokenization."

With awareness comes scrutiny, however.

"There is an increased awareness that this is not child's play, it's not something that is that easy to do," he admits. "If an organization has had problems dealing with encryption, they're probably also going to have problems dealing with tokenization."

In addition to concerns over the securities of the hardware intercept at the POS terminal, Taylor says merchants are unsure how tokenization will integrate with other automated systems that also use card data for things like sales auditing, loss prevention and loyalty programs.

Leach agrees: "There is confusion about charge-backs and whether merchants need to retain that information. Another concern is debit card transactions. Is tokenization a solution for all kinds of payment transactions? How does a tokenized solution manage the PIN block, for example?"

Those are all questions Leach hopes to answer when his council digs into emerging technology proposals this year.

If tokenization does gain momentum, Taylor says it could serve to steer consumers away from merchants whose cups are half-full of cardholder data toward those whose databanks are empty.

"Customer service organizations market that they're keeping the data for the convenience of the consumers," he says. "They could just as easily market that they don't keep data, and that that is safer for you. Why don't they market that?" News: Credit cards for small business owners