With any POS system, your credit/debit card data is susceptible to theft and fraudulent use.
This is primarily because your card information passes through an entire processing chain once you pay a merchant for goods and your card is swiped at a POS terminal. That chain includes the consumer, the merchant, payment processors, the card brands, and the issuing bank.
Data thieves can exploit any vulnerable point along this chain to gain access to your credit card details.
To protect this Personally Identifiable Information (PII) from exposure and fraudulent use, the Payment Card Industry Data Security Standard (PCI-DSS) was introduced.
Under US federal law, merchant banks are responsible for ensuring that their merchants comply with the PCI security standard.
This means that merchants can either engage an independent Qualified Security Assessor (QSA) to issue a Report on Compliance (ROC) after an audit, or opt for a POS system with built-in tokenization to ensure compliance with PCI.
What is Tokenization?
Tokenization is a process through which the customer’s card data is replaced by a token number for use by the merchant POS system.
Tokenization relies on a token “vault”: a centralized, highly secured server that holds a database mapping each customer’s credit card number to the token number assigned to that card.
In the process of tokenization, a customer’s card information (captured when the card is swiped at the merchant’s POS) is sent to the token vault. The vault assigns each card a unique token number, which is recognized only by the merchant’s POS system.
The vault assigns this token number only after the transaction has been authorized by the issuing bank. For any future transactions, the POS can use the token number instead of the card number. This protects the customer’s card data from theft, because the token replaces the card number in the POS for all subsequent post-authorization transactions.
PCI Compliance through Tokenization
As a merchant, you gain several benefits from tokenization:
- In the event of a breach of your POS system, your customers’ sensitive card information will remain safe from theft and fraudulent use. The token number assigned and stored in your POS will be of no use to the data thieves as they are only dummy figures.
- Your Cardholder Data Environment (CDE) will be reduced if you use token numbers for back-end business applications. This is a fundamental requirement for PCI compliance.
- Tokenization ensures a reduction in PCI scope and can save you time and money.
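The flow described above (card swiped, PAN sent to the vault, token returned and stored at the POS, token reused for later charges) and the first benefit in the list (a breached POS yields only tokens) as an added worked example; this is illustrative code written for this article, not any vendor's product. The vault, the POS class and the sample card number are all constructed; a real vault is a separately hosted, hardened service.

```python
import json
import re
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check: real PANs pass it; the tokens below are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed toy vault: the only place the token <-> PAN mapping exists."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:      # one token per card, so repeat
            return self._token_by_pan[pan]  # charges reuse the same token
        while True:
            # Random digits plus the real last four (kept for receipts/lookups).
            token = "".join(secrets.choice("0123456789")
                            for _ in range(len(pan) - 4)) + pan[-4:]
            # A token that fails Luhn cannot be mistaken for, or used as, a card number.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault/processor side maps back; the POS never needs this."""
        return self._pan_by_token[token]


class MerchantPOS:
    """The POS stores only tokens, keeping its storage out of cardholder-data scope."""
    def __init__(self, vault: TokenVault):
        self.vault, self.records = vault, []

    def record_sale(self, pan: str, cents: int) -> dict:
        rec = {"token": self.vault.tokenize(pan), "cents": cents}
        self.records.append(rec)
        return rec

    def storage_dump(self) -> str:
        return json.dumps(self.records)


def leaked_pans(text: str) -> list:
    """What a thief could harvest from a dump: digit runs that pass Luhn like real PANs."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_ok(m)]
```

Running `leaked_pans` over a POS storage dump is a quick self-check that no real card number has ended up in merchant-side storage.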
Tokenization is recognized by the PCI Security Standards Council as a way to simplify “a merchant’s validation efforts by reducing the number of components which are subject to PCI DSS requirements and audit”.
A more advanced form of tokenization that offers stronger protection for your customers’ data and further supports PCI compliance is Network-Level Tokenization.
This tokenization scheme assigns a specialized BIN (Bank Identification Number) generated by 3-D protected software.