By Kristen Gramigna
If your business accepts customer payments, it has the potential to be impacted by a security breach. In 2014, National Small Business Association data indicated that nearly 45 percent of small business owners surveyed had been impacted by some form of cyber crime; the breach cost each business about $8,700.
To address the growing issue of data security, President Obama issued an executive order that same year outlining payment security changes intended to protect businesses and customers. Part of that plan outlined the transition to EMV chip-enabled debit and credit cards, which went into effect in the fall of 2015. Here’s a look at why EMV chip card technology and the tokenization process it uses are an important step forward in protecting sensitive data.
The basics of tokenization. Tokenization is a complex process that assigns a unique identifier (the token) to a payment transaction to conceal sensitive data that could be repurposed by identity thieves and cybercriminals if intercepted. When a customer inserts his or her EMV chip card into a point-of-sale terminal, for example, the card shows a 16-digit personal account number (PAN) on the front. Once the card is identified, a token request is sent to the card’s payment network (like Visa). The network assigns a unique identifier (the token) for that transaction. Other parties — like the financial institution involved with the card and the payment processor — are aware that the token relates to a specific transaction for processing and approval. Neither the customer nor the employee working at the point of sale will see the token, nor is it on the receipt or similar transaction records.
Why tokenization is necessary. The Department of Justice estimates that 86 percent of identity theft cases originate with fraudulent use of existing account information. Merchants involved in a data breach could be subject to fines, fees and lawsuits, on top of damage to brand credibility and loss of customer trust. Without tokenization, a customer’s sensitive information is easily intercepted by cybercriminals in “cyberspace.” It can be repurposed by identity thieves to create counterfeit cards and accounts, used to initiate fraudulent transactions, or sold on the “black market” for use by other criminals.
Tokenization acts as an additional layer of security to stop the progress of cyberthieves who succeed in intercepting a payment transaction. The token doesn’t directly correlate to the customer’s personal account information, nor can it be used to initiate fraudulent transactions. In a sense, a token follows the same logic as using a paper shredder to render account information on paper documents meaningless. Though people may find the documents, what they do find can’t be easily pieced together to use fraudulently.
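The flow described under "The basics of tokenization" and the property claimed above (an intercepted token is useless on its own) can be sketched as follows. This is an added example, not code from the author or any payment network: `TokenVault`, `merchant_record`, the merchant IDs and the rule that a token is bound to one merchant and amount are assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets

def luhn_valid(number):
    """Luhn checksum that card numbers carry."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the payment network: only it maps token -> PAN."""
    def __init__(self):
        self._entries = {}

    def tokenize(self, pan, merchant_id, amount_cents):
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = secrets.token_hex(8)   # random, so nothing about the PAN leaks
        self._entries[token] = {"pan": pan, "merchant": merchant_id,
                                "amount": amount_cents, "used": False}
        return token

    def authorize(self, token, merchant_id, amount_cents):
        """Approve only the single transaction the token was issued for."""
        e = self._entries.get(token)
        if e is None or e["used"]:
            return False               # unknown or replayed token
        if (e["merchant"], e["amount"]) != (merchant_id, amount_cents):
            return False               # token presented in a different context
        e["used"] = True
        return True

def merchant_record(vault, pan, merchant_id, amount_cents):
    """What the merchant keeps: token and last four digits, never the PAN."""
    token = vault.tokenize(pan, merchant_id, amount_cents)
    return {"token": token, "last4": pan[-4:], "amount": amount_cents}

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"           # constructed test number, not a real card
    rec = merchant_record(vault, pan, "shop-1", 2500)
    print(rec)
    print(vault.authorize(rec["token"], "shop-2", 2500))  # other merchant
    print(vault.authorize(rec["token"], "shop-1", 2500))  # intended use
    print(vault.authorize(rec["token"], "shop-1", 2500))  # replay
```

A breach of the merchant's records in this model yields only tokens and last-four digits; the mapping back to the account number exists solely inside the vault.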
Tokenization makes mobile wallets secure. The idea of paying with a mobile device instead of a card is convenient — but mobile devices are essentially traveling computers. If a mobile device is lost or stolen, tokenization keeps an unauthorized user from accessing the mobile wallet’s financial data, and protects data in a mobile payment transaction as it passes across a digital network. Like the process used at a physical point of sale, tokenization ensures that the customer’s account information isn’t housed on a mobile device, or held on the server of a mobile wallet provider.
Why business owners should understand tokenization. Merchants can benefit from tokenization by ensuring point-of-sale terminals and mobile payment processing tools use EMV chip card technology. (According to a February 2016 study by The Strawhecker Group, fewer than 40 percent of businesses are equipped to process EMV cards.)
That said, most EMV payment cards reissued in the United States still include a magnetic strip on the back. Merchants may need to educate customers on the benefits of using the chip feature on their card, including a simple explanation of tokenization and why it’s so important to customers in protecting their data.
Tokenization is a complex technology, but merchants can better protect themselves and their customers by encouraging customers to use their EMV card reader: A business that isn’t EMV compliant isn’t protected by tokenization. Should a breach occur, the business could also be held liable for the financial and legal damage that follows.
Kristen Gramigna is Chief Marketing Officer at BluePay, a credit card processing firm. She has more than 20 years’ experience in the bankcard industry in direct sales, sales management and marketing. Follow her on Twitter at @BluePay_CMO.