Why We Love AND Hate Tokenization Making Choices, Not Repairs


1 Why We Love AND Hate Tokenization Making Choices, Not Repairs
Your source for payments education
Sally Baptiste, Payment Operations Group, LLC – Consultant, Co-Founder
Daniel Pelegero, Retail Payments Global Consulting Group – Consultant

2 As We Go Along…
- What is Tokenization?
- Pros and Cons of Using Tokenization
- Managing Vendors and Migrating Services
- Effective Usage
- Types of Tokenization and Features of Various Services
- Wrap!

3 Tokenization is…
Tokenization is the act of substituting sensitive data with a substitute value that cannot, by itself, be reverted to its original form. Detokenization is the act of reversing this process to obtain the original, sensitive data. Encryption is temporary and primarily used for storage; tokens are designed to be used in place of the original data.

4 Why Tokenize?
Risk exposure reduction can have a significant impact on the security of your systems. Even in the event of a breach, the data exfiltrated by hackers is virtually useless, assuming the attacker has not also gained connectivity and access back to the token provider. Your company’s risk and insurance profile is positively impacted by the removal of sensitive data.

5 Tokenization can Cause Problems
Once the data is outside of the merchant’s control, any and all processes that work with a unique, indexed data point will need to be re-scripted to work with the alternative data. Identifying all of these systems and processes can be problematic. Additionally, layering tokens, as can occur with wallet tokens, can reduce interoperability even further.

6 But It’s Such a Good Idea
Internal fraud concerns can be significantly reduced. This could allow your company to pursue opportunities that would otherwise add layers of risk, without the concern of exposing this data. Even detokenized data is available (as a rule) only as a single data point, so the risk of expansive employee or contractor fraud is severely limited. Speaking of staff, having alternative tokenized support reduces the risk of ‘tribal’ knowledge being your exclusive protection path for this critical data.

7 Seriously, It Can Harm Productivity
Some services rely on the clear-text card number, or at least a portion of it, such as:
- Account Updater Programs
- Dispute Management
- VMPI
- Interchange Management
- Least Cost Routing
- Purchase Card Data
- Pinless Debit Routing
- Dynamic 3DS Routing
- Various Processing Analyses

8 Did I Mention PCI?
Reducing PCI scope by completely removing cardholder data from a merchant’s systems can have a significant positive impact on the annual Payment Card Industry Data Security Standard (PCI DSS) assessment. Yes, you still must perform an assessment… After you confirm the PCI compliance of your tokenization vendor, validating the absence of PAN data is your strongest commitment. If you use a QSA, your annual assessment expense could also be significantly reduced once the QSA can confirm the correct use of tokenization for the services you claim.

9 The Customer Is Always Right!
The customer never sees a token. This means that Customer Service Teams are interacting with consumers using the only payment information the caller can provide – the PAN.
- Call times can lengthen
- Additional staff training is required
- ‘Swivel chair’ services can cause disruption
- Detokenization or customer support bolt-on software must be available throughout call center hours

10 Who Owns the Tokens?
Networks & Wallets
- Issued from an EMVCo-registered BIN controller
- 13–19 digit number with no support for bank accounts
- Examples: Apple Pay tokens, Google Pay tokens, Network tokens for CoF
PSP/Acquirers/Gateways
- Replaces the PAN with a secure, randomly generated number that can be customized for length and format
- Typically formatted to include the first 6 digits and last 4 digits of the full PAN
Merchants
- Functionally similar to PSP tokens but stored within a merchant’s vault
- Additional flexibility and additional compliance overhead

11 The Contract Should Empower You
“You build the contract for the divorce, not the marriage.”
- Portable tokens should not limit the next vendor selection.
- The incumbent should be contractually obligated to assist with the conversion to a new provider.
- Validate Level I PCI Third Party Compliance.

12 Migrating Services/Vendors
If detokenization is required, the current vendor should assist in creating a PCI Compliant method of transitioning the data to the future vendor or system. Additionally, if the data within the token has been altered during the token’s life, such as with an Account Updater service, you must ensure you are receiving the most current data related to that token.

13 Token Attributes to Consider
- Hosted and Vaultless Tokenization: preserved and protected vs. cloud-based
- Preserving and Non-Preserving Formats: tokens styled like PANs or alpha/numeric tokens
- Durable Tokens and Transaction-Based Tokens: used for the consumer relationship or for the one sale
- Tokenization against the data At and After Capture: tokenize in the cart entry field or after data collection
- Reversible and Non-Reversible Tokens
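To make the PSP-style token format (slide 10) and the durable vs. transaction-based distinction (slide 13) concrete, here is an added toy vault in Python; it is example code, not the presentation’s or any vendor’s implementation, and the class and method names are my own. It keeps the first 6 and last 4 digits, draws the middle at random so the token is not derivable from the PAN, and refuses to ever hand out the real PAN as a token.

```python
import re
import secrets


class TokenVault:
    """Toy hosted vault (example only): the token is random, so it cannot be
    derived from the PAN; only the vault can map it back (detokenize)."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._durable: dict[str, str] = {}  # PAN -> its durable token

    @staticmethod
    def _format_preserving_token(pan: str) -> str:
        # PSP-style format: keep first 6 (BIN) and last 4, randomise the rest.
        middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
        return pan[:6] + middle + pan[-4:]

    def tokenize(self, pan: str, durable: bool = True) -> str:
        """durable=True: one token per PAN, for the consumer relationship.
        durable=False: a fresh token for this one sale."""
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13-19 digits")
        if durable and pan in self._durable:
            return self._durable[pan]
        while True:
            token = self._format_preserving_token(pan)
            # Never hand out the real PAN as a token, and never reuse a token.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        if durable:
            self._durable[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Privileged operation: only the vault side should ever run this."""
        return self._token_to_pan[token]
```

Because a format-preserving token looks like a PAN, anything downstream that validates or routes on the middle digits (see slide 7) will need to know it is holding a token.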

14 Having vs. Using Tokenization
Sometimes a merchant puts tokenization in place and other departments inadvertently cause more PCI and data security issues:
- Chargebacks
- Customer Call Quality Monitoring
- VOIP Backups
- Notepad or Wordpad
- IT File Recovery
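Slide 8 calls validating the absence of PAN data your strongest commitment, and this slide lists where PANs leak back in. The following added Python example (mine, not the presentation’s) is a minimal PAN-discovery check over constructed sample files of the kinds listed above: it pulls out 13–19 digit runs (spaces or dashes allowed) and keeps only Luhn-valid ones, so order numbers and alphanumeric tokens are not reported.

```python
import re

# A run of 13-19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test, as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> list[str]:
    """Return Luhn-valid card-number-looking strings found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map file name -> PAN candidates, for files that contain any."""
    return {name: hits for name, body in files.items()
            if (hits := find_pan_candidates(body))}


# Constructed sample content mirroring the leak points on this slide; the
# card numbers are public test numbers, not real accounts.
SAMPLE_FILES = {
    "chargeback_notes.txt": "Disputed txn, card 4111 1111 1111 1111, not recognised",
    "call_qa_transcript.txt": "Agent: card number? Caller: 5555-5555-5555-4444",
    "itdesk_notepad.txt": "ticket 1234567890123 opened, no card data",
    "orders_export.csv": "order,token\n1001,411111ab12cd1111",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} PAN candidate(s)")
```

A format-preserving token with random middle digits passes Luhn about one time in ten, so hits should be confirmed against the vault before being treated as a leak.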

15 Summary & Key Takeaways
- Tokenization is an important tool in your data protection arsenal.
- Carefully select the type of tokenization that best fits your needs, and remember that each service has its own features.
- Pros and Cons of Using Tokenization – there are many of each!
- Make sure the contract reflects the way you want to use the service.
- Be careful when shifting from one tokenization service to another.
- Using tokenization effectively means building FOR its use, not AROUND its use.

16 Thank You
Don’t forget to submit your session evaluation!
Sally Baptiste, Payment Operations Group, LLC – Consultant, Co-Founder
Daniel Pelegero, Retail Payments Global Consulting Group – Consultant
