What is Tokenization?

Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a token.‖ De-tokenization is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.

Depending on the particular implementation of a tokenization solution, tokens used within merchant systems and applications may not need the same level of security protection associated with the use of PAN. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.

The following key principles relate to the use of tokenization and its relationship to PCI DSS:

  • Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s  validation efforts by reducing the number of system components for which PCI DSS requirements apply.
  • Verifying the effectiveness of a tokenization implementation is necessary and includes confirming that PAN is not retrievable from any system component removed from the scope of PCI DSS.
  • Tokenization systems and processes must be protected with strong security controls and monitoring to ensure the continued effectiveness of those controls.
  • Tokenization solutions can vary greatly across different implementations, including differences in deployment models, tokenization and de-tokenization methods, technologies, and processes. Merchants considering the use of tokenization should perform a thorough evaluation and risk analysis to identify and document the unique characteristics of their particular implementation, including all interactions with payment card data and the particular tokenization systems and processes.

One of the primary goals of a tokenization solution should be to replace sensitive PAN values with non-sensitive token values. For a token to be considered non-sensitive, and thus not require any security or protection, the token must have no value to an attacker.

Tokens come in many sizes and formats. Examples of some common token formats are included in the following table.

Tokens can be generally identified as either single-use or multi-use. A single-use token is typically used to represent a specific, single transaction. A multi-use token represents a specific PAN, and may be used to track an individual PAN across multiple transactions. A multi-use token always maps a particular PAN value to the same token value within the tokenization system. Determining whether single-use or multi-use tokens, or a combination of both, are appropriate for a particular merchant environment will depend on the merchant’s specific business need for retaining tokens.

When evaluating a tokenization system, it is important to consider all elements of the overall tokenization solution. These include the technologies and mechanisms used to capture cardholder data and how a transaction progresses through the merchant environment, including transmission to the processor/acquirer. The tokenization solution should also address potential attack vectors against each component and provide the ability to confirm with confidence that associated risks are addressed.

The security and robustness of a particular tokenization system is reliant on many factors, including the configuration of the different components, the overall implementation, and the availability and functionality of security features for each solution.

Who is MyPOSDepot?

MyPOSDepot is a bank direct payment processor. There’s no middleman to contend with. When you get your payment processing directly from the source you can save thousands of dollars per year. This money will go straight to your profits. Our experienced account managers will guide you through every step of the way to accepting electronic payments for your business. We customize solutions that fit your specific business needs.

MyPOSDepot’s unwavering commitment to excellence is in providing our nationwide merchant base with the most cost-effective and cost-efficient transaction processing solutions for today, tomorrow and the future. MyPOSDepot will surpass the needs of all our merchants by providing products and services which are unrivaled in the transaction processing industry; by the development of easily upgradeable solutions teamed with quarterly quality assurance calls to every merchant and our attention to detail by providing one-to-one service.

MPD is a payment processor providing merchant services to businesses nationwide. We are headquartered just outside of Philadelphia; MyPOSDepot currently processes in excess of a half billion dollars annually. MPD caters to all avenues of commerce, including retail stores, restaurants, mail order/telephone order, e-commerce, home-based, multi-lane and lodging merchants.

MyPOSDepot is dedicated to providing exceptional customer service to every merchant. We have a 24/7/365 “in-house” customer service department with nearly zero hold times. All merchants receive a quarterly quality assurance call to insure we are exceeding the merchant’s expectations of service. This is one of the reasons why our retention rate is an industry low of 2%. Additionally, agents/MLS of MyPOSDepot have access to the Interactive Representative Information System, an online reporting tool which allows agents/MLS to manage their accounts over the internet. MPD merchants also have access to the Interactive Merchant Information System which allows merchants to see real-time batch information 24 hours after they settle their funds.