Using tokenization to fight hackers

August 27, 2014

Tokenization is a great way to prevent e-commerce security breaches and ensure that consumer information remains safe.

Tokenization is a process that converts credit card values into new digital representations of the consumer’s card that, on their own, hold no real value. According to TokenEx, the process works as follows:

  1. First, the shopper enters his or her card data into forms on the website, in order to complete the purchase.
  2. The sensitive values within each field are then encrypted.
  3. Encrypted data is then converted into tokenized data that can be used to process the payment.

Although many retailers don’t utilize tokenization, it is one of the best ways to safely transmit consumer payment data, Avery Buffington, an information security architect for SecureNet, wrote on NetworkWorld. In addition, implementing tokenization can reduce a vendor’s Payment Card Industry (PCI) scope. Buffington employed an example, converting a fake credit card number to a tokenized value.

“For example, credit card 4444 3333 2222 1111,” he wrote, “would be tokenized as A12BD33BDLB349BOeOIKL338.”

Typically, the card number from the example would remain as is during transmittal, and information is much more vulnerable during this process. When data isn’t tokenized, it is sent from the cardholder’s browser to the e-commerce merchant’s website. Then, the card data moves to a payments processor, followed by a trip to the card associations and the issuer. During this journey, especially within the retailer’s server, card information can be stolen, according to Buffington.

Switching to tokenization ensures that consumer data remains secure, and that vendors are PCI compliant. PCI compliance refers to vendors’ responsibility to keep consumers’ card data safe. There are 12 requirements that have to be maintained in order to be considered PCI compliant, according to the PCI Security Standards Council. Businesses should have systems in place that instill confidence that consumers’ information is safe from data breaches.

And one of the ways to ensure this is tokenizing card data. It is important to remember that data should be tokenized before it even reaches the retailer’s server, since this is where the majority of card data thefts occur, according to Buffington. When data is tokenized before it ever reaches the merchant’s server, then hackers who manage to breach it will have no useful information to collect.
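
The flow described above, with the card number tokenized before it reaches the retailer’s server, as an added Python example (not code from TokenEx, SecureNet or the original post). `TokenVault`, `checkout` and the in-memory `merchant_db` are hypothetical names, the 24-character token format is an assumption modeled on Buffington’s sample, and the encryption of step 2 is assumed to happen in transport, outside this code.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # token characters (assumed)


def luhn_ok(pan):
    """Card checksum, so mistyped numbers are rejected before vaulting."""
    digits = [int(d) for d in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the tokenization provider (holds the PANs)."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the lookup index
        self._token_for = {}  # HMAC(card number) -> token
        self._pan_for = {}    # token -> card number

    def tokenize(self, card_number):
        pan = card_number.replace(" ", "")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if idx not in self._token_for:
            # Random token: no mathematical link to the card number.
            token = "".join(secrets.choice(ALPHABET) for _ in range(24))
            self._token_for[idx] = token
            self._pan_for[token] = pan
        return self._token_for[idx]

    def detokenize(self, token):
        """Only the vault can map a token back (payment processing side)."""
        return self._pan_for[token]


def checkout(vault, merchant_db, order_id, card_number):
    """Tokenize first; the merchant record only ever receives the token."""
    token = vault.tokenize(card_number)
    merchant_db[order_id] = {"card_token": token}
    return token


if __name__ == "__main__":
    db = {}
    print(checkout(TokenVault(), db, "order-1", "4444 3333 2222 1111"), db)
```

A dump of `merchant_db` yields only tokens; recovering a card number requires access to the vault, which sits outside the retailer’s environment.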

E-commerce data breaches are on the rise
In 2013, the number of data breaches increased 53.6 percent year-over-year, with 54 percent of those hacks targeting e-commerce retailers, according to a Trustwave report. In 2013, 55 percent of the data stolen by hackers was card payment data.

“In addition to brick-and-mortar locations, databases involved in e-commerce payments continue to be common targets of attack,” the report says. “As has been the case for more than 15 years, poor coding and data storage practices have left sites vulnerable to SQL injection, whereby criminal hackers gain access to cardholder data stored in databases.”

An SQL injection is when a hacker inserts malicious code that is capable of downloading bits of data, according to Internet Retailer.

Additionally, the size of a retailer will not deter hackers – big or small, every vendor is vulnerable to a data breach, making it all the more important that they utilize tokenization. Many mid-sized or smaller retailers believe that hackers will not target them because of the limited data available, but no one is safe, Internet Retailer explained. Most thieves are simply searching for data that is easy to exploit, and a long list of small businesses may be easier to attack than one large corporation.

Tokenization will be the best way to ensure that data is secure immediately and that costly data breaches do not occur, according to Buffington. 

“Hackers aren’t ever going to go away in the progressively digital age, but back-end processing technology can continue to fight by making it harder for them to walk away with the information they’re looking for,” he wrote. “Using e-commerce tokenization puts the best line of defense in front of payments technology, beating hackers at their own game.”
