Lately it seems that not a day goes by where we don’t hear about a breach of credit card security at a major retailer. Some of the breaches are caused by poor security practices in relaying credit card information between retail point of sale systems and the backend systems. Some have been breached at the backend systems, where additional information may even have been compromised. Currently I am subscribed to an identity protection service paid for by a retailer. Previously it was my bank that paid. This year I have had one credit card replaced by the issuer because of fraudulent activity detected.
Digital wallets like Apple Pay and Google Wallet protect your credit card information by not exposing your credit card number; instead they submit a secure identifier through the payment processing system. Retail chains have also proposed a competing method targeted for 2015, CurrentC, under the joint venture Merchant Customer Exchange (MCX), which will use QR codes to present a secure transaction token. MCX members Wal-Mart and Best Buy have announced that they will not accept Apple Pay but promise to offer an app for your phone.
But what about non-retailers like yourselves who don’t use point of sale systems and still need to accept credit cards, debit cards, and/or ACH payments? Your customers likely won’t wander into your office to pay with their MCX phone app. What if you need to bill your customers on a recurring basis, which means you have to securely store their credit card data to use for each payment? Currently most credit card processing solutions offer protection by complying with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS guidelines define how credit card data should be stored, processed and/or transmitted. All credit card information must be encrypted at all times.
However, even using the highest standard of encryption can be risky, since the credit card information is still being stored on your system and hackers have proved to be quite creative. A higher level of security is available. It is similar to digital wallets in that it deploys tokens for payment processing. With tokens, the credit card information is never stored on your system. The PCI-DSS standard accepts tokenization as a method to meet its guidelines. The credit card is submitted once to the payment processor, who returns an encrypted one-time token. For a repeat transaction the one-time token is submitted and replaced by another one-time token.
The bottom line: employing tokens results in a more secure environment for both you and your customers.
- Credit card data is never stored on your system.
- Tokens can only be used once.
- Tokens are issued by a secure service provider and not generated by your system.
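To make the recurring-billing flow and the three properties above concrete, here is an added simulation written for this post; it is not code from the post’s author or from any payment processor. It models two roles: a token service provider (the processor’s vault, which alone holds the card number) and a merchant billing system that keeps only the current single-use token plus the last four digits for display. Every charge consumes the token and hands back a replacement; a consumed token is declined if presented again. Token format, the `TokenService` and `MerchantBilling` class names and the card numbers are all constructed assumptions, and real providers issue tokens in their own formats.

```python
"""Constructed simulation of single-use payment tokenization (not a real API).

Roles:
  TokenService    - the payment processor's vault; the only place the PAN lives.
  MerchantBilling - your recurring-billing system; stores tokens, never the PAN.
"""
import re
import secrets
from typing import Dict, Optional, Tuple


class TokenService:
    """Processor-side vault. Tokens here are random, opaque strings with no
    mathematical relation to the card number (a constructed simplification)."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}   # live token -> PAN, provider side only
        self._used: set = set()            # consumed tokens, kept to detect replay

    def tokenize(self, pan: str) -> str:
        """Accept a card number once and return a fresh single-use token."""
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13-19 digits")
        token = "tok_" + secrets.token_urlsafe(24)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> Tuple[bool, Optional[str]]:
        """Consume a single-use token. Returns (approved, replacement_token).

        A token that was already used, or that the vault never issued, is
        declined and no replacement is issued.
        """
        if token in self._used or token not in self._vault:
            return False, None
        pan = self._vault.pop(token)      # token is now dead
        self._used.add(token)
        # Authorization against the card issuer would happen here using `pan`.
        replacement = self.tokenize(pan)  # hand the merchant a new one-time token
        return True, replacement


class MerchantBilling:
    """Merchant system: persists only the provider-issued token and a masked
    display value. The PAN passes through `enroll` once and is not retained."""

    def __init__(self, provider: TokenService) -> None:
        self.provider = provider
        self.customers: Dict[str, Dict[str, str]] = {}  # customer_id -> record

    def enroll(self, customer_id: str, pan: str) -> None:
        token = self.provider.tokenize(pan)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}

    def bill(self, customer_id: str, amount_cents: int) -> bool:
        """Charge the stored token and rotate to the replacement on success."""
        record = self.customers[customer_id]
        approved, new_token = self.provider.charge(record["token"], amount_cents)
        if approved and new_token is not None:
            record["token"] = new_token
        return approved


def demo_recurring_billing() -> Dict[str, bool]:
    """Three monthly charges against one enrolled card, then a replay attempt.
    Returns the observed properties so they can be checked programmatically."""
    provider = TokenService()
    merchant = MerchantBilling(provider)
    sample_pan = "4111111111111111"          # constructed sample card number
    merchant.enroll("cust-1", sample_pan)
    first_token = merchant.customers["cust-1"]["token"]

    results = [merchant.bill("cust-1", 1999) for _ in range(3)]
    merchant_store_dump = repr(merchant.customers)

    return {
        "all_approved": all(results),
        "token_rotated": merchant.customers["cust-1"]["token"] != first_token,
        "pan_in_merchant_store": sample_pan in merchant_store_dump,
        "replay_declined": provider.charge(first_token, 1999) == (False, None),
    }


if __name__ == "__main__":
    for name, value in demo_recurring_billing().items():
        print(f"{name}: {value}")
```

The merchant-side record that survives a breach of your system is a dead or soon-to-be-dead token and four digits; the mapping back to a card number exists only in the provider’s vault, and a token lifted from your database or a log is declined the moment it is replayed.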