Fraud in credit card and other financial transactions is a major problem, and considerable resources are devoted to securing credit card and other account information provided to merchants by payers. A single breach of security incident can compromise millions of credit card accounts, and such breaches are reported on a regular basis.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud. Annual PCI compliance audits by an external Qualified Security Assessor (QSA) are required for organizations handling large volumes of transactions. The security and organizational measures required to comply with the PCI standards, and the cost of the annual audits, are borne by the individual organization. Underlying software applications may require substantial modifications to achieve compliance, and significant changes in organizational structure and operating procedures may also be required. Thus, the time, effort, and cost required for merchants and processors to obtain PCI certification to receive and use credit card data are substantial.
In one approach to managing these costs, credit card processing organizations have used tokenization to provide a link to credit card data for purposes of storage and retrieval. Tokenization is the process of replacing some piece of sensitive data with a value that is not considered sensitive outside the environment where it is stored and used. The token is a symbolic representation of a financial instrument or instruction that is only meaningful to participants in the processing cycle, and safeguards the permissible use of and access to the financial instrument to authorized users. In the payments industry, tokenization has become a popular means of bolstering the security of electronic transactions while minimizing the complexity of compliance with industry standards and best practices.
In the PCI context, tokens are used to reference cardholder data that is stored in a separate database, application or off-site secure facility that is PCI compliant to the appropriate level. Therefore, the token, which is non-sensitive data, can be stored and used in a wide range of systems in the organization, without bringing those systems within the scope of a higher-level PCI audit and more stringent compliance requirements.
However, there are limits in functionality of existing tokenization methods. There is a need for improvement in conventional approaches to obtaining and using account information to process financial payments.