Credit Card Tokenization

Credit card tokenization helps to protect merchants from credit card theft. Tokenization technology replaces the customer’s credit card number with a different identifier to uniquely distinguish the customer’s credit card during settlement of a transaction. This technology eliminates the need to store credit card numbers on persistent media on the merchant’s site. All sensitive information that is stored for credit card processing is kept off site.

Encryption technology is used to store customer credit card data. While the encryption technology is secure, it requires ongoing maintenance to remain secure, and managing it can be cumbersome for merchants. Many smaller merchants do not typically employ Management Information System (MIS) staff to monitor networks and security infrastructure. Larger Enterprise clients can incur large auditing charges to verify that each property is compliant with Payment Card Industry Data Security Standards (PCI DSS).

In a typical restaurant payment scenario, a server picks up a guest check with the credit card to be used for payment. The server swipes the credit card on the Point of Sale (POS) application and the credit authorization with the credit card number is sent to the credit card payment processor. The payment processor returns a valid authorization code and, along with the payment, a token is also returned to identify the credit card during the transaction’s settlement. Any record of the original card number, expiration date, and track data is erased from memory. When the voucher prints, all that remains is the last four digits of the original credit card number and a token that identifies the card to the payment processor for future operations.

Consider the same transaction, but with the network connection to the credit card processor offline. In this case, the server must manually authorize the credit card and the credit card payment processor cannot provide a token. The credit card data must be stored until a token can be acquired by the POS system (usually at transaction settlement time). At that point the sensitive credit card information is purged from the application.
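The following sketch models the online and offline scenarios described above. It is an added example, not code from the POS product or any payment driver. The Processor, CheckPayment, authorize, settle, and voucher names are hypothetical, and the card number is a constructed test value.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional

class Processor:
    """Hypothetical stand-in for the payment processor, not a real driver API."""
    def __init__(self) -> None:
        self.online = True
        self._vault = {}  # token -> card number, held off site by the processor

    def tokenize(self, pan: str) -> Optional[str]:
        if not self.online:
            return None  # no connection: no token can be issued
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        return token

@dataclass
class CheckPayment:
    last4: str
    token: Optional[str] = None
    # Populated only for offline (manual) authorizations. A real system
    # would hold this encrypted; the sketch keeps it in memory only.
    pending_pan: Optional[str] = None

def authorize(processor: Processor, pan: str) -> CheckPayment:
    payment = CheckPayment(last4=pan[-4:])
    payment.token = processor.tokenize(pan)
    if payment.token is None:
        payment.pending_pan = pan  # must be kept until a token is acquired
    return payment

def settle(processor: Processor, payments: List[CheckPayment]) -> List[CheckPayment]:
    """Acquire missing tokens, purge card data, return payments still holding it."""
    for p in payments:
        if p.token is None:
            p.token = processor.tokenize(p.pending_pan)
        if p.token is not None:
            p.pending_pan = None  # purge once the token identifies the card
    return [p for p in payments if p.pending_pan is not None]

def voucher(p: CheckPayment) -> str:
    # Only the last four digits and the token ever reach the printed voucher.
    return f"Card: ************{p.last4}  Token: {p.token or 'PENDING'}"

if __name__ == "__main__":
    proc = Processor()
    proc.online = False
    pay = authorize(proc, "4111111111111111")  # constructed test card number
    proc.online = True
    print(len(settle(proc, [pay])), voucher(pay))
```

The list returned by settle is the useful check for an operator: any entry in it is a payment that still carries card data because settlement could not reach the processor.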

Table 5-3 Loadable Credit Card Tokenization

| Loadable Credit Card Driver | Requires Tokenization? |
| --- | --- |
| CAPMS | Optional |
| Dollars on the Net by Shift4 | Yes |
| Fusebox by Elavon | Optional (Elavon sets tokenization) |
| VisaD | No |