1 / 16

Why We Love AND Hate Tokenization Making Choices, Not Repairs

Why We Love AND Hate Tokenization Making Choices, Not Repairs. Your source for payments education. Sally Baptiste, Payment Operations Group, LLC – Consultant, Co-Founder Daniel Pelegero, Retail Payments Global Consulting Group – Consultant. As We Go Along…. What is Tokenization?

kacia
Download Presentation

Why We Love AND Hate Tokenization Making Choices, Not Repairs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Why We Love AND Hate TokenizationMaking Choices, Not Repairs Your source for payments education Sally Baptiste, Payment Operations Group, LLC – Consultant, Co-Founder Daniel Pelegero, Retail Payments Global Consulting Group – Consultant

  2. As We Go Along… • What is Tokenization? • Pro’s and Con’s of Using Tokenization • Managing Vendors and Migrating Services • Effective Usage • Types of Tokenization and Features of Various Services • Wrap!

  3. Tokenization is…

  4. Why Tokenize? Risk Exposure Reduction can have a significant impact on the security of your systems. Even in the event of a breach, the data expatriated by hackers is virtually useless – assuming connectivity and access backwards to the token provider is not also accessed. Your company’s risk and insurance profile is positively impacted by the removal of sensitive data.

  5. Tokenization can Cause Problems Once the data is outside of the merchant’s control, any and all processes which work with a unique and indexed data point will need to be re-scripted to work with alternative data. Identifying all of these systems and processes can be problematic. Additionally, layering the tokens, as can occur with wallet tokens, can provide even less interoperability.

  6. But It’s Such a Good Idea Internal Fraud concerns can be significantly reduced. This could allow your company to take advantage of opportunities which add layers of risk to achieve some other goals without the concerns of access to this data. Even detokenized data is available (as a rule) only as a single data point so risk of expansive employee or contractor fraud is severely impaired. Speaking of staff, having alternative tokenized support reduces the risk of ‘tribal’ knowledge being your exclusive protection path for this critical data.

  7. Seriously, It Can Harm Productivity Some services rely on the clear script card number, or at least a portion of it, such as: • Account Updater Programs • Dispute Management • VMPI • Interchange Management • Least Cost Routing • Purchase Card Data • Pinless Debit Routing • Dynamic 3DS Routing • Various Processing Analyses

  8. Did I Mention PCI? Reducing PCI Scope by completely removing cardholder data from a merchant’s systems can have significant positive impacts on an annual Payment Card Industry Data Security Standards Assessment. Yes, you still must perform an Assessment… After you confirm the PCI Compliance of your Tokenization vendor, validation of the absence of PAN data is your strongest commitment. If you use a QSA, your annual Assessment expense could also be significantly reduced once the QSA can confirm the correct use of tokenization for the services you claim.

  9. The Customer Is Always Right! The customer never sees a token. This means that Customer Service Teams are interacting with consumers using the only payment information the caller can provide – the PAN. • Call times can lengthen • Additional Staff Training is Required • ‘Swivel Chair’ Services can cause disruption • Detokenization or Customer Support bolt-on software must be available throughout call center hours

  10. Who Owns the Tokens?

  11. The Contract Should Empower You “You build the contract for the divorce, not the marriage.” • Portable tokens should not limit the next vendor selection. • Incumbent should be contractually obligated to assist with the conversion to a new provider. • Validate Level I PCI Third Party Compliance.

  12. Migrating Services/Vendors If detokenization is required, the current vendor should assist in creating a PCI Compliant method of transitioning the data to the future vendor or system. Additionally, if the data within the token has been altered during the token’s life, such as with an Account Updater service, you must ensure you are receiving the most current data related to that token.

  13. Token Attributes to Consider • Hosted and Vaultless Tokenization • Preserved and protected vs. cloud-based • Preserving and Non-Preserving Formats • Tokens styled like PANs or alpha/numeric tokens • Durable Tokens and Transaction-Based Tokens • Used for the consumer relationship or for the one sale • Tokenization against the data At and After Capture • Tokenize in cart entry field or after data collection • Reversable and Non-Reversable Tokens

  14. Having vs. Using Tokenization Sometimes, a merchant puts tokenization in place and inadvertently other departments cause more PCI and Data Security issues. • Chargebacks • VOIP • Notepad or Wordpad • Email • Customer Call Quality Monitoring • Backups • IT File Recovery

  15. Summary & Key Takeaways • Tokenization is an important tool in your data protection arsenal. • Carefully select the type of tokenization that best fits your needs and remember that each service has its own features. • Pro’s and Con’s of Using Tokenization – There are many of each! • Make sure the contract reflects the way you want to use the service. • Be careful when shifting from one tokenization service to another. • Using tokenization effectively means building FOR its use, not AROUND its use.

  16. Thank You Don’t forget to submit your session evaluation! • Sally Baptiste, Payment Operations Group, LLC – Consultant, Co-Founder • Daniel Pelegero, Retail Payments Global Consulting Group – Consultant

More Related