Tokenization is the way to prevent e-commerce security breaches


By Avery Buffington, Information Security Architect, SecureNet, Network World | August 25th, 2014

E-com security breaches are increasing in frequency at an alarming rate, but there is a way to prevent them: tokenization.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.


Tokenization is the one-way process of converting a credit card number into a unique value that by itself holds no value. Tokenization can be used to prevent actual credit card data from ever touching a retailer’s server, where the majority of data breaches occur.

This can be achieved by having the customer’s shopping cart submit card information to the merchant’s processor along with a unique merchant identifier. The payment processor can then generate a token and send it back to the customer’s cart. Once the shopping cart receives the tokenized payment information, it can submit it along with other purchase information to the merchant, who in turn passes the tokenized data back to the processor for payment authorization.

Many payment processors don’t utilize tokenization for e-commerce, yet it’s the most foolproof way for retailers to proactively protect themselves and their customers’ card data with a high level of security. In addition, this form of tokenization can also assist merchants in reducing their Payment Card Industry (PCI) scope.

The e-commerce credit card transaction process incorporates many intricate steps. During a non-tokenized e-commerce transaction, the valuable card data essentially embarks on a journey, passing from the customer’s browser to the e-commerce merchant’s website, through the merchant’s network to the processor and then on to the card associations and the issuer. The most vulnerable stage of this process, and the place where credit information has historically been most at risk, is the retailer’s server. By utilizing the tokenization previously described, it’s possible for the card data to bypass the merchant server completely.

Through tokenization, a payment processor transforms valuable credit card data into an irreversible, unique identifier that has no intrinsic value if intercepted and cannot be used for fraudulent purposes. For example, credit card 4444 3333 2222 1111 would be tokenized as A12BD33BDLB349BOeOIKL338. This means the tokenized data is useless to anyone outside of the processing company, which ensures the information is safe as it progresses through the various stages of the transaction.
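The flow described above (cart to processor, token back to the cart, token on to the merchant, merchant to processor for authorization) can be simulated end to end. The following is an added example, not code from the article or from any processor; the class names, the random-token vault and the rule that a token is honoured only for the merchant it was issued to are assumptions made for illustration.

```python
import secrets

class Processor:
    """Stand-in for the payment processor: the only party that stores the card number."""
    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan)

    def tokenize(self, merchant_id, pan):
        # Random token with no mathematical relation to the card number,
        # so it cannot be reversed without access to the vault.
        token = secrets.token_urlsafe(18)
        self._vault[token] = (merchant_id, pan)
        return token

    def authorize(self, merchant_id, token, amount_cents):
        entry = self._vault.get(token)
        # Assumption: a token is valid only for the merchant it was issued to.
        if entry is None or entry[0] != merchant_id:
            return "DECLINED"
        return "APPROVED"  # a real processor would now contact the card networks

class MerchantServer:
    """Stand-in for the retailer's server; records everything it ever receives."""
    def __init__(self, merchant_id, processor):
        self.merchant_id, self.processor, self.received = merchant_id, processor, []

    def checkout(self, order):
        self.received.append(dict(order))
        return self.processor.authorize(self.merchant_id, order["token"], order["amount_cents"])

def cart_checkout(pan, amount_cents, merchant, processor):
    """Shopping cart: card data goes to the processor, only the token goes to the merchant."""
    token = processor.tokenize(merchant.merchant_id, pan)
    return merchant.checkout({"token": token, "amount_cents": amount_cents, "sku": "EXAMPLE-1"})

def demo():
    pan = "4444333322221111"  # card number from the article's example
    processor = Processor()
    shop = MerchantServer("merchant-A", processor)   # constructed merchant IDs
    other = MerchantServer("merchant-B", processor)
    result = cart_checkout(pan, 2599, shop, processor)
    leaked = shop.received[0]["token"]  # all that the shop's server holds after the sale
    reuse = other.checkout({"token": leaked, "amount_cents": 2599})
    pan_on_server = any(pan in str(v) for rec in shop.received for v in rec.values())
    return result, reuse, pan_on_server

if __name__ == "__main__":
    print(demo())
```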

Some processors tokenize data in the post-authorization stage only, allowing consumer credit information to sit on potentially unsafe retailer servers until the transaction has processed. Tokenization from the start of the transaction protects data earlier in the lifecycle of the transaction.

Most well-known data breaches have occurred at the server level, so tokenizing card numbers before they reach that point mitigates security risks by a significant margin. The ITRC reports hacking as the number one cause for breaches. Thus, the ability to prevent card data from reaching the server is a particularly valuable benefit for e-commerce retailers, as it basically makes credit card information hacker-proof in their network.

By tokenizing data before submission to the merchant, the consumer can be assured that even if hackers break through a system and gain access to a merchant’s server, they won’t be able to obtain any sensitive information. If this type of system is in place and a breach does occur, the business will be able to focus on the system flaw that allowed the breach, without worrying about consumer information being in the hands of fraudsters.

Highest level of protection

While there is a multitude of different bundles and software that can be used to defend against security breaches, nothing ensures the high level of protection for e-commerce that tokenization instills. This component recognizes that hackers can always potentially find a way into a system, which is why it morphs data as soon as possible and never allows it onto the retailer servers, making any stolen information useless. By providing this ability, processors not only take the lead with security, but also make themselves more marketable to retailers, because they are absorbing the responsibility of security breaches, removing the blame from brand servers.

Security is going to remain a hot topic as long as breaches continue to occur. Hackers aren’t ever going to go away in the progressively digital age, but back-end processing technology can continue to fight by making it harder for them to walk away with the information they’re looking for. Using e-commerce tokenization puts the best line of defense in front of payments technology, beating hackers at their own game.
