Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Card Not Present, CenPOS, credit card processing

Main menu

Skip to primary content
  • Home
  • Christine Speedy, Author
  • Interchange Rates
  • How much can I save?
  • Glossary: Payment Processing Terminology
  • Merchant Alerts & Rules Links
  • Merchant Security : PCI Compliance (Sticky)

Post navigation

← Previous Next →

What’s the difference between tokenization and encryption for payment card data?

Posted on May 9, 2012 by Christine Speedy

Tokenization is the process of replacing sensitive data with a meaningless number. There is no universal standard for tokenization in payments. The key principal is that no part of the token has any relation to the credit card or check data.  The tokens themselves are useless outside of the system for which they are designed to be used. Tokens can be created for one time use or stored for recurring.

Encryption is the conversion of data into a form that cannot be easily read by others. That which is encrypted can be decrypted.

Payment card industry data security standards (PCI DSS) do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction, with very rare exception.  If you store card data on your servers, regardless of access limitations, you’ll have a hard time proving your company was PCI Compliant in the event of a data breach. The financial liability, and potential criminal liability, is substantial.

If PAN data (primary account/ credit card number ) is encrypted, it’s still within the merchant scope for PCI because it can be decrypted. The exception is if the merchant is using a third party that is using PCI Compliant strong encryption, and there is no ability for the merchant to decrypt the data and get back PAN’s. *

Tokenization helps merchants reduce the scope for PCI DSS compliance whenever credit card data is stored, because the merchant cannot reverse engineer to access the PAN data. Encryption can be used by the third party to protect the data in the token vault. It is not required by PCI.  When a merchant uses a token to process a transaction, the associated payment information in the vault is delivered to the processor. How and in what format? The logical and physical elements vary by provider and specific controls are secret for security reasons, but it’s a fair question to ask when considering a new provider.

The CenPOS payment platform uses both tokenization and encryption for maximum reduction of PCI scope for merchants, and for data security throughout the payment cycle. It provides the most flexibility for merchants, because they can change processors with no disruption to their business.

*Refer to PCI guidelines for further details. Official PCI Security Standards Council Site


0
0

Related posts:

  1. payment processing software for medical billing companies
  2. First Data Selects SecurityMetrics for PCI Initiative
  3. Shift4 Releases Payment Data Security Strategy Podcast to Simplify PCI
This entry was posted in merchant account Q&A, PCI Compliance, security and tagged credit card encryption, PCI compliance, pci dss, recurring billing, tokenization by Christine Speedy. Bookmark the permalink.

About Christine Speedy

payment processing consultant
View all posts by Christine Speedy →

Recent Comments

  • Christine Speedy on Magento Developer Alert: Visa Mandate and Payment Gateways
  • Christine Speedy on How do I reset Ingenico ISC 250 or 350 terminal?
  • Jeremy Scott Ayers on How do I reset Ingenico ISC 250 or 350 terminal?
  • Christine Speedy on Level 3 processing for Magento
  • Carnivoros Anonimos on Can I get a merchant account if I don’t have a social security #?
Proudly powered by WordPress