Thales Blog

Tokenization: The New Kid On The Block

November 6, 2009

At the RSA Europe Conference in October, there was a significant amount of buzz around tokenization. Tokenization is increasingly on the agenda as one way to help secure data, and despite being in use by numerous large merchants, there has, up until now, been relatively little awareness elsewhere of what it is and how it can add to the security mix. For example, PCI DSS does not mention it at all at present; however, it may be included in the next version of the PCI DSS security standard (version 1.3), which was discussed at the end of October.

Tokenization is, in essence, substituting card details (which can be used for fraud) with random numbers (which are useless to a fraudster). So, when an organisation processes a given transaction, instead of tracking the transaction using card details, it uses a random number (or token) that has been allocated to represent the card. The card details are encrypted, at the point of sale terminal for example, and can be securely protected using a hardware security module. As tokens are used instead of card details to record and track transactions, far fewer locations use card numbers, and the opportunity for data spillage or fraudulent interception is significantly reduced.
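The substitution described above can be sketched as follows. This is an added example, not Thales code: `TokenVault`, `record_sale` and the test card numbers are hypothetical, the in-memory table stands in for card data encrypted under HSM-protected keys, and rejecting tokens that pass the Luhn check is a design choice assumed here so that a token can never be mistaken for a real card number.

```python
import hashlib
import hmac
import secrets

def luhn_valid(number):
    """Card-number checksum (Luhn); True for a well-formed card number."""
    digits = [int(d) for d in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only component that ever holds card numbers."""
    def __init__(self):
        # Assumption: in production this key lives in an HSM and the PAN
        # table below is stored encrypted; plain dicts stand in for both here.
        self._index_key = secrets.token_bytes(32)
        self._token_by_fp = {}   # HMAC(PAN) -> token, so lookups avoid clear PANs
        self._pan_by_token = {}  # token -> PAN

    def tokenize(self, pan):
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        fp = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._token_by_fp:  # same card always maps to the same token
            return self._token_by_fp[fp]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            # Retry on collision or if the random value could pass as a real card.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._token_by_fp[fp] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        # Only the vault can reverse a token; callers would need authorisation.
        return self._pan_by_token[token]

def record_sale(vault, ledger, pan, amount):
    # Downstream records carry the token, never the card number.
    ledger.append({"card_ref": vault.tokenize(pan), "amount": amount})

TEST_PANS = ["4111111111111111", "5555555555554444"]  # constructed test numbers

def demo():
    vault, ledger = TokenVault(), []
    for pan, amount in [(TEST_PANS[0], 1999), (TEST_PANS[1], 500), (TEST_PANS[0], 250)]:
        record_sale(vault, ledger, pan, amount)
    return vault, ledger
```

The ledger returned by `demo()` can still group the first and third sales by card, yet a copy of it reveals no card number; only the vault needs the strongest protection.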

It is good to see tokenization on the agenda, and this new technology looks set to make a significant impact on the way in which transactions are processed over the next few years.