
Tokenization

At a security conference in Las Vegas in 2005, attended by Shift4 customers, software developers, and representatives from all of the credit card associations, Shift4 announced the availability of Tokenization for Point-of-Sale (POS) systems that were integrated with Shift4's Software as a Service (SaaS) DOLLARS ON THE NET® payment gateway. Since that day, Shift4 has processed over a billion tokenized transactions through hundreds of token-capable interfaces.

Shift4 is considered the inventor of Tokenization and the first to coin the term.

In the last couple of years, various companies have jumped on the Tokenization "bandwagon" with solutions that they call Tokenization. Unfortunately, most use the word to mean virtually any technology that enables the card number to be replaced or modified. Some of these so-called Tokenization solutions are card number encryption, some are card number hashing, some are merely card truncation or obfuscation; some are used "in-house," and some are used direct to processor. Most handle "at-once" transactions but do not handle post-authorization processing. Consultants, Qualified Security Assessors (QSAs), and even the PCI council itself have clouded the issue of what Tokenization is really intended to be.

For that reason, Shift4 has chosen to refer to its Tokenization solution - the original, authentic solution - as TrueTokenization.

True Security, TrueTokenization.

TrueTokenization is a technology solution that replaces cardholder data (CHD) to address the vulnerability issues associated with the storage of sensitive CHD. Historically, CHD has been stored and utilized to enable merchants to perform various business-related functions including credits, tips, tabs, and incremental authorizations. TrueTokenization provides merchants with the same functionality without the security risk that is present if the CHD is retained.

TrueTokenization provides full support for:

  • Book & Ship
  • Credits
  • Incremental Authorizations
  • Multiple Charges on a Single Invoice
  • Recurring Billing
  • Card on File
  • Tips & Open Tabs

With TrueTokenization, merchants no longer need CHD past the initial electronic payment authorization request, so there is no reason to store this potentially hazardous information. Instead, when a transaction is authorized, Shift4 replaces CHD on the POS system or Property Management System (PMS) with a 16-character, globally unique, randomized, alphanumeric representation of the data called a "TrueToken."

A TrueToken

A TrueToken is a unique ID created to reference the actual data associated with a specific transaction. Because no encryption key management remains with the merchant, the only place a TrueToken can be decrypted is at the Shift4 DOLLARS ON THE NET gateway. The real CHD is securely stored in Shift4's PCI-compliant data centers. A TrueToken spans the lifetime of a transaction, so it provides all the same business functionalities merchants expect. If an adjustment or additional authorization is necessary, the token is sent to Shift4, which then translates it, obtains an authorization code from the processor, and returns the code with the token back to the merchant.

A TrueToken is constructed to include the last four digits of the card number it references, so all PMS and POS system reports remain fully functional. The DOLLARS ON THE NET gateway also retains up to a 24-month archive of the merchant's detailed transaction history to be used for auditing, chargeback defense, or other requests for information. All of this state-of-the-art functionality is included in the DOLLARS ON THE NET service at no additional charge.
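The flow described above, as an added example that is not Shift4's code or its actual token format: the `GatewayVault` class, the layout of 12 random characters followed by the last four digits, the lookup-table mapping, and the stubbed processor call are all assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LEN = 16  # the page specifies a 16-character alphanumeric token


class GatewayVault:
    """Stands in for the gateway: the only component that holds the card number."""

    def __init__(self):
        self._vault = {}  # token -> card number; never sent to the merchant

    def _new_token(self, pan):
        # Assumed layout: random prefix, then the card's last four digits.
        while True:
            prefix = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN - 4))
            token = prefix + pan[-4:]
            if token not in self._vault:  # enforce uniqueness inside the vault
                return token

    def authorize(self, pan, amount_cents):
        """Initial authorization: the card number comes in, only a token goes back."""
        token = self._new_token(pan)
        self._vault[token] = pan
        return {"token": token, "auth_code": self._processor(pan, amount_cents)}

    def follow_up(self, token, amount_cents):
        """Tip, incremental authorization or credit: the merchant sends the token."""
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"token": token, "auth_code": self._processor(pan, amount_cents)}

    @staticmethod
    def _processor(pan, amount_cents):
        # Placeholder for the processor round trip; returns a constructed code.
        return secrets.token_hex(3).upper()


def merchant_demo():
    gateway = GatewayVault()
    test_pan = "4111111111111111"  # constructed test number, not a real card
    first = gateway.authorize(test_pan, 2500)
    # Everything the POS/PMS keeps after authorization: no card number.
    merchant_record = {"invoice": "INV-1", "token": first["token"]}
    tip = gateway.follow_up(merchant_record["token"], 500)
    return merchant_record, tip
```
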

With TrueTokenization, the burden of storing and protecting the CHD lies with the gateway, where it should be. For the merchant, the implementation of TrueTokenization is a seamless transition that provides real security while saving time, money, and resources, as well as helping to simplify PCI compliance. TrueTokenization assures that data is taken out of the scope of PCI or State and Federal Law.

TrueTokenization: Because Encryption is Not Enough

The Merchant Perspective

If a merchant has cardholder data - encrypted or not - on their system and it is breached (logically) or stolen (physically), the merchant is required to report that breach to their bank, to the card associations, and under various state and federal non-public information laws, to the government. Some states even require that the merchant report the breach to individual cardholders.

The costs associated with a breach are immense, regardless of whether or not the data lost was encrypted. The damage to the company's brand alone can negatively impact sales to a degree that is not even measurable. Add to that significant bank fines and the communication costs to inform customers. And even if the merchant can absorb all of the above costs, from the time of the breach forward the merchant is considered to be a Level 1 merchant and is required to pass a security audit every year thereafter.

With TrueTokenization, the merchant maintains no card data. So even if the merchant's system is breached or stolen, there is no reporting requirement. No card data means no reporting, no brand damage, no bank fines, no cost of informing customers, and no audit requirement as a Level 1 merchant.

Additional Information

Click to read about TrueTokenization from a Tech Developer perspective.

For a more detailed look at Tokenization and its advantages over encryption for storing CHD, request a copy of the Tokenization in Depth white paper by calling our sales department at (702) 597-2480 and selecting option 3.

Hear what Chris Mark of The Aegenis Group has to say about Shift4's Tokenization solution in these YouTube videos.

