March 6, 2012
Executive Insight: All or Nothing Tokenization
Are you the all-or-nothing type? Are you the type that can’t even get started if you know going in that 100% success is an impossibility? Many people take this view with tokenization, but let me tell you why that’s a dangerous position to support.
First, let’s look at an example. Suppose a hotel company’s central reservation system (CRS) tokenizes all the cards used at its domestic properties but, for whatever reason, cannot tokenize the cards used at its international locations. Real card numbers will still be stored in the CRS, so the CRS remains in PCI scope. Is the effort of tokenizing whatever data you can still worthwhile?
To those who would say no, I have to ask why you considered tokenization in the first place. Was it just to simplify PCI, or did you actually hope to increase your security and lessen your breach profile? Those who give up on tokenization simply because they have a few records that can’t be tokenized usually fall into the former camp.
Remember that the ultimate goal of tokenization, at least in our opinion (and being that we invented it, it’s a pretty definitive opinion), is to remove sensitive cardholder data (CHD) from the merchant’s system in order to lower their breach profile and remove the risk of data loss should a breach occur. Sure, this action often simplifies PCI compliance issues, and that’s a fringe benefit we’re quite proud of (and quick to promote in our marketing materials). But, if you’re in the situation where the PCI benefits may not be fully realized, that should in no way discount the significantly lower breach profile, and the drastic reduction in potential liability you’ll see by tokenizing as many records as possible.
The card brands have specific requirements for the number of cards that must be compromised in order to consider it a breach. While they vary by brand, it is almost always a substantial amount. So, if you tokenize enough of your records, you may even be able to avoid being labeled as “breached” altogether. If your international cards (or whatever other cards you have that cannot be tokenized) are the only ones possibly compromisable, you may well remain below that threshold – especially if only a portion of your database is breached.
Even in the worst-case scenario, in which your entire database is breached and you are found liable, there are still positives to having made the attempt to tokenize. First, on the PR side, you can tell your clients that you made considerable efforts to secure your data, investing time and resources into tokenizing every account that could be tokenized (that won’t entirely stem the tide of public opinion, but it will go a long way to help). Second, because a “true” token is a random surrogate that has no mathematical relationship to the actual card data and cannot be reversed without the tokenization provider’s vault, tokens do not count as CHD, and you will not be liable for their theft. Instead, you’ll only face the fees and fines associated with the few records that still contained actual CHD.
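To make the hotel scenario concrete, here is an added example (not the page’s or Shift4’s own code) of vault-style tokenization applied to a reservation store where only domestic records may be tokenized, followed by a sweep for whatever real card numbers remain. The in-memory vault, the record layout, the domestic_only policy function and the test card numbers are all assumptions constructed for the example; in production the vault lives with the tokenization provider, not in the merchant’s CRS.

```python
"""Vault-style tokenization of a hotel reservation store, plus a sweep for
residual card numbers (PANs).

Hypothetical example: an in-memory dict stands in for the tokenization
provider's vault, and the reservation records are constructed from public
test card numbers, not real cardholder data.
"""
import re
import secrets

# Candidate PAN: 13-19 consecutive digits on a word boundary.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check. Every real PAN passes it, so it is the cheap filter for
    'does this digit string look like a card number'."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """A 'true' token is a random surrogate with no mathematical relationship
    to the PAN. The only way back is this lookup table, which in practice is
    held by the tokenization provider, not by the merchant's CRS."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize a value that is not a PAN")
        if pan in self._token_by_pan:   # same card -> same token, so reporting still works
            return self._token_by_pan[pan]
        while True:
            token = f"{secrets.randbelow(10 ** 16):016d}"
            # Design choice (assumption): reject candidates that pass Luhn, so a
            # token can never be mistaken for a card number by a PAN scanner or
            # a human, and reject the rare collision with an existing token.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def tokenize_reservations(vault, reservations, policy):
    """Return a copy of the records with the 'card' field tokenized wherever
    policy(record) is true; records the policy refuses keep their real PAN."""
    out = []
    for rec in reservations:
        rec = dict(rec)
        if policy(rec):
            rec["card"] = vault.tokenize(rec["card"])
        out.append(rec)
    return out


def residual_pans(reservations):
    """Sweep every string field of every record for values that still look
    like a real PAN. Returns (record index, field name) pairs: the data that
    keeps the store in PCI scope and would be lost in a breach."""
    hits = []
    for i, rec in enumerate(reservations):
        for field, value in rec.items():
            if isinstance(value, str):
                for m in PAN_RE.finditer(value):
                    if luhn_valid(m.group()):
                        hits.append((i, field))
    return hits


def domestic_only(rec) -> bool:
    """Policy modelling the scenario: domestic properties can be tokenized,
    international ones cannot."""
    return rec["region"] == "domestic"


# Constructed sample data: public test card numbers, not real cardholder data.
SAMPLE_RESERVATIONS = [
    {"property": "NYC-01", "region": "domestic", "card": "4111111111111111"},
    {"property": "LAX-02", "region": "domestic", "card": "5555555555554444",
     "notes": "guest read card 4012888888881881 over the phone"},
    {"property": "NYC-01", "region": "domestic", "card": "4111111111111111"},
    {"property": "LHR-01", "region": "international", "card": "378282246310005"},
    {"property": "CDG-01", "region": "international", "card": "6011111111111117"},
]


if __name__ == "__main__":
    vault = TokenVault()
    before = residual_pans(SAMPLE_RESERVATIONS)
    after = residual_pans(tokenize_reservations(vault, SAMPLE_RESERVATIONS, domestic_only))
    print(f"PAN-bearing fields before tokenization: {len(before)}")
    print(f"PAN-bearing fields after tokenization:  {len(after)} -> {after}")
```

Two points worth noticing when you run it. The tokens are generated so that they fail the Luhn check, which means the same sweep that finds real PANs ignores them, and nobody can confuse a token for a card number. More importantly, the sweep catches a PAN that a guest read over the phone and an agent typed into a free-text notes field on a domestic record; tokenizing the card column never touched it. That residual scan, not the tokenization project plan, is what tells you which fields still hold CHD and keep the CRS in scope.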
Ultimately, there is no silver bullet to card data security. There is no all-or-nothing answer to the question of how to secure CHD; and that’s why all-or-nothing demands on a solution are both unwise and impractical. Do the best you can with what you have available to you. Big or small, it will pay off in the long run.