Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

By Sue Zloth

Last fall the PCI Council announced guidance on point-to-point encryption (P2PE) to help merchants protect their customers’ payment card information. Since then, merchants have had P2PE implementation on their minds.

Recently I’ve been a part of a working group that is evaluating technologies and determining the best ones to secure payment transactions and help reduce scope for PCI. One thing that’s becoming clear is that tokenization cannot be left out of the mix.

As a part of the PCI Special Interest Group (SIG) on tokenization, I’ve been evaluating this technology and offering recommendations for guidance. Although the guidance won’t be out until late spring, I wanted to share some educational information about tokenization that could benefit our readers.

Each week, I’ll post an article about what tokenization is, the types of tokenization, its benefits for merchants and some simple considerations before implementing a tokenization solution.


So what is tokenization?

In its simplest form, tokenization is data substitution.

What does that mean? Well, let’s say that you have the following credit card number:

4467 9388 2077 1234

(Don’t worry, I made this number up).

Hypothetically, if this card number were stolen, it would have significant value to the thief. The bad guy could sell your number to other bad guys or could simply use your credit card to buy things on your dime.

However, if that same credit card number were tokenized, the real numbers would be replaced by other numbers that have no value at all. The resulting token is worthless to anyone who steals it:

1234 5678 9012 1234

This way, if the tokenized number is stolen, it can’t be used to make purchases and would be of no use to the bad guys.

It is impossible for a thief to crack the code and derive the real credit card number from the token. The real credit card information is sent to a centralized and highly secure server to be stored.

Next up in this series: Token Types


Written by Merchant Link Staff


