Protecting customer payment information in the retail industry

Any retailer that accepts credit and debit cards as forms of payment must also take industry-approved measures to protect customer information. Typically, this means some form of encryption. However, the PCI Security Standards Council last year came up with guidelines for another method, known as "tokenization."

According to the council, it is "a process by which the primary account number (PAN) is replaced with a surrogate value called a token." Subsequently, "de-tokenization is the reverse process of redeeming a token for its associated PAN value."

Because the token is randomly generated rather than derived from the PAN with a key, as in standard encryption, there is no key a thief could obtain and use to turn the token back into the original PAN. An attacker would instead need access to the actual system in which the tokenization was performed.
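To make the council's two definitions concrete, the following Python sketch of a vault-style tokenization service is an added example; it is not code from the article, the council, or Crutchfield. The `TokenVault` class, the sample test card number, and the rule that a token must fail the Luhn check are my own assumptions about how such a service could be built, not a description of any vendor's product.

```python
import secrets

# Constructed sample value: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenization vault (hypothetical, for illustration only).

    The PAN-to-token mapping lives only inside this object; every other part of
    the retail system stores and passes around the token. Tokens are drawn from
    a CSPRNG, so no key exists that transforms a token back into a PAN.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a surrogate token of the same length."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._token_by_pan:        # same PAN -> same token, so reports
            return self._token_by_pan[pan]   # can still group activity by card
        last4 = pan[-4:]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + last4             # format-preserving: keep the last four
            # Assumed design choice: a token must not itself pass Luhn, so it can
            # never be mistaken for, or accidentally charged as, a real card number.
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Redeem a token for its PAN; only code running inside the vault can do this."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("token stored by the retailer:", tok)
    print("PAN recovered inside the vault:", vault.detokenize(tok))
```

The point of the example is the boundary it draws: the retailer's order database, reports, and logs hold only `tok`, while the original PAN is recoverable solely by calling `detokenize` on the vault, which is the "actual system" the text refers to and therefore the component that deserves the tightest access control and monitoring.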

Alex Belgard, an information engineer with electronics retailer Crutchfield Corp, explained in a recent Network World interview why his company is moving toward tokenization.

"[Belgard] also notes that the latest version of the Payment Card Industry (PCI) standard, which any business processing payment cards must follow, has some changes in it related to how to store an encrypted hash of a credit card that appear to add complexity to encryption use," the article said. "Since tokenization is also an accepted PCI security practice to protect credit and debit cards, Crutchfield decided the time was right to shift away from encryption for PCI data and toward tokenization."

Whether a company chooses to encrypt customer payment information via traditional methods or go the tokenization route, it should also be using software for credit card processing that can generate reports useful for monitoring anomalies. This includes information about voids, edits and other data that could indicate fraudulent activity.
