Tokenisation: maximising security around sensitive information
Customer information security must become a top priority for merchants, especially with fraud instances on the rise. There are plenty of ways to protect sensitive information, some more effective than others. Therefore, merchants need to be careful when implementing their payment systems. One of the preferred methods of securing personal data is tokenisation.
Tokenisation is a process designed to maximise the security of information stored in a database. An important and meaningful piece of data, such as a primary account number (PAN), is replaced with a non-sensitive, randomly generated set of characters: the token.
Since tokenisation is often mentioned alongside encryption, it is useful to make a clear distinction between the two security processes. Unlike an encrypted value, a token is not derived from the PAN by any mathematical operation or algorithm; it has no computable relationship to the original data. A token therefore cannot simply be reversed or guessed by an attacker, which is why it is the preferred form for use in payment processes.
Once tokens are generated from the original data, they are kept in a token vault, the only place where the link between the sensitive data and the token is established. Systems outside the vault handle only the token.
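The following is an added illustration of the vault model described above; it is example code, not part of the original article or of any particular vendor's product. It assumes an in-memory dictionary stands in for the vault, that tokens are drawn from the operating system's cryptographically secure random source so they bear no mathematical relationship to the PAN, and that the merchant-side record keeps only the token plus the last four digits for display. The PAN used is the well-known test number 4111111111111111, not a real card.

```python
import secrets
import string
from typing import Dict, Optional

# Token alphabet: upper-case letters and digits, drawn via secrets (CSPRNG).
ALPHABET = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Cheap syntactic check before tokenising: all digits, 12-19 long, Luhn checksum OK."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative in-memory token vault: the ONLY place that maps token <-> PAN.

    In a real deployment this store lives inside the PCI-scoped zone (or at a
    payment provider) and PANs in it would be encrypted at rest; the merchant's
    own systems never call detokenize().
    """

    def __init__(self, token_length: int = 16) -> None:
        self.token_length = token_length
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def _new_token(self) -> str:
        # secrets.choice draws from the OS CSPRNG, so the token is random and
        # not derived from the PAN in any way; loop guards against collisions.
        while True:
            body = "".join(secrets.choice(ALPHABET) for _ in range(self.token_length))
            token = "tok_" + body
            if token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        # Re-use the existing token so repeat payments with the same card are
        # linkable by token alone, without the merchant ever seeing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = self._new_token()
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Vault-internal lookup; returns None for unknown tokens."""
        return self._token_to_pan.get(token)


def masked(pan: str) -> str:
    """What a merchant may keep beside the token for receipts: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """Build the record a merchant database stores: token and masked PAN, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": masked(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, "4111111111111111")   # constructed test PAN
    print(record)
    # Only the vault can go back to the PAN:
    print(vault.detokenize(record["token"]))
```

The design choice worth noting is that the merchant record contains nothing an attacker could turn back into a card number: the token is random, and the masked string is exactly what already appears on a printed receipt. Compromise of the merchant database therefore yields no PANs, which is what takes those systems out of scope for card-data handling.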
The Payment Card Industry (PCI) has established the use of tokens as one of the most effective ways of complying with its security standards and reducing the risk of incurring fines. Instructions on tokenisation by the PCI can be accessed here. The PCI Security Standards aim to enhance payment security for both consumers and merchants.
Furthermore, merchants must keep up to date with the upcoming General Data Protection Regulation (GDPR), which comes into force in 2018. GDPR will be a game changer for information security. Before its introduction, fines for breaching data protection rules could go up to £500,000. Soon, however, companies which fail GDPR compliance could face fines of up to €20m or 4% of worldwide turnover, whichever is higher.
It is crucial to note that GDPR applies to any company handling its customers’ personal information; thus, the entire retail chain is subject to its ruling. Ignorance of the terms of GDPR can be severely harmful to retailers and companies alike. City AM reported that 18% of small businesses would be at risk of insolvency if they were fined for non-compliance.