Accepting credit cards at your business is a necessity in today's economy. Making it easier and more convenient for your customers to pay not only provides better service but can also improve your bottom line. But accepting credit cards is not without risk. Minimizing merchant risk matters to card service providers as well, so Rick Montgomery of Northern Air Merchant Services has provided three tips on how you can work with your provider to reduce credit card risk.

Why Credit Cards are Risky

Credit cards are risky for merchants because card data is easily monetized by thieves, and merchants bear much of the risk of loss if that data is stolen, lost or exposed. To set industry-wide rules for handling card data, the Payment Card Industry Security Standards Council's Data Security Standard (PCI DSS) explicitly lists the requirements for protecting sensitive cardholder data.

In line with these mandates, several protective mechanisms have been developed to secure card data and prevent fraud. The goal of a layered solution (such as First Data's TransArmor) is to combine end-to-end encryption, which protects the card number while it travels from the point of sale to the processor, with tokenization, which replaces it for storage, so that cardholder data is protected both in transmission and at rest.

The costs of a cardholder data breach are substantial, and frequently the end of the line for a small merchant, which may not be able to absorb the tens or hundreds of thousands of dollars in forensic investigation fees and penalties that can follow an incident. According to the Ponemon Institute's annual U.S. study, the average organizational cost of a data breach rose to $7.2 million in 2010, or $214 per compromised record, up from $6.75 million and $204 per record in 2009. The card brands, acting through acquiring banks, are cracking down on non-compliant merchants and pushing them to implement the required data security controls.

1. PCI DSS compliance

The first step is the one the previous section describes: meet the PCI DSS requirements for protecting cardholder data. Any system in the merchant environment that stores, processes or transmits PANs is in scope for those requirements, so the fewer places card data touches, the smaller and cheaper the compliance effort, and the less there is to lose in a breach.

2. Use tokens to reduce security risk

Tokenization reduces security risk by removing sensitive card data from the merchant's systems and replacing it with tokens. The first time a particular card is used at a merchant with a tokenization solution, the card number is sent to a tokenization vault. The vault generates a unique token and maps it to the card number. From then on the merchant never needs to handle the card number again and can use the token for every business process that would otherwise have used the card, such as refunds or recurring billing. Every subsequent transaction with that card returns the same token, so the merchant can track an individual customer's spending over time, which makes the token a useful marketing tool as well. Well-designed tokens typically preserve the format of the original Primary Account Number (PAN) so that existing systems and processes need little modification. One caveat: a token that is stable per card is still a persistent identifier for a person, so although it is outside PCI scope it still falls under the merchant's privacy obligations.

In the case of First Data's TransArmor, the index table that relates each token to its PAN exists only inside First Data's processing environment. The token is built by generating the first 12 digits with a strong random number generator and appending the last four digits of the original PAN; because nothing in the token is derived from the rest of the PAN, it cannot be reverse-engineered or algorithmically decoded without access to the vault. The result looks like a card number but carries none of the financial value or risk. (The retained last four digits reveal no more than a printed receipt already does.)

Even if the tokens are stolen from the merchant's environment, the thieves will find that they are worthless: a token cannot be converted back to a PAN outside the processor's vault and cannot be presented as a card number anywhere else.
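The following is an added example, not First Data's code or anything from Northern Air Merchant Services, that models the tokenization flow described in this section. The TokenVault class is a hypothetical stand-in for the processor-side vault and MerchantDatabase for the merchant's own systems. It generalizes the 12-random-digits-plus-last-4 construction to any PAN length (a 16-digit PAN gives exactly 12 random digits plus the last four). Rejecting Luhn-valid tokens is a design choice made here so that a token can never pass as a real card number; the page does not say TransArmor does this. The card numbers are the industry's standard test numbers, not real accounts.

```python
"""Toy model of processor-side tokenization (added example; not vendor code)."""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and validate length and Luhn; raise on anything that is not a PAN."""
    pan = re.sub(r"\D", "", raw)
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan


class TokenVault:
    """Hypothetical processor-side vault. This is the only place the PAN-to-token table
    exists; the merchant never runs this code, it only calls tokenize() over the wire."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing            # same card always yields the same token
        while True:
            # Random leading digits from a CSPRNG plus the real last four: format-preserving,
            # but nothing in the token is computed from the rest of the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice for this example: reject collisions, the PAN itself, and any token
            # that would pass Luhn, so a token can never be mistaken for a live card number.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Processor-only operation, used at settlement; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


class MerchantDatabase:
    """What the merchant keeps: tokens and amounts, never PANs."""

    def __init__(self) -> None:
        self.orders: list[dict] = []

    def record_sale(self, token: str, amount_cents: int) -> None:
        self.orders.append({"token": token, "amount_cents": amount_cents})

    def spend_by_token(self) -> dict[str, int]:
        """The 'marketing tool': per-customer spend keyed by token rather than card number."""
        totals: dict[str, int] = {}
        for order in self.orders:
            totals[order["token"]] = totals.get(order["token"], 0) + order["amount_cents"]
        return totals

    def holds_pan(self, pan: str) -> bool:
        """Scope check: does the PAN appear anywhere in what the merchant stores?"""
        return pan in repr(self.orders)


def run_demo() -> tuple[TokenVault, MerchantDatabase]:
    """Three sales on two cards (constructed sample using standard test numbers)."""
    vault = TokenVault()            # lives at the processor
    merchant = MerchantDatabase()   # lives at the merchant
    sales = [
        ("4111 1111 1111 1111", 2599),
        ("5555 5555 5555 4444", 1200),
        ("4111-1111-1111-1111", 750),   # same card as the first sale, formatted differently
    ]
    for raw_pan, cents in sales:
        merchant.record_sale(vault.tokenize(raw_pan), cents)
    return vault, merchant


if __name__ == "__main__":
    vault, merchant = run_demo()
    for token, cents in merchant.spend_by_token().items():
        print(f"token {token} spent {cents / 100:.2f}; Luhn-valid? {luhn_valid(token)}")
```

Run it and note that the merchant's records contain only digit strings that fail the Luhn check and share the last four digits with the card. A copy of the merchant database gives a thief nothing to monetize, and only the processor's vault can map a token back to a PAN.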

3. Make sure you and your processor are addressing the risk of compromise

Some merchants have the misconception that as long as card numbers are held in a vault outside their environment, all liability shifts to the entity operating that vault. This is not necessarily true. Depending on who houses the tokenization vault and what level of indemnification is provided, merchants will almost certainly retain a proportional share of liability in the event of a breach. Select a service provider that is clearly qualified and willing to accept, as part of its everyday business, the security risk of protecting cardholder data; at minimum, ask for its current PCI DSS Attestation of Compliance covering the tokenization service and read the indemnification clauses of the contract. Some processors and providers also offer a warranty on the tokens, backed by the security architected into the system. Not every provider can offer this level of safeguard, so approach tokenization solutions with caution and perform proper due diligence before selecting one.

By requiring an extra step to monetize the data (conversion of the token back to the PAN, which happens only inside the processor at settlement time), the merchant both uses a more secure payment mechanism and transfers the risk of holding cardholder data upstream to its processor, the entity best equipped to handle it.

Summary

We have discussed some scary stuff. Taking cards for payment is risky, but tokenization lets merchants keep the value of customer intelligence while shedding the previously unavoidable risk of handling cardholder data and the compliance costs that come with it. If actual PAN (Primary Account Number) data is stored or transmitted inside the merchant environment, that environment is in scope for PCI DSS; encrypting the data does not take it out of scope unless the merchant has no means of decrypting it. By storing and using tokens instead, merchants can reduce their PCI compliance obligations dramatically. Furthermore, retention of encrypted PANs is time-limited (the author cites a current three-year ceiling; PCI DSS in general allows card data to be kept only as long as a documented business need justifies it), whereas tokens are not cardholder data and can be kept indefinitely for long-term trending, marketing and advertising, with all of the additional benefits described above. Why manage more risk, liability and cost than necessary? Get tokenized.

Rick Montgomery of Northern Air Merchant Services is a local provider of payment processing solutions for merchants in Wausau and north central Wisconsin. With years of experience in the industry and a local connection to the community, he will be a partner in helping your business succeed. Customer service is a top priority: he provides personal service and a direct connection by phone or email if you have questions.