As you can imagine, the security technology that surrounds payment card industry (PCI) data is quite complex. It has to be, in order to prevent third parties from taking your guests’ sensitive data and using it for unwanted purposes.
While you could take a full course to learn how data encryption and data tokenization (two different things!) work, know that the latter is considered a better method of quickly securing a cardholder’s information. As such, tokenization is given a higher PCI compliance grade. That’s also why our signature product, TransForm, tokenizes and securely stores credit card information after each transaction is approved via the payment gateway.
But what is a token? As a hotelier, you may be more concerned about ADR, RevPAR and OTA commissions, but it doesn’t hurt to know just a morsel about the security software that protects your guests’ sensitive data.
Unlike encryption, which takes a piece of data (in this case, a credit card number and other associated details) and jumbles it according to an algorithmic key into ‘ciphertext’, a token is a randomly generated, alphanumeric string that acts only as an indexed reference point for the piece of data.
So, even if a really powerful computer can breach a cloud storage facility and can figure out an algorithmic key, it won’t matter because there’s nothing to decrypt. A token is ‘meaningless’ as they say. It’s just a point on a map but not the treasure itself.
Unlike encrypted data, a token can only be matched with, or mapped to, the original piece of data within a token vault, which often comes with its own additional layers of security beyond tokenization. This allows the token to be shared amongst third parties without compromising the sensitive information. With this procedure in place, tokenization presents two powerful use cases for credit card payments.
First would be recurring transactions, in that the token can be accessed and shared by the cardholder or hotel team members through less secure channels without the original data ever leaving the token vault (which would make that sensitive information vulnerable to exposure or interception).
Second would be ‘prompts’ where a token value can be format-preserved so that a customer or merchant can get a hint at the sensitive information without revealing the full card. The most common example of this is the **** **** **** 1234 printed on a receipt or other document referencing the card. In this case, a server, front desk agent or sales manager is still only seeing a token which has its length preserved to be the same as the actual card and its format preserved so that the last four digits of the token are the same as those on the actual card.
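The token-vault mapping and the format-preserved token described above, as an added Python example (not TransForm's code). `TokenVault`, `receipt_mask` and the `caller_authorized` flag are hypothetical names, the in-memory dictionaries stand in for a hardened vault service, and the token here uses digits only so that it keeps the card's length and format.

```python
import secrets


class TokenVault:
    """In-memory stand-in for a token vault (hypothetical names throughout)."""

    def __init__(self):
        self._token_to_card = {}  # the only place a token maps back to a card
        self._card_to_token = {}  # lets a recurring charge reuse one token

    def tokenize(self, card_number: str) -> str:
        digits = card_number.replace(" ", "").replace("-", "")
        if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a card number")
        if digits in self._card_to_token:
            return self._card_to_token[digits]
        while True:
            # Random digits from the OS CSPRNG: nothing is derived from the
            # card number, so there is no key that could turn the token back.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]  # same length, same last four digits
            if token != digits and token not in self._token_to_card:
                break
        self._token_to_card[token] = digits
        self._card_to_token[digits] = token
        return token

    def detokenize(self, token: str, caller_authorized: bool = False) -> str:
        # Assumption: a real vault enforces authentication and access control
        # here; the boolean flag only marks where that check belongs.
        if not caller_authorized:
            raise PermissionError("only the vault may map a token to a card")
        return self._token_to_card[token]


def receipt_mask(token: str) -> str:
    """Build the receipt prompt from the token alone, never from the card."""
    masked = "*" * (len(token) - 4) + token[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")  # constructed test number
    print(token, receipt_mask(token))
```

Anything outside the vault, such as a front desk system or a printed receipt, handles only the token, so a copy of that data contains no card number to recover.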
All told, tokenization is a great tool for protecting credit card information and keeping cardholders safe from harm and fraud. Tokens are but one of many features that TransForm has to ensure maximum PCI compliance – ask us to see what other tools our platform comes with.