Though an extremely effective solution to a very specific problem, tokenization is more of a single piece of the security puzzle than the end-all of stopping data theft and credit card fraud.
Tokenization doesn’t guard against card skimmers, and it is not intended to be used as an alternative to EMV. Additionally, this security measure doesn’t add any greater validation of the sale than what is already there.
Merchants might also be reluctant to handing over their customer data to a tokenization provider. Merchants fear tokenization because they fear giving up control of what they consider to be their own data, according to Rick Lynch, Verifi's senior vice president of business development.
Some providers have made it difficult for a merchant to retrieve their original data once it has been tokenized, which can be a problem if the merchant no longer wishes to use the service or wants to switch providers.
Perhaps one of the biggest hurdles for widespread tokenization practice is the cost of implementation. Major companies might have the means to add it to their security protocol, but many medium and small merchants simply aren’t able to afford the added cost of tokenization. The merchant is then faced with a less-than-ideal decision: go without or pass the cost on to the consumer. Both positions come with their share of problems.
Those who go without face increased security risk to their customers’ information, and a breach could mean losing customers on a grand scale. On the other hand, raising prices will force customers to seek alternatives, again, potentially meaning the loss of a great deal of business.
Some merchants seek out cheaper custom variations of tokenization technologies, which might not be nearly as secure. The landscape has been muddled with many different systems, which will cost more in the long run to rein in.
A closer look at the books, however, could reveal that It might make more sense to spend the extra money now to avoid a major hemorrhage later—essentially viewing the cost of tokenization like an insurance cost. Because it eliminates the need for merchants to actually store credit card data, tokenization can also significantly reduce PCI scope, which also means lower operational costs.
In addition to eliminating sensitive data from the merchant’s environment, tokenization can also help decrease instances of fraud and chargebacks that come from unauthorized use of credit or debit cards. A reduction in chargeback expenses—from issuing refunds for an otherwise valid sale to chargeback representment costs to fees and penalties incurred as a result of an increased chargeback rate—can more than make up for the added expense of a proper tokenization adoption.
However, this reduction in chargebacks as a direct result of tokenization isn’t something that will be seen until there is a grand-scale adoption.
Tokenization is a tool that should be combined with data encryption to meet data security best practices. It is a versatile security measure that can be applied to any transaction method that uses a credit or debit card, including emerging new payment methods such as mobile wallets. The best bet is a multilayered security strategy that makes use of various tactics, platforms and experts that protect merchants and their customers throughout the entire transaction lifecycle.
These solutions often give merchants better insight into what’s working and what isn’t in terms of their security, and ways to detect fraud, resolve disputes early and avoid and reduce chargebacks.
Matthew Katz is CEO at Verifi.
