Have you ever wondered how a business, service or website is able to put your card on file, so it can be used for future purchases, returns, or ongoing subscriptions with automatic periodic billing? Surely, a business would be foolish to actually store your card information. (Stop calling me Shirley) So how does this work?
A Little Credit Card History
Well, in the past, businesses did just that -- they stored your credit card information. Your name, your card number, the expiration date, and even your CVV code. How they stored it was also a big problem, and this persists even today. Storage ranged from sophisticated, encrypted and isolated computers and databases to handwritten notes stuffed into a drawer. While some storage methods were arguably more secure than others, the problem still existed -- someone other than you and your bank was holding onto your card info. And if you watch the news for more than 10 minutes, you'll probably run across a data breach that spilled out millions of credit cards. Not good.
Fortunately, in December 2004, American Express, Discover, JCB International, Mastercard and Visa jointly released the first version of PCI DSS, the Payment Card Industry Data Security Standard, and in 2006 the same five brands founded the PCI Security Standards Council to maintain it. PCI DSS is a set of security requirements that every merchant and payment processing organization handling card data is expected to comply with. The council and its standard have evolved over the years to keep up with new technology and threats, and ultimately to help merchants protect cardholders (you and me) against fraud. While many businesses are PCI compliant, many are not. As such, it is in your interest to ask questions, use common sense, and avoid letting businesses you don't trust hold onto your card information.
That said, how are PCI-compliant businesses able to "store" your card information for future billing? Let me introduce you to our good friend, Tokenization.
What is Tokenization?
Tokenization sounds technical, and it is, but it boils down to a very simple idea -- let's replace some important information with a simple placeholder.
For example, let's take the info on a credit card (the number, the name, the expiration, and the CVV code) and replace it with a placeholder such as XYZ123ABC. This new value is called a "token". It is purposefully unique (no two cards ever get the same token), it is random rather than derived from the card number, so it cannot be reversed back into the card, and by itself it is worthless to anyone but the business it was issued to. One detail worth knowing: the CVV is used only to verify the card the first time, and it is never stored afterwards by anyone, not even the payment processor, because PCI DSS forbids keeping it once the card has been authorized. That's it! We've tokenized a credit card.
Wait a second, there's gotta be more to it than that.
Okay, you're right, there's a bit more.
When a business wants to "store" your card information, the full process looks like this:
- Your card info is entered into a temporary form that is neither saved nor logged (in the best integrations, the form posts directly from your browser to the payment processor, so the business' own servers never see the card at all)
- Your card info is transmitted over an encrypted connection to the business' payment processor (or bank) along with a request for a token for the card
- The payment processor verifies the card, generates a unique random token, and makes an entry in its vault with your card info and the business that requested the token; the CVV is checked once and then discarded
- The payment processor transmits only the token back to the business
- The business stores the token next to your customer account and discards the form data you entered in step one
All of these steps take mere milliseconds, and the end result is that the business' computers, logs and employees have none of your card information. Instead, the payment processor (with bank-level security) holds the card info in an encrypted and heavily protected vault -- literally with a level of security that most businesses would not be able to achieve nor afford.
When the business needs to bill you or you want to use your card that is on file, all the business needs to do is send the token and the amount to the payment processor. The business has no card info, the card info is no longer being transmitted, and life is good.
What if the business is attacked or has a data breach?
Here's the great part. If the tokens that the business is holding are somehow stolen, the tokens only work for the business they were issued to, and only when presented with that business' own credentials for the payment processor. In short, a thief couldn't steal a token from Netflix and use it to buy something on Amazon - it just doesn't work that way. Additionally, the business ties each token to a specific customer account on its side, so an attacker can't use your Amazon token with a different Amazon account. The one thing a business must guard as carefully as the tokens is its processor credentials: a thief who steals both could bill the stolen tokens through the business' own account, which is why those credentials are kept out of application code, logs and backups.
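To make the steps above concrete, here is an added example (not code from this article or from any real payment processor) that models the exchange in Python: a toy processor with a token vault, two merchants that hold only tokens, a charge made with a token, and the failure case from this section, where a token dumped from one merchant is presented by another. The merchant names, API keys, the `tok_` token format and the method names are all assumptions made for the illustration; the card number is a published Visa test number, not a real account.

```python
from __future__ import annotations

import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 checksum that every real card number passes; catches typos early."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class Processor:
    """Stands in for the payment processor. Card data lives only here."""

    def __init__(self, merchants: dict[str, str]):
        self._api_keys = merchants           # merchant_id -> API key (assumed)
        self._vault: dict[str, dict] = {}    # token -> stored card record

    def _authenticate(self, merchant_id: str, api_key: str) -> None:
        expected = self._api_keys.get(merchant_id)
        if expected is None or not hmac.compare_digest(expected, api_key):
            raise PermissionError("bad merchant credentials")

    def tokenize(self, merchant_id, api_key, pan, exp, name, cvv) -> str:
        self._authenticate(merchant_id, api_key)
        if not luhn_ok(pan):
            raise ValueError("card number fails checksum")
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("bad security code")
        # The CVV is verified for this one request and then dropped; PCI DSS
        # forbids storing it after authorization, even at the processor.
        del cvv
        # The token is random, not derived from the card number, so it cannot
        # be reversed. The loop rules out the (astronomically unlikely) reuse.
        while True:
            token = "tok_" + secrets.token_urlsafe(16)
            if token not in self._vault:
                break
        self._vault[token] = {"merchant_id": merchant_id, "pan": pan,
                              "exp": exp, "name": name}
        return token

    def charge(self, merchant_id, api_key, token, amount_cents) -> dict:
        self._authenticate(merchant_id, api_key)
        record = self._vault.get(token)
        # The token is bound to the merchant that requested it: a token stolen
        # from one merchant is rejected when another merchant presents it.
        if record is None or record["merchant_id"] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        return {"approved": True, "amount_cents": amount_cents,
                "last4": record["pan"][-4:]}

    def vault_contains(self, needle: str) -> bool:
        """Inspection hook for the demo: is this string anywhere in the vault?"""
        return any(needle in str(rec) for rec in self._vault.values())


class Merchant:
    """The business. It keeps only the token next to each customer account."""

    def __init__(self, merchant_id: str, api_key: str, processor: Processor):
        self.merchant_id, self._api_key, self._processor = merchant_id, api_key, processor
        self.customers: dict[str, str] = {}   # customer -> token, no card data

    def save_card(self, customer, pan, exp, name, cvv) -> str:
        token = self._processor.tokenize(self.merchant_id, self._api_key,
                                         pan, exp, name, cvv)
        self.customers[customer] = token      # the form fields end here
        return token

    def bill(self, customer, amount_cents) -> dict:
        return self._processor.charge(self.merchant_id, self._api_key,
                                      self.customers[customer], amount_cents)


def demo() -> dict:
    """Run the article's steps and report what each party ends up holding."""
    keys = {"netflix": secrets.token_hex(16), "amazon": secrets.token_hex(16)}
    processor = Processor(keys)
    netflix = Merchant("netflix", keys["netflix"], processor)

    pan = "4111111111111111"                  # constructed: published test number
    token = netflix.save_card("alice", pan, "12/29", "Alice Example", "987")
    receipt = netflix.bill("alice", 1599)     # next month's subscription

    # Someone who dumped Netflix's database has the token. Try it at Amazon.
    try:
        processor.charge("amazon", keys["amazon"], token, 9999)
        stolen_token_works_elsewhere = True
    except PermissionError:
        stolen_token_works_elsewhere = False

    return {"token": token,
            "merchant_holds_pan": pan in str(netflix.customers),
            "vault_holds_cvv": processor.vault_contains("987"),
            "receipt": receipt,
            "stolen_token_works_elsewhere": stolen_token_works_elsewhere}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In this toy the card data still passes through `Merchant.save_card`, which matches step two of the article's list; the hosted-form integrations most processors offer go one step further and have the customer's browser post the card straight to the processor, so the merchant's server only ever receives the token.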
In summary, credit card tokenization is one of the most effective practices for meeting PCI DSS requirements, because it keeps card data out of a merchant's systems entirely, and Milwaukee PC uses it. You can rest assured that MPC is working hard to keep your private information private.
If you're a business that is looking for help with properly securing on-premises and/or online payments, please reach out to our MPC Web Division, which specializes in websites, web apps, software development, and payment processing; or one of our MPC B2B teams. Remember: PCI compliance is a vital part of your business! The fines and reputation damage from a breach can be business-ending.
Want to learn more about PCI-DSS? Peer down the PCI Compliance rabbit hole at Wikipedia.
Here are some additional credit card tips:
- Never email credit card information - email is inherently insecure and leaves a trail
- Never give your card information to someone who calls you out of the blue; it's likely a scam
- It's sometimes unavoidable, but businesses are not supposed to keep call recordings that capture your card number, and they are never allowed to keep a recording of your security code
- A trusted online payment method is typically more secure than handing your card to someone, faxing it, or otherwise giving someone the opportunity to copy or photograph it -- with a properly secured online payment, the connection is encrypted end to end, and only the payment processor/bank "sees" the card
- Be aware that card skimmers exist, and learn how to spot one (a loose, bulky or mismatched card slot, or a reader that looks tampered with)
- Want an extra layer of protection? Try a virtual "burner" card service such as Privacy.com