From the July-August 2010 issue of Treasury & Risk magazine

Data Goes Incognito

New tokenization technology lets companies substitute unrelated numbers that can't be linked back to customers' credit cards.


Companies pay dearly for data breaches that allow customers' credit card numbers to fall into the wrong hands. At the same time, complying with the security standards established by the credit card industry can carry a hefty price tag. Some businesses have decided that the safest and cheapest way to deal with credit card data is to eliminate it. They are using tokenization, a process in which a credit card number is replaced with a substitute number, called a token, that can't be linked back to the original card number. The credit card numbers may be held by the tokenization vendor or stored in one central, secure location at the company.

Jeff Abrams, continuous improvement process manager at Hill-Rom Holdings, a $1.3 billion manufacturer of hospital beds and other medical equipment in Batesville, Ind., says the need to comply with the Payment Card Industry Data Security Standard (PCI DSS) drove the company's adoption of tokenization.

The share of Hill-Rom's revenue transacted using credit cards has risen to 12%, up from about 2% five years ago, yet the company's procedures for handling cards were inconsistent, reflecting a number of different legacy systems. Though Hill-Rom had never had a data breach, when an outside consultant compared its practices with the PCI standards, "it was very alarming how many holes we had," Abrams says. "But the fixes they were suggesting were just astronomical in cost." The suggested solution involved moving Hill-Rom's J.D. Edwards enterprise resource planning system to a server of its own at an estimated cost of more than $1 million.

Instead Hill-Rom decided to outsource its payments processing and adopt tokenization at the same time. It turned to 3 Delta Systems, a Chantilly, Va.-based third-party processor and tokenization vendor. Under the new system, just a few people at Hill-Rom can accept customer credit card numbers; those employees immediately call 3 Delta to obtain a token that substitutes for the credit card number in Hill-Rom's systems and can be used for things like charge-backs. The credit card numbers are stored by 3 Delta.

"What we're doing here, some people might think that's a little bit of an extreme," says Tony Iskander, manager of global treasury at Hill-Rom. "But there's probably no way you can put a value on keeping a clean name."

Tokenization not only saved Hill-Rom the cost of complying with PCI DSS, it guards the company against the cost of a data breach, which Abrams estimates could total $4.5 million, based on Ponemon Institute data. (The latest Ponemon study found that in 2009, data breaches cost an average of $204 for each customer record stolen, and the average total cost per incident was $6.75 million.)

Iskander says moving to a single system that outsources processing to 3 Delta has had the additional benefit of getting Hill-Rom much more favorable interchange fees. He estimates the lower fees saved the company about $500,000 last year.

Aaron Bills, the founder and chief operating officer of 3 Delta Systems, says the business-to-business model reflects an assumption that a company and its customers will be doing business on an ongoing basis, a model that makes it useful to have a credit card on file. "However, as you increase your store of these cards on file, you increase your risk of data loss and your PCI reporting and risk mitigation requirements," Bills says. By using a token, "you get all the benefit of that recurring access to payment data, but you no longer build the proportional risk by storing it yourself."

"One of our mantras is, if you don't need the data, don't store it," says Bob Russo, general manager of the PCI Security Standards Council. "What you're doing by adding tokenization or encryption or any other kind of technology is adding layers to your security. And obviously, the more layers you have, the more secure you're going to be."

Analysts say they're seeing more and more interest in tokenization, and link much of that to the cost of complying with PCI DSS. Compliance involves a set of questionnaires; outside security auditors do the assessments for big merchants, while companies with fewer credit card transactions can self-administer the questionnaires.

There's no comprehensive data on what compliance costs, but a Gartner Research report on NCR's use of tokenization calculates that the company avoided having to spend more than $3 million on IT development to bring itself into compliance. Gary Palgon, vice president of product management at nuBridges, an Atlanta-based tokenization vendor, says tokenization allowed one of nuBridge's customers, an online retailer, to concentrate card data in just eight of its systems, down from the 88 systems that previously held card data, a move that Palgon says sliced $225,000 off the company's annual audit costs.

Analysts warn that while tokenization may reduce the work involved in PCI compliance, it doesn't eliminate the need to comply. "You still have to keep checking that all the [personally identifiable information] is out of the other servers," says Robert Vamosi, an analyst covering security, risk and fraud at Javelin Strategy & Research in Pleasanton, Calif.

At this point, there are no standards related to the use of tokenization, but the PCI Security Standards Council plans to release guidance later this year.

Given that this is relatively new technology, says Avivah Litan, a vice president and analyst at Gartner Research, companies that are considering using tokenization should check whether the algorithm a vendor uses to produce the token has been vetted by the security community. "If the company can't determine the security of the algorithm, they need to get good references," Litan says.

"You want to find out how they're doing the tokenization," echoes Javelin's Vamosi. "There should be no mathematical way that you can take the token, perform some calculation and arrive at the credit card number."

Vamosi also says that companies should take into account the fact that some tokenization vendors specialize in different industries and might be more or less familiar with certain credit card issues.

While the current interest in tokenization centers on securing credit card data, the technology can also be used for data ranging from Social Security numbers and passport numbers to personal health records. "In the last 18 months, we've seen our customers using it for other types of data," says nuBridges' Palgon, adding that the recent HITECH legislation, which adds bite to enforcement of HIPAA's rules on ensuring the privacy of health records, has fueled interest in using tokenization for health records. And Pro Pay, a Utah-based credit card processor and tokenization provider, recently expanded its services to include tokenization and encryption of Automated Clearing House data.

Comments