"What we're doing here, some people might think that's a little bit of an extreme," says Tony Iskander, manager of global treasury at Hill-Rom. "But there's probably no way you can put a value on keeping a clean name."

Tokenization not only saved Hill-Rom the cost of complying with PCI DSS, it guards the company against the cost of a data breach, which Abrams estimates could total $4.5 million, based on Ponemon Institute data. (The latest Ponemon study found that in 2009, data breaches cost an average of $204 for each customer record stolen, and the average total cost per incident was $6.75 million.)

Iskander says moving to a single system that outsources processing to 3 Delta has had the additional benefit of getting Hill-Rom much more favorable interchange fees. He estimates the lower fees saved the company about $500,000 last year.

Aaron Bills, the founder and chief operating officer of 3 Delta Systems, says the business-to-business model reflects an assumption that a company and its customers will be doing business on an ongoing basis, a model that makes it useful to have a credit card on file. "However, as you increase your store of these cards on file, you increase your risk of data loss and your PCI reporting and risk mitigation requirements," Bills says. By using a token, "you get all the benefit of that recurring access to payment data, but you no longer build the proportional risk by storing it yourself."

"One of our mantras is, if you don't need the data, don't store it," says Bob Russo, general manager of the PCI Security Standards Council. "What you're doing by adding tokenization or encryption or any other kind of technology is adding layers to your security. And obviously, the more layers you have, the more secure you're going to be."

Analysts say they're seeing more and more interest in tokenization, and link much of that to the cost of complying with PCI DSS. Compliance involves a set of questionnaires; outside security auditors do the assessments for big merchants, while companies with fewer credit card transactions can self-administer the questionnaires.

There's no comprehensive data on what compliance costs, but a Gartner Research report on NCR's use of tokenization calculates that the company avoided having to spend more than $3 million on IT development to bring itself into compliance. Gary Palgon, vice president of product management at nuBridges, an Atlanta-based tokenization vendor, says tokenization allowed one of nuBridge's customers, an online retailer, to concentrate card data in just eight of its systems, down from the 88 systems that previously held card data, a move that Palgon says sliced $225,000 off the company's annual audit costs.

Analysts warn that while tokenization may reduce the work involved in PCI compliance, it doesn't eliminate the need to comply. "You still have to keep checking that all the [personally identifiable information] is out of the other servers," says Robert Vamosi, an analyst covering security, risk and fraud at Javelin Strategy & Research in Pleasanton, Calif.

At this point, there are no standards related to the use of tokenization, but the PCI Security Standards Council plans to release guidance later this year.

Given that this is relatively new technology, says Avivah Litan, a vice president and analyst at Gartner Research, companies that are considering using tokenization should check whether the algorithm a vendor uses to produce the token has been vetted by the security community. "If the company can't determine the security of the algorithm, they need to get good references," Litan says.

"You want to find out how they're doing the tokenization," echoes Javelin's Vamosi. "There should be no mathematical way that you can take the token, perform some calculation and arrive at the credit card number."

Vamosi also says that companies should take into account the fact that some tokenization vendors specialize in different industries and might be more or less familiar with certain credit card issues.

While the current interest in tokenization centers on securing credit card data, the technology can also be used for data ranging from Social Security numbers and passport numbers to personal health records. "In the last 18 months, we've seen our customers using it for other types of data," says nuBridges' Palgon, adding that the recent HITECH legislation, which adds bite to enforcement of HIPAA's rules on ensuring the privacy of health records, has fueled interest in using tokenization for health records. And Pro Pay, a Utah-based credit card processor and tokenization provider, recently expanded its services to include tokenization and encryption of Automated Clearing House data.