Companies pay dearly for data breaches that allow customers' credit card numbers to fall into the wrong hands. At the same time, complying with the security standards established by the credit card industry can carry a hefty price tag. Some businesses have decided that the safest and cheapest way to deal with credit card data is to eliminate it. They are using tokenization, a process in which a credit card number is replaced with a substitute number, called a token, that can't be linked back to the original card number. The credit card numbers may be held by the tokenization vendor or stored in one central, secure location at the company.

Jeff Abrams, continuous improvement process manager at Hill-Rom Holdings, a $1.3 billion manufacturer of hospital beds and other medical equipment in Batesville, Ind., says the need to comply with the Payment Card Industry Data Security Standard (PCI DSS) drove the company's adoption of tokenization.

The share of Hill-Rom's revenue transacted using credit cards has risen to 12%, up from about 2% five years ago, yet the company's procedures for handling cards were inconsistent, reflecting a number of different legacy systems. Though Hill-Rom had never had a data breach, when an outside consultant compared its practices with the PCI standards, "it was very alarming how many holes we had," Abrams says. "But the fixes they were suggesting were just astronomical in cost." The suggested solution involved moving Hill-Rom's J.D. Edwards enterprise resource planning system to a server of its own at an estimated cost of more than $1 million.