Tokenizing the Omni-Channel Environment

Transcription

1 Tokenizing the Omni-Channel Environment August 2014 $ Whitepaper

2 Tokenizing the Omni-Channel Organization Executive Overview Every organization today receives some form of payment from their customers. Retailers in particular must cater to the immediate and varied demands of customers who want to buy now or they will quickly go elsewhere. Businesses must have an omni-channel environment to take payments via an online storefront, a call center operator, an app on a mobile device, or at a self-service checkout in a brick and mortar store. In fact, almost all organizations need an omni-channel strategy to add secure payment channels with the flexibility to do business with anyone, anywhere at anytime. With omni-channel flexibility comes the technical, legal, and financial hurdles of Payment Card Industry (PCI) compliance to ensure that payment data is secure and safe from data breaches. And no matter how many layers of security controls that you wrap around your sensitive data, as long as it is captured, stored, processed, or transmitted in your environment, it is vulnerable to attack. Should there be a major breach of your customer data, your very business is at risk with the resulting hefty fines, lawsuits, loss of consumer confidence, and adverse publicity. To help you sort through the challenges of developing a secure omni-channel payment strategy, this white paper provides evidence and examples of: Why organizations with omni-channel strategies need a tokenization solution that keeps payment card information out of reach of data thieves. How tokenization not only protects your customer data, but also enables you to grow past traditional acceptance channels without adding additional risk. Why it is more secure and flexible to use a cloud-based tokenization solution rather than an on-premise solution. The advantages of using a tokenization solution from an independent provider rather than your payment processor, and how that gives you the freedom and flexibility to change your payment service provider as needed to enhance your business. The importance of incorporating a cloud-based tokenization platform in addition to other layers of security antivirus, intrusion detection, Security Information and Event Management (SIEM) to protect payment card data and other sensitive information. How TokenEx has helped organizations across different industries with their specific data sets and business needs quickly and easily integrate with a secure, cloudbased tokenization platform that removes the burdens of PCI Compliance and the consequences of losing customer data. Gauging the Risks of an Omni-Channel Strategy As a retailer catering to store, internet, and mobile customers you are by default an omni-channel business. Your call centers take payment cards over the phone, web stores receive credit card numbers, and brick and mortar stores use virtual terminals or self-checkout stations. All these payment channels accept, process, and store millions of records a day of very sensitive data that can result in severe economic and legal penalties if stolen or accessed by unauthorized personnel inside or outside the organization. The fact is, the more channels you provide for accepting payments, the more risk points you create. Unfortunately, your customers demand the convenience of all these payment channels, so if you don t provide them, you run the risk of losing sales. In their th Quarter Threats report, McAfee Labs researchers highlight a dramatic increase in Point of Sale (POS) malware: "During the last few years we have seen a notable rise in the malware families POSCardStealer, Dexter, Alina, vskimmer, Project Hook and others, many of which are available for purchase online. Securing Omni-Channel Data on a Global Scale 1.

3 What is Tokenization? The purpose of tokenization is to swap out sensitive data typically payment card or bank account numbers with a randomized number in the same format, but with no intrinsic value of its own. This differs from encryption where the number is mathematically changed, but its original pattern is still locked within the new code. Encrypted numbers can be decrypted with the appropriate key whether through brute computing force, or through a hacked/stolen key. Tokens, on the other hand, cannot be decrypted because there is no mathematical relationship between the token and its original number. Tokens can be single use (a one time debit card transaction) that are not stored in the system, or multi-use (a credit card number of a repeat customer) that is stored in the database. A critical second step is to keep tokens separate from the original data. When only the tokenized values are present in the IT systems of an organization and the matching payment information is secured in an offsite data vault, those IT systems are no longer in the scope of PCI compliance. Using Tokenization to Secure Highly Sensitive Data Getting payment data out of your IT environment is critical to minimizing your organization s security risks as well as the scope of costly PCI compliance. The key is to intercept any payment data coming into your systems as early as possible in the transaction flow and tokenizing the data effectively making all the data that is stored in your environment worthless to data thieves. While the tokenized data is of no value to hackers, it can still be used within your business processes the same as payment card data. For a brief description of the tokenization process, see the sidebar: What is Tokenization? An example of highly sensitive data that you need to keep available for business use is payment card data from repeat customers those who agree to store their credit card information with you for recurring orders. As a convenience to the customer, this is a competitive edge. But storing multi-use data poses a heightened security risk. TokenEx converts multi-use payment data into high-value tokens that randomize the first 12 digits and keep, for example, the last four digits intact. The real data is stored off-premise on the TokenEx platform. The locally stored tokens are readily available for you to use. Payment information is not the only data you have to worry about either. Personally Identifiable Information (PII) can be just as toxic to your business in terms of maintaining customer trust. For more information on how TokenEx can help you protect all types of sensitive data, see the sidebar: Protecting Personally Identifiable Information with Tokenization. On-Premise vs Cloud Tokenization Platforms While typical on-premise systems can provide adequate tokenization, all the sensitive payment data still flows through your network and are stored in your servers thus negating the risk and compliance benefits that tokenization can provide. While the local tokenization process successfully randomizes the data between your point of acceptance and the tokenization on-premise solution, data thieves can find intricate ways to breach your systems and steal the payment data as revealed by the Target point-of-sale hack. With on-premise tokenization, all the systems that capture, store, transmit, or display the original payment data must still conform to PCI standards. Thus on-premise solutions do not relieve your organization of the time and expense of obtaining and maintaining PCI compliance. There are over 300 controls for credit card data alone to attain PCI certification. In order to remain certified you must maintain encryption between clients and servers; perform constant penetration, wireless, and application testing; and keep up with quarterly scanning and reporting. The total costs and manpower associated with PCI compliance are enormous. TokenEx relieves an organization of most of the burden of PCI compliance as well as the risk of storing sensitive data. In a typical TokenEx client s organization, payment data is swapped with a token at the point of acceptance, so that the payment card data never enters downstream systems of the business environment. Only the tokens, generated by the TokenEx cloud-based platform, are ever stored in or flow through the business systems. TokenEx enables you to continue with business as usual, using customer information for analytics and tracking, but without having the actual data stored anywhere in your systems, thus greatly minimizing the scope of PCI compliance. Securing Omni-Channel Data on a Global Scale 2.

4 Protecting Personally Identifiable Information with Tokenization According to the Symantec 2014 Internet Security Threat Report, over 552 million identities were breached in 2013, putting consumer s credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, addresses, login, passwords, and other personal information into the criminal underground. Against this onslaught you face a huge challenge: failing to secure customers PPI data can be catastrophic to your business reputation. Tokenization and off-site data vaulting can thwart the most nefarious of attacks from gaining any type of usable information financial or personal. However, most tokenization solutions from payment gateways deal only with payment data, not PII, HIPAA data, or data sets covered by diverse international rules and regulations that vary by country. Obviously it is uneconomical and much more work to maintain two systems, one for financial payment data and one for PII data. However, a worse result of having two sets of tokens, using different encryption standards, can lead to the risk of commingling the token sets, resulting in data corruption. TokenEx is unique in its ability to provide a single platform for tokenizing all of your sensitive datasets and ensuring it is protected in one cloud. TokenEx s tokenization platform stores the original value of the PII data and the associated token available to use when needed so your business continues to operate as usual after your sensitive data is tokenized and secured. Building a Tokenization Platform While it may seem simple enough to build your own tokenization system, putting the effort into building and supporting an on-premise solution does not absolve you of PCI compliance and its significant overhead. Building and maintaining a robust Application Platform as a Service (apaas) for tokenizing any type of sensitive information and storing it separate from the payment data is a significant task. Done properly, a tokenization apaas securely stores the data in a cloud-based data vault that can communicate seamlessly with payment processors, gateways, and service providers. Creating a complete tokenization apaas requires extensive security and payment processing expertise, data center management experience, deep knowledge of software-as-a-service architecture, and a long-term commitment to building the infrastructure to support it. TokenEx has invested the time and talent to create a flexible and robust apaas platform for tokenizing payment and PII data, relieving your organization of the overhead and expense of trying to do it yourself. Maximize Flexibility of Payment Service Providers Most merchants typically choose a payment service provider based on price and stay with them for years. Among payment processors, the actual transactions are a commodity, with little differentiation other than a few micro-cents here and there. Payment gateways, on the other hand, attempt to garner your transaction volume by adding value through various means, including rudimentary tokenization. The caveat is that their tokenization is proprietary to the payment gateway and they will often be resistant to returning your data to you should you seek to migrate to another payment service provider. If and when they do accommodate your request, the data is returned in batch form including payment card numbers. By possessing that data again, you bring your environment back into PCI scope. This is not only extremely time and labor intensive, but an obvious security risk because customer payment data is now in your system, ready for harvesting. Have you prepared your systems for that challenge? When you partner with TokenEx, there is no lock-in either through accessing your own data or your choice of payment service providers. Your data is always your data, with TokenEx as the custodian, keeping it secure and out of your environment. In addition, TokenEx is 100% payment service provider agnostic you choose processor, gateway, and hardware combinations to suit your business needs. BANK $ $ Securing Omni-Channel Data on a Global Scale 3.

5 The Need for Tokenization In a Layered Security Model In addition to payment data, every organization has intellectual and confidential data to protect. Latest figures show that an average of 200 attacks per minute from Denial of Service, to malware intrusions, to phishing probes occur in aggregate against US companies alone. The actual number is probably far greater considering most organizations do not report their breach activity. The number of cyber-attacks seeking intellectual property will only increase with growing international competition and trade. Therefore, most organizations must build, buy, or subscribe to other security technology to guard against the arsenal of threats. Unfortunately, no security solution has yet proven to be impenetrable, especially with the proliferation of zero day exploits. Out of thousands of attacks it only takes one successful intrusion to do irreparable harm to your organization if critical payment data still resides within your business systems. That s why even with sophisticated security solution guarding the gates, it is still imperative that your customer data is tokenized, with the real payment data safely offsite. The one successful intrusion that the hackers worked so hard at results in a payload of tokenized data that is useless to anyone outside your organization. So while security systems are a must have to protect all aspects of your IT environment, tokenization and offsite-storage of sensitive data is the only way to ensure that hackers get nothing but random numbers for all their work. Wouldn t that give you a feeling of satisfaction? All Industries Need Omni-Channel Tokenization Solutions As discussed throughout this paper, every organization that accepts payment card data is especially at risk of being targeted by data thieves. With organizations taking payments through more diverse channels, the security risks continue to grow as does the cost of complying with a growing legion of rules and regulations not the least of which is PCI compliance. TokenEx helps organizations in a variety of industries protect their sensitive data while saving time and money by avoiding many of the PCI compliance headaches. Here are three industry-specific examples of how TokenEx helps clients with growing omni-channel payment strategies overcome the accompanying data security challenges. The Omni-Channel Retailer: Tight Security on a Tight Budget The omni-channel challenges of retail organizations have been well discussed in this paper, but there are some specific areas that TokenEx differentiates its services for retailers. One of the most overriding concerns of retailers is the razor-thin margin that constitutes their profits. Any additional layers of IT security, changes in hardware, or costs associated with PCI compliance cut into those margins and are highly scrutinized. As a result, retailers are often reluctant to invest in technology-intensive solutions even in the face of large fines should sensitive data be lost. TokenEx provides an economical path to rid payment data from retailers IT environment, pushing the boundaries of PCI compliance outward to the very edges of the customer/retailer interface. This greatly reduces the cost of PCI compliance by significantly reducing the scope of the systems that are impacted. By replacing payment card data in back office systems and storage servers with tokens and moving the payment data offsite to the secure TokenEx cloud much of the IT environment is spared PCI scrutiny. This saves significant IT funds that can be repurposed to grow the business by adding more payment channels and integrating with service partners. Retailer Benefits from Seamless Integration of Service Providers In order to ensure a seamless customer experience, retailers especially those with web-centric storefronts need to integrate their payment channels with other services, suchas direct marketing providers, fraud prevention services, and order fulfillment centers. The challenge is to integrate these third-party organizations into the transaction flow without exposing the payment data to them. Tokenization provides an ideal solution. TokenEx is service provider agnostic, providing integration among all retailer s partners. For one large retail client, TokenEx provided custom tokenization integration between the retailer s website store, the fraud prevention provider, the marketing service, and the fulfillment vendor. After the TokenEx integration, all of the partners in the payment and supply chain only had access to the tokenized payment information, yet were able to provide credit card fraud protection; marketing analysis on customer behavior and campaign success rates; and order fulfillment using verified payment data. TokenEx enabled the retailer to remove their own back-office systems from PCI scope as well as the interfaces to their partners systems thus smoothing integration and improving the flow of commerce. Securing Omni-Channel Data on a Global Scale 4.

6 Insurance: Expanding Omni-Channel Payments and PII As Insurance companies expand their offerings globally they add payment channels as well as increase the scope of the information they collect on their customers. They are adding call centers to sell policies, collect monthly payments, and field policy claim information. They are creating web stores to enroll new customers and accept recurring payments. And they are expanding their mobile workforce to sell policies, collect personal information, and evaluate claims. With this rapid expansion, insurance companies need to push as many of their backend business systems out of the scope of PCI compliance as possible to greatly reduce IT security costs and labor. By tokenizing payment and Personally Identifiable Information (PII) at the point of entry whether web store, call center, or mobile field agent and storing it in TokenEx s data vault, all sensitive data is effectively removed from backend systems, leaving only the tokenized data to use in business processes. More Global Customers Means More Types of Sensitive Data Global insurance companies also face an expanding range of stringent international regulations on the control of personal data with each country enforcing different rule sets. This greatly increases the types of data that must be carefully guarded from unauthorized access. With the capability to tokenize any data set and a comprehensive understanding of international laws defining data security for PII, TokenEx provides an ideal security solution for insurance organizations. An international insurance client of TokenEx was rapidly expanding their range of payment channels to accommodate a wider range of global prospects. When collecting financial data, they also need to record national identification numbers, health information, birth dates and other forms of PII. This creates a large and growing database of information that, should unauthorized personnel access it, would have significant legal ramifications. TokenEx was able to tokenize and vault all the payment and PII data, leaving only the tokenized data in the insurance company s systems. In addition, TokenEx created custom token formats that retained the meaning of the original data. The implementation relieved the organization of the PCI compliance for most of their systems, reduced their liability for the other forms of data, and kept the value of the data for use in business processes. Not-for-Profit: Expanding Field Operations Without Expanding PCI As with retailers, not-for-profit (NFP) and charity organizations operate on very tight operational budgets. Charities in particular are under constant pressure and monitoring to devote only what is necessary of their funding to operational expenses. However, in order to attract donors these organizations are adding payment channels to make it as convenient as possible for their target audiences to contribute and at as low a processing cost as possible. As they move towards low-cost self-services web-centric donation acceptance capabilities with stored payment cards for recurring donations the cost of PCI compliance grows proportionally. One of TokenEx s NFP clients was looking to expand their mobile donor collection channel. At the time, they already had a homegrown tokenization solution, but since it was an on-premise system, the original payment data was still held in their databases, which had to be PCI compliant. Adding a global mobile data collection system for use on ipads, iphones and other devices would greatly increase the amount of data collected and stored, stressing their systems and creating many more PCI liabilities at the mobile interfaces. When TokenEx replaced the homegrown tokenization solution and started tokenizing and storing the payment data, it relieved the NFP organization not only from PCI compliance for their internal systems but also the significant operational overhead. TokenEx was also able to provide a flexible interface for all the mobile devices in order to tokenize the incoming payment and donor information at the time of capture in the field. This enabled the widespread deployment of the mobile donation apps. The NFP was able to expand their donor collection efforts globally, while greatly reducing the overhead that their internal tokenization system had required. Want to Know More About How Tokenization Can Secure Your Payment Channels? Our clients depend on TokenEx to provide a complete and customizable tokenization solution for their omni-channel payment streams as well as their PII data. Let us explain how a unified cloud tokenization platform can help your organization add payment channels while limiting the scope and costs of PCI Compliance. Visit us at or call for an appointment to discuss your specific challenges. TokenEx, LLC : 1350 South Boulder Suite 1100 Tulsa, Oklahoma Securing Omni-Channel Data on a Global Scale 5.