Episode 95 – Hiding Data Jewels in the Tokenization Vault – Alex Pezold, CEO, TokenEx
One of the biggest payments challenges for merchants is how to handle payment data – whether it’s at the POS or in the remote domain where eCommerce and mobile payments take place. A lot of this concern is driven directly by PCI DSS compliance and broadly by the reputational risk a data breach represents.
One of the major techniques merchants employ to remove the need to store payment data is tokenization – the replacement of the high-value card data with a low-value representation managed by another party. Merchants just store the token for lookup purposes while the third party maintains the database that links these low-value tokens to the true primary account number, or PAN.
At Glenbrook, we refer to these as merchant tokens because they are specific to and paid for by the merchant. We’ve also heard them referred to as acquirer tokens because the tokenization function is often performed by the merchant’s acquirer, processor, gateway, or payment service provider.
Makes sense, right? Put the radioactive payment card data into another party’s hands.
But for large and mid-size merchants, relying on an acquirer to provide tokenization services has a few downsides:
- The token database maintained by the provider is specific to the merchant. If the merchant wants to shift to another provider, tokenization portability can be an issue and a costly one.
- In our merchant work, we are seeing the largest ones looking at a multi-acquirer topology for cost, redundancy, and channel flexibility purposes. But each acquirer will use its own tokenization scheme, adding complexity and limiting functionality.
- Omnichannel merchants may employ one provider for POS transactions and another for eCommerce. That doesn’t work when you want to provide a consistent experience to your returning customer. You want a token that works across channels, i.e. an omnichannel token.
In this Payments on Fire® episode we talk with Alex Pezold, CEO of TokenEx, an acquirer-neutral, independent tokenization provider. We talk a lot about protecting payment and bank account data. But we also address the growing need for protecting other data assets and how tokenization can help accomplish that.