Tokenization is the way to prevent e-commerce security breaches

E-com security breaches are increasing in frequency at an alarming rate, but there is a way to prevent them: tokenization.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.


Tokenization is the one-way process of converting a credit card number into a unique value that by itself holds no value. Tokenization can be used to prevent actual credit card data from ever touching a retailer's server, where the majority of data breaches occur.

This can be achieved by having the customer's shopping cart submit card information to the merchant's processor along with a unique merchant identifier. The payment processor then generates a token and sends it back to the customer's cart. Once the shopping cart receives the tokenized payment information, it submits it along with the other purchase information to the merchant, who in turn passes the tokenized data back to the processor for payment authorization.
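The four-party flow just described, as an added simulation that is not SecureNet's code or API: the cart sends the card number (PAN) only to the processor together with a merchant identifier, the processor returns a random token backed by its vault, and the merchant persists and forwards only the token. The class names, the `tok_` prefix, the merchant identifier and the sample card number are all constructed for this example.

```python
"""Simulated e-commerce tokenization flow (added example, not any vendor's code).

Three parties: the customer's cart, the payment processor (owner of the token
vault) and the merchant server. The PAN travels cart -> processor only; the
merchant never receives it.
"""
import re
import secrets

# Constructed sample data: a test-style card number and a hypothetical merchant id.
SAMPLE_PAN = "4444333322221111"
MERCHANT_ID = "MERCH-0001"


class Processor:
    """Payment processor: keeps the token -> PAN vault and authorizes payments."""

    def __init__(self):
        self._vault = {}        # token -> (merchant_id, pan); never leaves the processor
        self.authorized = []    # audit trail of (merchant_id, token, amount_cents)

    def tokenize(self, merchant_id, pan):
        # The token is a random reference into the vault, not a hash of the PAN:
        # the PAN space is small enough that a plain hash could be reversed by
        # enumeration, whereas a random token carries no information about the card.
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (merchant_id, pan)
        return token

    def authorize(self, merchant_id, token, amount_cents):
        entry = self._vault.get(token)
        # The token is bound to the merchant it was issued for, so a token taken
        # from one merchant's systems is useless when presented by another.
        if entry is None or entry[0] != merchant_id:
            return False
        self.authorized.append((merchant_id, token, amount_cents))
        return True


class Merchant:
    """Merchant server: stores orders and forwards the token for authorization."""

    def __init__(self, merchant_id, processor):
        self.merchant_id = merchant_id
        self.processor = processor
        self.orders = []        # everything the merchant persists, for later inspection

    def place_order(self, token, items, amount_cents):
        self.orders.append({"token": token, "items": items, "amount": amount_cents})
        return self.processor.authorize(self.merchant_id, token, amount_cents)


class Cart:
    """Customer's cart: apart from the processor, the only party that handles the PAN."""

    def __init__(self, merchant_id, processor):
        self.merchant_id = merchant_id
        self.processor = processor

    def checkout(self, merchant, pan, items, amount_cents):
        token = self.processor.tokenize(self.merchant_id, pan)            # steps 1 and 2
        return token, merchant.place_order(token, items, amount_cents)    # steps 3 and 4


PAN_LIKE = re.compile(r"\b\d{13,19}\b")


def merchant_holds_pan(merchant):
    """True if anything the merchant persisted looks like a bare card number."""
    return any(PAN_LIKE.search(repr(order)) for order in merchant.orders)


def run_flow():
    """Run one checkout and report what each party ended up with."""
    processor = Processor()
    merchant = Merchant(MERCHANT_ID, processor)
    cart = Cart(MERCHANT_ID, processor)
    token, ok = cart.checkout(merchant, SAMPLE_PAN, ["widget"], 1999)
    return {
        "token": token,
        "authorized": ok,
        "merchant_holds_pan": merchant_holds_pan(merchant),
        # A token replayed under a different merchant id is rejected by the vault.
        "replay_elsewhere": processor.authorize("MERCH-9999", token, 1999),
    }


if __name__ == "__main__":
    print(run_flow())
```

The merchant-side check at the end is the property the article relies on: after a successful authorization, nothing persisted by the merchant contains a card number, so a compromise of that server yields only tokens that the processor will not honour for anyone else.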

Many payment processors don't utilize tokenization for e-commerce, yet it's the most foolproof way for retailers to proactively protect themselves and their customers' card data with a high level of security. In addition, this form of tokenization can also assist merchants in reducing their Payment Card Industry (PCI) scope.

The e-commerce credit card transaction process incorporates many intricate steps. During a non-tokenized e-commerce transaction, the valuable card data essentially embarks on a journey, passing from the customer's browser to the e-commerce merchant's website, through the merchant's network to the processor and then on to the card associations and the issuer. The most vulnerable stage of this process, and the place where card information has historically been most at risk, is the retailer's server. By utilizing the tokenization previously described, it's possible for the card data to bypass the merchant server completely.

Through tokenization, a payment processor transforms valuable credit card data into an irreversible, unique identifier that has no intrinsic value if intercepted and cannot be used for fraudulent purposes. For example, credit card 4444 3333 2222 1111 would be tokenized as A12BD33BDLB349BOeOIKL338. This means the tokenized data is useless to anyone outside of the processing company, which ensures the information is safe as it progresses through the various stages of the transaction.

Some processors tokenize data in the post-authorization stage only, allowing consumer credit information to sit on potentially unsafe retailer servers until the transaction has processed. Tokenization from the start of the transaction protects data earlier in the lifecycle of the transaction.

Most well-known data breaches have occurred at the server level, so tokenizing card numbers before they reach that point mitigates security risks by a significant margin. The ITRC reports hacking as the number one cause of breaches. Thus, the ability to prevent card data from reaching the server is a particularly valuable benefit for e-commerce retailers, as it basically makes credit card information hacker-proof in their network.

By tokenizing data before submission to the merchant, the consumer can be assured that even if hackers break through a system and gain access to a merchant's server, they won't be able to obtain any sensitive information. If this type of system is in place and a breach does occur, the business will be able to focus on the system flaw that allowed the breach, without worrying about consumer information being in the hands of fraudsters.
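The assurance above is only as good as what is actually sitting on the merchant's server, so a practitioner verifies it rather than assuming it. Below is an added scanner, not part of the original article or any vendor product, that sweeps merchant-side log lines for card numbers that a tokenized flow should never have written. The log lines are constructed for the example; the Luhn check filters out look-alikes such as long order numbers, and hits are reported masked so the scan itself does not re-expose a card number.

```python
"""Scan merchant-side logs for card numbers that pre-submission tokenization
should keep off the server (added example; the log lines are constructed)."""
import re

# Constructed sample log lines. Lines 1-2 are what a tokenized flow produces;
# line 3 shows a raw card number leaking; line 4 carries a 16-digit order id that
# is not a card number (it fails the Luhn check); line 5 is a card number typed
# with spaces into a free-text field.
SAMPLE_LOG = """\
2015-03-02T10:14:01Z order=88213 token=tok_5a9c1e22b7d04f6a91c3 amount=1999 status=authorized
2015-03-02T10:14:05Z order=88214 token=tok_0f7e3a5b12c94d8e6b21 amount=4500 status=authorized
2015-03-02T10:14:09Z order=88215 card=4444333322221111 amount=1200 status=authorized
2015-03-02T10:14:12Z order=1234567890123456 token=tok_77ab93c1d5e2f4a6b8c0 status=declined
2015-03-02T10:14:20Z order=88216 note="customer phoned card 4444 3333 2222 1111" status=manual
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to
# other word characters (so digit runs inside tokens or identifiers are skipped).
CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")


def luhn_ok(digits):
    """Luhn check digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits, as a PCI-style masked display."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return (line_number, masked_pan) for every Luhn-valid candidate found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((line_no, mask(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible card number {masked}")
```

Run against real application, web-server and database logs (and database dumps), a clean result is the evidence that the merchant's systems are outside the card-data path; any hit marks a place where the tokenized flow has been bypassed, which is exactly what the article's argument depends on not happening.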

Highest level of protection

While there are a multitude of different bundles and software that can be used to defend against security breaches, nothing ensures the high level of protection for e-commerce that tokenization instills. This component recognizes that hackers can always potentially find a way into a system, which is why it morphs data as soon as possible and never allows it onto the retailer's servers, making any stolen information useless. By providing this ability, processors not only take the lead with security, but also make themselves more marketable to retailers, because they are absorbing the responsibility for security breaches, removing the blame from brand servers.

Security is going to remain a hot topic as long as breaches continue to occur. Hackers aren't ever going to go away in the progressively digital age, but back-end processing technology can continue to fight by making it harder for them to walk away with the information they're looking for. Using e-commerce tokenization puts the best line of defense in front of payments technology, beating hackers at their own game.

SecureNet is streamlining the way businesses accept payments. SecureNet's integrated suite of payment tools is the simplest and most advanced way for merchants of all sizes to manage commerce in any environment: in-store, online and via mobile devices. The industry-first, single-stack API platform is backed by detailed business analytics that help merchants make informed decisions to grow their business. SecureNet's unique direct connection to card networks makes pricing the most transparent and straightforward in the industry. SecureNet is headquartered in Austin, Texas. Find more information at

Stories by Avery Buffington, Information Security Architect, SecureNet