The article in Point of Sale News provides a broader definition of tokenization that protects all private consumer data. The article first describes how card data is now being tokenized but points out the need to protect other private consumer data:
“While credit cards are a logical use case to prevent fraud and reduce counterfeit cards, victims of identity theft have learned the hard way that personal information can often be more valuable. Because tokenization technology can also be used to protect different types of personally identifiable information (PII), including financial information and medical records, a better definition for the term is the process of substituting a sensitive data element with a non-sensitive equivalent.
Tokenization separates the customer’s identity from the payment and works by creating a unique, random number that represents actual data. The non-sensitive information, known as a token, is stored and processed in the cloud. As a result, the sensitive data is protected and merchants don’t have the burden of handling customers’ sensitive information. If hackers happen to gain access to the system, they can only see meaningless tokens, instead of credit card or bank account numbers.
Although protecting card numbers is a primary responsibility of tokenization, it is the tokenization of a customer’s ID that will protect all aspects of financial transactions, including what they are purchasing (product SKU data), where and when they shop. This customer shopping data provides merchants with key information about their customers, which should only be shared between merchants and their customers.
Mercator identified this issue and made recommendations for this approach in the conclusion of the report “Defining a Strategic Path for Banks Regarding EMV, Tokens, Apple Pay, and Mobile Apps,” published in May 2015.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group