PCI Free Blog

Tokenization Eases Burden of Data Security for PCI Compliance

PCI compliance requires strong encryption of electronically stored cardholder data, and that can be expensive. Even though encryption is advocated by the PCI DSS council, it can be a very cumbersome expense for companies that have to protect cardholder data for thousands of customers. Another consideration is that encrypted values typically take up more space in the company database than the original values, adding storage expense on top. One industry report found that companies with 100,000 or more customers can expect to pay around $6 each for data encryption protection. The bill seems to grow and grow in order to keep your customers safe and to maintain your company’s PCI compliance.

Another intrinsic drawback to on-site electronic storage of encrypted data is the risk of thieves obtaining the encrypted files. Cybercriminals have methods to “reverse engineer” the unique encryption key used by the encryption software. Once that is done, since all of the encrypted data is a function of a single encryption key, the thief is able to decode every encrypted file they stole.

Tokenization of cardholder data provides a level of protection that cannot be attained even with the strongest encryption software available. The way it works is that, instead of encrypting the card number, tokenization takes the original card number and assigns it a unique surrogate value that can’t be reverse engineered, because no mathematical formula is used to generate the surrogate values. After it is tokenized, the original card number is stored off-site in the tokenization service’s high-security storage facility. The merchant using the tokenization service works with the token values for day-to-day customer interaction. When it is time to charge a customer’s card, only the token value is used by the merchant’s software, so after the initial tokenization the merchant never again has the original card number in its possession, even for a moment.
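The flow described above, as an added example that is not part of the original post and not any tokenization provider's real API: a toy vault that maps card numbers to tokens by lookup rather than by formula (tokens come from a CSPRNG), and a merchant system that sees the card number once at capture and thereafter stores and charges by token only. It also illustrates the earlier point about stolen data: dumping the merchant's customer table yields tokens that cannot be turned back into card numbers. The class and method names, the choice to keep the last four digits in the token, to return the same token for a repeated card number, and to reject any candidate token that would pass a Luhn check (so a token can never be mistaken for a real card number) are all design choices made for this example. The card numbers used are public test numbers, not real cards.

```python
import secrets
import string
from typing import Dict, List

# Constructed example: a toy token vault plus a merchant that stores only tokens.
# Names and structure are assumptions for illustration, not a real provider's API.


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used only to reject malformed card numbers on input."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the tokenization provider's off-site vault.

    The mapping is a lookup table, not a formula: each token is drawn from a
    CSPRNG, so holding tokens (or the whole token column) gives no way to derive
    the card number. Only the vault can resolve a token.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:            # same PAN -> same token (design choice)
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits so receipts still work; the rest is random.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a candidate that collides with an issued token or that would pass
            # Luhn: a token that fails Luhn can never be confused with a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Resolve the token inside the vault and return a receipt that carries no PAN."""
        pan = self._token_to_pan.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real provider would forward `pan` to the card processor at this point.
        return {"pan_last4": pan[-4:], "amount_cents": amount_cents, "approved": True}


class Merchant:
    """Merchant-side system: sees the PAN once at capture, keeps only the token."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self._customers: Dict[str, str] = {}     # customer id -> token

    def capture_card(self, customer_id: str, pan: str) -> str:
        token = self._vault.tokenize(pan)
        self._customers[customer_id] = token      # the PAN is not retained
        return token

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        return self._vault.charge(self._customers[customer_id], amount_cents)

    def stored_values(self) -> List[str]:
        """Everything a dump of the merchant's customer table would expose."""
        return list(self._customers.values())

    def holds_any_pan(self, pans: List[str]) -> bool:
        return any(value in pans for value in self.stored_values())


if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant(vault)
    tok = shop.capture_card("cust-1", "4111111111111111")   # public test card number
    print("token stored by merchant:", tok)
    print("charge receipt:", shop.charge("cust-1", 1999))
    print("merchant table contains a PAN?", shop.holds_any_pan(["4111111111111111"]))
```

The point of the `holds_any_pan` check is the compliance argument in the paragraph: once capture is complete, nothing in the merchant's storage is cardholder data, so a breach of that storage exposes only surrogates the vault alone can resolve.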

The implications of this technology for PCI compliance are far reaching for companies with large client lists. Since the sensitive data is stored off-site, the expensive PCI DSS network scans become moot; there is no cardholder data for the merchant to protect. Independent of the reduced cost of the basic PCI compliance requirements is the reduced cost of the software and system memory that encryption software would require. The peace of mind that goes along with all of this might just be invaluable.
