By J. Ashley Oblinger, Esq.
Over the last few months, we have all experienced many changes to our daily activities, from sheltering in place to social distancing to general uncertainty. One of the smaller changes that has come from the COVID-19 pandemic is the increased shift away from paper money transactions to credit card and electronic payments.
Credit card transactions have long been a staple of the self-storage industry. One of the biggest concerns we hear with regards to credit card payments is the storage of a tenant’s credit card information, and rightfully so, given the dangers and seriousness of cyber-attacks and credit card fraud. As payment technology rapidly increases, merchants face increased threats to security breaches trying to steal customer information that can be used in nefarious ways. Fortunately, technological advancements have allowed for more secured ways in which to retain a customer’s credit card information. One of these advancements, tokenization, actually incorporates an old method into a new world problem.
Credit card tokenization is the process by which the Primary Account Number on the credit card (the credit card number) is replaced by a unique, mathematically irreversible token. In the case of credit card numbers, the token is a series of randomly generated numbers and/or letters used to represent the credit card number. The token effectively takes the place of the credit card number and is used to process and complete transactions on the credit card without the credit card account information being stored by the merchant. The merchant only sees and stores the token and only the payment processor has the ability to decipher the token under your merchant account. The actual credit card number is held in a secured token vault. If the credit card needs to be billed again (such as for monthly rent, assuming the customer has consented to the charge for the recurring rent), the token is used to charge the card and the processing company identifies and decrypts the token, which results in the credit card account being charged, all without the use of the actual credit card number.
The token is similar to an arcade token or casino chip that is used in place of money and is only good at that particular arcade or casino. The credit card token has no value outside of its use by the merchant with the credit card processing company, and the credit card processing company is the only one who can decipher the token to place a charge on the credit card account. Consequently, if there is a security breach and the token is stolen, the thief would not have the credit card numbers or personal information but rather would only have the token. Since the token can only be used by the merchant, can only be used with the credit card processing company, and cannot be reversed engineered, the token is useless to the thief. Thus, the credit card account and the information associated with the account are protected from would-be hackers and thieves.
Many people are familiar with encryption; and tokenization has some similarities to encryption. Both encryption and tokenization secure information by altering it so that it appears unreadable to those without the proper tools to translate the information. Additionally, encryption and tokenization are both used to reduce the scope of Payment Card Industry (PCI) compliance by reducing the amount of systems and people that have access to customers’ credit card information. They differ in that encryption runs the credit card number through an algorithm and the credit card number is turned into indecipherable data that can only be deciphered, or unlocked, with a key. The biggest difference between the two is that encryption is mathematically reversible, and tokenization is not because it is created through random algorithms. Because encryption is reversible, it is possible for a hacker to obtain the original account information on the card, thus making tokenization more secure than encryption. Further, tokenization is cheaper and generally easier to use than encryption and requires less work to be PCI compliant.
With the amount of computer hacking occurring and the liabilities and costs associated with a security breach, any merchant that retains its customers’ credit card information should seriously consider any and all methods to secure their customers’ information. The purpose of tokenization is to provide a secure way for merchants to maintain customer credit card accounts and prevent wrongdoers from stealing customers’ payment data or personally sensitive data. It is a method that can be used by all types of merchants, including self-storage operators. Tokenization is quickly emerging as a cost-effective method to secure customers’ credit card account information and will likely play a significant role in securing financial information in the future.