Protect Stored Cardholder Data With Tokenization

Businesses like health clubs and utilities that process recurring payments from customers each month face a challenge when it comes to protecting their customers' sensitive payment information.

Obviously, it's more convenient for customers to provide the business with their payment information (credit and debit card numbers, expiration dates, etc.) once, instead of every month. But businesses are understandably cautious about storing this information in their own systems due to the risks of cyber-theft and costly data breaches.

The Solution: Tokenization

The solution to this problem is a data security technology known as tokenization. This technology replaces sensitive payment information with a unique "token" made up of upper- and lower-case alphabetic, numeric and special characters that have no relationship to the information itself. The merchant stores only the token, not the actual information -- that is instead stored by the merchant gateway provider in a secure, PCI (Payment Card Industry) compliant database located in the cloud.

Tokens are undecipherable because they are not an encrypted form of the payment data: they only point to the associated payment data -- they don't decrypt it. So they have no value to hackers if they are stolen.

In the case of a recurring monthly transaction, the merchant passes a unique token that represents one card's payment information to the credit card processor, which generates a transaction based on the cardholder data associated with the token. In addition to recurring transactions, tokens can also be used for product returns and refunds. Tokens can be generated via virtual terminals or a card swipe at the merchant's point of sale (POS) terminal.
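The flow described above, as an added sketch that is not PNC's or any gateway provider's code: the gateway issues a random token and keeps the card data, while the merchant stores only the token and passes it back for each monthly charge. The class names, the 24-character token length and the special-character set are assumptions, and the card number is a constructed test value.

```python
import secrets
import string

# Token alphabet as the article describes it; this exact special-character set is assumed.
ALPHABET = string.ascii_letters + string.digits + "!#$%*+-=?@^_"


class GatewayVault:
    """Hypothetical stand-in for the gateway provider's PCI-compliant database."""

    def __init__(self):
        self._cards = {}  # token -> card data, held only on the gateway side

    def tokenize(self, pan, expiry):
        # Draw the token from a CSPRNG: it is not computed from the card number,
        # so there is nothing in it to decrypt or reverse.
        token = "".join(secrets.choice(ALPHABET) for _ in range(24))
        while token in self._cards:  # regenerate on the (unlikely) collision
            token = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token, amount_cents):
        card = self._cards.get(token)
        if card is None:  # a token the vault never issued points at nothing
            return {"approved": False, "reason": "unknown token"}
        # A real gateway would submit the looked-up card data to the processor here.
        return {"approved": True, "amount_cents": amount_cents, "last4": card["pan"][-4:]}


class MerchantBilling:
    """Merchant system: keeps customer_id -> token and never the card number."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.tokens = {}

    def enroll(self, customer_id, pan, expiry):
        # Card data is handed to the gateway once; only the token is retained.
        self.tokens[customer_id] = self.gateway.tokenize(pan, expiry)

    def bill_monthly(self, customer_id, amount_cents):
        return self.gateway.charge(self.tokens[customer_id], amount_cents)


if __name__ == "__main__":
    shop = MerchantBilling(GatewayVault())
    shop.enroll("member-17", "4111111111111111", "12/30")  # constructed test card number
    print(shop.tokens)
    print(shop.bill_monthly("member-17", 4999))
```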

Layered Defenses

Tokenization is one component of a layered cardholder data defense system that merchants should implement in order to protect cardholder data and adhere to PCI compliance standards.

A layered approach to data security is the best way to protect sensitive payment information. In addition to tokenization, these layers should include encryption, online fraud and verification tools, and an EMV-capable POS terminal.

Learn more about EMV capabilities and requirements from these related articles:

What is EMV and What Does it Mean to You?

EMV Is Coming -- Are You Prepared?

Please contact PNC Merchant Services Customer Service at 800-742-5030 if you have more questions about how tokenization can help you protect sensitive cardholder data.


PNC is a registered mark of The PNC Financial Services Group, Inc. ("PNC")

Merchant Services are provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.

This Merchant Business Insights e-Newsletter is designed to provide useful and practical information for merchants accepting card transactions. It is not intended to be legal, tax, accounting or financial advice, nor should it be substituted for a full and regular review of the Association Rules and any changes thereto. Internet sites provided in this e-Newsletter are provided as a convenience to our readers. While PNC Merchant Services endeavors to provide resources that are reputable and safe, we are not responsible for the information, products, or services obtained on such sites.