Credit card processing encompasses credit card transactions as an entire process. The system takes what are more or less tokenized funds from customers and transfers them to merchants in exchange for products and/or services.
But, before we look into how credit card processing has developed as an essential tool, we need to understand what’s known as data security tokenization first.
A brief look at data security tokenization
Tokenization, in the context of data security, refers to a process that substitutes sensitive data elements for a non-sensitive element (a token) with no value. The token itself does map back to the sensitive data elements through the tokenization system implemented to conduct the process.
Naturally, many tokenization systems are designed to prevent ‘reverse engineering,’ or, in other words, methods that may reverse and trace back to the original sensitive data.
A ‘complete’ data tokenization system typically supplies data processing applications that authorize token requests (through interfaces) or the ability to convert tokens back into sensitive data.
Data tokenizations systems are commonly used for safeguarding sensitive financial data, such as data associated with bank accounts, financial statement and credit card transactions. Any type of personally identifiable information, whether financial or not, typically get protected (through encryption) with the use of a data tokenization system.
Credit card processing and data tokenization
Over the past few decades, credit card processing has undergone significant changes, specifically changes in its security systems.
The Payment Card Industry established standards for the operational and technical requirements for credit card processing point of sale systems. Much of these point of sale systems comply with current Payment Card Industry PIN Transmission Security (PCI PTS) and Payment Card Industry Data Security Standard (PCI DSS) requirements.
When it comes to data security tokenization, it’s heavily implemented to meet current PCI standards, specifically for properly encrypting data in credit card transactions. A common example of tokenization being applied in PCI DSS mandate is using the technology to convert customer credit card numbers into randomly-valued tokens.
Tokens, in accordance with PCI DSS standards, are formatted in different ways, depending on the type of point of sale system. Some point of sale systems with this technology generate mock values that more or less match the original data’s format.
Payment card data is often formatted into tokens at the same length of the primary account number associated with the payment card. A common marker of this system is the characteristic last four digits of a payment card seen near the bottom of receipts.
Both token and original data are respectively stored within the receiving system and secure tokenization system, and the original data is often mapped back to the token for payment authorizations conducted using the token itself.
Data Tokenization, End-to-End Encryption and POS
One of the key mechanisms of action at a point of sale is a credit card swipe. The customer swipes their card at the point of sale to pay for their transaction.
The main mechanism of action takes the credentials (card number) from the customer’s credit card via the POS magnetic stripe, accessible from the terminal. From that point, the now tokenized financial data travels to a financial processor (usually a bank) to authorize the transaction, to which the customer is able to purchase their goods or services.
Behind this mechanism of action, however, is a critical flaw. Many traditional and modern POS systems lack what’s known as end to end encryption.
End-to-end encryption (E2EE) is a type of digital communications paradigm of uninterrupted data protection between two parties. Its main mechanism of action involves the first party encrypting the data, so that only the second party can decrypt and eventually process that information. No third parties are involved in the exchange.
The main purpose of E2EE is preventing other parties from discovering, tampering or hijacking data transmissions between two consenting parties. Nowadays, many Internet application service providers, such as email providers, have implement or will implement E2EE within their current infrastructure.
E2EE will play a large role in fortifying current security measures used in POS systems.
The theorized mechanism of action would depict the direct encryption of a credit card number through the magnetic card reader. From that point, the tokenized data would be sent through the POS terminal and to a financial processor for authorization. Only the participating parties would have access to the transferred data and the transaction itself.
The main purpose behind adding on E2EE functionality to current POS systems is the fact that many are unprotected when it comes to data transmission. Data tokenization isn’t enough to keep sensitive financial data to both parties at once.
Malware for POS systems actually exists. Utilizing end-to-end encryption would, theoretically, prevent most POS systems from experiencing security issues found in those without such security measures.