While the heavily encrypted credit cards being stored in the SalonTouch database are highly unlikely to be decrypted using a brute force attack, SalonTouch wants to keep this from ever being a possibility. As computer technology becomes faster and faster, the time needed to successfully decrypt the credit card data becomes shorter and shorter. Due to this, SalonTouch 10 will no longer be storing heavily encrypted sensitive credit card data.
The purpose of most encryption tools and techniques is to mask the original data so that it can be decrypted at a later time. Encryption uses an algorithm to scramble the credit card information so that the data is unreadable to anyone without the proper key. However, the sensitive card data is still intact, still resides on an internal database, and is therefore a possible vector for attack. While only people with the key can access it, it is possible to “jimmy” the lock by trying every possible key until one works. This is how a brute force attack operates. With enough time, it will get the data out.
Tokenization completely removes sensitive credit card data from a company’s internal networks and replaces it with a unique, generated placeholder, or “token”. Merchants use only the token to retrieve, access, or maintain their clients’ sensitive credit card data. Meanwhile, their clients’ real card data is stored at a highly-secure offsite location with the credit card processor.
Tokens have no meaning by themselves and are worthless to criminals if a company’s system is breached in any way. For example, if a client’s actual credit card number was 8912-1234-5678-9012, the token may be 00008789621546. This token is randomly generated and there is no algorithm to regain the original card number. No matter how fast your computer is, there is no way to figure out what the card number is.
For the merchant, the token is the credit card number, and using tokens does not change a merchant’s payment processing experience. Just like credit cards, tokens can be used for PoS sales, refunds, and recurring payments. They are just far safer for both the merchant and the client than actual credit cards.
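The following is an added illustration of the scheme described above, not SalonTouch code and not the processor’s actual implementation. It models the two sides of tokenization: an in-memory vault standing in for the processor’s offsite store, which is the only place the real card number is kept, and a merchant database that holds nothing but tokens. The token format (14 random digits, like the 00008789621546 in the example above), the reuse of one token per card so that recurring payments work, and the function names are all assumptions made for the example.

```python
import secrets

# Assumed token format: 14 random decimal digits, matching the page's example token.
TOKEN_LENGTH = 14


def normalize_pan(pan: str) -> str:
    """Strip dashes/spaces and check that what is left looks like a card number."""
    digits = pan.replace("-", "").replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits


class ProcessorVault:
    """Stands in for the processor's offsite vault (assumption: a simple in-memory map).

    The real card number is stored here and nowhere else. Because the token is drawn
    from a cryptographic random source, there is no algorithm that maps a token back
    to a card number; the only way back is this lookup table.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        # Assumption: the same card always gets the same token, so the merchant
        # can run recurring payments and refunds against a stored token.
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_LENGTH))
            if token not in self._pan_by_token:  # avoid the (tiny) chance of a collision
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor ever calls this; an unknown token yields nothing."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


class MerchantDatabase:
    """What the merchant's own system keeps: client records that hold only tokens."""

    def __init__(self) -> None:
        self.cards_on_file: dict[str, str] = {}  # client id -> token

    def save_card(self, client_id: str, token: str) -> None:
        self.cards_on_file[client_id] = token

    def contains_pan(self, pan: str) -> bool:
        """Check whether a real card number appears anywhere in the merchant's data."""
        digits = normalize_pan(pan)
        return any(digits in value for value in self.cards_on_file.values())


def charge_card(vault: ProcessorVault, merchant: MerchantDatabase, client_id: str, amount: int) -> str:
    """A recurring charge: the merchant sends only the token; the processor resolves it."""
    token = merchant.cards_on_file[client_id]
    pan = vault.detokenize(token)  # happens on the processor side, never at the merchant
    return f"charged {amount} to card ending {pan[-4:]}"


def run_demo() -> dict:
    """Walk through enrolment and a later recurring charge; returns the interesting values."""
    vault = ProcessorVault()
    merchant = MerchantDatabase()
    # Constructed sample card number, taken from the page's own example.
    sample_pan = "8912-1234-5678-9012"
    token = vault.tokenize(sample_pan)
    merchant.save_card("client-42", token)
    return {
        "token": token,
        "same_token_on_reuse": vault.tokenize("8912 1234 5678 9012") == token,
        "merchant_holds_pan": merchant.contains_pan(sample_pan),
        "charge": charge_card(vault, merchant, "client-42", 45),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the demo is the boundary: the merchant database never sees a card number, the token alone yields nothing without the vault, and a second tokenization of the same card returns the same token so stored-card workflows keep working.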
Removing confidential customer credit card data from their internal networks is one of the biggest reasons why more companies are relying on tokenization. All merchants who accept, transmit, process, or store sensitive credit card data in any fashion must certify that their IT security and business practices comply with 12 rigorous Payment Card Industry Data Security Standard (PCI DSS) requirements.
Many merchants have found tokenization to be less expensive, easier to use, and more secure than end-to-end encryption. Because tokenization removes sensitive cardholder data, rendering it useless to criminals, the liability and costs that merchants often associate with PCI compliance are dramatically reduced. Lengthy PCI DSS questionnaires can be reduced to a few simple questions.