Time to make compliance a token gesture?

March 2012

For anyone who does business online, one of the biggest issues is compliance. Making sure that your customers' details are secure can be a burden on even the most sophisticated business. So what's the alternative?

Compliance. It's a word that can cause even the most security-conscious e-tailers to have a pang of anxiety. With businesses of all kinds under a heavy burden to look after their customer data responsibly these days, managing the impact of that can quickly turn into a big cost for the unprepared.

With the advent of the Payment Card Industry Data Security Standard (PCI DSS), it's been more important than ever for businesses to demonstrate that they can be trusted to take care of their customer data. It's for good reason, too - the cost of fraud to UK business in 2011 alone was more than £2 billion according to some reports, and the PCI DSS is about more than just protecting consumers - it's about reducing that impact on bottom lines over the long term, too.

For many businesses, especially those with high transaction volumes or a high percentage of repeat business, the IT infrastructure and resource costs of securely managing customer data can be high. A 2010 insight report by the Insight Security Group at Royal Holloway University Hospital showed that some merchants expected to spend more than £5 million becoming PCI DSS compliant.

While compliance may be costly, simply avoiding storing customer details altogether isn't a solution either. Shoppers will quickly make their feelings known if they're asked to re-enter the same data every time they want to make a purchase, and a slow payment process can quickly lead to them looking elsewhere.

Thankfully, as it so often does, the latest technology is helping to provide an effective solution to this ongoing challenge. Tokenisation, a way of swapping sensitive customer data for substitute, less critical information, is quickly taking off as an ideal solution for organisations that want compliance without the associated costs.

It's a process that's akin to electronic sleight-of-hand. With Tokenisation, sensitive customer data is never actually stored by the merchant. Instead, when the customer enters their payment information, it's diverted to the Tokenisation vendor's secure system and exchanged for the eponymous 'token'.

In the case of WorldPay, that token is a Reference Order Code, 'masked' information that can’t be accessed for fraudulent use but can still be used to authenticate customer payments.

In essence, Tokenisation provides e-tailers with a way of offering customers the same benefits of a single click payment process, without needing to store or transmit sensitive data like credit card details. The customer's profile can be saved in the same way as a normal payment, while their vital data lives somewhere else, ensuring that the business doesn't lose out on the loyalty opportunity.

That's good for business, and not just from a pure regulatory standpoint. Tokenisation actually reduces the overall level of PCI DSS compliance that merchants need to abide by, because their sensitive customer data is stored somewhere else entirely. That quickly translates into savings, with potential reductions in IT infrastructure and management costs.

Tokens offer greater flexibility for merchants, too. Once they're securely stored, they can be processed at a much later date. For anyone offering customised products, staggered purchases, subscriptions or repeat orders, the same token will be valid over and over again. It works the same way for anyone who needs to hold on to customer details for a security deposit, too.
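As an added illustration (not WorldPay's code or API), this Python sketch shows the flow described above: the card number goes to the vendor's vault, the merchant keeps only a random token plus a display mask, and the same token is charged again for a repeat order without the card number ever coming back. The vault class, the token format and the function names are assumptions.

```python
# Added illustration, not WorldPay code: a minimal token vault modelling the
# tokenisation flow in the article. Token format and names are assumed.
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Stands in for the tokenisation vendor's secure system (constructed)."""
    _store: dict = field(default_factory=dict)  # token -> PAN, held only here

    def tokenise(self, pan: str) -> str:
        """Exchange a card number for a random token with no link to the PAN."""
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._store[token] = digits
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        """Authorise a payment against a token; the PAN never leaves the vault."""
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": amount_pence > 0,
                "amount_pence": amount_pence,
                "masked_pan": "*" * (len(pan) - 4) + pan[-4:]}


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """What the merchant stores after checkout: token and last four, never the PAN."""
    token = vault.tokenise(pan)
    return {"token": token, "last4": pan.replace(" ", "")[-4:]}


def merchant_record_is_free_of_pan(record: dict, pan: str) -> bool:
    """Check that nothing the merchant kept contains the full card number."""
    digits = pan.replace(" ", "")
    return all(digits not in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_checkout(vault, "4111 1111 1111 1111")  # constructed test PAN
    print(record, merchant_record_is_free_of_pan(record, "4111 1111 1111 1111"))
    print(vault.charge(record["token"], 1999))  # first order
    print(vault.charge(record["token"], 500))   # repeat order, same token
```

The merchant-side record is the only thing in scope for the merchant; the vault is where the card number, and the bulk of the PCI DSS obligation, actually lives.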

Of course, security works both ways. Just as customers want to know that their information is safe, e-tailers want to know that they're not being defrauded. That's why tokens undergo the same stringent fraud checks as 'normal' payments. WorldPay even makes the same fraud screening tools available as it does for 'standard' payments, allowing customers to fully authenticate and check transactions.

With Tokenisation working across all sales channels - from internet payments to Mail and Telephone Orders - it's little wonder that it’s already proving to be a popular way for businesses to shake off some of the PCI DSS burden.