Day Four of Five: Rough guide to credit card and PCI issues in travel

NB: This is a guest post by Merchant Link, providers of security and support for credit card transaction and payment systems.

Day Four: Protecting data at rest and data in motion – Tokenization and encryption


As you may have noticed, VISA recently came out with guidelines for tokenization. This is after they already established guidelines for point encryption solutions.

Most believe that this latest guidance is indicative of what we will be seeing in the future from the PCI Security Standards Council.

The use of both tokenization and encryption is necessary to ensure protection of credit card information that is stored as well as information that is in transit.

But first, we must understand how each technology works.

Tokenization is the replacement of a data element (such as a credit card number) with another data element which serves as a reference to the original.

This replacement data element is also known as a token.

This token/reference number is stored in a hotel’s computer systems instead of the real credit card number so that if someone tries to steal the credit card number, all they end up with is a non-actionable token that has no value.

The value of a token is that it cannot be decrypted, derived, cracked, or reverse engineered to discover the original value.
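The tokenization flow described above, as an added example that is not part of the original post or Merchant Link's product: the names `TokenVault`, `store_reservation` and `pms_db`, and the token format that keeps the last four digits, are assumptions made for illustration.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check used to reject mistyped card numbers before tokenizing."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Stands in for the tokenization provider; the only place PANs are kept."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:          # same card -> same token
            return self._token_by_pan[pan]
        while True:
            # Random value, not computed from the PAN, so there is nothing to
            # decrypt or reverse. Last four digits kept for receipts (assumption).
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]       # KeyError for unknown tokens

def store_reservation(pms_db: dict, vault: TokenVault, guest: str, pan: str) -> None:
    """The hotel system records only the token, never the card number."""
    pms_db[guest] = vault.tokenize(pan)

TEST_PAN = "4111111111111111"   # widely used test number, not a real card

if __name__ == "__main__":
    vault, pms_db = TokenVault(), {}
    store_reservation(pms_db, vault, "guest-1001", TEST_PAN)
    print(pms_db)                              # what a thief of pms_db would see
    print(vault.detokenize(pms_db["guest-1001"]))
```

A copy of `pms_db` alone yields only tokens; mapping one back to a card number requires access to the vault, which is where access control and monitoring need to concentrate.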

Encryption, on the other hand, is the process of transforming a data element using an algorithm to make it unreadable to anyone except those who possess the decryption key.

While both have their place, tokenization is more effective at removing data, as the security of encrypted data depends on the strength of the encryption algorithms as well as on secure key management practices.

The best security strategy is a layered one where merchants employ both tokenization (to secure data at-rest) and encryption (to secure data in-flight).

By utilizing both technologies, hotel operators and merchants can reduce the scope of their PCI compliance audits, by ensuring data doesn’t reside in full on internal systems.


About the Writer :: Viewpoints

A founding principle of tnooz was a diversity of viewpoints from across the spectrum. Viewpoints are articles by guest contributors from around the travel and hospitality industries. The views expressed are those of the author and do not necessarily reflect those of the author's employer, or tnooz and its partners.




  1. Scott Franklin

    Good point – we agree that network segmentation is a valuable security practice and tool, and encourage all merchants to evaluate multiple options for securing their networks and protecting their customers’ data. Network segmentation can also reduce the scope of systems that are included in an audit. We favor a multi-layered approach to security and compliance and encourage merchants to investigate tokenization and encryption solutions, as these solutions provide additional security controls beyond those provided by traditional network segmentation and can even further reduce the scope of a merchant’s PCI audit.

  2. Brad Cyprus

    A critical element was omitted from this series! Proper segmentation (splitting up the network so that non-credit card related systems are not able to reach credit card systems) is one of the most important things a merchant can do to keep their network safe. Hotels in particular have numerous systems in play from reservations, room service, point of sale, guest wi-fi, and guest services. However, not all of them need to be interconnected, and even those that do need to communicate with each other should have minimal access for maximum protection. Most hackers gain access to weakly protected systems to see if there is a way to then attack the highly protected credit card system. The bottom line is that if two systems should not communicate with each other, then they should be separated on the network level. It is easy to do, and if it is a challenge for a merchant to accomplish, then there are numerous companies like ours out there which are able to assist in setting up proper security.

