PCI and the Emerging Technologies
November 28, 2009
By Sean Inman, Security & Compliance Professional

In recent months, the PCI Security Standards Council has continued to weigh the merits of what it has deemed “emerging technologies”. The first is end-to-end encryption and the other is tokenization. These two solutions have quickly become the favorites among the emerging technologies.

Tokenization is an attempt to mitigate the risks inherent in storing credit card data. In the same way that end-to-end encryption helps to protect data in transit, tokenization helps to protect data at rest. Because data in transit is increasingly targeted by hackers (and making big headlines), it is easy to overlook the fact that data at rest can be equally prone to theft.

As a process, tokenization replaces credit card data with a unique "token" that acts as a reference pointer to that credit card data. Using this logic, a credit card transaction sends this reference pointer token along the payment chain. At the processing end of the payment chain, the token is verified and the transaction processed, all without having exposed any sensitive cardholder data to the various networks along the payment chain. And because tokens are produced for accounts, rather than for specific transactions, stored tokens can be effectively used for scheduled automatic payments as well.

Because the merchant uses a “token,” rather than real credit card data, and relies on the payment processor to assign that token (and to transmit and/or store card data), merchants relying on tokenization decrease their “scope” relative to PCI compliance, transferring the onus of the most critical aspects of PCI compliance to the payment processor.
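The split described in the two paragraphs above, as an added sketch that is not from the original article or from any processor's API: the processor vault assigns one random token per account and is the only party that can resolve it, while the merchant keeps tokens on file. The class names, the `tok_` prefix, the in-memory storage and the HMAC lookup index are all assumptions made for illustration, as is the merchant forwarding the card number once at enrollment.

```python
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"  # constructed sample input: a widely used test card number

def luhn_ok(pan: str) -> bool:
    """Card-number checksum, so malformed input never gets a token."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class ProcessorVault:
    """Hypothetical processor side: the only place a token resolves to a card number."""
    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)
        self._token_by_index = {}  # HMAC(card number) -> token
        self._pan_by_token = {}    # token -> card number (encrypted at rest in a real vault)

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if index not in self._token_by_index:
            # Random token: a reference pointer, not derived from the card number.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_index[index] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[index]

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

class Merchant:
    """Hypothetical merchant side: keeps tokens on file, never card numbers."""
    def __init__(self, vault: ProcessorVault) -> None:
        self.vault = vault
        self.tokens_on_file = {}  # customer id -> token

    def enroll(self, customer_id: str, pan: str) -> None:
        self.tokens_on_file[customer_id] = self.vault.tokenize(pan)

    def bill(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.charge(self.tokens_on_file[customer_id], amount_cents)
```

Because the token is issued per account, calling `bill` repeatedly for the same customer reuses the stored token, which is what makes scheduled automatic payments work without the merchant holding the card number.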

Tokenization eliminates the need for actual credit card data to be stored or transmitted by the merchant and, in many cases, allows for an easier PCI SAQ process. And with some payment solutions offering both tokenization and end-to-end encryption, the result is an integrated solution that protects data both in transit and at rest.


 

Copyright ©2009 The Compliance Authority, Inc.