The Tokenization, PCI and Fraud Prevention Puzzle

Tokenization and Fraud Prevention are complimentary security tactics in any eCommerce environment. Tokenized payment architecture is a necessity to minimize PCI scope, while fraud prevention is a central building block to a safe payment stream.

The way in which these two “close friends” are architected, and implemented goes a long way to determine the success of each. Fraud prevention tools are most effective when ingesting large amounts of transactional details, in order to spot the anomalies and their interconnection. The full raw credit card number is often a key to this data set. Many fraud tools work best with a full card number. Tokenization replaces the full card number. How can this be reconciled in a symbiotic manner, preventing fraud and reducing PCI scope?

The short answer: how you put the puzzle pieces together makes all the difference.

There are several “flavors” which could be selected based upon your downstream fraud prevention data needs. Tokenizing at the browser level (e.g. via iframe), or even a hosted payments page offered by a payment service provider (PSP) have impacts of varying severity on the integrity of the dataset necessary for effective fraud prevention, and your fraud prevention architecture and toolset strategy. Likewise, tokenizing in-line in your payment processing flow through a merchant gateway or merchant acquirer (e.g. Cybersource or Chase Paymentech), or through a service offered by your fraud solution provider (like Retail Decisions, ReD) can add flexibility, but has its trade-offs such as the potential need to expand your PCI compliance scope to specific systems supporting your website. Internally hosted token vaults offer unique fraud prevention capabilities, but have their own unique set of challenges. There are ways to make each “flavor” of tokenization work with fraud prevention, but they vary in complexity and accuracy.

Before your begin down the path of tokenization, or before your select a fraud prevention strategy, first consider the impact one has on other, and select a strategy that works most holistically for your organization. While there are best practices in both spaces, there is no “one size fits all”. Create a secure payments architecture that allows both parts of the band to play their best for you!