If you offer EFT memberships, you already know how valuable the EFT revenue is to the success of your business. Consider the scenario where your EFT revenue drops to zero. For my salon chain, that would be disastrous.
EFT requires the ability to bill your members on a monthly basis, and therefore you need their credit card information. Due to fraud, the PCI Compliance requirements are becoming increasingly complex. To address this issue, merchant providers are moving towards a tokenization-based approach to minimize data breach situations.
The idea of tokenization is simple. Instead of saving actual credit card numbers, which can be compromised, you store only a digital key that represents the card. A digital key is a fancy name for a number that represents the card but is different from the card. When you want to charge the card, this digital key is sent electronically to the merchant, and they charge it on your behalf.
The bulk of PCI Compliance becomes the bank’s responsibility with tokenization. It is for them to ensure that the credit card numbers are stored in a secured environment with no access to actual card numbers. If your key is stolen, it is of no value to the thief and they cannot do anything with it.
Great idea; however, here is the problem. What if you are not satisfied with your current system? What if you are not happy with your credit card processing rates? What if new fees magically appear on your statements unannounced? What if you lose all the chargebacks, even when you presented all the documentation? To add to your misery, you pay the chargeback fee even when you win the dispute. What if you were planning to sell your business in 2 years, and the potential buyer of your salon uses their own software and merchant bank?
How valuable would your business be without EFT? Can you take your EFTs with you if you change your software and your merchant?
If the answer is no, then think hard. Tokenization solves the problem of security, but creates a bigger problem. It puts you, the business owner, between a rock and a hard place: stick with the current providers that are not helping your business's bottom line, or start over fresh on your EFTs.
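The lock-in described above, as an added sketch that is not from the original article or any real provider's API. The `Processor` class, the merchant IDs, and the rule that a token only works for the merchant it was issued to are assumptions made for illustration.

```python
import secrets


class Processor:
    """Hypothetical merchant provider: keeps the card numbers, hands out tokens."""

    def __init__(self, name):
        self.name = name
        # token -> (merchant_id, card number); this mapping never leaves the provider
        self._vault = {}

    def tokenize(self, merchant_id, pan):
        # The token is random, so it cannot be reversed into the card number.
        token = secrets.token_hex(16)
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, token, cents):
        entry = self._vault.get(token)
        if entry is None:
            return "declined: unknown token"
        if entry[0] != merchant_id:  # assumed rule: tokens are bound to one merchant
            return "declined: token belongs to another merchant"
        return f"approved: {cents} cents on card ending {entry[1][-4:]}"


def demo():
    bank_a, bank_b = Processor("A"), Processor("B")
    pan = "4111111111111111"  # constructed sample: a well-known test number, not a real card
    token = bank_a.tokenize("salon-001", pan)
    return {
        # The only card data the salon's own system holds.
        "salon_db": {"member-17": token},
        # Monthly EFT billing works through the provider that issued the token.
        "monthly_charge": bank_a.charge("salon-001", token, 4900),
        # A thief who copies the salon database cannot use the token elsewhere.
        "stolen_token": bank_a.charge("thief-999", token, 4900),
        # After switching providers, the same token means nothing to the new one.
        "after_switch": bank_b.charge("salon-001", token, 4900),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The last result is the problem in miniature: the salon holds nothing that the new provider can bill against, so every member would have to hand over their card again.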
So how do you choose between having your credit card data secure, and being able to change your software or merchant when you want to?
The answer lies in a hybrid solution that offers the best of both. Get the benefits of tokenization technology, but also be able to retrieve the credit card data when needed. This solution entails charging the cards via tokenization, but allows you to retain an encrypted copy of the data in a secure electronic vault that only you have access to. This dramatically reduces the risk and exposure because you are still using tokens to charge the cards, but should it be necessary to retrieve the actual card numbers, you have that capability.
This solution can even co-exist with your current software or merchant in many cases. If you are not ready to change things up just yet, but want to stay prepared for it, this might be the right solution for you.
So, who owns the key to your data?