One of the protections that a merchant service provider can offer is tokenization. Tokens are used as identifiers, and they don’t have anything exploitable about them. Those protections make each transaction safer, and enable customers to do business with mobile devices, chip cards and new forms of payment.
Tokenization is a highly secure way to accept credit cards, provided that the system exists in an isolated or segmented part of the system. A vacuum, as it were.
Credit card processing companies that rely on tokenization must be designed so that tokens won’t be reverse engineered with any sort of reliability, which is why random numbers are frequently utilized. The token can’t be reverse engineered if a new random number string is chosen for each session, but the token takes the form of a login credential. On the user side, all he or she sees is a login screen followed by an account dashboard.
Behind the scenes, tokens are like masks at a masquerade party. They hide the identity of what’s beneath that mask, but allow everyone to mingle relatively privately. The security controls are like bouncers for that party, looking at each mask to verify it’s allowed to access the data it’s looking for. In this manner, direct attack is quite difficult to pull off. One would need to be able to discover the algorithm used to create the tokens, then duplicate the tokens reliably within that system.
Not an easy task to say the least.