In our industry, topics turn hot and cold in record time. The hot topic this week seems to focus on the safety of using Tokenization as a solution for reducing compliance and security requirements. I found this blog post on StoreFront BackTalk by Walt Conway that poses the question, “What happens to my data if my token vendor goes bankrupt?” Earlier in the week, as part of my ISSA Editorial Advisory Board duties, I reviewed an article that posed some of the very same questions.

Outsourcing the handling of payment data is a critical decision for merchants to consider, and it should not be taken lightly.

Just like any other major decision any company makes, merchants should perform a risk analysis and deep dive into both the solution and the financial viability of the company. I don’t see this as being any different than finding a vendor to supply tokens for 2-factor authentication, purchasing and deploying a SIEM solution, selecting a hardware vendor, or choosing a company to manage off-site storage for you. The only twist to dealing with payment data is that it is the lifeblood of the business.

While I won’t go into the litany of items that companies must consider before taking the plunge, the financial viability of the entity is certainly a concern. Remember to check the liability, confidentiality, term/termination, and indemnity clauses in the contract, and ultimately the ownership of data and SLAs in the event the company becomes insolvent. Provided all of these things are within your risk tolerance and the underlying technology leaves little to no exposure to you as a merchant, then tokenization is a safe way to go.

This post originally appeared on