The State of Credit Card Security in the Gift Industry
The Gift and Home industry is increasingly under siege from credit card fraud. There are numerous points in the supply chain at which credit cards are vulnerable to theft. In response to this challenge, Agency Software companies have taken steps to guard against compromise through a process known as “tokenization”. The purpose of this white paper is to keep SYNQWARE vendors abreast of these steps.
Here’s how it works in token-based systems such as Pharos, RepZio/ShopZio, Aleran, RepTime, and Ribbon:
When an order is placed with a rep, the rep does not enter the credit card directly into the order-writing software. Instead, they open what is called an “iFrame” and enter the credit card directly with the payment processor for that vendor.
The credit card then makes its way to the payment processor for that particular vendor: for example, Authorize.Net, Chase Paymentech, or Stripe.
The payment processor receives the raw credit card data, and returns a “token” which is specific to that vendor and that transaction.
This token is then transmitted from the Agency Software to the vendor, to be settled once the order has shipped.
It is crucial to understand the difference between a “token” and a “raw credit card”. If a raw credit card is stolen, the thief can use that credit card to purchase whatever they wish, wherever they wish, on an ongoing basis. A token, being specific to a transaction and a vendor, can only be used to pay that vendor for that transaction. It cannot be used to purchase goods elsewhere, and it cannot be used again once it has been charged. Thus, thieves typically don’t invest much effort in stealing tokens.
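The token properties described above (bound to one vendor and one transaction, unusable once charged) can be modelled in a few lines. This is an added illustration, not code from any of the products or processors named in this paper; `ToyProcessor`, `build_order`, the `tok_` prefix and the vendor and order identifiers are all hypothetical, and a real processor authenticates the vendor with merchant credentials rather than a plain string.

```python
import secrets


class ToyProcessor:
    """Constructed stand-in for a payment processor's token vault (not a real API)."""

    def __init__(self):
        self._vault = {}  # token -> record; the raw card number lives only here

    def tokenize(self, card_number, vendor_id, order_id):
        """Reached from the hosted iFrame: card goes in, an opaque token comes out."""
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the card
        self._vault[token] = {"card": card_number, "vendor": vendor_id,
                              "order": order_id, "charged": False}
        return token

    def charge(self, token, vendor_id, order_id, amount_cents):
        """Settle a token. Returns (ok, reason)."""
        rec = self._vault.get(token)
        if rec is None:
            return False, "unknown token"
        if rec["vendor"] != vendor_id:
            return False, "token belongs to another vendor"
        if rec["order"] != order_id:
            return False, "token belongs to another transaction"
        if rec["charged"]:
            return False, "token already charged"
        rec["charged"] = True
        return True, f"charged {amount_cents} cents, card ending {rec['card'][-4:]}"


def build_order(processor, card_number, vendor_id, order_id, amount_cents):
    """What the order-writing software sends the vendor: a token, never the card."""
    token = processor.tokenize(card_number, vendor_id, order_id)
    return {"vendor": vendor_id, "order": order_id,
            "amount_cents": amount_cents, "payment_token": token}


def demo():
    p = ToyProcessor()
    card = "4111111111111111"  # constructed sample input (common test number)
    order = build_order(p, card, "vendor-A", "order-1001", 25000)
    tok = order["payment_token"]
    return order, [
        p.charge(tok, "vendor-B", "order-1001", 25000),  # presented by another vendor
        p.charge(tok, "vendor-A", "order-9999", 25000),  # wrong transaction
        p.charge(tok, "vendor-A", "order-1001", 25000),  # legitimate settlement
        p.charge(tok, "vendor-A", "order-1001", 25000),  # replay after charge
    ]
```

Calling `demo()` returns the order payload, which carries no card number, together with the four charge outcomes: only the third attempt succeeds.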
The good news is that Pharos, RepZio, Aleran, RepTime, and Ribbon have been extremely proactive in implementing tokenization and API encryption for all of their agencies and all of their vendors. When orders are transmitted to the vendor, through SYNQWARE or through any other delivery system, what travels with the order is a TOKEN, not a RAW CREDIT CARD NUMBER. That eliminates the possibility of a raw credit card number being stolen along with the order.
What follows is a summary of steps taken by the leading Agency Software companies to guard against credit card fraud.
ALERAN (API-based): ALERAN utilizes a secure point-to-point encrypted API, precluding the need for unencrypted data files. There are no files involved in the delivery process.
PHAROS (token-based): There is some initial setup involved to create the “handshake” between the vendor’s payment processor and the rep software. This is common to all token-based agency software systems. Pharos has built out integrations to over sixty payment processors, meaning that no Pharos vendor ever needs to receive a raw credit card.
REPZIO (token-based): RepZio / ShopZio integrates securely with many payment processing gateways via their secure gateway, and then stores the returned credit card tokens for future use. A tokenized version of the credit card can then only be processed by the vendor through the payment provider, ensuring a secure, PCI-compliant transaction.
RIBBON (token-based): Ribbon uses a card vaulting API to tokenize credit cards for over 40 supported gateways. Very little setup is required for the handshake if vendors use one of the supported gateways. Ribbon uses Stripe as the default built-in gateway, enabling lower processing fees to vendors.
REPTIME (token-based): RepTime similarly works with a gateway that interacts with all major processors, allowing vendors to use any processor covered by that gateway.