Merchant Security, Tokenization and the
Fairy Tale of Outsourcing PCI

Given the high cost of compliance and the operational risk of non-compliance, merchants are between the proverbial rock and hard place. Merchants are looking at how to mitigate both the cost of compliance and their risk profile. With data breaches, fraud and the scope of PCI compliance all expanding, tokenization of card numbers has emerged as a trade-off-rich approach for merchants.

A new report from Mercator Advisory Group’s Emerging Technologies Practice, Merchant Security, Tokenization and the Fairy Tale of Outsourcing PCI looks at merchant strategies to meet and lower their PCI compliance burden and examines tokenization in great detail.

Based on the findings of this research report, it is Mercator Advisory Group's position that merchants can improve their risk profile and lower PCI compliance costs through third-party storage of card data. That said, choosing the tokenization vendor to provide that service requires careful selection and evaluation of the trade-offs involved.

“Going down the tokenization path requires an eyes-wide-open process to balance PCI compliance cost avoidance against business continuity risk,” comments George Peabody, Director of Mercator Advisory Group’s Emerging Technologies Advisory Service and author of the report. “Not only are there risks with reliance on third party operations, the decision should be made considering the enterprise’s information security strategy and with the expectation that end-to-end encryption of card data may well become a PCI requirement in the future.”

For merchants anxious to change their PCI compliance profile, Peabody states that the growing number of tokenization vendors and the range of delivery models, including those bundled with card processing, give merchants plenty of choices. Tokenization does require, however, varying levels of integration by the merchant, ranging from simple changes to months of recoding line-of-business applications.

Report Highlights Include:

  • As hackers continue to breach the payment network, the average cost per data breach now exceeds $6.65 million.
  • As new attack vectors are identified, the cost of PCI compliance rises in parallel, into the millions per year for large merchants.
  • Tokenization and the outsourcing of card number storage together form a leading technique to limit the scope of a merchant's PCI audit and to shift liability in the event of a data breach, an appealing combination to cost-conscious merchants.
  • Tokenization is available through multiple delivery models and a growing variety of vendors, from licensed software to outsourced providers including card processors.
  • End-to-end encryption may well be the end game recommendation of PCI and, if data breaches continue to plague the payments industry and occupy headlines, that recommendation may become a mandate within two years.
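As an added illustration, not taken from the report or from any vendor it names, the following Python model shows the arrangement the highlights describe: a hypothetical third-party vault is the only system holding primary account numbers (PANs), the merchant's own order store keeps random tokens plus the truncated PAN, and a simple cardholder-data discovery scan (digit runs that pass the Luhn check) confirms the merchant store contains no card numbers. The vault, store and scanner are constructed for this example; the card numbers are industry test numbers, not real cards.

```python
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by card numbers; also filters scan false positives."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical outsourced vault (an assumption, not a named vendor): the
    only system that stores PANs. Tokens are random, letters-only strings, so a
    token reveals nothing about the PAN and never matches a card-number pattern."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # Same PAN -> same token, so the merchant can still recognise a repeat
        # customer without ever holding the card number itself.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (used by the processor at charge time) maps back."""
        return self._pan_by_token[token]


@dataclass
class MerchantStore:
    """The merchant's own order database: tokens and last four digits only."""
    orders: dict[str, dict] = field(default_factory=dict)

    def record_order(self, order_id: str, token: str, last4: str, amount: float) -> None:
        self.orders[order_id] = {"token": token, "last4": last4, "amount": amount}

    def dump(self) -> str:
        """Flat text view, as a cardholder-data discovery scanner would read it."""
        return "\n".join(f"{oid} {o['token']} {o['last4']} {o['amount']}"
                         for oid, o in self.orders.items())


# 13-19 digit runs not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Cardholder-data discovery: Luhn-valid card-number-shaped digit runs."""
    return [m for m in PAN_PATTERN.findall(text) if luhn_ok(m)]


def demo() -> tuple[int, int]:
    """Returns (PANs found in a naive merchant store, PANs found after tokenizing)."""
    # Constructed orders using industry test card numbers, not real cards.
    records = [("o1", "4111111111111111", 19.99),
               ("o2", "5555555555554444", 5.00),
               ("o3", "4111111111111111", 42.50)]
    # Without tokenization the merchant would store the PAN with each order.
    naive_dump = "\n".join(f"{oid} {pan} {amt}" for oid, pan, amt in records)

    vault = TokenVault()
    store = MerchantStore()
    for oid, pan, amt in records:
        store.record_order(oid, vault.tokenize(pan), pan[-4:], amt)
    return len(find_pans(naive_dump)), len(find_pans(store.dump()))


if __name__ == "__main__":
    before, after = demo()
    print(f"PANs in merchant data before tokenization: {before}, after: {after}")
```

The scan is the check a practitioner wants when claiming reduced PCI scope: run it over the merchant's databases, logs and exports, not just the order table. The model also makes the business-continuity trade-off concrete: every charge or refund needs `detokenize`, which only the vault can perform, so an outage at the vendor stops card processing at the merchant.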

One of the 6 Exhibits included in this report:

Third Party Care and Control of Data Contributes Disproportionately to Record Losses

Companies Mentioned in This Report:
Shift4, Braintree Payment Solutions, Merchant Link, Electronic Payment Exchange (EPX), Paymetric, nuBridges, Elavon, Southern Data Comm, Heartland Payment Systems, RBS Worldpay, VeriFone, Semtek, Magtek, Magensa, Hypercom, Ingenico, Hannaford, TJX, Verizon, Oracle and Microsoft

This report contains 28 pages, 6 exhibits and 4 tables.

Members of Mercator Advisory Group have access to these reports as well as the upcoming research for the year ahead, presentations, analyst access and other membership benefits. Please visit us online at

For more information and media inquiries, please call Mercator Advisory Group’s main line: 781-419-1700 or send email to

Mercator Advisory Group is the leading, independent research and advisory services firm exclusively focused on the payments industry. We deliver pragmatic and timely research and advice designed to help our clients uncover the most lucrative opportunities to maximize revenue growth and contain costs. Our clients range from the world’s largest payment issuers, acquirers, processors, and associations to leading technology providers.