
> Interested in exactly when it becomes impractical

A couple of examples where the Stripe model and scale of tokenization breaks down today:

- You're an airline and you need to have a digital wallet that stores payment details so you can buy your ticket on web, upgrade your seat on mobile, and buy a drink in-flight using the flight attendant's POS device

- You sell a product at high risk of chargebacks that is not permitted by the major tokenization providers' terms of service (there are some surprises here that rule out several Fortune 100 use cases!)

- You're a $10B+ retailer where the difference between a 2.9% payment processing cost and a 1.6% payment processing cost pays for an entire team of people to focus on minimizing processing costs by routing different payments to different gateways depending on fees (e.g. American Express goes one place, Visa goes another)

Now: if you are a mom-and-pop scale DTC shop selling only via web, you should probably be taking advantage of tokenization instead of storing credit card data yourself!

The PCI-DSS council does give guidance on how you handle credit card information securely when you cannot use a tokenization approach, and a lot of it boils down to what we'd consider foundational software engineering practices. (Don't let engineers have access to production data! Rotate your credentials periodically! Log events and maintain those logs so they can be audited!) It does increase your costs, complexity, and talent needs but it's also not an antipattern and there is relatively straightforward guidance on how to do so securely.
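As an added illustration of two points in the comment above (fee-based gateway routing, and keeping card numbers in a single access-restricted vault with an audit trail), here is a small example that is not part of the original comment or of any real payment product. The gateway names, fee rates, card brand prefixes and card numbers are all constructed for illustration; real BIN ranges and negotiated rates differ.

```python
"""Added example: an in-process card vault plus fee-based gateway routing.
Nothing here is from the HN comment; fee rates, gateway names and the
brand-detection rules are simplified, constructed values."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed per-transaction fee rates (percent) by gateway and card brand.
# A real schedule comes from the merchant's own contracts.
FEE_SCHEDULE = {
    "gateway_a": {"visa": 1.6, "mastercard": 1.7, "amex": 2.9},
    "gateway_b": {"visa": 1.9, "mastercard": 1.8, "amex": 2.4},
}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before they reach the vault."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Brand from leading digits (simplified; real BIN tables are far larger)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in ("34", "37"):
        return "amex"
    if pan[:2] in ("51", "52", "53", "54", "55"):
        return "mastercard"
    return "unknown"


def cheapest_gateway(brand: str, schedule=FEE_SCHEDULE) -> tuple:
    """Return (gateway, rate) with the lowest fee for this brand."""
    candidates = [(g, fees[brand]) for g, fees in schedule.items() if brand in fees]
    if not candidates:
        raise ValueError(f"no gateway accepts brand {brand!r}")
    return min(candidates, key=lambda c: c[1])


@dataclass
class CardVault:
    """The only component that ever holds PANs; everything else sees tokens.
    In a real deployment this is a separate service with restricted access."""
    _pans: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, event: str, actor: str, token: str) -> None:
        # Append-only record of who touched which token, for later review.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "actor": actor, "token": token,
        })

    def tokenize(self, pan: str, actor: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._pans[token] = pan
        self._audit("tokenize", actor, token)
        return token

    def masked(self, token: str) -> str:
        """Display form: only the last four digits leave the vault."""
        pan = self._pans[token]
        return "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token: str, actor: str,
                   allowed=("payment-service",)) -> str:
        # Least privilege: only the payment service may read a full PAN.
        if actor not in allowed:
            self._audit("detokenize_denied", actor, token)
            raise PermissionError(f"{actor} may not read card data")
        self._audit("detokenize", actor, token)
        return self._pans[token]


def charge(vault: CardVault, token: str, amount_cents: int,
           actor: str = "payment-service") -> dict:
    """Route a charge to the cheapest gateway for the card's brand."""
    pan = vault.detokenize(token, actor)
    brand = card_brand(pan)
    gateway, rate = cheapest_gateway(brand)
    return {
        "gateway": gateway,
        "brand": brand,
        "fee_cents": round(amount_cents * rate / 100),
        "card": vault.masked(token),
    }


if __name__ == "__main__":
    v = CardVault()
    tok = v.tokenize("4111111111111111", "checkout-web")  # constructed test PAN
    print(charge(v, tok, 10_000))
    print(v.audit_log)
```

The merchant's checkout, mobile app and in-flight POS would all hold only the token; the vault's `allowed` list and audit log are what the "don't let engineers touch production data" and "keep auditable logs" guidance looks like in miniature.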
