The credit card industry dropped a bomb on the retail world at the start of 2017 that says that all companies, large and small, will store only tokens for their credit card numbers by the end of 2017. That creates a number of interesting questions. If you can’t store credit card numbers, then just moving the card numbers to another location and storing a token in your operational database only moves the problem from one location to another.

The issue is that encryption, no matter how strong, is only as good as the people who keep the user names and passwords. Encryption has a secondary problem in that if you encrypt the database, even with super-kryptonite proof encryption, once a lost user name and password are used to decrypt it, all the credit card numbers are open to the world.

While working at a client last year I researched the issue heavily. Eventually I found some recommendations by one of the major credit card vendors and created a few open source prototypes in Golang, Spring Boot and OSGi.