The Ultimate Guide to Credit Cards
Tuesday, July 23, 2024

Vaultless Tokenization Streamlines Payment Security by Putting Merchants in the Driver’s Seat

How Vaultless Tokenization Streamlines Payment Security
Mike Senecal

Written by: Mike Senecal

Mike Senecal
Mike Senecal

Mike Senecal draws on more than 20 years of editorial experience to update CardRates.com readers on industry trends, business news, and best practices in budgeting and credit use. Mike has worked for decades in academic and trade publishing, including roles as managing editor and technical editor at the University of Florida and as contributor to finance industry publications, including Surety Bond Quarterly and Independent Agent, among others. Mike holds bachelor’s and master’s degrees from the University of South Carolina, and he enjoys bringing his years of academic and industry expertise online to help consumers of diverse financial backgrounds.

See full bio »

Edited by: Lillian Guevara-Castro

Lillian Guevara-Castro
Lillian Guevara-Castro

Lillian Guevara-Castro brings more than 30 years of editing and journalism experience to the CardRates team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct journalism instructor at the University of Florida. Today, Lillian edits all CardRates content for clarity, accuracy, and reader engagement.

See full bio »

Our experts and industry insiders blog the latest news, studies and current events from inside the credit card industry. Our articles follow strict editorial guidelines.

In a Nutshell: Merchants of all sizes face many options in today’s payment processing industry. But some choices are more future-focused than others. As a payment security provider with a decades-long legacy, Bluefin helps merchants avoid processor lock-in and preserve optionality through its innovative ShieldConex Tokenization Platform. ShieldConex encrypts data for local storage to lower costs, provides fast PCI compliance, and links merchants, software providers, and payment processors in a seamless web through the ShieldConex Proxy Service. Bluefin protects payment data for more than 35,000 connected companies in 59 countries worldwide.

Today’s internet is very different from what it was in 2002 when Ruston Miles founded Bluefin, a payment gateway based in Tulsa, Oklahoma.

In the wake of the dot.com boom and bust of the late 1990s, Bluefin arose as stakeholders sought to understand the new medium’s strengths and weaknesses and rectify its shortcomings.

Those were many, but Bluefin was among the companies that demonstrated a positive case for online payment processing.

Miles and his colleagues had observed contact and fulfillment centers in the Midwest taking hundreds of thousands of credit card orders by phone and processing them nightly.

Declines of 20% to 30% forced the companies to play cat and mouse with customers and cancel orders. Using the internet to facilitate real-time authorizations through Bluefin was an example of innovation for the greater good.

Bluefin logo

“Instead of being a payment-driven process, it was an order-driven process,” Miles said. “That was where I got into it — using eCommerce to help real businesses.”

As merchants evolved away from client/server eCommerce models into the cloud, Bluefin built relationships with independent software vendors and others interested in integrating payment services on a robust platform.

Direct merchant outreach and partnerships led to niches in point-of-sale and practice, legal, and case management. Bluefin continued to grow organically and through the M&A process.

Miles sensed an inflection point for payment security as acceptance of digital payments grew more widespread in the 2010s. The famous Target breach of 2013 underscored his concerns as if on cue.

Bluefin then became the first payment gateway in North America to introduce a point-to-point encryption (P2PE) solution. Since 2014, Bluefin’s ShieldConex Tokenization Platform has provided advanced security for payment data through an innovative vaultless gateway methodology and its ability to integrate with all payment processors through the ShieldConex Proxy Service.

“ShieldConex brought us upmarket to some of the largest brands in the country,” Miles said.

ShieldConex Works With All Processors

Vaultless tokenization gives Bluefin its staying power. The name is a response to the vaults that were the centerpiece of the industry’s first tokenization solutions.

The need arose when consumers entered payment data, Personally Identifiable Information (PII), Protected Health Information (PHI), and ACH account data.

Storing it unencrypted was an invitation to hacking (as the Target breach attested) and even internal security threats stemming from too-broad access.

The first vaults encrypted and centrally stored the data, returning a token to provide later access to the merchant or other data holder.

The problem is that the vault model is costly and impractical. Merchants pay an entry fee every time they put a new piece of information in the vault, but they also pay a rental fee for the aggregate.

Ruston Miles
Ruston Miles is the Founder of Bluefin.

Data unused for weeks, months, years, and even decades contributes to the rental fee cost.

“What that means is you’re constantly trying to work out what to keep and discard because your vault costs just go up and up,” Miles said. “If you’ve been in business for ten years, you’re paying hundreds of thousands monthly for vault data you don’t need as often.”

Bluefin’s vaultless solution dispenses with that. Instead of storing encrypted data centrally, Bluefin encrypts it and sends it back to the merchant or provider.

The key stays with Bluefin with an agreement to decrypt it on demand. It works with any processor — and Bluefin works with all of them.

It may seem a relatively insignificant detail to a nonexpert, but vaultless tokenization makes all the difference. It solves the same technical problem without the commercial rental issue impacting costs. It’s highly efficient, and de-encryption is speedy.

Meanwhile, ShieldConex tokenization addresses the PCI DSS requirement to protect cardholder data “at rest.” Bluefin’s encryption keys reside safely in robust hardware security modules. Format-preserving tokenization preserves the structure of the data to ensure it remains compatible with legacy management platforms.

“And that’s the future of tokens,” Miles said.

Managing Data Storage for Merchants and Providers

Bluefin doesn’t store data; merchants hold it. Its core business is a service that pledges to send unencrypted data back to merchants on request.

The model is appealing to merchants not just because of cost savings but because it prevents processor lock-in. Enterprise and SMB merchants alike appreciate that Bluefin allows this freedom.

The problem has arisen because the role overlap and business model convergence prevalent in the modern payment industry means providers often hold merchants’ tokens in proprietary walled gardens.

They may provide tokenization and encryption for free, but they require fees and a time-consuming export process to make the data available should the merchant decide to switch processors. Whenever there’s lock-in, switching costs go up.

ShieldConex Proxy Service
The ShieldConex Proxy Service bridges the gap between merchants and providers.

“You think it’s time to leave for technology or pricing or service reasons, and they’re like, well, you don’t get your tokens back,” Miles said. “Bluefin protects merchants from processor overactivism and lock-in strategies.”

The ShieldConex Proxy Service delivers the antidote. The service positions Bluefin between merchants and processors and allows merchants the freedom to switch or add new payment partners at will.

In many lock-in scenarios, processors insert subtle fee-increase provisions in contracts to extract progressively more revenue from the deal until the merchant can get out of it.

Processors that do this are typically optimizing for margin. The merchant service experience declines with optionality. Merchants are stuck with a potentially harmful deal.

Some may resort to legal action, but many merchants suffering from processor lock-in choose to live with the problem because it costs more to leave than to endure it. Negotiating may result in some relief, but not enough to justify the onerous deal.

Merchants and providers never see the detokenized, unsecured data with the ShieldConex Proxy Service — Bluefin pulls the token out of the communication stream and replaces it with sound data. Merchants can deploy multiple processors with the same tokenization solution.

“We’re one of only a couple companies in the world that I’ve seen do this,” Miles said.

Broad-Based Protection, Optionality, and Flexibility

In a 2024 article, “Don’t Lose the Key to Your Data Vault,” Miles explained the value of processor optionality for enterprise merchants and SMBs, emphasizing the security and company valuation benefits of payment data ownership.

The benefits are clear for enterprise merchants. Working with a third-party gateway with a vaultless tokenization model lets companies choose between processors in a dynamic marketplace.

Enterprise merchants have the resources and scale to work with Bluefin directly. Firms with global reach may need multiple processors. Bluefin makes switching easy.

However, much of Bluefin’s outreach to SMB merchants happens through third-party software providers that may not appreciate the advantages of the Bluefin model. Miles argues that providers with an open model are more appealing to investors and potential M&A partners.

“The data at stake is too important to let go so freely,” Miles stated in the article. “SaaS companies should . . . migrate to a third-party tokenization provider when the opportunity allows, which secures stronger investment options and less potential valuation reductions.”

Therefore, Miles calls on small merchants to seek enterprise-level protection, optionality, and flexibility by choosing software platforms that use vaultless platform technology.

In essence, software companies connecting to Bluefin provide an enterprise-level solution to small merchants. Those merchants receive the benefits without building and managing a proprietary infrastructure.

Bluefin provides extensive support resources to ensure all customers get the tools they need to operate optimally. A resource center provides a blog, whitepapers, webinars, case studies, and videos to explain the model’s value.

“Enterprise merchants view us as an obvious choice, and that’s why they like us,” Miles said. “Software guys, it’s in your best interest to do it this way — that’s how you can help small merchants succeed.”