What Is Credit Card Tokenization?
While tokenization in the payment security space may be relatively new, evolving, and even somewhat complicated, the concept of substituting one bit of information for another to protect something is anything but new. Tokenizing protects sensitive or personal data by replacing it with a “token” — a code word, essentially, though that might be oversimplifying the matter. Because the token is a substitute for the actual data, it holds no value if intercepted by fraudsters. You would need a way to decode the token in order for it to have any value.
In this post, we are going to focus on credit card tokenization, but you should also know that tokenizing other types of highly sensitive data like social security numbers and personal records may become commonplace across markets — and very soon.
But back to the payment industry. As of late, the idea of tokenization is typically linked to digital wallets like Apple Pay and Android Pay, and for good reason. But there are many implementations of tokenization technology including:
- Card-on-file subscription billing
- One-click checkouts on eCommerce sites
- In-app payments
- All NFC mobile wallets (contactless payments)
Whether you are a brick-and-mortar shop wanting to implement contactless payment options for your customers, you have an online shop, you use an app to support your business, or you have regulars you know and love, you could start taking advantage of credit card tokenization.
And if you’ve bought anything via those methods listed above (who hasn’t?) in the last couple of years, the chances pretty good that your data was tokenized. So what is tokenization?
Table of Contents
When we define tokenization, it’s worth mentioning that while the main crux of the matter is consistent, no one-size-fits-all definition is universally accepted among the big payment security organizations like PCI and EMV. However, here is a simplified version, as given by the PCI Council, that gets to the heart of the matter:
Tokenization is a process by which the Primary Account Number (PAN) is replaced with a surrogate value called a token.
When we look at the PAN, which is the actual account number on your credit card, remember that other sensitive pieces of data connect to it — including your personal information and expiration date of the card. When we tokenize, we place all of that information farther from merchants, cashiers, and other players in the payment process. And because the data is no longer recognizable in its token form, we protect it across the payment process. A token’s life can be for just one interaction to get coffee, or a store could tokenize payment data for a specific customer for a limited amount of time.
Also, notice in the definition I shared in bold above, that there is no defined “how,” because it depends on how you implement the tokenization process and what application your business needs. Here are a few examples to help shed some light on how sensitive data gets tokenized.
How The Account Number Gets Tokenized
There are two ways to tokenize data: partial or total. They each have their advantages but may not be right for all situations.
First up, let’s talk about partial tokenization. In some cases, the middle six digits of a customer’s credit card get replaced with a token. The first group of numbers doesn’t get tokenized so that the processor knows what type of card they are dealing with (Visa and Mastercard have unique identifying numbers). Additionally, the last four digits of the PAN also remain intact for customer reference. This type of partialized tokenization is also backward compatible, meaning the token has the same amount of numbers as the real PAN. It “looks like a real card and acts like a real card” when a merchant enters it into their own POS system. If a merchant wants to tokenize data and keep their legacy system, this is one way to do it.
The other way to tokenize the PAN is to completely randomize all of the numbers. All of this is done by a third-party, and may include vault storage to keep the payment card data. In either case, the same general thing happens in a sale; the tokenized number is de-tokenized and matched with the real card data. More on that below.
What Happens During A Tokenized Sale?
When it comes time to process a payment, whether that is through an eCommerce site, an app, or a mobile wallet, the payment processing steps are generally similar. Here is a simplified process for your perusal below.
- The customer initiates payment for a product or service.
- Next, the merchant sends the token to the acquirer.
- Acquirer routes the token to Visa’s network.
- Visa sends a token to the card issuer.
- Issuer returns token and authorization.
- Viola! A sale is complete.
Check out the screenshot below for a visual example of tokenization, courtesy of Visa’s Infographic, How Tokens Are Used.
As we’ve discussed, tokenization relies on a completely random, traceless value as the surrogate. This process is unlike encryption which relies on a mathematical algorithm. Let’s take a look at how tokenization and encryption compare.
Tokenization vs. Encryption
Tokenization and encryption are similar in that the data is “hidden” from would-be interceptors, but the process of each is totally different. In tokenization, the customer data gets replaced with a token — a completely random number. In tokenization, typically a vault stores all of the actual data on a “table.” After de-tokenization, this random string of digits (sometimes alphanumeric) are matched up with the real account. The main takeaway here is that the token gets passed to the merchant and eventually back to the table, without exposing the real payment card information to the merchant.
With encryption, the payment card information runs through an algorithm, a mathematical process, to transform the original data into something indecipherable until unlocked with the “key” during processing. Since the process isn’t randomized, the algorithm is somewhat vulnerable to hackers trying to crack the code.
In short, encryption is mathematically reversible, and tokenization is not. Additionally, encryption is not a complete, end-to-end security method, like tokenization. Payment processing costs can be a bit higher with encryption as it requires more computational power (e.g., rotation of “keys”) than tokenization throughout the payment processing cycle.
Considering The Pros & Cons
While tokenization can be cheaper to implement per transaction than encryption, and it isn’t mathematically reversible, there are some issues to consider. Because vaulted tokenization requires central management, there is a lot of pressure to maintain a wholly secured vault (however, sometimes the issuer (e.g., Visa) hosts the vault, too).
Additionally, tokenization does significantly reduce PCI scope for merchants, meaning there is less pressure on the merchant for payment security overall. That means less work for you to do in order to remain PCI compliant. While encryption is a generally accepted security measure, it does not do anything to reduce your PCI scope or lessen the work you must do to stay PCI compliant.
However, tokenization is still a relatively young whippersnapper in the world of payment security. Encryption has been around for a while, and consumers regard it well. But tokenization has become more attractive to those who understand that the payment security industry must stay a step ahead.
Tokenization’s Protective Role In Payment Processing
There are a few ways that tokenization protects information during payment processing. As mentioned before, customer data is made useless to a would-be interceptor because it’s no longer the actual information; it is a token that substitutes the actual data. The other way that tokenization protects data is that in the case of digital wallets, the credit card number isn’t stored on the customer’s device, either. That means thieves can’t retrieve credit card numbers from a phone, tablet, watch, or connected device when a customer and a merchant utilizes a digital wallet.
As the payment security industry evolves, we’ll continue to move further away from sharing a physical card and any identifying information that comes with it. Tokenization successfully separates our sensitive data from the transaction by taking the physical card out of the equation entirely, and it does this by tokenizing parts or all of the credit card number.
Because tokenization also removes the merchant from the equation when it comes to transmitting highly sensitive data, it also significantly reduces a merchant’s risk to fraud — from both internal and external threats. That being said, there are some things to consider depending on how you implement tokenization.
How Can Merchants Adopt Tokenization?
There are several ways that you can adopt tokenization into payment processing for your physical, eCommerce shop, or your mobile app! The simplest way for the brick-and-mortar shop to tokenize payments is to get a contactless, NFC-capable reader. Mobile wallets already tokenize the data so as long as you can accept payments from these mobile wallets without having to do anything yourself. As far as tokenizing other transactions, you can ask your existing payment processor about tokenization options for your POS. If you are an eCommerce shop or you have an app, Mastercard and Visa both offer solutions, too.
Mastercard offers a free, optional service called Digital Secure Remote Payment (DSRP), and all you need to do is contact your acquirer to see if they support DSRP, and then integrate the mobile app with the digital wallet partner. You can also look into the Visa Developer Platform — a program offered by Visa where their team works with you to create your mobile payment application with Visa Token Service SDK.
Sometimes, there is more to the whole tokenization shift than patch-on solutions, however. If your business has a tremendous legacy system with other data to consider, a more complex, third-party solution may be necessary. While we won’t get into all the nitty gritty in this post, here are a few things to consider below.
Companies Specializing In Tokenization
If you inherently deal with sensitive information as a part of your business model and you need to create a custom solution, you will need to find a PCI compliant company with a trustworthy, highly secure tokenization method and vault. Here are some things to ask:
- How are tokens randomized? How protected is the “key” that de-tokenizes?
- Is a reversible algorithm used? If so, how protected is that software?
- And ultimately, how protected is the table holding the data and the vault protecting it?
While it becomes a bit more tricky to ensure that all of the right security measures are in place, tokenization can still reduce your risk as a merchant and help protect data from a breach. However, you’ll need to ensure due diligence when it comes to new or legacy systems. The PCI Council says it best in the PCI DSS Tokenization Guidelines Document:
Tokenization solutions can vary greatly across different implementations, including differences in deployment models, tokenization and de-tokenization methods, technologies, and processes. Merchants considering the use of tokenization should perform a thorough evaluation and risk analysis to identify and document the unique characteristics of their particular implementation, including all interactions with payment card data and the particular tokenization systems and processes.
Do You Need Tokenization To Process Credit Cards?
Keep in mind that at this point, there are no hard and fast rules as to exactly how to implement tokenization, so if you are a merchant, the ball is in your court to make the best decision for your business needs. That being said, tokenization can significantly reduce the merchant’s liability when it comes to payment security. And keep in mind: You don’t have to carry the burden of tokenization yourself. There are ways to utilize the expertise of other companies and hardware to get the job done. If your business is just looking to improve payment processing and you don’t need or want to store sensitive payment card or personal data, using the solutions discussed in this post provide a much simpler way to navigate tokenization.
While it’s not mandatory — and is undoubtedly flexible in implementation –, tokenization remains one of the fastest growing ways to keep data more secure and shift the risk of fraud away from the merchant while protecting the transaction from end to end.