What Is Credit Card Tokenization and How Does It Work?
30 March, 2021
The rapid growth in digital payments presents an array of challenges for eCommerce merchants and other retailers when it comes to safeguarding the credit card data they store. Credit card tokenization is the way ahead, making the storage of payment information easier and more secure.
Digital transactions are ubiquitous these days. Everywhere you look, consumers are opting for payment via debit/credit card, and businesses are supporting a variety of digital payment methods. But what seems easy and fast to consumers requires a lot of data storage and processing in the backend. To achieve the necessary security, many companies turn to credit card tokenization.
This relatively new phenomenon is gaining wider traction among payment processing companies, merchants, and online retailers. In this article we will define payment tokenization and give you the lowdown on how it works, as well as looking at the different payment tokenization methods that can help your business from both a cost and operational perspective.
According to the statistics, the tokenization market is expected to be worth $4.8 billion by 2025.
Tokenization is a term that came into use in the 1990s to define the process of replacing sensitive data with non-sensitive data. The concept quickly found a key role in the financial services industry, where payment providers started using it to safeguard a card’s PAN (number) by replacing it with a unique string of numbers.
The payment token is the result of this string, generating a secure identifier from a PAN. Because payment tokens are automatically issued in real-time, they are convenient for use in predefined domains and/or payment environments. They are widely used in eCommerce, because they can be merchant-specific, as well as in third party payment processes and other applications.
For all tokenized payments, the PAN is substituted by a token while a payment transaction is being performed. Because the PAN itself is not transmitted during the transaction, the payment is more secure. It’s primarily as a security measure that payment tokenization demonstrates its value to businesses. The PAN is never compromised, leaving little possibility that the token can be used for fraudulent activity. Even if payment tokens are accessed in a data breach, they are inherently worthless, and deciphering them would be nearly impossible.
How does credit card tokenization work?
Credit card tokenization begins as a regular credit card transaction. The process is the same up to the moment of submitting the credit card information at checkout.
Sometimes, at the time of transaction, users want to store the card for future use, which can be achieved via tokenization. In addition to processing a credit card upfront, it’s also possible to tokenize a card for other purposes. This is commonly done when someone signs up for an online service with a free trial period. In these cases the customer fills in their credit card number at sign-up and creates a token that can be billed later. Thus a $0 transaction is initially processed as a “verify request”. Behind the scenes, the payment processor will contact the issuing bank to ensure the card is valid, without charging the card itself.
Only after a card is confirmed to be valid, can it be tokenized. The token that is created is a number linked to that specific credit card. It is not the credit card number itself but rather an unrelated reference number for that credit card. The company that is tokenizing the credit cards knows which token number refers to which card.
Any time the card is billed in the future, it is the token number that is referenced. The merchant is therefore storing credit card numbers without retaining the sensitive information on their system.
Steps to credit card tokenization
Here is what happens when a card is tokenized in the course of a transaction.
- 1. The customer signs up for a service or a product on a website and fills in their personal information, including their credit card number, expiry date, and CVV number.
- 2. The card details pass through a verification process to ensure they are valid. A payment processor authorizes an initial transaction from the card to confirm its validity.
- 3. The customer receives confirmation and authorization from the merchant.
- 4. A token for the credit card number is created and stored in the merchant’s database.
- 5. The token is used in all future transactions when that credit card is presented.
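The five steps above, as an added example that is not part of the original article: a minimal token vault that verifies the card (a Luhn check stands in for the processor's $0 verify request), issues a random merchant-specific token, and lets the merchant keep only that token. The merchant names and the card number (the standard Visa test number) are constructed sample values.

```python
import secrets
import string

TOKEN_ALPHABET = string.ascii_uppercase + string.digits

def luhn_valid(pan: str) -> bool:
    """Stand-in for the processor's $0 'verify request' (step 2): reject numbers
    that fail the Luhn check. The real check also contacts the issuing bank."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """The separate vault: the only place the token <-> PAN relation exists."""
    def __init__(self):
        self._pan_by_token = {}   # (merchant, token) -> PAN
        self._token_by_pan = {}   # (merchant, PAN) -> token

    def tokenize(self, merchant: str, pan: str) -> str:
        """Step 4: issue a random, merchant-specific token for a verified card."""
        if not luhn_valid(pan):
            raise ValueError("card failed verification; nothing to tokenize")
        if (merchant, pan) in self._token_by_pan:  # same card, same merchant
            return self._token_by_pan[(merchant, pan)]
        while True:  # retry on the (rare) collision with an existing token
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(14))
            if (merchant, token) not in self._pan_by_token:
                break
        self._pan_by_token[(merchant, token)] = pan
        self._token_by_pan[(merchant, pan)] = token
        return token

    def charge(self, merchant: str, token: str, amount_cents: int) -> dict:
        """Step 5: later billing presents only the token; the vault resolves it."""
        pan = self._pan_by_token.get((merchant, token))
        if pan is None:  # a token from another merchant domain is worthless here
            return {"status": "declined", "reason": "unknown token"}
        return {"status": "approved", "last4": pan[-4:], "amount_cents": amount_cents}

def merchant_record(vault: TokenVault, merchant: str, pan: str) -> dict:
    """What the merchant's own database keeps: token and last four, never the PAN."""
    return {"token": vault.tokenize(merchant, pan), "last4": pan[-4:]}
```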
Is tokenization the same as EMV technology?
There are some similarities between, on the one hand, the way EMV chips embedded in modern credit cards operate, and on the other how a credit card is tokenized. EMV chips generate a unique, one-time-use code for each purchase. However, EMV chips work only with physical, card-present transactions. When an online merchant uses tokenization, the general principle is the same: your card data has protection similar to that offered by an EMV chip.
The majority of online wallets — including Apple Pay and Google Pay — operate on a tokenization system. Your credit cards aren’t really “stored” in the digital wallet. Instead, there are tokens that link to your card information.
There are many online and mobile services using tokenized payment cards for easier billing and verification purposes. The payment tokenization systems generally share the same logic, but there may be slight differences in the tokenization payment algorithm and the manner in which credit card tokenization across multiple payment gateways is achieved.
Different forms of credit card tokenization
When a credit card is tokenized, the original credit card data is removed from any database and safely stored outside it. Randomly generated data — a placeholder token — replaces the sensitive data of the credit card, thereby protecting the customer.
Swapping the credit card data, usually the primary account number (PAN), with a token removes the need to store customer credit cards in internal systems. From there, credit card data can be sent to any database securely.
There are several forms of tokenization, which will vary depending on the merchant and scenario. Let’s take a closer look.
eCommerce payment tokenization
Upon making a purchase online, the card number of the user is changed to a random sequence of characters (e.g. EUSH127ABD5562). The reference to the actual credit card number and its relation to the token is stored in a separate vault.
For recurring transactions, such as a monthly subscription, or for refunds, the merchant can use the token instead of storing the sensitive card data.
Mobile payment tokenization
For users of Apple Pay or Android Pay who add a credit card to their mobile device, their card numbers will be tokenized and stored on the phone. Every time the user makes a purchase, they will use the token instead of the payment card itself.
App payment tokenization
Mobile shopping is becoming ever more popular, with over 50% of consumers accessing eCommerce sites on mobile devices. If you store a token on your phone, the shopping apps you use cannot retrieve or access your credit card details. All bank details are therefore kept secure. Bad actors are unable to gain access to your personal data. Checkout is simple, and carried out on each site you access via app integration or by linking your accounts directly with your stored shipping and billing information.
The advantages of credit card tokenization
Credit card tokenization has several benefits, with increased payment security being the most important. Tokenization is by far the surest way to protect customer payment information from hackers and potential internal problems (such as human error and system failure). Randomly generated tokens can only be read by the payment processor. They cannot be monetized even if hackers steal them. Therefore, when a token is passing through the systems, anonymous thieves and hackers are blocked from committing a cybercrime or reselling stolen information.
Businesses that collect and store sensitive data on their networks often find it hard to comply with PCI DSS standards. In the event of a data breach, this lack of PCI compliance can result in large fines levied by the PCI Council. This is where tokenization shows its worth. It makes it possible for merchants to comply with PCI DSS with minimal security expenses. Removing customer card information from the merchant’s network dramatically minimizes the risks of data breach. Merchants don’t have to invest as much money and resources on data protection – this is covered by credit card tokenization. Other sensitive customer data like passwords, addresses, files, and accounts can also be protected using tokenization technology.
Most online merchants deal with a certain number of chargebacks and refund requests. Some of these occur as a result of fraudulent sales, which is a particular risk in the dropshipping business model. Other instances can occur following false declines, which frequently happen as a result of excessively stringent fraud filter rules. However, when merchants use tokenization credit card processing, they refer to the tokens instead of account numbers. With fraud filters having fewer elements to check, the number of false declines will be reduced.
Card network token systems such as the Visa Token Service (VTS) and the Mastercard Digital Enablement Service (MDES) support simplified checkouts for regular customers. For merchants, this translates to fewer declines (including false ones) and improved cardholder loyalty.
Payment tokenization brings many gains to those merchants that adopt it. At a time when digital transactions are becoming the norm, it offers a way to secure, standardize, and streamline card transactions.
What are the risks of tokenization?
Tokenization does hold certain risks, depending on the type and format.
In cross-domain tokenization, a business tokenizes data for all of its customers in a single data vault, so a token issued for one merchant can be used by every other merchant in that vault. If the merchant uses format-preserving tokens, it is more likely that the data will be deciphered in the aftermath of a data breach.
Some organizations continue to store both card data and tokens on their servers. This is known as a phased approach to tokenizing data. In some instances this can pose a challenge, because it makes it hard to tell a token apart from a payment card number. And since the PCI DSS standard requires merchants to prove they do not have payment card data on their premises or servers, compliance is sometimes nearly impossible.
Other companies elect to use multiple tokenization solutions, which can be problematic for card processing. When there are tokens from multiple providers and no business logic regarding which tokens can be used with different service providers, the merchant could end up using the wrong token to process a transaction. This means that the merchant uses a token from one company to process a transaction through another company.
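To illustrate the two problems just described (card-shaped values that a discovery scan cannot tell apart from PANs during a phased migration, and tokens handed to the wrong provider), here is an added example that is not from the article. The rows, gateway names and the format-preserving token are constructed; the card number is the standard Visa test number.

```python
import re

# Constructed sample rows, as a merchant table might look mid-way through a
# "phased" migration: a raw PAN, a random token, and a format-preserving token
# that keeps the 16-digit shape (all values invented for this example).
SAMPLE_ROWS = [
    {"customer": "c-001", "provider": "gateway-a", "stored": "4111111111111111"},
    {"customer": "c-002", "provider": "gateway-a", "stored": "EUSH127ABD5562"},
    {"customer": "c-003", "provider": "gateway-b", "stored": "4111110000001111"},
]

CARD_SHAPED = re.compile(r"^\d{13,19}$")

def classify_stored_value(value: str) -> str:
    """Shape-only test, like a PCI discovery scan: anything that looks like a
    card number must be treated as cardholder data until proven otherwise."""
    return "card-shaped" if CARD_SHAPED.fullmatch(value.replace(" ", "")) else "token"

def scope_report(rows) -> dict:
    """Count rows that still have to be treated as in PCI scope."""
    report = {"card-shaped": 0, "token": 0}
    for row in rows:
        report[classify_stored_value(row["stored"])] += 1
    return report

def select_token_for(rows, customer: str, provider: str):
    """The business logic the article says is often missing: only hand a
    provider the token it issued. Returns None rather than the wrong token."""
    for row in rows:
        if row["customer"] == customer:
            return row["stored"] if row["provider"] == provider else None
    return None
```

Note that the format-preserving token in the third row is counted as card-shaped, which is exactly why a phased setup makes it hard to prove the table is out of scope.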
Despite the risks involved with payment tokenization, the situation is improving thanks to new credit card tokenization standards, tokenization payment algorithms, and payment tokenization methods.
Difference between tokenization and encryption
Tokenization may rely on the same general principle as encryption, but there are differences between the two. Encrypted data can be switched back to its original form (in other words, decrypted). Essentially, encryption is reversible while tokenization is irreversible.
Irreversible tokens have no relation to the original data point. It is impossible to mathematically reverse-engineer the token value to get the original data string. This is why many people would claim these are the only true types of tokens.
On the other hand, encryption such as P2PE — point-to-point encryption — always maintains a mathematical relationship to the original data point. It is for this reason that any encryption method is only as good as its algorithm strength. A hacker could theoretically crack the algorithm and then be able to decrypt all encrypted values. Encryption keys need to be stored somewhere: this makes them potentially vulnerable to exposure, especially in large systems with many participants.
In the digital domain, we see a vast range of applications for both tokenization and encryption. Encryption remains the preferred method for transmission of sensitive data. Tokenization, on the other hand, offers an additional layer of security because it can’t be exploited through computer algorithms or mathematical formulas. This is why organizations that deal with payment card data are favouring it. Tokenized payment card data remains safe even if stolen, so long as the data vault remains protected.
Examples of credit and debit card tokenization
Credit card tokenization has found its way into a number of sectors and industries. Call centers, eCommerce merchants, payment processors, and mobile applications developers are all using it. Nearly any modern acceptance channel can benefit from tokenization for credit card transactions.
We’ll now look at the most common use cases for payment tokenization.
Merchants and web store owners deal with a large number of payment transactions each day. This makes them prime users of credit card tokenization. From minimizing “PCI Scope” (the combination of factors that could affect data security) to increasing security of customer data, using tokenization alongside credit card processing looks sure to be the future for online shopping and transactions.
Mobile applications and mobile operators can use tokenization to avoid storing cardholder data captured from mobile applications on Android or iOS devices. Credit card tokenization works with both native and web-based applications, which means less risk and better industry-wide compliance. Regardless of the acceptance channel, you can tokenize credit card data from eCommerce entry points by capturing credit card information from browsers using a method such as browser-based encryption.
For native mobile applications, tokenization of credit card data can be done in a number of ways. Once the user sends credit card and other sensitive data captured from the device using their mobile applications, it can be tokenized and safely stored.
Call centers often store and access large volumes of customers’ sensitive data. Those that accept payments over the phone rely on technology such as P2PE, interactive voice response (IVR), and dual-tone multifrequency (DTMF) for processing payment card information. Tokenizing sensitive payment data will remove the credit card information from the systems downstream from the call center environment. This not only relieves the organization from the burden of storing sensitive credit card data in its internal systems, but also reduces the chances that they will fail to comply with PCI requirements.
We are going to see credit card tokenization take center stage in the years ahead, as tokenized payments become the new standard for merchants and customers. Creating a secure environment in an increasingly digitized world starts with transforming online payment methods so that the preferred option is also the safest.
Now that we have shown you the benefits of tokenization and why tokens are an integral part of the payment process, it’s time for your business to take the next step.
At PixelPlex we are passionate about helping businesses leverage new technology to ramp up their efficiency and improve their bottom line. Get in touch to see how payment tokenization can take your online enterprise to the next level and give you an edge in the digital domain.