Global digitalization is not a new trend, yet it’s happening a lot faster as a result of the COVID-19 pandemic. As online payments grow in number, the need for better protection of sensitive data increases. But can payment tokenization handle the serious challenge ahead?
In simple terms, tokenization means replacing data or an asset with a surrogate that stands in for it. The concept of tokenization was developed by TrustCommerce in 2001 as a way to protect sensitive transactional data. Before that, merchants stored credit card information on their own servers, so potentially anyone with access to the system could view it. The only guarantee of security was the hope that employees would not use the data for their own purposes.
The system developed by TrustCommerce replaced the primary account number (PAN) with a random number – a token. Consequently, merchants no longer needed to store credit card data themselves, which greatly improved data security.
The fact that tokenization is a hot topic today is also evidenced by the numbers: the tokenization market was valued at $1.2 billion in 2020, with a CAGR of 22.4% predicted for the period 2021–2026.
Let’s dive deeper into tokenization in payments, analyze how it differs from encryption, and find out how it affects eCommerce businesses and their customers.
What is payment tokenization?
Payment tokenization is the process of replacing sensitive data such as a credit card number, account number, or address with a randomly generated value that serves as a token. A token is between thirteen and nineteen alphanumeric characters long and contains neither the PAN nor any detail that reveals the user’s identity.
Essentially, tokens stand guard over valuable information and sensitive data. They can be used in a database or in internal systems while the original information is safely stored in a token vault.
Another important point is that tokens are unique and irreversible. An individual token can be used only once, for a single purchase, and because there is no mathematical relationship between a token and the number it replaces, a token cannot be reverted to its original form.
Tokenization vs encryption: what’s the difference?
Data encryption is probably the most popular and common method for protecting sensitive information. Encryption secures information such as cardholder data, payment card information, financial account numbers, and other types of confidential data by turning it all into code.
Although the tokenization and encryption concepts may seem similar at first glance, there are crucial differences between the two.
Firstly, tokenization and encryption rely on different protection mechanisms. In tokenization it is the token (thanks, Captain Obvious); in encryption it is the key that provides the security.
Secondly, tokenization replaces sensitive data with an irreversible token and stores the original data outside the environment that uses it. Encryption, by contrast, encodes the information in place and later reverses that encoding with a key or password whenever the data needs to be decrypted.
Since tokens cannot be returned to their initial shape – that is, traced back to the original credit card number – and because the PAN is never exposed, this method of protecting information is more secure than encryption. Encryption relies on a mathematical transformation that can be reversed, so as long as the encrypted data can be decrypted there is a significant risk of the confidential information being disclosed.
According to MarketsandMarkets’ research on tokenization, there is still a lack of knowledge and understanding of encryption and tokenization among end-users. Many users continue to stick with the old payment security system, even though encryption is more vulnerable to cyber attacks than tokenization.
Payment tokenization and PCI compliance
Many companies that handle credit card information and accept and store confidential data on their networks experience difficulties with Payment Card Industry Data Security Standard (PCI DSS) compliance. Failure to comply with the standard can lead to fines, reputational damage, and loss of brand credibility.
Those who choose encryption over tokenization face an obstacle related to encryption’s reversibility. The PCI Security Standards Council treats encrypted data as sensitive, so under PCI DSS additional measures must be taken to secure it. The PCI DSS and other security standards, by contrast, do not require organizations to provide additional protection for tokenized data.
Indeed, tokenization works in such a way that the payer’s credit card information is removed, and thus the risk of data leakage is greatly minimized. A reduced amount of sensitive data means there are fewer requirements to be followed, leading to faster audits.
By applying tokenization, it is also easier for businesses to comply with the standard and, at the same time, to enjoy lower security costs and minimal liabilities.
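A practical way to confirm that tokenization has actually taken cardholder data out of the merchant’s environment, and so out of PCI DSS scope, is to scan the merchant’s own logs and tables for anything that still looks like a raw PAN. The following scanner is an added example written for this article, not code from any vendor or standard mentioned here: it finds 13 to 19 digit runs that pass the Luhn check, ignores masked numbers and the alphanumeric tokens the article describes, and reports its findings already masked so the report itself never becomes a new store of card numbers. The sample records and the regular expression are constructed for the example; the card numbers in them are public test numbers, not real cards.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# that are not embedded in a longer alphanumeric run. Constructed for this
# example; tune the separator handling to the data you actually scan.
_CANDIDATE = re.compile(r"(?<![\dA-Za-z])(?:\d[ -]?){12,18}\d(?![\dA-Za-z])")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_raw_pans(records):
    """Return (record number, masked PAN) for every Luhn-valid 13-19 digit run.

    Findings are masked before they are returned so that the scan report itself
    does not become a new place where full card numbers are stored.
    """
    findings = []
    for lineno, record in enumerate(records, start=1):
        for match in _CANDIDATE.finditer(record):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


# Constructed sample of what a merchant's order table or log might contain after
# switching to tokenization. Records 3, 4 and 6 hold raw card numbers that should
# have been replaced by tokens; the numbers are public test card numbers, not real cards.
SAMPLE_RECORDS = [
    "order=1001 pay_ref=tok_7Qm4XkZ9pR2wLd1 amount=49.90",
    "order=1002 pay_ref=411111******1111 amount=12.00",
    "order=1003 pay_ref=4111111111111111 amount=80.00",
    "order=1004 pay_ref=4012888888881881 amount=5.00",
    "order=1005 pay_ref=9876543210123 amount=3.00",
    "order=1006 note='customer card 4111 1111 1111 1111 was declined'",
]

if __name__ == "__main__":
    for lineno, masked in find_raw_pans(SAMPLE_RECORDS):
        print(f"record {lineno}: raw PAN found ({masked})")
```

Record 5 is a 13-digit number that fails the Luhn check, so it is correctly left alone, while the spaced-out number in the free-text note of record 6 is still caught. One caveat: the article describes tokens as alphanumeric, which is what lets this scanner separate them from card numbers; a scheme whose tokens are themselves Luhn-valid digit strings would need an allow-list of known token ranges on top of this check (an assumption about such schemes, not something the article covers).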
Credit card data portability and tokenization
First, we need to understand what data portability is and why it is important. Suppose you are a customer of an online store where on a previous visit you entered your credit card details. Since then, because the company has decided to optimize transaction processes or start operating in new countries, it has had to change payment gateways and adapt to new gateway providers. Thanks to credit card data portability, you will not notice this and won’t need to re-enter your billing information.
Credit card data portability, then, is the ability to transfer a customer’s credit card information from one payment gateway to another.
Another question concerns the connection between data portability and tokenization. If we combine these two elements, how will they meet PCI DSS?
In this case, merchants have two options. They can use a dedicated payment solution that will collect and store PAN data in a separate vault, or they can export their data and create new tokens in storage for a specific gateway. The second option is a little lengthy and complicated, but the first one tends to be quite painless and efficient.
Spreedly is an example of a platform that offers this kind of payment orchestration solution. As for its payment tokenization method, Spreedly provides a PCI DSS compliant vault where it stores captured PAN information; the payment data doesn’t even touch the merchant’s servers. The generated token can be transferred over various networks and stored without the danger of disclosing the actual PAN.
Here’s how it works. When the merchant is ready to process the transaction, the token is transferred to Spreedly along with the transaction information. The platform then transfers the stored card details to the designated payment gateway. One token can be processed for transactions through hundreds of PCI DSS-compliant gateways and endpoints. This enables Spreedly to provide data portability for merchants pursuing a multi-provider strategy.
What are the key benefits of payment tokenization?
It’s worth stressing again that payment card tokenization helps protect sensitive information and prevent data breaches. However, these are not the only advantages of this technology: tokenization also increases customer trust, reduces and prevents financial and reputational damage, and improves user experience.
Increased consumer trust
Customers will use credit cards and buy goods from stores whose information security they have confidence in. It is only logical that buyers will use the services of those sellers who have a good reputation and no history of information leaks. So by applying tokenization, merchants preserve their credibility and increase consumer trust.
Enhanced user experience
The buyer’s card information can be stored in a mobile wallet or saved when making online purchases. Thanks to tokenization, customers don’t need to disclose their original bank card details when topping up their wallet or making the next payment. What’s more, they don’t have to fill in payment details for every purchase.
Reduced financial and reputational damage
Data breaches are extremely costly to businesses. The Ponemon Institute independently conducted research that involved a quantitative analysis of 524 recent data breaches across 17 regions and 17 industries. Their findings were presented in the 2020 Cost of a Data Breach Report: on average, a data breach costs businesses $3.86 million, and it takes around 280 days to identify and contain a breach.
Although tokenization is not a panacea for all the troubles associated with data breaches, it significantly reduces the likelihood of these situations occurring. With tokenization, merchants no longer have to deal with sensitive payment information and, as we have seen, they don’t need to store any data.
On top of this, merchants don’t need to invest a lot of money and resources in data protection – because everything is covered by payment tokenization. Even if a fraudster manages to gain access to the tokenized data, they won’t be able to use it because they will only see a set of random characters which are in no way related to credit card information.
Tokenization in payments: examples
Now that we are living through a global pandemic, even the most avid fans of cash payments have been switching to online forms of payment. Statistics show that in January 2019 online platforms were visited 13.87 billion times, but in the same month in 2020, the numbers had risen to 16.07 billion visits worldwide. Five months later, in June, retail websites had received nearly 22 billion visits.
Online shopping platforms are experiencing an unprecedented increase in global traffic, which is why it’s more important than ever that retailers take care of payment security and customers’ data protection.
Now we’ll look at where tokenization can be put to use, and where it helps both merchants and shoppers.
- Digital wallet
Google Pay, Apple Pay, Samsung Pay, and many other digital wallet services use tokenization to ensure the safety of users’ data. Users can create a token on Google Pay, for instance, via their Android mobile phone. Every time they want to buy something, they can use their phone to make contactless payments at a POS terminal without even taking their credit card out of their pocket.
A user who has wristbands or smartwatches can create, say, an Apple Pay token, and then use it to pay for their purchases.
By the way, Mastercard recently partnered with MatchMove, which is a fintech company, and Tappy Technologies, a world-leading wearable payment integrator, to enable payment chip tokenization for custom wearables.
The result of this collaboration is that now Mastercard holders can safely add their payment cards to the chip and attach the chip to any battery-free wearable devices or accessories. Thus, the user can turn their favorite accessory into a contactless payment device protected by tokenization.
- In-app payments
If you use Android devices, then you can create a token using Google Pay. Similarly, you can create an Apple Pay token on your iPad using the same credit card. If you play games and want to buy upgrades, you don’t need to enter your credit card information or exit the app. You can conduct in-app payments and be sure that all your information is well protected.
- Billing and recurring payments
For any company working with recurring payments, tokenization can be a blessing to the business. With credit card payment tokenization, a company can store customers’ billing information for subsequent automatic payments. The company won’t even need to keep all customer data on file: it can store customers’ tokens and use them for the next purchase.
What companies and industries are using tokenization?
Thanks to its effectiveness and a growing number of successful case studies, tokenization is being taken up by more and more companies and service providers. Let’s move on now from the theory and see how this type of data protection is actually working in practice.
Visa Token Service
Visa Inc., an American multinational financial services corporation, launched its Visa Token Service (VTS) back in 2014. Through this payment tokenization solution, the company aimed to reduce the incidence of credit card fraud and enable its cardholders and customers to enjoy more efficient and secure digital shopping and trading.
On June 23, 2020, Visa Inc. announced that the company had issued over 1 billion tokens worldwide via VTS. In 2021, the number of tokens issued has passed the 2 billion mark. In reaching this milestone, the corporation demonstrated that tokenization is an effective method of data protection for both credit card and mobile purchases.
Visa Token Service works by simply replacing a cardholder’s 16-digit account number with a secure token that protects the card number. A payment token can be limited to a specific eCommerce merchant, mobile device, or a certain number of purchases before expiration.
Google, a tech company that really needs no introduction, is also using tokenization in its online payment system to keep both merchants and their customers safe from data leaks and loss of funds.
To complete the mobile payment tokenization process, Google Pay (formerly Android Pay) works with card-issuing banks, token service providers (TSPs), mobile device manufacturers, payment terminal providers, and payment networks. Together they form a tokenization infrastructure that verifies a payer’s identity when a card is attached to Google Pay (ID&V), securely stores customers’ tokens on their mobile devices, and transfers those tokens to the payment terminal during in-store transactions made with the Google Pay application. The infrastructure also ensures that the NFC hardware meets all the industry standards.
Here’s a step-by-step explanation of how Google Pay tokenization works.
1. A user attaches their card to the Google Pay app.
2. Google Pay requests a token representing the card being added from the bank that issued the card.
3. After token issuance, the card becomes tokenized: it receives a unique identification number associated with it.
4. Google Pay encrypts the new tokenized card so it is ready for payments.
When the customer is ready to make a purchase, they tap their mobile phone on the terminal as usual or select Google Pay as their payment method in the application.
Google Pay responds with a tokenized customer card and a cryptogram, the latter acting as a one-time password. Next, the cryptogram is verified and the token is matched with the buyer’s card number. Lastly, the acquiring bank and the customer’s card-issuing bank use the existing customer information and decrypted customer billing information to complete the transaction.
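The token-plus-cryptogram exchange just described is easier to reason about as two cooperating parties: the phone, which holds a token and a key but never the PAN, and the token service provider, which holds the mapping and checks each cryptogram before releasing the PAN to the issuer. The model below is an added example written for this article, not Google’s, Visa’s or any TSP’s code: the cryptogram is a plain HMAC-SHA256 over the token, amount, merchant and a per-token counter (a constructed stand-in for the network-specific EMV cryptogram), and the class names, reason codes and test card number are all assumptions of the example. It shows why a stolen token on its own is useless, why a cryptogram cannot be replayed, and why an amount altered in transit fails verification.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def make_cryptogram(key: bytes, token: str, amount: int, merchant: str, counter: int) -> bytes:
    """HMAC-SHA256 over the transaction details and a per-token counter.

    Constructed stand-in for the network-specific cryptogram: the value is bound
    to this token, this amount, this merchant and this counter, so it behaves
    like the one-time password the article describes.
    """
    message = f"{token}|{amount}|{merchant}|{counter}".encode()
    return hmac.new(key, message, hashlib.sha256).digest()


@dataclass
class TokenRecord:
    pan: str            # the real card number, known only inside the TSP
    key: bytes          # per-token cryptogram key shared with the enrolled device
    last_counter: int = 0


class TokenServiceProvider:
    """Constructed model of the TSP / token vault side of the exchange."""

    def __init__(self):
        self._records = {}

    def provision(self, pan: str):
        """Enrollment: issue a token and a key for one device; the PAN stays here."""
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._records[token] = TokenRecord(pan=pan, key=key)
        return token, key

    def verify(self, token, amount, merchant, counter, cryptogram) -> str:
        """Return a reason code; only 'ok' lets the payment continue to the issuer."""
        record = self._records.get(token)
        if record is None:
            return "unknown_token"
        expected = make_cryptogram(record.key, token, amount, merchant, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad_cryptogram"      # altered amount/merchant, or made without the key
        if counter <= record.last_counter:
            return "replay"              # an earlier cryptogram presented a second time
        record.last_counter = counter
        return "ok"

    def pan_for_issuer(self, token: str) -> str:
        """Detokenize for the issuer's authorization; never handed to the merchant."""
        return self._records[token].pan


class WalletDevice:
    """Constructed model of the phone: holds the token and key, never the PAN."""

    def __init__(self, token: str, key: bytes):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount: int, merchant: str) -> dict:
        self._counter += 1
        cryptogram = make_cryptogram(self._key, self.token, amount, merchant, self._counter)
        return {"token": self.token, "amount": amount, "merchant": merchant,
                "counter": self._counter, "cryptogram": cryptogram}


def run_exchange():
    """Walk through one good payment and the cases a TSP must reject."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision("4111111111111111")   # public test card number
    phone = WalletDevice(token, key)

    first = phone.pay(1999, "MERCHANT-42")
    return [
        tsp.verify(**first),                              # genuine tap: ok
        tsp.verify(**first),                              # same message again: replay
        tsp.verify(**dict(first, amount=1)),              # amount changed in transit: bad_cryptogram
        tsp.verify(**dict(first, token="tok_unknown")),   # token never provisioned: unknown_token
        tsp.verify(**phone.pay(500, "MERCHANT-42")),      # next tap, fresh counter: ok
    ]


if __name__ == "__main__":
    print(run_exchange())
```

On the defender’s side, the reason codes are the useful output: a burst of `replay` or `bad_cryptogram` results for one token is the signal to revoke that token, which costs the cardholder nothing because the underlying card is untouched.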
As stated on Google’s support page, tokenization allows their customers to enjoy protection against the loss and theft of money and personal information. For merchants, meanwhile, tokenization means they needn’t keep so much sensitive customer information, and so data breaches become less of a worry.
Apple, as a company that definitely won’t compromise its users’ data, uses tokenization to securely transfer money from a customer to a merchant.
When making a payment via Apple Pay, the app generates a token and a one-time security key. The data is transferred to the payment terminal, and the token is sent to the so-called token store, a secure database that links tokens with real accounts. If the security key checks out, the token store forwards the payment and waits for confirmation that the funds have been debited, which is then returned to the payment terminal. The POS never sees any information about your card, because the token store sits inside the payment system.
With Apple Pay tokenization, customer information is only visible to the payment processor and the financial institution that issued the card. This ensures high security and confidentiality for your data.
Samsung Pay claims to be a super-secure mobile payment service: Samsung uses tokenization to protect its users’ personal and financial information.
When a user adds their payment card to the app, the information is encrypted and sent to Samsung’s servers and, at the same time, to the card issuer’s payment network for approval. The card issuer often requests a one-time password to verify the identity of the cardholder.
Each time the user adds a payment card, a new token is generated. This happens even when the user is trying to attach a recently removed card.
It’s also worth mentioning that Samsung does not store or even have access to payment information added to Samsung Pay.
Credit card fraud is still an Achilles heel for many businesses, especially in eCommerce. According to AtlasVPN, the number of fraudulent activity reports in the United States alone rose from 17,236 in the first quarter of 2015 to 45,120 in the first quarter of 2019. In 2020 Q1, the number of reports jumped even higher — to 92,367.
Tokenization is one of the ways to protect credit card information and prevent the loss of customer data and funds. At the same time, tokenization is a very reliable technology for protecting online businesses from costly data breaches and thereby saving their money and safeguarding their reputation.
IKEA, a brand whose furniture can be found in almost every kitchen in the world, is a prime example of a company that utilizes tokenization in its online store. When a customer buys furniture from IKEA’s website, the retailer tokenizes their card number. This means that IKEA customers can pay for their online purchases knowing that tokens always guard their payment details. In addition to tokenization, IKEA’s checkout security is also enhanced by the 3D Secure service.
Payment tokenization process: a step-by-step guide
In the process of credit card tokenization, the user’s confidential information is replaced with a token, which is a one-time alphanumeric identifier that has no value or connection to the account’s owner. Below we describe how a tokenized transaction works.
Step 1. A customer decides to make a purchase. They initiate a transaction and enter their credit card information.
Step 2. The token requestor, which can be an online store or an issuer application, sends a cardholder’s PAN to the separate token vault.
Step 3. The issuer performs identification and verification (ID&V) and submits these results to the token vault. This process is called “binding” and it completes the token registration.
Step 4. The token vault transfers the registered payment token to the requestor and thereby completes the token request process.
Step 5. The acquirer transfers the token to the credit card network for further authorization. The customer’s primary account number and token are sent to the issuer who makes an authorization decision.
Step 6. After authorization, the customer’s data is stored in the bank’s secure virtual vaults, and the token is matched with the customer’s account number.
Step 7. The bank checks the availability of funds and approves or rejects the transaction.
It’s worth mentioning that when the card number and related information are passed to the merchant’s acquiring bank, they travel only in the form of a token.
Generally speaking, the whole payment tokenization process is hidden from customers’ eyes, so when making electronic payments they don’t need to do anything differently. Merchants, for their part, can also use the token rather than the actual bank card details for refunds and recurring transactions.
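The seven steps above, together with the token properties given in the “What is payment tokenization?” section (random alphanumeric value, no mathematical link to the PAN, only the vault can map it back), can be captured in one small model. The code below is an added example written for this article, not the code of any vault, gateway or network mentioned here. It assumes a 16-character token drawn from uppercase letters and digits (within the article’s 13 to 19 range), a constructed issuer that keeps balances in cents, role-checked detokenization so that only the network or issuer can ever see a PAN, and a token that, as the refund and recurring-payment passage describes, the merchant keeps and reuses instead of card details. All names and the test card number are assumptions of the example.

```python
import secrets
import string
from dataclasses import dataclass

TOKEN_ALPHABET = string.ascii_uppercase + string.digits
TOKEN_LENGTH = 16      # the article allows 13 to 19 characters; 16 is this example's choice


@dataclass
class VaultEntry:
    pan: str
    requestor: str
    bound: bool = False      # set once the issuer's ID&V result is recorded (step 3)
    revoked: bool = False


class TokenVault:
    """Constructed token vault: the only place the token-to-PAN mapping exists."""

    def __init__(self):
        self._entries = {}

    def _new_token(self) -> str:
        # A random draw from the alphabet: no arithmetic on the PAN is involved, so the
        # token cannot be reversed; the loop only guards against an accidental collision.
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
            if token not in self._entries:
                return token

    def request_token(self, pan: str, requestor: str) -> str:
        """Step 2: the requestor hands the PAN to the vault and gets a token back (step 4)."""
        token = self._new_token()
        self._entries[token] = VaultEntry(pan=pan, requestor=requestor)
        return token

    def bind(self, token: str, idv_passed: bool) -> bool:
        """Step 3: record the issuer's identification and verification result."""
        self._entries[token].bound = idv_passed
        return idv_passed

    def detokenize(self, token: str, caller_role: str):
        """Steps 5-6: only the network or issuer may map a token back to the PAN."""
        if caller_role not in ("network", "issuer"):
            raise PermissionError(f"role '{caller_role}' may not detokenize")
        entry = self._entries.get(token)
        if entry is None or not entry.bound or entry.revoked:
            return None
        return entry.pan

    def revoke(self, token: str) -> None:
        """Disable a token, e.g. after a breach; the underlying card stays usable."""
        self._entries[token].revoked = True


class Issuer:
    """Constructed card issuer holding account balances in cents."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def idv(self, pan: str, otp_ok: bool) -> bool:
        return pan in self.balances and otp_ok

    def authorize(self, pan: str, amount: int) -> str:
        """Step 7: approve or decline based on available funds."""
        if self.balances.get(pan, 0) >= amount:
            self.balances[pan] -= amount
            return "approved"
        return "declined"

    def refund(self, pan: str, amount: int) -> None:
        self.balances[pan] += amount


def authorize_by_token(vault: TokenVault, issuer: Issuer, token: str, amount: int) -> str:
    """Steps 5-7 as seen from the acquirer/network: only the token crosses the wire."""
    pan = vault.detokenize(token, caller_role="network")
    if pan is None:
        return "invalid_token"
    return issuer.authorize(pan, amount)


def refund_by_token(vault: TokenVault, issuer: Issuer, token: str, amount: int) -> str:
    """A refund needs only the stored token, never the card details."""
    pan = vault.detokenize(token, caller_role="network")
    if pan is None:
        return "invalid_token"
    issuer.refund(pan, amount)
    return "refunded"


def tokenized_purchase(vault, issuer, pan, amount, otp_ok=True):
    """Steps 1-7 end to end; returns the token the merchant keeps and the outcome."""
    token = vault.request_token(pan, requestor="online-store")      # steps 1-2
    if not vault.bind(token, issuer.idv(pan, otp_ok)):              # step 3
        return token, "idv_failed"
    return token, authorize_by_token(vault, issuer, token, amount)  # steps 4-7
```

Two details are worth noticing when running it: tokenizing the same card twice yields two unrelated tokens, which is what “no mathematical relationship” means in practice, and a merchant process that tries to call `detokenize` is refused outright, so a compromise of the merchant’s systems yields tokens but no card numbers.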
Tokenization in payments brings definite benefits to both customers and merchants, as it provides robust security for sensitive information. Tokenization anonymizes customers’ actual credit card data and reduces the seller’s responsibility for storing and handling confidential payment information.
Since the generated token looks like a set of random characters and is irreversible, the chances of fraudsters gaining access to your credit card number are extremely low. Another argument in favor of tokenization is that tokens are different at every online shop, and even if a security breach occurs, all tokens will be disabled and customer information will not be available.
If you’re pretty much ready for digital transformation, eager to enhance online payment security, or looking to create a new website and mobile application, make sure you turn to a trusted web and mobile development company. Professional developers will comprehensively analyze your business case, advise you on existing technologies, and offer the solution that best fits your aims.