What Is Tokenization?
Tokenization replaces confidential customer credit card information with a string of random numbers so that no one, neither businesses nor criminals, get access to it. A token represents the customer's card in a transaction and is only translated back to real data once it reaches the safe confines of the payment processor. At the checkout, rather than collect and store a customer's confidential data, such as a PAN (Primary Account Number - credit card number) or bank account details, the card reader instead issues a token which looks like a string of random digits. This string of digits means the customer's confidential information is never seen by the business. The algorithms that convert a PAN into a token are virtually impossible to decrypt, making the tokens worthless to a hacker or thief in the event of a breach. The customer's real account information is held by the payment processor in a secure token vault for decryption at the end of transit. This is important because everywhere you look, in brick-and-mortar stores as well as online, customers are demanding faster methods of payment. Their use of mobile wallets as a replacement for traditional cards and cash is increasing as well. It is up to businesses to provide checkout options that are contactless, fast, accurate and secure while minimizing their exposure and risk that comes with accepting private customer data. Above all, businesses must ensure they have a way that proves that the customer is who they say they are. Tokenization offers a convenient and secure way for businesses to do all these things.
With traditional credit cards, a customer's data (card number, CVV, expiration date, billing address, PIN) pass through three points of contact. The business collects it in the card reader, where it is encrypted and sent to the business's payment processor (the acquirer), who then forwards an authorization request to the customer's bank (the "issuer"). The more points of contact there are along a data stream, the higher the chances of a data breach. Tokenization keeps vital data away from the data stream, thus reducing the potential sources of a breach.
History of Tokenization
Tokens and other forms of substitution have been used in database management and security since the 1970s. Its application to payment systems started around 2001, as online commerce started to grow in popularity, and took hold in 2005 when it finally became available for use with personal credit cards.
How Does It Work? How are Tokens Generated?
Tokens are generated by the processor using algorithms or random number generators. A token is then matched to a customer's PAN or other data and is then made available for a customer to use with a retailer. When the token data returns to the processor, the token is translated back to the original PAN information and the full transaction can be processed. Tokens come in a range of styles:
A single-use token is typically used in a single transaction and is also referred to as a transactional token. After having been used one time (a single transaction), it becomes void. This helps keep it secure but at the same time makes it problematic to process recurring transactions, refunds and returns processing. Single-use tokens are useful for businesses that do not have repeat customers, such as retail stores in tourist-heavy areas.
Multi-use tokens, as their name suggests, can be used multiple times for online and in-person shopping. This makes it possible for "card-on-file" and membership renewals to happen. These repeatable and simplified transactions stay associated with a credit card for life and help speed up the checkout process and reduce shopping cart abandonment.
Reversible or Irreversible
Another form of token, called reversible, allows a business to reverse a token, retrieving original information such as the PAN, to submit to a third-party payment handler. Being able to extract the PAN may prove useful for fraud recovery efforts, but leaves open a core of potential liability, which is why most businesses opt for the irreversible version.
The option also exists to preserve parts of the customer's confidential data, such as the last four digits of a credit card number that will appear on the receipt as proof of reference to the actual credit card used. The other twelve characters will appear on the receipt as asterisks and the business still only retains the token. No full credit card number is kept.
What's the Difference Between Encryption and Tokenization?
Encrypted data can be thought of as being disguised. Before leaving one computer or card reader and embarking on a trip across a network, data is obscured using a coding system that replaces one number or letter for a different one using a sophisticated encryption algorithm. This new encoded version of the data must be decrypted at the other end of its journey using the key or password. One of the key drawbacks of encryption is that it is mathematically reversible - since the original card data stays intact behind the disguise, it is at risk of being decoded, at least in theory. Tokenization, by contrast, is a replacement technique. A customer's account number is replaced by a completely different number string that can only be exchanged for the real one once it reaches the token vault that holds it. A real-world example would be a personalized bus or transit pass that stands in for a cash fare and is useless to any other person because of its unique features, such as an embedded photo ID. A transit pass is a token representing the money already held in the transit company's vault. With tokens, thieves cannot reverse-engineer the PAN or credit card number no matter where along the pathway, from business to bank, that they obtained it. Learn more about tokenization versus encryption here.
Some Examples of Tokens Currently in Operation
When businesses keep a customer's card on file for recurring payments, either in-store or through one-click online checkouts, PAN data is never transferred. Similarly, newer payment techniques such as Apple Pay and Google Pay use tokens. To date, Apple Pay is one of the most popular tokenization brand technologies available. In addition to the outright security of its Apple Pay tokens, the tokens can also only be used once the app and the phone are unlocked, ideally by fingerprint or face recognition. The token only "reconnects" with the confidential credit card information once it reaches the customer's bank or processor.
Tokenization and Payments
Retail payments are more secure through tokenization, but customers must still do some setup first. They must provide their real payment information (their PAN or a photo of their credit card) to the issuing bank or processor, who then replies by sending back a token - a string of digits - that is then saved into the phone/digital wallet/app. Even if this digit string were made visible, it could not be used to copy onto another card or app. Tokens can also be used for refunds, voids and credits.
Tokenization and Breaches
Another benefit of tokenization is the potential to reduce the damage caused by hacking and data breaches. If a retailer that uses tokens were to be hacked, there would be no usable credit card numbers or other vital customer data to steal.
Tokenization and Value for Cardholders
A further benefit for customers is that they no longer have to deal with the hassle of a lost or stolen credit card. Currently, when a physical card is lost or stolen, a customer must call their bank, cancel the card and then alert all of the businesses who use the card to process recurring transactions. However, if a phone or device containing the token is stolen or lost, the customer need only request the token be canceled. A new token can be issued without requiring the creation of a brand-new credit card number.
Where are Tokens Stored?
Tokens are stored in a bank or processor's token vault. A token vault is where the issuing bank keeps confidential customer information like PANs. A token is generated from this information. A hacker or thief would need to be able to access the bank's token vault to gain any value from the tokens.
Tokenization and PCI
Tokenization does not reduce PCI scope for a business, but it does eliminate PCI PA DSS scope for a software vendor because it allows them to only store non-sensitive card data.
Multi-Business Tokenization: Sharing Tokens Between Multi-Location Businesses
Tokenization can be made even better when a payment processor allows a group of separate businesses to store a customer's token information to share among their locations for added convenience. Franchises or any group of legally separate businesses could participate, such as a dry cleaner, hairstylist or fast-food outlet, all of whom could pool loyalty points and rewards to encourage and expand customer participation.
Oversight and guidelines for tokenization are managed by The Payment Card Industry Security Standards Council (PCI SSC).