Payment Tokenization Process

Credit Card Tokenization: What Merchants Need to Know

In today’s world of electronic transactions and online gateways, customer payment information security is paramount. Fines are steep, and a lot is at risk — especially for businesses with thousands of customers.

The last thing you want to do is be responsible for a payment information breach. It has the potential to cripple your business — either through fines, ruining of public reputation, or both.

Many vulnerabilities exist in the transmission stage of payment processing. This is when the data is being exchanged between the banks and involved credit card networks.

There are two main ways to prevent breaches during this process: payment encryption & payment tokenization.

Apart from the obvious social and consumer downsides, the credit card networks founded the Payment Card Industry Data Security Standard (a.k.a. PCI Compliance) in 2006, and if you aren’t using encryption or tokenization to pass sensitive payment information, then you’re at risk of being fined or banned from accepting credit cards.

Tokenization is kind of trendy at the moment, and for good reason. It has recently come much more into the spotlight due to mobile payment systems like Android Pay and Apple Pay being normalized, and it’s just a better way to transfer payment information securely.

Encryption vs. tokenization 

What is encryption?

Encryption is a blanket term for any technique that scrambles data and then allows it to be decoded when needed. Think of it as an advanced secret language, where only the right people with the right key can unlock the original information.

A few other things to note about encryption:

  • Businesses need to rotate their keys to maintain security.
  • A consumer’s permanent account number (PAN) is displayed in certain points in the payment process.

What is credit card tokenization?

In order to provide additional layers of protection against cyber hackers stealing sensitive personal information, and to prevent credit card fraud, the payment card industry created tokenization. Tokenization is a process that substitutes the consumer’s sensitive cardholder account number with a number randomly generated by an algorithm or created by a non-reversible cryptograph. This substituted number is known as the “token”.

Retailers can disseminate tokens over the internet or wireless networks to process credit card payments, all done without transmitting the cardholders actual banking account number. The bank or network stores the actual banking account information in a safe place called a vault. Cyber hackers are unable to find and breach the vault through the retailer’s site, so the information stays secure.

Tokens developed as a way to prevent online or digital breaches. The token is similar to the new “chip” that credit card issuers use to prevent credit card theft for payments made in brick-and-mortar stores.

Credit card tokenization step by step:

  • A token is created from the personal account number for a one-time use for a specific website or channel.
  • The created token(s) is sent to a secure token vault. This can be built in-house or easily outsourced (must be PCI Compliant).
  • Tokens are loaded on the mobile device as part of the virtual card profile.
  • The NFC device or relevant channel initiates a transaction at a merchant’s point-of-sale (POS) terminal. The POS uses the token as the card number instead of the customer’s PAN.
  • The POS terminal sends the token to the acquiring bank, which sends it to the issuing bank through the payment network.
  • The issuer de-tokenizes the token and checks it against the real PAN. If there’s a match, then it approves (or authorizes) the transaction.
  • Response from the card issuer is returned to the POS terminal using the token as the card reference. The response from the card issuer’s check is delivered to the POS terminal and has the attached token acting as the unique transaction identifier.
  • The transaction is completed!

And here are some other useful facts about credit card tokenization:

  • Tokens cannot be reverse-engineered. They are randomly generated and thus there is no associated algorithm (unlike encryption).
  • Your audit items could be reduced by half after switching to tokenization.
  • It’s cheaper to implement than encryption.
  • A customer’s PAN is never revealed.
  • Your ability to quickly and securely handle refunds, chargebacks, etc. is increased.
  • The original card numbers stays in control of the participating bank.

Credit card tokenization examples

You come across credit card tokenization more often than you might imagine because tokens are quite popular in the e-commerce arena.

Recurring Payments and Subscription Billing

Whenever a website “keeps your card on file” for recurring payments or subscription billing, the site is using tokens. Think any SaaS businesses (Netflix, Squarespace, etc.)

One-click Options

Another popular example is the “one-click” option. The most obvious example being Amazon. They don’t just have your information sitting openly — it’s all handled through tokens.

Apple Pay and Android Pay

Near-field communication (NFC) payments like Apple Pay and Android Pay rely on tokens as well.

These mobile wallets transfer your payment information from your smartphone to a nearby vendor’s terminal. The process uses radio waves that allow smartphones and other devices to exchange information. The token is one of those pieces of exchanged information.

Once you load your credit card information into the mobile wallet app, the information transfers to your bank. The bank replaces the account information with a randomly selected token and then transmits that token to the retailer. The retailer never stores your actual account information.

App Purchases

If you purchase something in an app, let’s say UberEats, Lyft, Amazon (again), you’re dealing with tokens again. Those apps don’t have free reign to your credit card information.

Instead, your information is just that randomized token & protected from fraud.

How does payment tokenization work to increase sensitive credit card security?

Simply put, tokenization just adds an extra layer of security to the storage and transmission of sensitive cardholder information. It’s just a better way to do business — especially when mobile payments are involved.

But remember that this doesn’t mean you’re PCI compliant. Tokenization isn’t just a one-and-done solution for being compliant. PCI Compliant is just as much about the systems and processes you have in place as it is the software you use.

For more on PCI Compliance, go here.

Why is payment tokenization often preferable to encryption?

Companies have used encryption for decades when they want to deliver private messages or when they have to transmit sensitive information in an insecure environment.

Tokenization is a popular process today because it is a less expensive — and safer — way to secure sensitive information. Encryption is mathematically reversible, uses an encryption key, and the process requires businesses to rotate the keys.

We refer to encryption as an end-to-end process. That means that we must encrypt the data on the origination side and decrypt it on the delivery side.

On the other hand, tokens have a format that fits traditional credit card fields, are centrally managed, and offer flexibility so payment companies can use tokens for returns, chargebacks, recurring payments, and more. Tokens are not mathematically reversible if created by non-reversible cryptography, have no encryption keys, never display the personal account number of the consumer, and is meaningless if stolen by a cyber hacker.

In other words, tokenization is the best method for reducing your exposure to PCI issues.

Why tokenization is good for your customers

Easier fraud prevention

One of the major consumer benefits in case of a breach is the individualization of the payment tokenization across payment devices. There’s no “one-size-fits-all” token per credit card. In other words, if someone manages to steal your cell phone and you were using a mobile wallet, you’d only have to cancel the token associated with your phone. You wouldn’t have to cancel the crazy amounts of subscriptions you have auto-drafting or anything like that. This is an awesome benefit for today’s consumers.

Faster Checkouts

Some programs that use tokens also have the user’s shipping information sent along with the token, saving consumer’s time when inputting their information.

At Tidal Commerce, we like to work with smart, driven business owners looking to grow. If that’s you, and you’re curious about the positive effects payment tokenization can have on your business, then let’s talk!

See what Tidal is all about

Unlimited Access to our Guides!

Get access to the latest payment processing and business news delivered directly to your inbox.