TokenizationMaximizing Data Security for Merchants & Cardholders

Tokenization: Why is This Now the Standard for Data Security?

Wouldn’t it be great if you had a decoy version of yourself that you could project online? Fraudsters that might be hunting for your personal information would pursue the decoy, while you go about your business unbothered. Well, in a sense, that’s the basic idea behind payment tokenization

With tokenized data, valuable transaction information stays protected. A one-time-use token, which will be totally useless to a scammer, is the only thing that is ever exposed. And, there is a practically infinite number of disposable tokens available.

That’s the simplified explanation, but what are tokens, exactly? Where do they come from? Are they really safe? In this post, we’ll cover how tokenization works, and why it’s one of the most secure data protection methods available.

What is Payment Card Tokenization?

Tokenization

[noun]/tō ● kən ● uh ● zey ● shuhn/

Tokenization refers to the process of protecting sensitive data by replacing it with a randomized placeholder number called a token.

Tokenization is the process of substituting a sensitive data element for a non-sensitive equivalent. An individual credit card token is an algorithmically generated alphanumeric code that serves as a proxy for real transaction data.

What’s that mean? Well, an easy way to explain this is to think back to when you were a kid.

You might’ve gotten a few bucks from your allowance, and so you decide to spend them at a video arcade. You walk into the arcade, insert a dollar into a machine, and in return, you receive a handful of arcade tokens. The little coins could be used in place of cash for games in the arcade, but they had no intrinsic value of their own.

Arcade tokens are just like the security tokens that stand in for your sensitive information in a card transaction. Payment tokens don’t hold any actual value, and can only be used to facilitate the transactions for which they are generated. In that way, they work like arcade tokens, which can only be used within the arcade.

Sure, it’s a silly metaphor… but it’s also an easy way to understand payment tokenization:

Tokenization cannot guarantee that transmissions won’t be hacked. If a hack occurs, however, the hacker would only score a random, valueless group of numbers, rather than one’s personal information.

How Does Payment Card Tokenization Work?

Sensitive consumer information like names and account numbers are replaced by a tokenized code. This allows data to move between networks without revealing customer details.

In a transaction involving payment card tokenization, for example, the cardholder’s primary account number (PAN) is exchanged for an algorithmically-generated token. A PAN of 1234 5678 9123 4567, for example, might end up with a completely random token like 3M747T4567.

The token is tied to the real account number, of course (the last four digits are usually the same). However, the customer’s actual data remains in a tokenization “vault;” a guarded database usually secured by a third-party vendor. Banks will know who the token represents, but merchants (and anyone else) looking at the data will see only the token.

Tokens are good for one use only. Once transmitted, the token is no longer valid. As this illustration shows, even if a customer uses the same card to make an identical purchase from the same merchant, the tokens connected to the transaction would be unique.

While specific details may vary, a typical tokenized credit card transaction might go through the following steps:

• The cardholder “dips” their payment card information to make a purchase.
• Cardholder data is substituted for a randomized, one-time-use token.
• The token is sent to the merchant’s acquiring bank in place of actual card information.
• The acquirer requests authorization based on the profile attached to the token.
• The customer’s issuing bank validates the token. If it matches, the purchase can be authorized.
• The issuer responds, using the token as a point of reference.
• The purchase is completed using the attached token as a unique transaction identifier.
• The token expires.

Tokenization Use Cases

Payment card tokenization can be deployed in a variety of situations:

Of course, the technology is not limited just to payment cards. There are other practical use cases for tokenization, including:

The Benefits of Tokenization

As we’ve pointed out, the primary benefit of tokenization is data security. But there are also a few more perks to consider, too:

Are There Downsides to Tokenization?

Tokenization is powerful, but it’s not a perfect solution. The technology adds a layer of complexity to a merchant’s IT structure, which may require additional expert technical support. 

Also, not all payment processors support tokenization yet. A merchant may have to change vendors or systems, and may get stuck with a less efficient solution than they would like.

All that said, the biggest disadvantage to tokenization is probably what it doesn’t offer: comprehensive fraud protection.

Merchants often believe that extra data security means decreased fraudulent activity. It doesn’t work that way, though; tokenization reduces overall data security risk, but not fraud risk. This is especially true in the card-not-present space, where tokenization may not be an option, and where sellers cannot validate buyers’ identities in person.

Bottom line: even when handling tokenized data, merchants are still vulnerable to unauthorized transactions and the accompanying chargebacks.

How to Implement Tokenization

On a high level, merchants that want to implement any kind of payment tokenization technology will need to follow a multi-step process:

#1  |  Identify a Payment Service Provider or a Third-Party Provider

You can either opt for a payment service provider (PSP) that already offers integrated tokenization technology, or select a third-party provider that can help implement the security practice.

Before settling on a provider, you should make sure the provider offers complimentary fraud prevention tools, adheres to PCI-DSS regulations, and can tokenize payment data across all your sales and checkout channels.

#2  |  Integrate the Tokenization System

Next, you need to integrate the third-party provider’s tokenization technology with your existing payment system. As part of this process, you need to verify that customers’ card details are correctly captured and routed to the provider for token generation.

You can go with a provider that offers a plug-and-play, “no-code” option, or one which requires more in-depth integration with the merchant’s existing payment technology. Of course, you can skip this step if you opt for PSPs that offer integrated tokenization technology.

#3  |  Submit Tokenized Payments For Processing

Once the technology is fully integrated, you can begin to submit tokenized transactions for processing. You’ll need to perform testing to ensure that everything is working properly before trying to route actual customer data, though.

For recurring payments, this also means securely storing tokenized details on your server instead of the cardholder’s actual card details.

Special Considerations When Implementing Tokenization

Tokenization generally makes transactions safer and less vulnerable to hacking. However, there are points that merchants will need to consider before implementing tokenization technology.

• Tokenization is an all-or-nothing security measure. It can’t be implemented piecemeal.
• There may be a lot more IT work involved, some of it specialized.
• Some internal procedures/scripts may need to be updated.
• The merchant must retain ownership of all tokenized data in case they change vendors or processors.
• Data security is only as good as one’s data storage partner.
• Tokenization may cause confusion for cardholders trying to identify transactions by account number.

By replacing sensitive debit card data with unique identifiers, tokenization is a powerful, cost-effective way to offer cardholders maximum transaction security. But, as we explained above, that still may not be enough.

Overall fraud protection requires an even broader strategy, one that addresses data security, fraud prevention, and post-transaction revenue recovery. That’s why the most effective method for keeping information safe is a combined approach that would include encryption, tokenization, and other secure practices.

If you’d like to learn more about keeping both your data and your revenue safe, let us know. Chargebacks911® offers turnkey services designed to produce long-term, sustainable growth.