Stay connected
Subscribe to our Inside WEX blog and follow us on social media for the insider view on everything WEX, from payments innovation to what it means to be a WEXer.
"*" indicates required fields
Inside WEX
A Brief Look at Tokenization in the Payments Industry
If you’ve ever been handed a casino chip, you’re already familiar with the concept of tokenization. That small disc of valueless plastic represents something of real value: your $50 winnings. Outside of the casino and into the world of plastic card, contactless, and web-based payments, tokenization is a security solution being adopted by industry stakeholders. But rest assured, they’re not taking their tokens to the poker table. When it comes to protecting customers’ sensitive financial information, they’re not interested in placing any bets.
The word “tokenization” has been passed around in countless industry articles and it represents—no pun intended—the future of payments security. Let’s take a high-level view of tokenization by covering the basics:
What is tokenization?
The term was coined by token service provider Shift4 to describe the concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data—that data being credit card payments information. Put simply, the process of tokenization removes a person’s actual credit card data from a company’s internal networks and replaces it with an organically random, alphanumeric, globally unique ID called a token that passes seamlessly through the payments system.
What types of payments are protected by tokenization?
Tokens can be used for transactions involving:
- Plastic payment cards—debit and credit cards, loyalty cards, gift cards
- Mobile NFC payments—e.g. Apple Pay and cloud-based payments
- E-commerce and m-commerce payments—card-on-file data
What makes tokenization a hot topic today?
With the global use of NFC payments, the growing adoption of mobile payments, and the ubiquity of e-commerce, consumers demand security. Merchants need to ensure their customers’ data and internal processes are safeguarded, especially as fraud rates climb and news of data breaches fill the headlines.
How does tokenization address a merchant’s payments security concerns?
Tokenization removes the risk inherent in storing, processing, or transmitting confidential customer credit card data via internal computers and networks—while retaining that information’s value. Because tokens are not mathematically derived, predictable, sequential, or have a 1-to-1 relationship with the actual card number, they’re virtually meaningless to anyone (i.e. criminals) outside of the tokenization system seeking access to the underlying data. What’s more, tokens are domain-specific, so if an EMVCo token is designated for a contactless NFC card payment transaction it cannot be used in place of card-on-file data that’s stored on acquirers’ systems—or vice versa.
What about industry compliance?
Tokenization actually simplifies the merchant’s compliance with industry standards and government regulations (e.g. PCI DSS requirements). Since their systems don’t store or process “real” data, they no longer need to provide the same level of security protection.
How does tokenization differ from encryption?
In short, there’s no way for someone to reverse engineer a token. Encryption uses a mathematical process, or algorithm, to make cardholder data unusable. It results in a direct relationship between the original data and the encrypted data, making it decryptable.
Does using a token change a merchant’s payment process?
No. A customer’s real card data is stored with their token service provider at a highly secure, centralized location called a token vault. Merchants use only the token during customer payments transactions, which may include sales, refunds, voids, and credits. And since tokens are formatted to look like the card’s (typically 16-digit) primary account number, they pass all standard checks used for routing and validation.
Tokens travel through the payment’s infrastructure: for example, from the e-commerce “shopping cart” to the merchant’s system to the payment network to the token service provider’s token vault. The token service provider holds the “key” and is therefore the only entity involved in authorizing a transaction. This process is called de-tokenization, and it occurs in a secure environment, allowing for processing and reconciliation using the tokenized card’s actual number.
What is a durable token?
A durable token is one that is assigned to a specific credit card for a life-long association. Every time the cardholder wants to make a payment to a certain merchant using that card, the exact same token is invoked. Merchants with online retail or wholesale stores appreciate this durable relationship between the card number and the token because they can offer their customers the ability to save cards to their account, thus making the checkout process a breeze, reducing the likelihood of the customer abandoning their shopping cart and increasing the chances that they will come back to make a future purchase. Merchants that accept credit cards for invoice payments or phone orders also appreciate that they can quickly process a transaction using the “card-on-file” upon customer instruction, allowing them to get paid faster and with minimal customer action. Durable tokens enable long term storage as well as various back-end business processes without exposing sensitive data.
What is a transaction-based token?
A transaction-based token is generated and used for one specific transaction. If a customer initiates multiple transactions with a merchant using the same credit card each time, there is a new token issued for each transaction. This works just fine for small merchants that don’t typically need to associate the token number back to a specific customer again and again. For example, consider a merchant selling T-shirts in a booth at a concert venue. The merchant doesn’t really care about tracking the customers’ historical buying patterns or initiating multiple sales over time to the same customer. At the same time, the merchant doesn’t want to store real PANs in its sales system. In this case, transaction-based tokens fit the need nicely.
Sources:
Credit Card Tokenization 101 — And Why it’s Better than Encryption from 3 Delta Systems
PCI DSS Tokenization Guidelines from PCI Security Standards Council