Payment Tokenization Explained
“Tokenization” is a key buzz word in the world of payments at the moment, especially as the number of businesses accepting mobile payments apps like Apple Pay is on the rise. Basically, tokenization is a security measure that adds an extra level of safety to sensitive credit card data.
In this article:
- What is tokenization?
- History of credit card tokenization
- Tokenization vs. encryption
- Payment tokenization
- Tokenization FAQs
What is tokenization?
Tokenization is the process of protecting sensitive data by replacing it with an algorithmically generated number called a token. Tokenization is commonly used to protect sensitive information and prevent credit card fraud. In credit card tokenization, the customer’s primary account number (PAN) is replaced with a series of randomly-generated numbers, which is called the “token.” These tokens can then be passed through the internet or the various wireless networks needed to process the payment without actual bank details being exposed. The real bank account number is held safe in a secure token vault.
Just like the use of chip and PIN cards, tokenization’s end game is to prevent the bad guys from duplicating your bank information onto another card. But while chip and PIN cards protect against fraud that occurs when someone pays at a physical store, tokenization is primarily designed to fight online or digital breaches.
Accept Apple Pay and contactless cards everywhere.
The chip and PIN and contactless reader built for every business.Order your reader now
Credit Card Tokenization - a History
Substitution techniques like tokenization have been in practice for decades as a way to isolate data in ecosystems like databases. Historically, encryption with reversible cryptographic ‘keys’ was the preferred method of protecting sensitive data. In the words of techUK’s deputy CEO, encryption is viewed as ‘the best defence’ available for keeping sensitive information safe, be it that of a multinational company or the confidential files of the country’s government. Its widespread use is also thanks to its wide variety of applications, from cloaking private messages in P2P apps to transferring sensitive information in a vulnerable environment.
However more recently, payment experts are seeing more and more organisations moving from encryption to tokenization as a more cost-effective (and secure) way to protect and safeguard sensitive information. The expert verdict being that tokenization is the best choice for keeping small businesses as secure as possible.
One of the most widespread uses of tokenization today is in the payments processing industry. Tokenization allows users to store credit card information securely in mobile wallets, ecommerce solutions and POS terminals to allow the card to be charged without exposing the original card information.
Tokenization vs. Encryption
|PAN data displayed||X|
|Reduces PCI scope||X|
|Payment flexibility: refunds, chargebacks, recurring payments etc.||x|
|Rotation of keys required||X|
|Low-cost per transaction||X|
|Format fits with legacy credit card fields||X|
Tokenization replaces sensitive cardholder details with a stand-in token. This helps secure the customer’s bank account details in credit card and eCommerce transactions.
End to end encryption (aka “data field encryption”) on the other hand, encrypts cardholder data at the origin, and then decrypts it at the end destination. Some examples of end-to-end encryption are VPNs, Apple’s iMessage feature and other messaging apps like WhatsApp.
Both tokenization and encryption are used to reduce the scope of PCI Compliance by reducing the number of systems that have access to customers’ credit card information. (For a primer on PCI compliance, check out our PCI Compliance Guide.) While both have their places in payment technology, tokenization is fast emerging as a more cost-effective and secure solution to protecting customer card information and reducing the scope of PCI compliance. Unlike data that is encrypted, tokens are not mathematically reversible with a decryption key and PAN data is never displayed.
How is tokenization put to use in the payments industry? Three ways. The first is when businesses keep your “card on file” for subscription billing and recurring payments. The second is on eCommerce sites that offer frequent, returning customers “one-click” checkouts. And the third use (and perhaps the buzziest, as of late) is with mobile wallets like Apple Pay and Android Pay.
Payment Tokenization - An Explainer
Here’s how tokenization helps protect you in the following payment scenarios:
Apple Pay tokenization. After you take a picture of your credit card and load it into your iPhone, Apple sends the details to the card’s issuing bank or network, which replaces your card details with a series of randomly generated numbers (the token). That random number is sent back to Apple, which programs it into the phone. This means that the number stored on the phone can’t be extracted into anything valuable to fraudsters.
Android Pay tokenization. Tokenization in Android Pay works similarly. When you upload your card information into the app, Google creates a stand-in “token” to represent your account number. This makes it near impossible for someone to get at your actual credit card information.
Tokenization within apps. Say you want to buy something straight from an app on your phone — concert tickets, clothes, books, whatever. If your phone contains a token, none of these apps have access to your credit card details. That means your bank information is locked down and meaningless to fraudsters. Using a tokenized account also can make it easier to check out, as many apps will link directly to your stored delivery information.
Tokenization in eCommerce. Tokenization also helps protect your online shopping activities. You buy a coffee table on argos.co.uk, for example. If Argos has tokenized the card numbers that it keeps on file, your information is safe even if it gets hacked. The retailer may never actually see or store the credit card number, so if someone does gain illegal access to the system (like in the Wonga UK breach, for example), all the criminal can see is the randomly generated tokens. And here’s something else that’s cool: a new token can be generated for each online retailer — so you’ll have a different code at all the places you’ve shopped. So if a retailer has a security breach, all tokens issued to that website can be disabled without you having to get a replacement card.
In short: Tokenization is a complicated topic, but it’s good to know the basics (and if you’re more visually inclined, we made a simple graphic illustrating how it works below). It’s an exciting evolution in keeping every kind of payment more secure.
FAQ about Tokenization
Is tokenized data reversible?
Tokenized data is not mathematically reversible unless you have the original key used to create the token.
How are tokens generated?
Tokens can be generated through mathematically reversible algorithms, one-way non-reversible cryptographic functions or static tables mapped to randomly generated token values
Does using tokenization make me PCI compliant?
Employing tokenization won’t in and of itself make you PCI compliant, but it’s considered a “best practice” and can help to reduce PCI DSS scope. You can see the PCI Security Standards Council best practices on choosing tokenization providers here. But not to worry, Square provides affordable, PCI-compliant hardware and software.