In today’s world of electronic transactions and online gateways, customer payment information security is paramount. Fines are steep, and a lot is at risk — especially for businesses with thousands of customers.
The last thing you want to do is be responsible for a payment information breach. It has the potential to cripple your business — either through fines, ruining of public reputation, or both.
There are two main ways to prevent breaches during this process: payment tokenization and payment encryption.
Beyond the obvious harm to customers and to your reputation, there is a regulatory angle: the credit card networks founded the Payment Card Industry Data Security Standard (PCI DSS, often just called "PCI compliance") in 2006, and if you aren't using encryption or tokenization to pass sensitive payment information, you're at risk of being fined or banned from accepting credit cards.
Tokenization is kind of trendy at the moment, and for good reason. It has recently come much more into the spotlight due to mobile payment systems like Android Pay and Apple Pay being normalized, and it’s just a better way to transfer payment information securely.
What is credit card tokenization?
Credit card tokenization is a process that substitutes a consumer's sensitive cardholder account number with a number that is either randomly generated or derived by a non-reversible cryptographic function. This substitute number is known as the "token".
Retailers can send tokens over the internet or wireless networks to process credit card payments without ever transmitting the cardholder's actual account number. The bank or network stores the actual account information in a protected system called a vault. An attacker who compromises the retailer's site cannot reach the vault through it, so the account information stays secure.
The payment card industry created tokenization in order to provide additional layers of protection against cyber hackers stealing sensitive personal information and to prevent credit card fraud. The token is similar to the new(er) “chip” that credit card issuers use to prevent credit card theft for payments made in brick-and-mortar stores.
How does tokenization work?
- A token is created for the customer's primary account number (PAN), either for one-time use or scoped to a specific website, device, or channel.
- The token is recorded in a secure token vault. The vault can be built in-house or outsourced to a provider; either way it must be PCI compliant.
- Tokens are loaded on the mobile device as part of the virtual card profile.
- The NFC device or relevant channel initiates a transaction at a merchant’s point-of-sale (POS) terminal. The POS uses the token as the card number instead of the customer’s PAN.
- The POS terminal sends the token to the acquiring bank, which sends it to the issuing bank through the payment network.
- The issuer de-tokenizes the token by looking up the real PAN in the vault. If there's a match, it approves (authorizes) the transaction.
- The issuer's response is returned to the POS terminal with the token, not the PAN, serving as the transaction reference.
- The transaction is completed.
And here are some other useful facts about credit card tokenization:
- Tokens cannot be reverse-engineered: they are randomly generated, so there is no key or algorithm that recovers the PAN from the token (unlike encryption).
- Your audit items could be reduced by half after switching to tokenization.
- It’s cheaper to implement than encryption.
- A customer’s PAN is never revealed.
- Refunds, chargebacks, and similar follow-up transactions can be handled quickly and securely against the token.
- The original card number stays under the control of the participating bank.
Credit card tokenization examples
You come across credit card tokenization more often than you might imagine because tokens are quite popular in the e-commerce arena.
1. Recurring payments
Whenever a website "keeps your card on file" for recurring payments or subscription billing, the site is using tokens. Think of any SaaS business (Netflix, Squarespace, etc.).
2. One-click options
Another popular example is the "one-click" option, with Amazon being the most obvious case. Amazon doesn't keep your card details sitting in the open; everything is handled through tokens.
3. NFC payments
Near-field communication (NFC) payments like Apple Pay and Android Pay rely on tokens as well.
These mobile wallets transfer your payment information from your smartphone to a nearby vendor’s terminal. The process uses radio waves that allow smartphones and other devices to exchange information. The token is one of those pieces of exchanged information.
Once you load your credit card information into the mobile wallet app, the information transfers to your bank. The bank replaces the account information with a randomly selected token and then transmits that token to the retailer. The retailer never stores your actual account information.
4. App purchases
If you purchase something in an app, say UberEats, Lyft, or Amazon (again), you're dealing with tokens again. Those apps don't have free rein over your credit card information.
Instead, all they hold is the randomized token, which keeps your card protected from fraud.
Payment tokenization vs. encryption
What is encryption?
Encryption is a blanket term for any technique that scrambles data and then allows it to be decoded when needed. Think of it as an advanced secret language, where only the right people with the right key can unlock the original information.
A few other things to note about encryption:
- Businesses need to rotate their keys to maintain security.
- A consumer's primary account number (PAN) is exposed at certain points in the payment process.
Why is tokenization preferable to encryption?
Companies have used encryption for decades when they want to deliver private messages or when they have to transmit sensitive information in an insecure environment.
Tokenization is a popular process today because it is a less expensive — and safer — way to secure sensitive information. Encryption is mathematically reversible, uses an encryption key, and the process requires businesses to rotate the keys.
We refer to encryption as an end-to-end process. That means that we must encrypt the data on the origination side and decrypt it on the delivery side.
On the other hand, tokens have a format that fits traditional credit card fields, are centrally managed, and offer flexibility so payment companies can use tokens for returns, chargebacks, recurring payments, and more. Tokens are not mathematically reversible when created by non-reversible cryptography, involve no encryption keys, never expose the consumer's primary account number, and are meaningless if stolen by an attacker.
In other words, tokenization is the best method for reducing your exposure to PCI issues.
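To make the contrast above concrete, here is an added example (not code from the original article or from Tidal Commerce) that puts a reversible encryption of a PAN beside a token for the same PAN. The keystream cipher is a toy stand-in for a real cipher such as AES, used only so the demo runs with the Python standard library; the sample PAN is a constructed test-style number, and the function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN for the demo (a test-style number, not a real card)
SAMPLE_PAN = "4111111111111111"
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from a keyed hash. Illustration only: a real system
    would use a vetted cipher (e.g. AES-GCM), but the property shown is the
    same: whoever holds the key can run the process backwards."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_pan(pan: str, key: bytes) -> bytes:
    """Encryption is end-to-end: output is nonce || ciphertext, and the
    ciphertext is binary, so it no longer fits a card-number field."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = pan.encode()
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt_pan(blob: bytes, key: bytes) -> str:
    """Mathematically reversible: the same key recovers the PAN exactly.
    A wrong key yields garbage rather than an error, which is why key
    custody, not the algorithm, is what protects the data."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode(errors="replace")


def rotate_key(blob: bytes, old_key: bytes, new_key: bytes) -> bytes:
    """Key rotation, which the article notes encryption requires: every
    stored ciphertext must be decrypted and re-encrypted under the new key."""
    return encrypt_pan(decrypt_pan(blob, old_key), new_key)


def issue_token(pan: str) -> str:
    """A token: random digits in card-number format (last four kept so a
    receipt can show 'ending in 1111'). There is no key and no formula that
    maps it back; only a vault lookup (not shown here) relates the two."""
    while True:
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        if token != pan:
            return token


def compare(pan: str) -> dict:
    """Summarise the properties the article contrasts, as checkable facts."""
    key = secrets.token_bytes(32)
    other_key = secrets.token_bytes(32)
    blob = encrypt_pan(pan, key)
    token = issue_token(pan)
    return {
        "encryption_reversible_with_key": decrypt_pan(blob, key) == pan,
        "encryption_reversible_with_other_key": decrypt_pan(blob, other_key) == pan,
        "ciphertext_fits_card_field": blob.decode(errors="replace").isdigit(),
        "token_fits_card_field": token.isdigit() and len(token) == len(pan),
        "token_equals_pan": token == pan,
    }


if __name__ == "__main__":
    print(compare(SAMPLE_PAN))
```

The dictionary returned by `compare` is the article's argument in miniature: the ciphertext round-trips only with the right key and needs rotation, while the token is card-shaped but carries no recoverable relationship to the PAN.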
Why tokenization is good for customers
Easier fraud prevention
One of the major consumer benefits in case of a breach is that tokens are individualized per payment device and channel: there is no "one-size-fits-all" token per credit card.
In other words, if someone steals your phone and you were using a mobile wallet, you'd only have to cancel the token associated with that phone. You wouldn't have to cancel the card itself or re-enter it for every subscription that auto-drafts from it. This is a real benefit for today's consumers.
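The following is an added example (my own code, not the article's or Tidal Commerce's) that walks through the "How does tokenization work?" steps above with a small simulated token vault, and then plays out the stolen-phone scenario just described: one card, one token per channel, and revoking a single token without touching the card or the other tokens. The vault, the `authorize` stand-in for the issuer, and the sample PAN (a constructed test-style number) are all assumptions made for the demo.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample PAN for the demo (a test-style number, not a real card)
SAMPLE_PAN = "4111111111111111"


@dataclass
class VaultEntry:
    pan: str
    channel: str
    active: bool = True


class TokenVault:
    """Hypothetical token vault: the only place the real PAN is stored.

    In practice this sits with the issuer or a PCI-compliant token service
    provider; merchants and POS terminals only ever handle the token.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, VaultEntry] = {}

    def tokenize(self, pan: str, channel: str) -> str:
        """Issue a fresh token bound to one channel (wallet, website, app).

        The token keeps the PAN's length and digit-only format so it fits
        existing card-number fields, but its digits are random: there is no
        key or formula that maps it back to the PAN, only this table.
        """
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Random body; keep the last four so a receipt can show "ending in 1111"
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._entries:
                break
        self._entries[token] = VaultEntry(pan=pan, channel=channel)
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Issuer-side lookup: returns the PAN only for a known, active token."""
        entry = self._entries.get(token)
        if entry is None or not entry.active:
            return None
        return entry.pan

    def revoke(self, token: str) -> bool:
        """Cancel one token (e.g. a stolen phone's wallet token); the card
        and every other token issued for it stay valid."""
        entry = self._entries.get(token)
        if entry is None:
            return False
        entry.active = False
        return True

    def active_tokens_for(self, pan: str) -> List[str]:
        return [t for t, e in self._entries.items() if e.pan == pan and e.active]


def authorize(vault: TokenVault, token: str, amount_cents: int) -> dict:
    """Simulated issuer authorization for a token that arrived via POS and acquirer.

    The response references the token, never the PAN, so nothing on the
    merchant side ever holds cardholder data.
    """
    pan = vault.detokenize(token)
    approved = pan is not None and amount_cents > 0
    return {"reference": token, "amount_cents": amount_cents, "approved": approved}


def demo() -> dict:
    """One card, two channels; the wallet token is revoked after a phone theft."""
    vault = TokenVault()
    wallet_token = vault.tokenize(SAMPLE_PAN, "mobile-wallet")
    subscription_token = vault.tokenize(SAMPLE_PAN, "streaming-subscription")

    before = authorize(vault, wallet_token, 1999)
    vault.revoke(wallet_token)  # phone stolen: cancel only that device's token
    after_wallet = authorize(vault, wallet_token, 1999)
    after_subscription = authorize(vault, subscription_token, 1299)
    return {
        "wallet_token": wallet_token,
        "subscription_token": subscription_token,
        "wallet_before_revoke": before["approved"],
        "wallet_after_revoke": after_wallet["approved"],
        "subscription_after_revoke": after_subscription["approved"],
        "active_tokens": vault.active_tokens_for(SAMPLE_PAN),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the merchant-side objects contain: the `authorize` response and anything a POS or subscription service would store carry only the token as the reference. The PAN appears in exactly one place, the vault's entry table, which is what shrinks the merchant's PCI scope.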
Additionally, some programs that use tokens also send the user's shipping information along with the token, saving consumers time when entering their details.
Payment tokenization with Tidal
At Tidal Commerce, we like to work with smart, driven business owners looking to grow. If that’s you, and you’re curious about the positive effects payment tokenization can have on your business, then let’s talk!