Credit Card Tokenization: What Merchants Need to Know
In today’s world of electronic transactions and online gateways, customer payment information security is paramount. Fines are steep, and a lot is at risk — especially for businesses with thousands of customers.
The last thing you want is to be responsible for a payment information breach. It has the potential to cripple your business through fines, damage to your public reputation, or both.
Many vulnerabilities exist in the transmission stage of payment processing. This is when the data is being exchanged between the banks and involved credit card networks.
There are two main ways to prevent breaches during this process: payment encryption & payment tokenization.
Beyond the obvious social and consumer downsides, there is a compliance cost: the credit card networks founded the Payment Card Industry Data Security Standard (a.k.a. PCI Compliance) in 2006, and if you aren’t using encryption or tokenization to pass sensitive payment information, you’re at risk of being fined or banned from accepting credit cards.
Tokenization is kind of trendy at the moment, and for good reason. It has recently come much more into the spotlight due to mobile payment systems like Android Pay and Apple Pay being normalized, and it’s just a better way to transfer payment information securely.
Encryption vs. tokenization
What is encryption?
Encryption is a blanket term for any technique that scrambles data and then allows it to be decoded when needed. Think of it as an advanced secret language, where only the right people with the right key can unlock the original information.
A few other things to note about encryption:
- Businesses need to rotate their keys to maintain security.
- A consumer’s primary account number (PAN) is displayed at certain points in the payment process.
What is credit card tokenization?
In order to provide additional layers of protection against cyber hackers stealing sensitive personal information, and to prevent credit card fraud, the payment card industry created tokenization. Tokenization is a process that substitutes the consumer’s sensitive cardholder account number with a number randomly generated by an algorithm or created by a non-reversible cryptographic function. This substituted number is known as the “token”.
Retailers can disseminate tokens over the internet or wireless networks to process credit card payments, all without transmitting the cardholder’s actual banking account number. The bank or network stores the actual banking account information in a safe place called a vault. Cyber hackers are unable to find and breach the vault through the retailer’s site, so the information stays secure.
Tokens were developed as a way to prevent online or digital breaches. The token is similar to the new “chip” that credit card issuers use to prevent credit card theft for payments made in brick-and-mortar stores.
Credit card tokenization step by step:
- A token is created from the primary account number (PAN) for one-time use on a specific website or channel.
- The created token is sent to a secure token vault. The vault can be built in-house or easily outsourced (it must be PCI Compliant).
- Tokens are loaded on the mobile device as part of the virtual card profile.
- The NFC device or relevant channel initiates a transaction at a merchant’s point-of-sale (POS) terminal. The POS uses the token as the card number instead of the customer’s PAN.
- The POS terminal sends the token to the acquiring bank, which sends it to the issuing bank through the payment network.
- The issuer de-tokenizes the token and checks it against the real PAN. If there’s a match, then it approves (or authorizes) the transaction.
- The response from the card issuer’s check is returned to the POS terminal with the token attached as the card reference, so the token acts as the unique transaction identifier.
- The transaction is completed!
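The steps above, as an added Python example that is not from the original article: an in-memory dictionary stands in for the token vault, and the names `TokenVault`, `pos_sale` and the channel labels are hypothetical. It shows a randomly generated token bound to one channel, the issuer-side check, and a response that references the token and never the PAN.

```python
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed sample: a widely used test number

class TokenVault:
    """In-memory stand-in for the issuer-side vault (hypothetical names)."""

    def __init__(self):
        self._entries = {}  # token -> {"pan", "channel", "used"}

    def tokenize(self, pan, channel):
        """Create a random one-time token bound to one channel."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Random digits: no key or algorithm links the token to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = {"pan": pan, "channel": channel, "used": False}
        return token

    def authorize(self, token, channel):
        """Issuer side: de-tokenize, then enforce channel and one-time use."""
        entry = self._entries.get(token)
        if entry is None:
            reason = "unknown token"
        elif entry["channel"] != channel:
            reason = "wrong channel"
        elif entry["used"]:
            reason = "token already used"
        else:
            entry["used"] = True  # entry["pan"] stays inside the vault
            reason = "ok"
        # The response carries the token as its reference, never the PAN.
        return {"ref": token, "approved": reason == "ok", "reason": reason}

def pos_sale(vault, token, channel, amount_cents):
    """Merchant side: the POS handles only the token."""
    return {"amount_cents": amount_cents, **vault.authorize(token, channel)}

def demo():
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN, "merchant-a-pos")
    elsewhere = pos_sale(vault, token, "merchant-b-web", 1999)
    first = pos_sale(vault, token, "merchant-a-pos", 1999)
    replay = pos_sale(vault, token, "merchant-a-pos", 1999)
    return token, elsewhere, first, replay

if __name__ == "__main__":
    for item in demo():
        print(item)
```

A token captured at one merchant is rejected on any other channel, and a replay on the original channel is rejected once the first sale has consumed it.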
And here are some other useful facts about credit card tokenization:
- Tokens cannot be reverse-engineered. They are randomly generated and thus there is no associated algorithm (unlike encryption).
- Your audit items could be reduced by half after switching to tokenization.
- It’s cheaper to implement than encryption.
- A customer’s PAN is never revealed.
- Your ability to quickly and securely handle refunds, chargebacks, etc. is increased.
- The original card number stays in control of the participating bank.
Credit card tokenization examples
You come across credit card tokenization more often than you might imagine because tokens are quite popular in the e-commerce arena.
Recurring Payments and Subscription Billing
Whenever a website “keeps your card on file” for recurring payments or subscription billing, the site is using tokens. Think of any SaaS business (Netflix, Squarespace, etc.).
Another popular example is the “one-click” option, with Amazon being the most obvious case. They don’t just have your information sitting openly; it’s all handled through tokens.
Apple Pay and Android Pay
Near-field communication (NFC) payments like Apple Pay and Android Pay rely on tokens as well.
These mobile wallets transfer your payment information from your smartphone to a nearby vendor’s terminal. The process uses radio waves that allow smartphones and other devices to exchange information. The token is one of those pieces of exchanged information.
Once you load your credit card information into the mobile wallet app, the information transfers to your bank. The bank replaces the account information with a randomly selected token and then transmits that token to the retailer. The retailer never stores your actual account information.
If you purchase something in an app, let’s say UberEats, Lyft, or Amazon (again), you’re dealing with tokens again. Those apps don’t have free rein over your credit card information.
Instead, your information is represented by that randomized token and protected from fraud.