The world of payments is complicated (and most payments pros would say this is an understatement). The payments world changes daily with new regulations, new fraud to fight, and new expectations for performance and customer experience.
Payments is a very serious business centered around sensitive payment data which includes a customer's account number, primary account number, and credit card information. This also includes things like payment security and meeting PCI DSS requirements and maintaining compliance.
One thing that remains constant is the need for card vaulting (or credit card tokenization if you're being more specific). Vaulting credit card data is an important part of any payments strategy, and it also comes with a unique set of challenges.
Have you thought about the way you handle cardholder data recently? If not, let's explore some reasons why you should take a second look at how your business is vaulting card data. If you're wondering what credit card tokenization is, you're in the right place too. We'll cover the basic explanation here. (Note: This article does assume you know some core concepts about the payments industry like credit card processing, what a payment processor is, and you know that cardholder data needs to be kept secure.)
Let’s get right into the concept of a vault and what makes credit card tokenization important.
In this blog we'll cover:
- How Tokenization Works
- Tokenization of Yesterday
- Tokenization Today
- Challenges with Today’s Tokenization
- Who's in control of your sensitive data?
- Going beyond a single payment processor
- Benefits of Payments Orchestration
- Future Proofing Your Data
- Learn More About Tokenized Payments
Credit card tokenization allows a business to store a customer's card data in a secure, managed vault. It uses randomly generated tokens as a substitute for sensitive data, and then using those tokens to process a payment transaction. This can happen in a single instance, or for all future transactions with a customer's credit card.
This means that the customer information is safe from bad actors who might seek to steal sensitive card data.
In fact, it has to function this way as a result of PCI DSS standards. These randomly generated tokens are an extra layer that help protect sensitive information like the original credit card number, the personal account number, and other information.
Credit card tokenization is about making cardholder data more secure for both the merchant who would like to continue to accept payments, and also for the data protection of the customer.
Tokenization of Yesterday
Obviously, credit card data is important to merchants, and having payment methods on file for future charges makes good business sense. This is particularly true if you have a subscription business. Let's explore how companies historically would have made this part of their credit card processing strategy.
If merchants wanted to do this themselves, in most cases, they had to build it internally. This meant taking on the full responsibility to maintain PCI DSS compliance. It is a monumental effort for small internal teams to pull off this feat. Usually the types of companies that could afford a large payments team to deal with this were internet household names — like eBay or Uber.
The good news is this process works in a very different way now than it did when people first attempted to take payments online.
Today, it is incredibly easy to get started with a single payment processor or payment service provider (PSP). Many PSPs have made it so easy you can get started in just a few minutes. This makes sense for most online businesses that need to accept a low volume of payments.
These processors almost always have a built-in tokenization process that you don't need to think much about. They've done all the hard work in that area, reducing the friction on your end to protect card data. This ease of use also comes with an excellent bonus for you — most of the PCI compliance burden is handled by the processor.
A single processor or PSP handles all of the PCI compliance-related requirements so you don't have to worry about this aspect in your day-to-day business operations. Besides being really expensive, it is quite labor intensive to maintain PCI compliance.
Plus, you get to skip all the fun of voluntary audits. :)
We all knew it couldn’t be all good news.
A single processor or PSP does not give you full control over your customer payment details (aka tokens). What do we mean by full control? In this case we mean the portability of your vault and tokenized payment data.
If you're ever unhappy with your PSP and want to change who processes your business' transactions, there's a bit of bad news. The existing tokens are directly tied to your existing PSP and may not be accessible to you, the merchant.
It’s a common scenario to request an export of your customer credit card data from your processor. This request is often met with a large fee or long delays.
To make matters worse, there's usually good reason you're requesting payment data and likely a tight timeline. The data being locked away is likely to cause a headache for the project at hand.
Once you have a high customer count and process large amounts of transactions you're likely to begin shopping for the best rates. All of these tokenized cards are critical to your business — exponentially so if you have recurring subscriptions.
For these reasons, it's important you are in full control of where payment tokens are vaulted.
According to 451 Research, almost 70% of merchants want a multi-provider approach to payments. This is because it allows them to get into new markets faster, optimize for higher transaction authorization rates, and avoid lock-in and outages.
Agnostic or impartial providers allow you to store tokenized payments in a universal vault, and use the payment processor of your choice. This opens up a world of possibilities for business operations because not only can you switch PSPs when you want — you can also transact with any mix of them that makes sense for your business needs.
This can be a critical advantage if you take payments (or plan to) in more than one region as not all PSPs are the best option for every customer or region. If you're looking for a flexible payment vault that allows you to move your customers' data from one system to the next without having to worry about PCI compliance, then you should explore agnostic providers.
This is typically called Payments Orchestration, and offered under the umbrella of a Payments Orchestration layer (which also allows you to do many other things).
Beyond future proofing and providing options for sensitive credit card data, what are other benefits of using an agnostic payment tokenization?
Your business can switch or add PSPs when and where you want. With the traditional approach, your data becomes their responsibility (and not yours). This could be a very big deal if the relationship with your PSP changes or they go out of business. Your customer information could be lost forever. Or worse, you're on your own to get the tokens from their vault to a new one (hope you're an expert at encryption).
Speaking of encryption, with card tokenization from an agnostic provider, you never have to give up any control. You can keep your payment data in a universal vault. In this model, the agnostic card vault provider handles the encryption/decryption of payment cards. When it's time for a change in PSPs or gateways, there is a secure “handshake” or integration required and all the data is now available to your new PSP partner.
Everything is portable, and you're still using the same aggregator layer. You're in control of your tokenization strategy, and you don't have to rely on your processing partners.
Beyond the flexibility at the gateway level, you also get lots of bonus benefits if you choose a Payments Orchestration layer to handle your vaulting. Not only do you get the flexibility of taking and storing payments, you can send them to any number of endpoints after that.
Does that include fraud and risk tools? You bet.
Payments Orchestration includes all kinds of things that might be useful to you and your business. In addition to flexibility, you also get the ability to optimize your payments further and do cool things like routing payments.
An agnostic card vault tokenizes your customers' payment details and then you can decide which gateway or PSP to send them to. For the most flexibility, you should have a card vault that allows you to keep control over all aspects of your data.
The best time to think about the future of your tokenization needs is yesterday. The second best time is today. Hopefully this post has made you examine your current setup, or provided your team more info while you plan out the next steps of your company's payments strategy.
The fun part of payments? There's always more to learn!
Check out the related posts below. We also covered making your vault portable on this episode of Payments Dialog.
If you're exploring your own payment tokenization setup and have questions, our team is ready to help. Reach out today and start a conversation.