How Does Payment Tokenization Work? (Updated for 2022)

Tokenization for the payments industry

At everyday terms, to tokenize means substituting one thing for another. For example in places like casinos, you buy tokens for playing slot machines. The plastic tokens have zero value outside the casino.

The same concept applies in the world of payments. Tokenization isn't a recent payment technology, but it has evolved over the years. We'll cover what tokenization is and how it works through the lens of payments.

First, let's tackle the most important question.

What is Payment Tokenization?

Payment tokenization at a high level is replacing sensitive credit cardholder data with a randomly generated payment "token" (usually comprised of a string of randomized alphanumeric characters), and then using that payment token to process a current transaction -- as well as future transactions. This is a common practice for merchants and platforms with recurring transactions and helps protect sensitive customer data for repeat customers.

In online payments, merchants create tokens to protect their customers' data, such as account and credit card numbers, addresses, etc. This is frequently referred to as PAN (Primary Account Number) information. They replace this data with algorithmically generated letters and numbers. By using credit card tokenization, merchants can store and transact with the data without exposing sensitive data and risking fraud or loss.

Most people have turned to online shopping in recent years, leading to digital payments. This rise, plus regulations and requirements in the Payment Card Industry Data Security Standard (PCI DSS), has led to the growth of finding ways to protect sensitive credit card data. Tokenization enables merchants to process transactions and collect customer payment information without using other expensive data collection means.

What is a Payment Token?

As we have seen, a token is a fake value representing an actual value. You can use the token in place of the real value. Tokenization involves substituting sensitive customer information with a one-time ID that has no connection or value to the account owner. The randomly generated tokens can safely access, transmit or retrieve the customers' primary account number. In essence, you're replacing sensitive data with tokenized data.

The tokens do not actually carry any sensitive data. Instead, the tokens act like guiding maps that explain where the customer's bank stores the sensitive data within their system. Mathematical algorithms generate the tokens, which are irreversible, meaning the token is only usable once.

The only time you can open the tokens is after a complete transaction. Just like the casino tokens we mentioned earlier, these tokens have zero value or meaning outside your system. If a hacker comes across your customers' data during processing, it's useless to them.

Tokenization and PCI Compliance

PCI compliance is a required industry standard that keeps sensitive payment data secure. A business that handles debit or credit card holders' data must have PCI compliance. A council made up of major credit card providers created the PCI Security Standards Council (PSI SSC).

The council helps in the prevention of debit and credit card data theft. Payment Card Industry Data Security Standard (PCI DSS) is a set of obligations and controls that govern companies that handle credit card data and reduce chances of data breach. Failure to comply with the PSI DSS leads to stiff fines, loss of business credibility, and reputation damage.

Tokenizing payments is great for the user experience and greatly contributes to PCI compliance. Payment tokenization saves on PCI DSS compliance regulation costs. Most estimates place PCI Level 1 security compliance at over $50,000 annually.

Annual expenses such as security audits, secure infrastructure, internal training, and penetration training strain most merchants who store credit card payment data.

PCI DSS compliance is not a mandatory legal requirement, but it is necessary for businesses that work with major payment card companies like Mastercard or Visa. PSI DSS compliance need not burden you. If you choose the right solution, it's a great investment with several benefits for all ends of the transaction lifecycle.

Sensitive data

Suppose you visit an online store. During your previous visit, you entered your credit card details. Since your last visit, the company has optimized its transaction process or expanded to other countries. These changes meant the company had to change its payment gateways and move to new ones. This is where data portability comes in.

You will not know about these new changes as a customer, and you do not need to re-enter your details. Data portability is the ability of a business to seamlessly transfer customer data to and from one gateway to another.

How is tokenization connected to data portability? A merchant can choose between two options:

• Using a dedicated solution that collects and stores PAN information in a separate vault
• Export the data and create brand new tokens for specific gateways

When a merchant wants to process a transaction, they transfer the token and its data to their payment tokenization provider. The platform transfers the stored details to the payment gateway and can process one token via hundreds of compliant endpoints and gateways. This option enables the provider to provide merchants who use multi-provider plans with data portability.

Benefits of Credit Card Tokenization In Payments

Why do companies tokenize? Tokenization comes in very handy for different online transactions. An e-commerce merchant might want to give returning customers the luxury of an automated checkout. This automated option allows the customer to skip entering their payment details each time they check out.

While tokenization greatly benefits the customer and protects sensitive cardholder data, there are several benefits for companies as well.

Benefits for Developers

Tokenization provides several benefits for developers

• A foundation for future security development
• Improves security measures

Benefits for Merchants

For merchants, credit card tokenization promises:

• Data security
• Better Compliance
• Improves Customer Trust
• Customer Site Experience Improvement

Benefits for Merchant Aggregators

• Faster payment approval
• Faster payment processing
• Peace of mind for meeting compliance obligations
• Payments flexibility

Benefits for Fintech Companies

• Increased data security
• Increases customer trust
• Tokenization encourages payment innovations

How Does Credit Card Tokenization Work?

Tokenization happens in multiple steps:

1. The card owner initiates the payment and enters their card details.
2. The PAN goes to the merchant's bank as a token.
3. The receiver sends the token for authorization via the credit card network.
4. After authorization, the bank stores the customer data in secure virtual vaults and matches the token to the customer account number.
5. The bank confirms fund availability and declines or allows the transaction accordingly.
6. After the authorization succeeds, the token goes back to the merchant for transactions now and in the future.

These steps are more directly explained in this illustration:

How is Payment Tokenization Different From Encryption?

Both tokenization and encryption methods combat credit card fraud. Some people use the two terms interchangeably.

Encryption is a type of cryptography that protects information by changing it into indecipherable code. An algorithm chooses a different number that disguises each credit card's letter, space, and number. The decryption of this data is only by a password or key.

The difference between tokenization and encryption is that the latter is reversible. You can return encrypted data to its original form when you choose to, as long as you know its algorithm.

The PCI Council regards encrypted data as breakable and thus sensitive. Encryption is robust protection if the card is physically available. However, tokenization has better protection for card not present payments, offers better payment flexibility, and most importantly: fully obscures credit card information.

Specialists recommend using tokenization and encryption to comply with PCI DSS and secure sensitive information in transit.