The high growth of online digital payments in recent years combined with regulatory requirements of Payment Card Industry Data Security Standards (PCI DSS) has driven the adoption of payment method tokenization in a big way.

Tokenization provides merchants a one-to-one replacement for a card's Primary Account Number (PAN). The token can be stored and used in transactions outside of a PCI DSS compliant environment, without risk of fraud or sensitive data loss.

For a merchant, tokenization means collecting payment information and processing transactions efficiently without investing in expensive infrastructure.

Tokens At A High Level

Simply stated, a token is a surrogate value that stands in for a real value and can be used in its place. In the case of payment method tokenization, Spreedly captures and stores PAN information in a PCI DSS compliant vault. This happens without the payment information ever needing to touch a merchant’s servers.

Next, Spreedly returns a series of randomly generated numbers (a token) in place of the actual card information. This token can be passed across various networks and stored without danger of the actual PAN being exposed. When the merchant is ready to process a transaction, the token is passed back to Spreedly along with transaction information. Spreedly then passes the stored actual card data to the specified payment gateway.

How Tokenization Works

Why would a company want to do this? Well, tokenization is extremely valuable for various types of online transactions. An eCommerce merchant may want to offer returning customers an automated checkout experience -- in lieu of them entering payment details each time they land on the checkout page.

But what about experiences where payments need to happen even more quickly? Or in some cases, without the customer actually taking an action? Let’s explore a bit, shall we?

A ride-sharing platform needs to instantly authorize payment information to ensure a customer agrees to pay for a ride. This needs to happen prior to being picked up without delaying the ride request. This is critical for the end user experience. The last thing a user wants to do when hailing a ride from the airport is to have to enter their card information in the app again. Card tokenization to the rescue!

A payment token associated with the user’s account can be stored by the ride sharing platform in advance and then instantly passed to a payment gateway to authorize a ride request in real time, ensuring riders get faster service and drivers get paid. Tokenization helps provide a better user experience on both ends of the platform.

For another example, we’ll examine what this looks like for a subscription business.

A content streaming service needs to process customer subscription payments on a monthly, recurring basis. Imagine this service had to email, call, or text their users each month for payment details. This would produce significant process overhead for the service as a full workforce might be needed to handle payment updates. The user experience would suffer as well, potentially resulting in higher churn as customers decide not to pay this month -- or worse, lose interest in the service entirely.

Good thing the service has tokenized each user’s payment details 🙂.

By storing their customers’ payment token on file, the streaming service can continuously deliver content to customers on demand. They have no worries about bothering their users for payment when the time for renewal arrives.

Tokenization and PCI compliance

Tokenizing payments isn’t just good for user experience at both ends of the transaction though. It’s also a huge contributor to PCI compliance. Payment tokenization helps save on the costs of meeting PCI DSS compliance regulations. Most estimates pin the cost of PCI Level 1 security compliance at greater than $50,000 per year.

Secure infrastructure, security audits, penetration testing, and internal training all create an annual burden on merchants who decide to store card payment data. This type of capital investment would be cost prohibitive for most fast-growing enterprise commerce solutions. This is why Spreedly offers a PCI DSS compliant vault for storing payment method data in exchange for a token that can be stored and used by any merchant and processed with multiple gateways.

Tokenization and Data Portability

The benefits of storing card payment methods in Spreedly’s vault don’t end at compliance, though.

For example: if a company needs to optimize transaction success rates, or expand into new countries, they’ll need to adopt new gateway providers. Typically, this company would be forced to export their data, or create new tokens in a gateway-specific vault. This process can be a burden for payments teams as it creates duplicate work.

Spreedly stores payment methods in a universal vault, enabling data portability for merchants pursuing a multi-provider strategy. A single token can be processed for transactions across hundreds of gateways and PCI DSS compliant endpoints.
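As an added illustration of the flow described under "Tokens At A High Level" and the single-token, many-gateways point just above, the following Python sketch is written for this page and is not Spreedly's code or API. `Vault`, `Gateway` and `merchant_flow` are hypothetical stand-ins; the merchant side never sees the PAN, only the vault maps token to PAN, and the same token is routed to whichever gateway the merchant names.

```python
import secrets

# Constructed sample input (not a real card): an industry test PAN that passes Luhn.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """Luhn checksum, applied before a PAN is accepted into the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class Gateway:
    """Hypothetical payment gateway; it only ever receives the PAN from the vault."""
    def __init__(self, name: str):
        self.name = name
        self.seen = []            # (masked PAN, amount) kept for audit purposes
    def authorize(self, pan: str, amount_cents: int) -> dict:
        self.seen.append(("*" * (len(pan) - 4) + pan[-4:], amount_cents))
        return {"ok": True, "gateway": self.name, "amount_cents": amount_cents}

class Vault:
    """Stands in for the PCI DSS scoped vault: the only component holding PANs."""
    def __init__(self):
        self._pans = {}           # token -> PAN; never returned to the merchant
    def tokenize(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        token = secrets.token_hex(16)   # random; not derived from the PAN
        self._pans[token] = pan
        return {"token": token, "last4": pan[-4:]}
    def purchase(self, token: str, amount_cents: int, gateway: Gateway) -> dict:
        pan = self._pans.get(token)
        if pan is None:
            return {"ok": False, "error": "unknown token"}
        return gateway.authorize(pan, amount_cents)

def merchant_flow(vault: Vault, pan: str, charges: list) -> tuple:
    """Merchant side: keeps only token and last4, then charges via any gateway."""
    rec = vault.tokenize(pan)
    on_file = {"token": rec["token"], "last4": rec["last4"]}
    results = [vault.purchase(on_file["token"], amt, gw) for gw, amt in charges]
    return on_file, results
```

Because the token is random rather than derived from the PAN, a leaked merchant database yields nothing a gateway would accept without the vault.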

We aim to make the process of implementing new gateways in a multi-provider strategy as painless and streamlined as possible. It’s as simple as this:

The Spreedly Tokenization Process

To learn even more about payment tokenization, check out our payments dialog with David Goodale.