CMSPI’s Quick & Easy Guide to Tokenization
For merchants, tokenization is the key to improved customer experience, data protection, online transaction security, compliance, and overall business growth.
If your field of work involves handling personal payment information, you’ve probably heard of the phrase “tokenization.” But, what is tokenization? Can it actually solve data security issues? Is it really a more reliable solution?
As the world continues to evolve to one that is increasingly digital, data security is more important than ever before. Both traditional and ecommerce customers want to know that their cardholder data is safe during a transaction, and it is the responsibility of merchants, payment processors, and banks to ensure that their information remains secure.
So, how can this level of assurance be accomplished? That’s where tokenization comes in.
What is Tokenization?
Tokenization, sometimes referred to as payment tokenization, is the process where sensitive data is converted into non-sensitive data called “tokens.” Common sensitive data types that merchants may see are Payment Card Information (PCI) and Personally Identifiable Information (PII).
Payment Card Information (PCI)
PCI refers to sensitive payment information, which is regulated by the Payment Card Industry Security Standards Council (PCI SSC). PCI SSC has enacted the PCI Data Security Standard (PCI DSS), which outlines 12 measures that merchants and organizations should take in order to protect cardholder information, including:
- Primary account numbers (PANs)
- Card verification values (CVVs)
- Other authentication and customer-specific data
PCI SSC: A Brief History
PCI SSC is a global forum that brings payments industry stakeholders together to develop and drive adoption of data security standards and resources for safe payments worldwide.
The Council was founded in 2006 by American Express, Discover, JCB International, Mastercard, and Visa Inc. Founding members share equally in ownership, governance, and execution of the organization’s work.
China’s UnionPay is considered a Strategic Member and sits on the Council’s Executive Committee.
Personally Identifiable Information (PII)
This information can be used to identify or trace the identity of a specific individual and includes:
- Social Security Number, or other identifying number or code
How Does Tokenization Work?
During the tokenization process, the sensitive data (customer payment or personal information) is replaced by a token, and only the token travels until it reaches the token vault. In the token vault, the token is swapped back for the actual data, which is then sent to the issuer for authorization.
To fully understand the network tokenization process, it’s important to first define the following:
Primary Account Number (PAN)
Primary Account Numbers, also known as payment card numbers, are found on debit and credit cards. These are typically 14, 15, 16, or even 19-digit numbers used to uniquely identify different payment cards.
During the digital tokenization process, algorithms are used to convert PANs into a string of random digits, which provides security in the event of a data breach.
Card Verification Values (CVV)
Card Verification Values are a series of numbers embossed or printed on payment cards, and are typically used for “card not present” transactions where a PIN cannot be manually entered.
What are Tokens?
In payment network tokenization, tokenization most commonly refers to the conversion of a customer’s PAN data into tokens. There are typically two forms of PAN tokens: “network tokens” and “merchant/acquirer/gateway” tokens (merchant tokens for short).
Merchant tokens are typically used for security purposes, such as storing data in an analyzable form without storing PII data.
Network tokens are defined by EMVCo as “a surrogate value that replaces a primary account number (PAN) in the payment ecosystem.”
While merchant tokens typically replace a PAN at only one point in the payments supply chain, network tokens are encrypted end-to-end and are therefore interoperable across the entire payments supply chain.
There is, however, one exception. Networks that exist outside of EMVCo may not be able to receive or process network tokens, which could be a potential concern for debit routing capabilities.
Currently, network tokens are typically used with digital wallets, such as Apple Pay, where a network token is created during the card provision process. Some acquirers offer merchants network tokenization solutions, which can be used to facilitate agreements with EMVCo card networks. There are EMVCo solutions like Click to Pay that leverage network tokens as well.
Outside of accepting digital wallet solutions, however, merchant uptake among solutions offering network tokens has remained low, according to CMSPI insights.
Why Tokenization is Important for Merchants
Tokenization provides merchants with an array of benefits, including:
If you take payments, establishing PCI DSS compliance is crucial, as failure to do so could result in fines or serious security breaches. PCI DSS tokenization ensures that any organization accepting, transmitting, or storing payment card information is minimizing their footprint of sensitive data, as they are simply handling tokens instead. Not only does PCI tokenization/PII tokenization help guarantee that you meet compliance requirements, but it can also result in faster audits.
Tokenization improves the customer experience and merchant service perception by adding the element of convenience.
Because a token is associated with a customer’s mobile wallet, the additional checkout details are filled in automatically (and safely) during a PIN-less online transaction.
Because tokenization is an automated process that happens instantaneously, it eliminates the need for outdated, drawn-out security measures for transaction confirmation.
Tokenization solutions provide an added layer of security to both online and offline transactions by removing the need for businesses to capture and store sensitive information, making it an essential component of an effective merchant fraud strategy.
Tokenization vs. Encryption
Tokenization and encryption are simply two different types of cryptographic methods that have the same goal: data security.
That said, there are some notable differences between the two safeguards:
Encryption:
- Changes length and data type of protected information
- Decryptable with a key (reversible)
- Algorithm protecting encrypted data is breakable
Tokenization:
- Does not change length or data type of protected information
- Undecryptable information (non-reversible)
- Tokenization systems generate random replacements that hold no value, rendering them worthless to hackers
It’s important to note that tokenized data can be returned to its original value through a process known as detokenization.
As the name suggests, detokenization is the reverse process of tokenization, and can typically only be performed by the same data tokenization system that the token originated from.
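As an added illustration (not CMSPI’s code or any vendor’s product), the following Python sketch of a token vault shows the properties described above and in the section on how tokenization works: the token keeps the PAN’s length and digit-only type, it is drawn at random so nothing about the PAN can be recovered from it, and detokenization succeeds only through the vault that issued the token. The class, function names and the sample PAN are hypothetical.

```python
import secrets

class TokenVault:
    """Hypothetical token vault: maps random tokens to the PANs they stand in for."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a 14-19 digit PAN with a random digit string of the same length."""
        if not pan.isdigit() or not 14 <= len(pan) <= 19:
            raise ValueError("PAN must be 14 to 19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same card -> same token, so data stays analyzable
        while True:
            # Drawn from a CSPRNG: the token carries no information about the PAN,
            # so a stolen token is worthless without this vault.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the vault that issued the token can do this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise LookupError("token was not issued by this vault") from None

def demo() -> dict:
    """Run a constructed sample PAN through a merchant vault and a second, unrelated vault."""
    merchant_vault, other_vault = TokenVault(), TokenVault()
    pan = "4111111111111111"  # constructed sample, not a real cardholder's number
    token = merchant_vault.tokenize(pan)
    try:
        other_vault.detokenize(token)
        other_result = "recovered"
    except LookupError:
        other_result = "rejected"
    return {
        "same_shape": len(token) == len(pan) and token.isdigit() and token != pan,
        "stable": merchant_vault.tokenize(pan) == token,
        "recovered": merchant_vault.detokenize(token) == pan,
        "other_vault": other_result,
    }
```

Calling demo() returns a dict in which the first three entries are True and "other_vault" is "rejected", matching the claim that detokenization is bound to the originating system.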
Types of Tokenization
As discussed above, there are generally four stakeholders that can generate tokens:
- Third Parties
The graphic below illustrates the different points in the supply chain wherein tokenization may occur:
Tokenization Method Pros & Cons for Merchants
The process of determining the approach to tokenization can be challenging for a merchant, as each method of tokenization comes with its own considerations. Merchants should consider their unique needs and the various features of different tokenization methods. The table below briefly describes these considerations for the various tokenization types.
So, what have we learned? What is tokenization in payments? What is tokenization of data? In summary, data tokenization solutions ensure the security of traditional and digital payments.
Businesses that prioritize tokenization reduce their risk of data theft, build trust with their customers, improve compliance, and open doors to payment innovation.
In a world where everything is getting more digital, tokenization future-proofs companies and safeguards the financial interests of customers.