Contact us
June 24th 2021

What is Tokenization? A CMSPI Insights Guide

Tokenization is the process wherein sensitive data is converted into non-sensitive data called "tokens". Common sensitive data types that merchants may see are Payment Card Information (PCI) and Personally Identifiable Information (PII).

  • PCI: PCI refers to sensitive payment information which is regulated by the Payment Card Industry Security Standards Council (PCI SSC). PCI SSC has enacted the PCI Data Security Standard (PCI DSS) which outlines 12 measures merchants and organizations should take in order to protect card holder information, including primary account numbers (PANs), card verification values (CVVs) and other authentication and customer-specific data
  • PII: This information can be used to identify or trace the identify of a specific individual. This information includes name, address, social security number or other identifying number or code, telephone number, email address, etc.

During the tokenization process, the sensitive data, whether customer payment or personal information, remains tokenized until reaching the token vault, where the token data is replaced with the actual data and sent to the issuer for authorization.

Terminal/Point of Tokenization Diagram

Payment Card Industry Security Standards Council (PCI SSC): PCI SSC is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. The Council was founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc. Founding members share equally in ownership, governance, and execution of the organization’s work. China’s UnionPay is considered a Strategic Member and sits on the Council’s Executive Committee.

Primary Account Number (PAN): Primary account number, also known as the payment card number, are found on debit and credit cards. These are typically 14-, 15-, 16- or even 19-digit numbers used to uniquely identify different payment cards.

Card Verification Values (CVV): Card verification values is a series of numbers embossed or printed on the cards, typically used for card not present transactions where a PIN cannot be manually entered.

What are Tokens?

In payments, tokenization most commonly refers to the conversion of a customer’s PAN data into tokens. There are typically two forms of PAN tokens: “network tokens” and “merchant/acquirer/gateway” tokens (merchant tokens for short). Merchant tokens are typically used for security purposes, such as storing data in an analyzable form without storing PII data.

Network tokens are defined by EMV co. as “a surrogate value that preplaces a primary account number (PAN) in the payment ecosystem.” While merchant tokens typically only replace a PAN at one point in the payments supply chain, network tokens are encrypted end-to-end. As a result, network tokens are encrypted and interoperable across the entire payments supply chain. It’s important to note one exception: networks that exist outside of EMV co. may not be able to receive or process network tokens, which could be a potential concern for debit routing capabilities.

Currently, network tokens are typically used with digital wallets, such as Apple Pay, where a network token is created during the card provision process. Some acquirers offer merchants network tokenization solutions, which can be used to facilitate agreements with EMV co. card networks, and there are EMV co. solutions like Click to Pay that leverage network tokens as well. Outside of accepting digital wallet solutions, however, merchant uptake among of solutions offering network tokens has remained low, according to CMSPI insights.

Types of Tokenization

As discussed above, there are generally four stakeholders that can generate tokens:

  • Merchants
  • Acquirers/Gateways
  • Third Parties
  • Networks

The graphic below illustrates the different points in the supply chain wherein tokenization may occur:

Figure 1: Tokenization in the Payment Supply Chain

The process of determining the approach to tokenization can be challenging for a merchant as each method of tokenization comes with its own considerations. Merchants should consider their unique needs and the various features of different tokenization methods. The table below briefly describes these considerations for the various forms of tokenization.

Figure 2: Sources of Tokenization