Over the past decade, online payments have become increasingly popular, with more and more people choosing to pay online. Consumers typically use a website or mobile app to browse products, add items to their virtual shopping cart, and proceed to checkout, where they enter their payment and shipping information. The picture below illustrates how transactions are processed and how card details travel across the network.
Merchant databases typically stored the customer's card data in its original form, which included sensitive information such as the credit card number, expiration date, and cardholder name. This practice made the merchant databases an attractive target for hackers and fraudsters who intended to steal this information for fraudulent purposes.
Tokenization is a process that replaces sensitive customer data with a one-time alphanumeric ID, known as a "token". This randomly generated token is used to complete the transaction, and it is only readable by the payment processor. Even if a token is exposed, it cannot be monetized, making it a secure alternative to sensitive data.
Tokens serve as a stand-in for actual card details and are used to protect sensitive data by replacing it with a non-sensitive equivalent that can be securely stored and transmitted. The token is typically a random string of characters, making it difficult to decipher without the necessary decryption key.
Traditional payment methods such as credit card transactions involve the transfer of sensitive card details. This data is vulnerable to theft and fraud, which can result in financial losses for both customers and merchants.
Data breaches are a constant threat. Cybercriminals are likely to target merchant databases that have weak spots in their security. Tokenization reduces the damage of a cyberattack because the tokens do not have value by themselves. A successful attack will not release sensitive information.
1. In card processing, information can be tokenized when a card is swiped at the merchant’s point of sale (POS) system or when payment details are entered into a website.
2. Once a system has the cardholder data, it is passed to the card network for authorization.
3. After being authorized, card details are stored in a token vault and a token is randomly generated.
4. The token is passed back to the merchant and stored in place of the customer’s credit card number. The token is used to complete the transaction.
The merchant’s website now has no record of the customer’s card information, only tokens. This process increases a merchant’s base level of security and can help them avoid costly data breaches.
Merchants hold sensitive data on their systems, like personal info, credit card info, etc. Tokenization saves merchants the hassle of dealing with the compliance requirements or risks that come with storing such sensitive data internally.
1. Increased Security: Tokenization replaces sensitive payment data with a unique token, reducing the risk of data breaches and fraud.
2. Compliance: Tokenization helps merchants comply with industry standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS).
3. Faster Checkout: With tokenization, customers can save their payment information for future purchases, making the checkout process faster and more convenient.
4. Cost Savings: Tokenization can reduce the costs associated with storing and protecting sensitive payment data.
1. Enhanced Security: Tokenization protects customer payment information, reducing the risk of identity theft and fraud.
2. Convenience: Customers can save their payment information for future purchases, making the checkout process faster and more convenient.
3. Privacy: Tokenization helps protect customer privacy by limiting the amount of sensitive data that merchants store.
When customers know that their payment information is secure, they are more likely to trust merchants and continue to do business with them.
The key difference between tokenization and encryption is that, unlike encrypted data, tokenized data is neither reversible nor decipherable. This is the difference that makes tokenized payments so secure: there is no logical relationship between the original data and the token that replaced it.
1. Format preserving tokens maintain the appearance of the 16-digit credit card number.
Card number: 1234 8612 5953 3391
Format preserving token: 4111 8765 2345 2222
2. Non-format preserving tokens do not resemble the original credit card number and can include both alpha and numeric characters.
Card number: 7777 8612 5953 4441
Non-format preserving token: 25c92e17-80f6-415f-9d65-7395a32u022
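The flow in steps 1-4 and the two token formats above, sketched as an added example (not code from the original article or from any token service provider). `TokenVault`, `checkout` and `refund` are hypothetical names, the vault is an in-memory dictionary, and authorization by the card network is left out.

```python
import secrets
import uuid


class TokenVault:
    """Constructed in-memory stand-in for the processor's token vault."""

    def __init__(self):
        self._pan_by_token = {}  # the only place token and PAN are linked

    def tokenize(self, pan, format_preserving=False):
        pan = pan.replace(" ", "")
        if not pan.isdigit():
            raise ValueError("card number must contain digits only")
        while True:
            if format_preserving:
                # Same length as the PAN, digits only, from the OS CSPRNG.
                token = "".join(secrets.choice("0123456789") for _ in pan)
            else:
                token = str(uuid.uuid4())  # random UUID, no PAN-derived bits
            # Retry on a vault collision or an accidental match with the PAN.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        # A table lookup, not a computation: there is no key that turns a
        # token back into a PAN outside this vault.
        return self._pan_by_token[token]


def checkout(vault, merchant_db, order_id, pan):
    """Steps 3-4: the vault keeps the PAN, the merchant keeps the token."""
    merchant_db[order_id] = vault.tokenize(pan)
    return merchant_db[order_id]


def refund(vault, merchant_db, order_id):
    """The merchant presents the stored token; only the vault resolves it."""
    return vault.detokenize(merchant_db[order_id])


if __name__ == "__main__":
    vault, merchant_db = TokenVault(), {}
    pan = "1234 8612 5953 3391"  # sample number from the article
    print(checkout(vault, merchant_db, "order-1", pan))
    print(vault.tokenize(pan, format_preserving=True))
```

Tokenizing the same card twice yields unrelated tokens, so a dump of `merchant_db` reveals nothing that can be mapped back to a card without access to the vault.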
Simple tokens are generated by a payment processor and, therefore, are unique to the processor that generated the token.
Network tokens are generated by the issuing bank and can work with any payment processor.
Card networks and aggregators are allowed to act as Token Service Providers (TSPs), as mentioned in the new digital payments guidelines.
TSPs must be compliant with industry standards and regulations related to payment card security, such as the Payment Card Industry Data Security Standard (PCI DSS).
Some TSPs in the payment industry include:
- Visa: Visa Token Service (VTS)
- Mastercard: Mastercard Digital Enablement Service (MDES)
- Razorpay: TokenHQ
- PayPal: Braintree Vault
Payment tokenization is an essential technology that offers significant benefits to businesses and consumers.
The process provides undecipherable, unique tokens for each transaction. Merchants store the token, not the card number, and the tokens can be used for future transactions as well as returns or refunds.
As the industry continues to evolve, we can expect to see further advancements in payment tokenization systems, which will help to enhance security, streamline transactions, and ensure the continued growth of the digital payments industry.