A token is a surrogate value that travels through the payment network in place of the real card data, so that a payment can be processed without exposing that data. Tokenization replaces, or stands in for, a specific piece of sensitive information without weakening the security of the original.
The 16-digit payment card account number (the PAN) is replaced with a unique digital identifier, the “token,” for mobile and online transactions. Tokens are assigned at random rather than derived from the card number, so a stolen token cannot be turned back into the PAN by anyone who lacks access to the token service that issued it.
Physical tokenization has existed since the invention of currency. Token coins replaced actual coins or banknotes in physical tokenization. These token coins have a real identity and value but limited usage. For example, casino tokens can only be used inside casinos.
The concept of digital tokenization grew out of physical tokenization. In 2001, Trust Commerce created the concept of tokenization to protect sensitive payment data for a client. Since then, tokenization has gained acceptance worldwide, with card networks such as Visa, Mastercard, American Express, Discover and JCB, and payment platforms such as Apple Pay, Samsung Pay and Google Pay, using it for retail payments made from mobile devices.
Tokenization benefits the payments industry in the following ways:
- Data Protection and Security – Security breaches are expensive, and many retailers and banks have experienced huge losses due to data theft. Tokenization helps merchants and banks secure data at rest, in motion, and during processing.
Merchants store tokens instead of credit card numbers in their POS machines, mobile wallets, and eCommerce platforms, so actual card data is protected from security breaches.
Once a card has been tokenized, only the token is sent over the internet in subsequent online payment transactions, so the card data is never re-exposed in transit or at the merchant.
- Regulatory Compliance – Any organization that stores, processes, or transmits cardholder data must follow the practices set out in the Payment Card Industry Data Security Standard (PCI DSS). Tokenization is a comparatively low-cost way of reducing PCI DSS scope: merchant systems that store and handle only tokens, and never the actual card number, can fall outside the scope of several requirements, which lowers the cost of assessment and operation. The requirements most affected are:
  - PCI DSS Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
  - PCI DSS Requirement 3 – Protect stored cardholder data
  - PCI DSS Requirement 4 – Encrypt transmission of cardholder data across open, public networks
  - PCI DSS Requirement 9 – Restrict physical access to cardholder data
Note that whatever still captures the card number before it is tokenized (the payment form, the POS terminal, the call to the token service) remains fully in scope; tokenization narrows the cardholder data environment, it does not remove the obligation.
- Convenience – For recurring payments, customers do not need to enter their card details manually for every transaction. Consumers input their details into an online platform once; after that, a randomly generated token issued by the token service provider is stored and used in place of the actual card number, and that token is of no value to anyone who lacks access to the token service.
- Reduction in fraud, and hence in chargebacks – Multiple tokens can be created for the same card when it is used in different channels, so a token that is specific to a mobile application cannot be used in any other digital environment if it is stolen. Tokenization thus helps avoid the expensive processes of notification, loss reimbursement and legal action that follow chargebacks.
Tokens can be classified on several bases: format, usage, value, and so on.
- Based on format, tokens fall into two types:
  - Format-preserving tokens keep the length and digit-only form of the 16-digit card number, so they pass through systems and database fields built for PANs without changes.
  - Non-format-preserving tokens do not resemble the original card number and may contain letters as well as digits.
Some format-preserving schemes also keep the IIN (the first six digits) and the last four digits of the card number, so that issuer identification and “last four digits” displays still work on the token itself. A token that keeps these digits should still be distinguishable from a real PAN, for example by failing the Luhn check, so that it is never stored or handled as cardholder data.
- Based on usage, tokens are either:
  - single-use, tied to one specific transaction, or
  - multi-use, stored and reused for a variety of purposes, such as card-on-file and recurring payments.
- Other classifications are reversible or non-reversible, verifiable or non-verifiable, high value or low value, card-based or transaction-based, and so on.
How does tokenization work for card payment transactions?
Let us assume that a merchant has implemented tokenization and that the card network processing the payment also acts as the Token Service Provider (TSP).
- When a customer makes a purchase online through the merchant’s e-commerce website, or in store through the merchant’s POS, and enters the card number, a token request is sent to the Token Service Provider, here the card network.
- The card data is stored on the tokenization server, the token vault, rather than on the merchant’s e-commerce server. The tokenization server generates a random token, typically of the same length as the card number, and returns it. Vaultless tokenization is also available: instead of a vault or database, secure cryptographic devices (hardware security modules) and a keyed algorithm derive the token from the card data, so there is no store of card numbers to protect, although the key then becomes the asset that must be guarded.
The two steps above, token request and token issuance, together make up Token Provisioning.
- The token is returned to the merchant and passed on to the merchant’s acquiring bank, which uses it in the payment transaction sent to the card network. The card network detokenizes it (de-tokenization returns the original data element for a given token) and shares the card details with the issuing bank for payment authorization. The issuer’s authorization response travels back through the card network to the acquirer and the merchant, completing the payment.
- Applications may need the original data, or an element of it, for analysis or personalized messaging. To meet these needs, tokens can retain attributes of the original data such as length, character set and character position, which allows processing and analysis without detokenizing.
- A token has a lifecycle of its own and can be in states such as created, activated, suspended or deleted; only an active token should be accepted in a payment.
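The flow above (token request, issuance, use in a payment, detokenization), the format-preserving and single-use/multi-use token types described earlier, and the token lifecycle, carried through in working code. This is an added example written for this page; it is not code from the original article, from Cigniti or from any token service provider. The class and channel names are assumptions made for illustration, and the PAN used is a well-known constructed test number, not a real card.

```python
"""Vault-based payment tokenization: provisioning, channel binding, lifecycle, detokenization.

Added example, not code from the original article, from Cigniti or from any token
service provider. Class and channel names are assumptions; the PAN is a constructed
test number, not a real card.
"""
import secrets


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that every real PAN passes."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0


def is_pan(value: str) -> bool:
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """The token service provider's vault: PANs live here, merchants only ever see tokens."""

    def __init__(self):
        self._records = {}    # token -> {"pan", "channel", "state", "single_use"}
        self._reusable = {}   # (pan, channel) -> token, so a multi-use token stays stable

    def _new_token(self, pan: str) -> str:
        # Format-preserving: keep the IIN (first six) and last four, randomise the rest.
        # Reject candidates that pass Luhn, equal the PAN or collide, so a token can
        # never be mistaken for, or used as, a real card number.
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._records:
                return token

    def provision(self, pan: str, channel: str, single_use: bool = False) -> str:
        """Token request plus issuance: the PAN is stored here, never at the merchant."""
        if not is_pan(pan):
            raise ValueError("not a valid PAN")
        existing = self._reusable.get((pan, channel))
        if not single_use and existing and self._records[existing]["state"] == "activated":
            return existing
        token = self._new_token(pan)
        self._records[token] = {"pan": pan, "channel": channel,
                                "state": "activated", "single_use": single_use}
        if not single_use:
            self._reusable[(pan, channel)] = token
        return token

    def set_state(self, token: str, state: str) -> None:
        """Lifecycle control (created/activated/suspended/deleted): only activated tokens pay."""
        self._records[token]["state"] = state

    def detokenize(self, token: str, channel: str) -> str:
        """Card-network side: return the PAN for an active token presented on its own channel."""
        rec = self._records.get(token)
        if rec is None or rec["state"] != "activated":
            raise PermissionError("token unknown or not active")
        if rec["channel"] != channel:
            raise PermissionError(f"token is bound to channel {rec['channel']!r}")
        if rec["single_use"]:
            rec["state"] = "deleted"      # a transaction-specific token is consumed once
        return rec["pan"]


def run_payment_flow(vault: TokenVault, pan: str) -> dict:
    """Walk the flow above: provision per channel, replay on the wrong channel, then pay."""
    app_token = vault.provision(pan, channel="mobile_app")
    web_token = vault.provision(pan, channel="ecommerce")
    one_shot = vault.provision(pan, channel="ecommerce", single_use=True)
    try:                    # a token stolen from the app is replayed through the web store
        vault.detokenize(app_token, channel="ecommerce")
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    vault.detokenize(one_shot, channel="ecommerce")        # first use of the single-use token
    try:
        vault.detokenize(one_shot, channel="ecommerce")    # second use must be refused
        second_use_blocked = False
    except PermissionError:
        second_use_blocked = True
    return {
        "app_token": app_token,
        "web_token": web_token,
        "tokens_differ_per_channel": app_token != web_token,
        "token_keeps_iin_and_last4": app_token[:6] == pan[:6] and app_token[-4:] == pan[-4:],
        "token_is_not_a_pan": not luhn_valid(app_token),
        "cross_channel_replay_blocked": replay_blocked,
        "single_use_second_use_blocked": second_use_blocked,
        "authorised_pan_matches": vault.detokenize(app_token, channel="mobile_app") == pan,
    }


if __name__ == "__main__":
    for key, value in run_payment_flow(TokenVault(), "4111111111111111").items():
        print(f"{key}: {value}")
```

Two design points are worth noticing. The vault refuses any candidate token that passes the Luhn check, so a format-preserving token that leaks from a merchant can be recognised as a token and can never be submitted as a card number; and detokenization checks the channel the token was issued for, which is what turns “a token stolen from the mobile app” into a worthless string on the web channel.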
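The vaultless variant mentioned in the provisioning steps above, shown as a keyed, reversible, format-preserving transform so the contrast with a vault is concrete: nothing is stored, and whoever holds the key can detokenize. This is an added example, not code from the original article, from Cigniti or from any token service provider, and the Feistel construction is a toy illustration rather than NIST FF1/FF3. The key, the class name and the PANs are assumptions (the PANs are constructed test numbers), and PAN validation is deliberately left out to keep the focus on the transform.

```python
"""Vaultless tokenization: a keyed, reversible format-preserving transform with no token vault.

Added example; not code from the original article, from Cigniti or from any token
service provider. The Feistel construction is a toy illustration and NOT NIST FF1/FF3.
The key, class name and PANs are assumptions (the PANs are constructed test numbers), and
PAN validation is left out to keep the focus on the transform.
"""
import hashlib
import hmac


class VaultlessTokenizer:
    """Tokens are derived from the PAN under a secret key, so no database of PANs is kept.

    The IIN (first six) and last four digits are preserved; the middle digits go through
    an HMAC-keyed Feistel network. Whoever holds the key (in practice a hardware security
    module) can detokenize; nobody else can, and losing the key makes every token useless.
    """
    ROUNDS = 8

    def __init__(self, key: bytes):
        self._key = key

    def _round_fn(self, rnd: int, half: str, tweak: str, width: int) -> int:
        # Keyed pseudo-random function mapping one half plus the tweak to a number < 10**width.
        mac = hmac.new(self._key, f"{rnd}|{half}|{tweak}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "big") % 10 ** width

    def _feistel(self, middle: str, tweak: str, decrypt: bool) -> str:
        # Alternating Feistel over two decimal halves. Unequal widths are fine because each
        # round changes exactly one half by a modular addition, which decryption undoes by
        # running the rounds in reverse order with subtraction.
        lw = len(middle) // 2
        rw = len(middle) - lw
        left, right = int(middle[:lw]), int(middle[lw:])
        order = range(self.ROUNDS - 1, -1, -1) if decrypt else range(self.ROUNDS)
        sign = -1 if decrypt else 1
        for rnd in order:
            if rnd % 2 == 0:
                left = (left + sign * self._round_fn(rnd, f"{right:0{rw}d}", tweak, lw)) % 10 ** lw
            else:
                right = (right + sign * self._round_fn(rnd, f"{left:0{lw}d}", tweak, rw)) % 10 ** rw
        return f"{left:0{lw}d}{right:0{rw}d}"

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit string")
        # The preserved digits double as the tweak, so identical middle digits under a
        # different IIN or last four produce a different token.
        tweak = pan[:6] + pan[-4:]
        return pan[:6] + self._feistel(pan[6:-4], tweak, decrypt=False) + pan[-4:]

    def detokenize(self, token: str) -> str:
        tweak = token[:6] + token[-4:]
        return token[:6] + self._feistel(token[6:-4], tweak, decrypt=True) + token[-4:]


if __name__ == "__main__":
    tsp = VaultlessTokenizer(key=b"demo key; a real one lives in an HSM")
    for pan in ("4111111111111111", "378282246310005", "4222222222222"):
        token = tsp.tokenize(pan)
        print(pan, "->", token, "->", tsp.detokenize(token))
```

Unlike the vault-based approach, this transform is deterministic (the same card always yields the same token under a given key) and it cannot guarantee that a token fails the Luhn check, so a system that consumes these tokens must never treat them as card numbers on the strength of their format alone. The security of the whole scheme collapses onto the key, which is why the page’s “secure cryptographic devices” are not optional in a real deployment.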
An organization may self-manage tokenization or use Tokenization as a Service (TaaS) offered by a third-party service provider.
- The advantages of self-managing the tokenization solution are that the organization can direct and prioritize the work needed to implement and maintain it, customize it to the application’s exact needs, and build the required subject-matter expertise in-house; the cost is that it must also protect the token vault (or the keys of a vaultless scheme) itself, which brings that environment squarely into PCI DSS scope.
- The primary advantage of a TaaS solution is that it is already complete, and the security of both the tokenization and its access controls has been well tested. The provider operates and maintains the tokenization environment and controls access to it, although the organization remains responsible for deciding which of its own systems and people may request tokens and, above all, detokenization.
Various card networks operate their own tokenization services. Two of the best known are the Visa Token Service (VTS) and the Mastercard Digital Enablement Service (MDES).
Other tokenization providers in the market include Fiserv, American Express, TokenEx, 3D Delta Systems, Meawallet and BellID.
Each payment industry stakeholder benefits from implementing tokenization by gaining customer trust and preventing cost penalties and revenue loss. Stakeholders must determine the best tokenization solution for their organization and implement it accordingly.
To learn more about tokenization and decide how to implement it in your organization, please reach out to Cigniti’s Test Advisory Services (cigniti.com), who will help you achieve strategic business growth, committed ROI and quicker time-to-market with a tokenization solution that best serves your business needs.