What is Payment Tokenization and How Does It Secure Cardholder Data?

To us, it’s clear why everyone needs to know what payment tokenization is, but you might need some convincing. So, we put together four reasons for your consideration. Read on for a few answers to questions you may have on this topic.

Can you give a few examples of tokens in use today?

Absolutely. You come across them more often than you might imagine because tokens are becoming quite popular in the e-commerce arena.

  • Whenever a website “keeps your card on file” for recurring payments or subscription billing, the site uses tokens.
  • Another example is the “one-click” express checkout (think Amazon) process for customers.
  • Another common use in recent years has been in near-field communication (NFC) mobile wallets, like Apple Pay and Android Pay. These mobile wallets transfer your payment information from your smartphone to a nearby vendor’s terminal. The process uses radio waves that allow smartphones and other devices to exchange information. The token is one of those pieces of exchanged information. Once you load your credit card information into the mobile wallet app, the information transfers to your bank. The bank replaces the account information with a randomly selected token and then transmits that token to the retailer. The retailer never stores your actual account information.

The other neat feature of tokens is that you can have a unique token for each retailer where you shop. In that way, if one retailer gets hacked, the bank can cancel that token without having to issue you a new credit card.

How Does Payment Tokenization Increase Sensitive Credit Card Security?

Tokenization adds an extra layer of security to the storage and transmission of sensitive cardholder information. Tokenization is a popular concept now given consumers’ focus on credit card payments through mobile devices and mobile apps.

So, Exactly What Does Tokenization Do?

The payment card industry created tokenization to add a layer of protection against attackers stealing sensitive personal information and to prevent credit card fraud. Tokenization is a process that substitutes the consumer’s sensitive cardholder account number with a number that is either randomly generated by an algorithm or derived by a non-reversible cryptographic function. This substituted number is known as the “token”.

Retailers can send tokens over the internet or wireless networks to process credit card payments without ever transmitting the cardholder’s actual account number. The bank or network stores the actual account information in a protected system called a vault. Because the vault is held by the bank or network rather than the retailer, an attacker who breaches the retailer’s site finds only tokens, and the account information stays secure.

Tokens were developed as a way to prevent online or digital breaches. The token plays a similar role to the “chip” that credit card issuers use to prevent credit card theft for payments made in brick-and-mortar stores.

But Encryption’s Certainly Not New?

You’re right. Companies have used encryption for decades wherever they need to deliver private messages or transmit sensitive information across an insecure environment. What’s different today is that payment card companies use payment tokens rather than relying on encryption keys to protect the card number.

Tokenization is a popular process today because it is a less expensive — and safer — way to secure sensitive information. Encryption is mathematically reversible, depends on an encryption key, and requires those keys to be rotated. We refer to encryption as an end-to-end process: the data must be encrypted on the origination side and decrypted on the delivery side.

On the other hand, tokens have a format that fits traditional credit card fields, are centrally managed, and offer flexibility so payment companies can use tokens for returns, chargebacks, recurring payments, and more. Tokens are not mathematically reversible if created by non-reversible cryptography, involve no encryption keys, and never reveal the consumer’s personal account number. Outside the vault, the token is meaningless to an attacker. Tokens are a best practice that reduces your exposure to PCI compliance issues.
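To make the vault model and the per-retailer tokens described above concrete, here is an added illustrative example (not code from the original article or from any payment network). It assumes a toy in-memory vault, a token format that keeps the card’s last four digits and randomizes the rest, and a test PAN constructed for the demo.

```python
import secrets
from typing import Optional


class TokenVault:
    """Toy token vault: the PAN lives only here; retailers hold tokens."""

    def __init__(self) -> None:
        self._pan_by_token = {}   # token -> (pan, merchant_id)
        self._token_by_pair = {}  # (pan, merchant_id) -> token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Return this retailer's token for the PAN, minting one if needed."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        pair = (pan, merchant_id)
        if pair in self._token_by_pair:  # card already "on file" here
            return self._token_by_pair[pair]
        while True:
            # Random body, last four digits preserved so a receipt can show
            # "card ending in 1111" while the token still fits a PAN field.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pair
        self._token_by_pair[pair] = token
        return token

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        """Resolve a token to the PAN, only for the retailer it was issued to."""
        entry = self._pan_by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return None
        return entry[0]

    def revoke_merchant(self, merchant_id: str) -> int:
        """Cancel every token issued to one breached retailer.

        The card itself stays valid, so no replacement card is needed.
        """
        dead = [t for t, (_, m) in self._pan_by_token.items() if m == merchant_id]
        for token in dead:
            pan, merchant = self._pan_by_token.pop(token)
            del self._token_by_pair[(pan, merchant)]
        return len(dead)
```

A token stolen from one retailer resolves to nothing for any other retailer, and revoking that retailer leaves the same card's tokens elsewhere working.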