How payment tokenization works and why it's important

What is payment tokenization?

Tokenization is the process of replacing sensitive data with a nonsensitive equivalent, known as a token. For example, bank transactions and medical records substitute personally identifiable information (PII), such as account numbers or health data, for tokens to keep them safe.

In payments, tokenization involves substituting cardholder data (CHD), such as a primary account number (PAN), with a unique string of characters or numbers known only to the tokenization system. This means no sensitive information about the card or the customer is used or stored by the merchant. If anyone -- maliciously or otherwise -- accesses the token, they would not be able to ascertain any user or payment data from it. The merchant and the tokenization service provider cannot even access this sensitive data.

Token information -- whether from a POS terminal, website or mobile payment system -- is used and stored in a token vault, usually owned by the tokenization provider.

Tokens are either single-use or multi-use. Single-use tokens can be used once and expire after the transaction, while multi-use tokens can be used for multiple transactions -- for example, for a subscription service or delivery. Multi-use tokens create a good UX, enabling customers to check out without reentering card information to create a new token.

Tokens are generated using the following three methods:

• Mathematically reversible cryptographic function.
• Nonreversible cryptographic function -- such as a hash.
• Randomly generated character string.

How payment tokenization works

The tokenization process has five main steps:

1. Data collection. A customer starts a transaction and provides their payment data during checkout.
2. Token request. The vendor's system initiates token creation. This can be done using a third-party tokenization provider or in-house using tokenization hardware and software technology.
3. Token creation. Once a request is submitted, token generation begins. This involves creating a token of the PAN. For example, credit card number 1234 5678 9123 4567 might turn into a token that looks like 1!g@3#z$5%K^7&8*9(R)--++==.
4. Token verification. The token provider sends the token to the PAN issuer, usually a bank or credit card provider, to validate the transaction. The payment processor retrieves the CHD and permits or declines the transaction.
5. Payment and storage. Once approved, the payment transaction occurs, with the merchant only seeing the token. Single-use tokens are then discarded or multiuse tokens are stored for future use.

Benefits and challenges of payment tokenization

Benefits of tokenization include the following:

• Enhances security. Tokenization boosts payment security because confidential CDH, such as the PAN, is never transmitted or stored and therefore never exposed.
• Simplifies PCI DSS compliance. While PCI DSS does not require tokenization, it can help organizations prevent risks related to PCI data. For example, tokenization reduces the scope of PCI DSS compliance because merchants process and store less payment data.
• Prevents fraud. Even if malicious actors get a customer's token, they cannot use it to conduct fraudulent transactions.
• Reduces the scope of a data breach. Even if attackers successfully breach a merchant that has tokenized CHD stored, the stolen data is worthless.
• Makes it easier for merchants to accept multiple payment options. Tokenization enables vendors to accept additional payment methods, including mobile payments from Google Pay, Apple Pay and other digital wallets.
• Improves customer experience. Customers can be confident that their CHD and PII remain secure and out of the hands of malicious actors with tokenization. This boosts customer experience and brand reputation.

Challenges for tokenization include the following:

• Lack of regulation. No federal regulatory agency is overseeing tokenization, making it difficult to create and enforce best practices and standards between payment processors.
• Increased data storage complexity. Tokenization can complicate the returns process because vendors must decide how to save payment details and CHD during return or chargeback periods. Maintaining the same transaction identifiers during the chargeback period can alleviate this issue.
• Vendor lock-in. Not all payment processors support tokenization. This could limit merchants' options and make it difficult to swap processors in the future.

Ravi Das is a technical engineering writer for an IT services provider. He is also a cybersecurity consultant at his private practice, ML Tech, Inc., and has the Certified in Cybersecurity (CC) certification from ISC2.