Multi-colored poker chips are synonymous with casinos, with various colors representing different monetary denominations. The interesting thing is that the poker chip itself doesn’t have any value independently (e.g., you can’t use a poker chip to buy items at a store), but it can be exchanged for something of real value (i.e., money). Since poker chips are representations of monetary values, they become worthless outside the context of a casino, unless you are a casino chip collector! So even if the poker chips are stolen, the money that the chips represent remains safe.
Poker chips do not immediately make you think about payments, so what do poker chips have to do with payments? Well, in the same way that the poker chips represent monetary value, card payment tokenization is used to represent sensitive card information. Let’s examine what card tokenization is, how it works and what the benefits are.
What is card payment tokenization?
Card payment tokenization is a data security feature that involves replacing sensitive cardholder details, like the Primary Account Number (PAN) (i.e., the 16-digit card number on the plastic card), with randomly generated numbers and characters. The randomly generated value, known as a token, cannot be traced back to the original PAN. Unlike encryption, which uses a secret key to decipher the original data, a token is a placeholder with essentially no value.
For example, when a customer uses their credit or debit card to make a purchase, the tokenization process converts the cardholder’s PAN into a mathematically irreversible token. If the customer’s card needs to be charged again in the future (which is the case for recurring payments or subscriptions), the payment system will recognize the token associated with the card, instead of the cardholder’s PAN. Even if the token is intercepted or the system that the token resides on is compromised, the cardholder’s PAN is protected and cannot be retrieved as the token is not mathematically reversible unless you have the original mapping used to create the token.
Although tokenization had been around for a while, it wasn’t until the launch of Apple Pay in 2014 that tokenization took off. Apple Pay utilizes network payment tokenization for its digital wallet and in-app purchases. Tokenization has since expanded to include e-commerce and recurring billing use cases, allowing for seamless checkout experiences and reducing the data breaches that occurred when merchants stored cards on file.
Who are the players in the card payment tokenization process?
Before we start looking at the card tokenization process, let’s understand the key players in the ecosystem:
👛 Token Requestors (TR): A Token Requestor (TR) is an entity that initiates the process of tokenization. A TR can be a merchant, a digital wallet operator or an ecommerce marketplace. TRs must register with the token service provider and obtain a Token Request ID (TRID).
🔐 Token Service Provider (TSP): A Token Service Provider (TSP) is an entity within the payments ecosystem that generates and manages tokens. The TSP maps the cardholder’s PAN to the payment token and stores the token safely within a token vault. A TSP can be an issuer, a card network, an acquirer or a merchant/payment processor.
Although there are many different TSPs, the most common TSPs are the card networks. The card networks (e.g., Visa, Mastercard) provide a service called network payment tokenization whereby the card network creates the token. With network tokenization, the card networks replace the cardholder’s PAN with a unique EMV¹ payment token that is tied to a specific device, merchant, transaction type or channel, which further limits the risk.
The advantage of card network tokenization is that the token flows through the end-to-end payment process, allowing for greater security compared to other TSPs’ tokenization.
Note: The focus of this newsletter will be primarily on card network tokenization.
![](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff994c7d5-a953-4f10-aa0a-fc2cee2c1a01_3870x2079.png)
How does card payment tokenization work?
The card tokenization process can be broken down as follows:
1. Token assurance: In the first step of tokenization, token assurance is conducted to validate whether the person adding the PAN is the rightful owner of the PAN.
   - Customer enters the PAN details (e.g., the card number such as 1234 5678 9101 1121, security code, expiry date) or the customer scans the card.
   - The PAN details are passed to the TSP, and the TSP passes the details to the Issuer (customer’s bank) for validation.
   - The Issuer confirms the validation and passes the results to the TSP.
   - Depending on the TSP’s policies, additional authentication such as a one-time password (OTP) is used.
2. Token generation: Once the PAN is validated, the TSP will generate a token (e.g., a random sequence of characters such as EN73AT312JD) for a given PAN.
3. Token issuance & provisioning: The TSP will issue the token with the associated data and distribute the token data to the location where the TR requested the token. Remember the TR could be a digital wallet operator (e.g., Apple Pay) or it could be an online merchant through their website or app.
4. Token presentment: Once distributed, the token will be presented on a device or be made available to the merchant.
5. Token processing: The TR will submit the payment token and associated data into the payment flow to obtain an authorization decision for the transaction. The token within the authorization request is sent to the TSP, where the token is verified and de-tokenized to the original PAN.
6. Payment processing: The Issuers will receive the PAN and the de-tokenized callout for payment authorization.
Note: As an additional security measure, certain TSPs (e.g., card networks) will generate a token cryptogram for each specific transaction before the actual authorization for a token transaction. The token cryptogram is encrypted and contains attributes defined for the current transaction, such as an individual session ID or a specific validity duration. During payment processing, the merchant will send the payment token as well as the cryptogram for payment authorization through the card network to the issuer.
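The token processing and cryptogram check described above can be sketched as follows. This is an example added here, not code from any card network or TSP; the `TokenVault` class, the TRID strings, the session IDs and the use of HMAC-SHA256 as the cryptogram are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, amount_cents, session_id):
    # HMAC-SHA256 is a stand-in; real networks define their own cryptogram format.
    msg = f"{token}|{amount_cents}|{session_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical TSP: maps random tokens to PANs and verifies cryptograms."""
    def __init__(self):
        self._records = {}  # token -> (pan, trid, cryptogram key)
        self._seen = set()  # (token, session_id) pairs already authorized

    def tokenize(self, pan, trid):
        # The token is random, so the PAN cannot be computed from it.
        token = secrets.token_hex(8).upper()
        key = secrets.token_bytes(32)  # provisioned to the requestor with the token
        self._records[token] = (pan, trid, key)
        return token, key

    def authorize(self, token, trid, amount_cents, session_id, cryptogram):
        """De-tokenize for the issuer; return None if any check fails."""
        record = self._records.get(token)
        if record is None or record[1] != trid:  # unknown token or wrong requestor
            return None
        pan, _, key = record
        expected = make_cryptogram(key, token, amount_cents, session_id)
        if not hmac.compare_digest(expected, cryptogram):
            return None
        if (token, session_id) in self._seen:  # each cryptogram is single use
            return None
        self._seen.add((token, session_id))
        return pan


def demo():
    vault = TokenVault()
    token, key = vault.tokenize("1234567891011121", "TRID-A")  # article's sample PAN
    c = make_cryptogram(key, token, 2500, "s-001")  # constructed transaction
    return {
        "first_use": vault.authorize(token, "TRID-A", 2500, "s-001", c),
        "replay": vault.authorize(token, "TRID-A", 2500, "s-001", c),
        "other_requestor": vault.authorize(token, "TRID-B", 2500, "s-001", c),
        "tampered_amount": vault.authorize(token, "TRID-A", 9900, "s-001", c),
    }
```

Only the first authorization returns the PAN; the replayed cryptogram, the request from a different token requestor and the altered amount are all rejected before de-tokenization.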
![](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc4c5d130-ba05-42c8-865b-75707b1a3f5b_3870x2079.png)
The different tokenization use cases
Now that we understand the concept of tokenization, let’s look at the different implementations or use cases of tokenization in the market today.
1. Digital wallet payment tokenization
Digital wallets, such as Apple Pay or Android Pay, use tokenization when customers add their cards to the wallet.
The cardholder adds their card into a digital wallet on their mobile phone, and the card number (PAN) is replaced by a token that is stored on the smartphone.
When the cardholder uses the digital wallet for tap-and-go payments at point-of-sale terminals, the token is used instead of the payment card itself, which adds an extra layer of protection for the transaction.
2. In-app payment tokenization
As mobile device technology has improved, customers have begun using merchants’ mobile applications to complete purchases. Merchants have implemented tokenization within their apps for card payment processing while protecting data security.
If the customer’s mobile phone contains a token, then the mobile apps can integrate with the tokenized account directly, so cardholders don’t have to input their card information. The app uses the tokenized account with biometric authentication to complete the transaction.
3. E-commerce payment tokenization
During the online checkout process, customers enter their card details. To make the checkout process seamless as well as secure, the merchant will request a token from the TSP and replace the customer’s PAN with the payment token.
The merchant will send the payment token and associated information into the payment ecosystem (e.g., send the information to the payment gateway, payment processors, PSPs and the card networks) for payment processing.
4. Card-on-file tokenization payments
To make the checkout process easier, merchants started keeping card information on file. However, there have been many data security issues surrounding card information on file. For example, in 2013, Target experienced one of the largest data breaches when 40M credit card and debit card details were stolen by hackers.
To combat data breach concerns, merchants can proactively enroll cards into a tokenization process and replace the card details with card-on-file tokens. Card-on-file tokenization is simply the process of tokenization applied to payment card information so that it can be securely stored in a company’s internal systems without adding a compliance burden.
Tokenization versus encryption
Tokenization may sound a lot like card encryption, but in fact there are key differences between the two concepts.
Card payment tokens are representations of the underlying card information, such as the customer’s PAN. The tokens by themselves are meaningless, and the card information associated with the token is stored in a separate vault.
Card encryption uses encryption keys to protect the sensitive card data. Instead of swapping out the card data for a meaningless placeholder (e.g., a token), encryption mathematically encodes the card data using an algorithm. With the right encryption key or decryption solution, the encrypted card data can be returned to reveal the original PAN.
Benefits of tokenization
1. Data security and fraud prevention
According to a Nilson report, there were nearly $12B in card fraud losses in the US in 2021, an increase of 18% from 2020 fraud losses. As a result, data security is of paramount importance as fraud losses continue to grow.
The data security proposition of tokenization significantly reduces the fraud risk and the impact of data breaches. Tokenized card data is useless if stolen, and Visa has reported a 28% reduction in average fraud rates as a result of tokenization.
2. Improved customer trust
59% of customers have said that data breaches have a negative impact on their trust in the affected company, according to a 2018 CA Technology and Frost & Sullivan study. For example, Target saw an impact to their credibility after the 2013 data breach with a 22% decrease in the customers that shopped at the retailer.
Customers don’t want their sensitive card data to end up in the wrong hands, and they appreciate companies that demonstrate a strong commitment to protecting data security. As tokenization offers enhanced data security, it improves merchant credibility and improves customer trust.
3. Merchant benefits
Merchants have also seen an increase in card authorization rates when using card tokenization, with Visa reporting a 3% authorization rate lift due to tokenization. Authorization rates are the rates at which issuers approve or authorize a customer’s transaction.
When a customer’s card is not authorized, it results in a card decline, and customers have to use a different payment method or may choose to abandon the online purchase. Card declines are costly for merchants and hurt their customers’ experience as the likelihood of purchase abandonment increases. Transactions that use tokenization have higher authorization rates, creating more frictionless customer experiences and improving the merchants’ bottom line.
4. Maintenance of compliance requirements
Businesses that accept credit cards must meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Businesses that need to achieve PCI compliance while offering card-on-file for recurring billing or subscription services can meet these requirements using tokenization.
Since the merchants don’t need to store actual card-specific information on their POS system, PCI compliance becomes easier for them to establish and maintain with a system of credit card tokenization.
¹ EMV stands for Europay, Mastercard and Visa, which are the card networks that created the EMV global technical standards. EMV designs technical standards, including standards for tokenization, that any party can use to create payment products that work seamlessly with other products.