What is tokenization in payments?

Tokenization dates back to the early 2000s and still plays an integral role in payments processing today. In this post, we explain what tokens are and their application to secure payment data.

Payment tokenization is a security process used in electronic payments to protect sensitive card information by replacing it with a unique identifier, known as a token. This ensures that actual card details are not exposed during transactions, reducing the risk of data breaches and fraud.

As randomly generated strings of characters, tokens serve as a substitute for the actual card details. These tokens have no exploitable value and cannot be reversed-engineered to retrieve the original card information. They are used to process payments without exposing sensitive card data.

In the context of payments, ‘tokenization’ refers to the method of converting sensitive card information, such as a primary account number (PAN), into a unique identifier or token, which is then used in place of the actual card details during the transaction process.

The tokenization system ensures that the token can be mapped back to the original card details only by the authorised token service provider, enhancing the security of electronic transactions. This minimises the exposure of sensitive information and helps protect any personal data or sensitive information from being stolen or manipulated by criminals.

Payment tokenization involves replacing sensitive information with a secure, non-sensitive token. In terms of payment processing, tokenization works in the following way:

When initiating a transaction, the customer provides their payment information (for example, their credit card details) to the provider.

The original payment details then need to be tokenized. This may happen automatically if specialist tokenization software is already in place. Otherwise, any sensitive information and data is sent to a secure tokenization service, usually provided by either a payment processor or a third-party vendor.

Token generation A unique token is created in place of the original data via algorithms, encryption methods and secure storage. The result is a token comprising a random thread of letters and numbers that now represents the original payment data. This alphanumeric string is meaningless and has no value in the real world.

Once generated, the token then replaces the original payment data within the business’s system. The tokenization service provider ensures this data is securely locked inside a special vault, suitably protected from unauthorised access or outside interference.

When the time comes to process a transaction, the business can send the token to either the tokenization service or payment processor. The token is then securely ‘mapped’ back to its original payment data, enabling the transaction to occur without disclosing any financial details.

In terms of memberships, subscriptions, or other recurring transactions, the same token can be reused without having to reobtain the original payment data. Doing so streamlines the payment process without compromising security.

An acquirer is a financial institution that acts as an intermediary between merchants and card payment networks. Acquirer tokens are generated by these acquirers when they process cardholder transaction requests on behalf of merchants, allowing for the secure transmission of payment data.
As this data is tokenized, it streamlines the payment process, while using an acquirer ensures there is a trusted connection between all parties involved in the transaction. However, as these tokens are specific to acquirers, only they can generate and use them.

Issuer tokens are generated and managed by the card issuer (usually a bank or financial institution) that issued the customer's payment (credit or debit) card. These tokens are typically used in card-on-file transactions and mobile wallets. When a cardholder adds their card to a digital wallet (such as Apple Pay or Google Pay), the issuer generates a token that replaces the actual card number.

The issuer links the token to the cardholder’s account. It can be used for payments, while the issuer can control and manage its lifecycle, including updating it should the card be reissued or replaced. Issuer tokens enhance security by ensuring the actual card details are not stored on the device or transmitted during transactions.

Network tokens are generated and managed by the payment networks (such as Visa or Mastercard) rather than the issuer. Each card network has its own scheme token service. These tokens are used across the payment network, providing a consistent tokenization framework that different issuers and acquirers can utilise.

Capable of being used across multiple merchants and payment scenarios, network tokens ensure interoperability and can help streamline processes, including card updates across different merchants and platforms. As with issuer tokens, network tokens protect the card details by substituting them with a token, providing security against cyber threats. The network manages the issuance of the tokens, as well as updates and mapping to the actual card.

Merchant tokens are generated and managed by merchants or their payment processors, and are specific to individual businesses. These tokens are typically used for recurring billing and subscriptions or to streamline the checkout process by allowing merchants to store payment details securely.

Each token is specific to the merchant and cannot be used outside the merchant’s ecosystem. This lets merchants handle payments without storing customers’ sensitive card information directly. As a result, transactions are secure, as even if the token is intercepted, it can’t be used elsewhere.

Payment tokenization offers a variety of benefits, primarily centred around enhancing security, reducing risks, and streamlining compliance and data management.

Payment tokenizations replace sensitive information (such as credit card details) with a non-sensitive token, ensuring the actual data is never exposed during transactions.

The risk of data breaches is significantly reduced because the real payment information is stored in a secure token vault. Even if tokens are intercepted, they can’t be used to access any actual payment information.

Tokenization also limits the value of the intercepted data. As tokens are unique to specific transactions or merchants, they cannot be used or repurposed - rendering them useless if intercepted by criminals.