Understanding Tokenization
Overview

Tokenization is a security technology that protects sensitive data by replacing it with non-sensitive placeholders called "tokens". This approach allows businesses to handle sensitive information securely while maintaining functionality.

How tokenization works

When a customer enters their payment credentials during checkout, instead of storing that sensitive data, your systems:

- send the payment data to a tokenization provider;
- receive back a token that represents those credentials;
- store this token within the customer's account for future transactions.

The token may maintain the format of the original data but has no mathematical relationship to it. This means tokens cannot be reversed back to the original card numbers.

Benefits of tokenization

Improved security
- Removes sensitive data from your systems
- Reduces the impact of potential breaches
- Cannot be reversed to the original data
- Faster checkout with minimal friction

Better customer experience
- Streamlines recurring payments
- Faster checkout process
- Supports subscription models

Simplified compliance
- Reduces or removes PCI DSS scope
- Minimizes compliance costs
- Simplifies security audits

Tokenization vs encryption

Unlike encryption, which uses mathematical algorithms that can be reversed with the right key(s), tokenization completely removes sensitive data from your systems. The tokens have no mathematical relationship to the original data and can only be exchanged for the real data by the tokenization provider. While encrypted data remains vulnerable if the encryption keys are compromised, tokenized data provides no value to attackers even in the event of a breach.

Network tokens

What are network tokens?

Card networks (Visa, Mastercard, Amex, and Discover) offer their own tokens, which can be used in processing transactions instead of a PAN. Network tokens are maintained by the networks, so they always stay current, even if the underlying card data changes. For example, if a customer loses their card or if the card expires, the network updates the token directly, ensuring it continues to work without the customer needing to update their payment information. This helps reduce customer friction in the checkout flow and avoids stale payment credentials in recurring charges.

Why use network tokens?

- Lifecycle management: ensures tokens remain updated indefinitely
- Enhanced security: tokens are merchant-specific and are used together with a cryptogram
- Personalized experience using card art
- Increased authorization rates: approximately 3%, as reported by Visa
- Lower interchange fees
- Processor flexibility

Network tokens vs PCI tokens

Standard: network tokens are based on the EMVCo Payment Tokenization Specification. PCI tokens are not based on an industry standard for format (e.g. they can be created in different ways).

Who generates them: network tokens are generated by the card schemes (Mastercard, Visa, American Express, Discover). PCI tokens are generated by a payment gateway, PSP, or agnostic token provider.

Where they can travel: network tokens can be passed through the payment ecosystem before being detokenized by the card schemes. PCI tokens must be detokenized by the gateway, PSP, or agnostic token provider before being passed into the payment ecosystem.

Account updater

What is account updater?

The account updater service, offered by the card networks, facilitates PAN lifecycle management by retrieving the new PAN information in case of an expired, lost, or stolen card, ensuring accurate and up-to-date credentials are available at the time of purchase. Account updater:

- provides the updated PAN (primary account number) to the token provider to ensure the credential is always accurate and up to date;
- builds on top of the merchant's payment card vault;
- can be leveraged to improve lifecycle management when network tokens are not possible, due to partial issuer support, and to improve performance on alternative rails.

Benefits of account updater

- Real-time, agnostic solution
- Save lost revenue: recover failed payments from invalid or expired cards
- Minimize duplicative costs by only updating cards when there is likely buying intent
- Processor flexibility: leverage updated cards across multiple processors

Why use account updater if already using network tokens?

Network tokenization has a few gaps in support and experience that account updater mitigates, including:

- partial issuer support;
- underperformance on alternative rails, e.g. PINless (US), Cartes Bancaires (FR), eftpos (AU).
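The following is an added example, not code from this page or from any tokenization provider. It models the two mechanisms described above in one place: the provider-side vault from "How tokenization works" (the merchant stores only a random, format-preserving token and the PAN never leaves the provider, which is what makes the token useless to an attacker who reads the merchant's database) and the lifecycle refresh from "Account updater" (a reissued card replaces the credential behind the same token, so a stored token that would have been declined as expired starts working again). The provider class, the `authorize` and `apply_account_update` methods, the sample PAN and the reissued card are all constructed for illustration; real providers differ in token format, and a real account updater response arrives from the card networks rather than being passed in by hand.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample PAN for the demo (a common test-card number, not a real card).
SAMPLE_PAN = "4111111111111111"
PAN_RE = re.compile(r"^\d{13,19}$")


@dataclass(frozen=True)
class Credential:
    pan: str
    exp_month: int
    exp_year: int


class TokenProvider:
    """Provider side (hypothetical): the only place the PAN <-> token mapping exists."""

    def __init__(self) -> None:
        self._vault: dict[str, Credential] = {}  # token -> credential
        self._by_pan: dict[str, str] = {}        # PAN -> token, so one card gets one token

    @staticmethod
    def _random_token(pan: str) -> str:
        # Format-preserving: same length, digits only, last four kept so the merchant
        # can show "ending in 1111". Everything else comes from a CSPRNG, so the token
        # has no mathematical relationship to the PAN and cannot be reversed.
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        return body + pan[-4:]

    def tokenize(self, cred: Credential) -> str:
        if not PAN_RE.fullmatch(cred.pan):
            raise ValueError("PAN must be 13-19 digits")
        if cred.pan in self._by_pan:               # same card again -> same token
            return self._by_pan[cred.pan]
        token = self._random_token(cred.pan)
        while token in self._vault or token == cred.pan:   # avoid collisions
            token = self._random_token(cred.pan)
        self._vault[token] = cred
        self._by_pan[cred.pan] = token
        return token

    def authorize(self, token: str, amount: int, today: tuple[int, int]) -> dict:
        """Resolve the token inside the provider and reject expired cards.
        The PAN itself is never returned to the caller."""
        cred = self._vault.get(token)
        if cred is None:
            return {"approved": False, "reason": "unknown token"}
        if (cred.exp_year, cred.exp_month) < today:
            return {"approved": False, "reason": "expired card"}
        return {"approved": True, "amount": amount, "last4": cred.pan[-4:]}

    def apply_account_update(self, old_pan: str, new_cred: Credential) -> bool:
        """Account-updater style refresh: the reissued card replaces the old credential
        behind the *same* token, so the merchant's stored token keeps working."""
        token = self._by_pan.pop(old_pan, None)
        if token is None:
            return False
        self._vault[token] = new_cred
        self._by_pan[new_cred.pan] = token
        return True


class Merchant:
    """Merchant side: stores tokens only, never PANs."""

    def __init__(self, provider: TokenProvider) -> None:
        self.provider = provider
        self.customers: dict[str, str] = {}  # customer id -> token

    def save_card(self, customer_id: str, cred: Credential) -> str:
        token = self.provider.tokenize(cred)
        self.customers[customer_id] = token
        return token

    def charge(self, customer_id: str, amount: int, today: tuple[int, int]) -> dict:
        return self.provider.authorize(self.customers[customer_id], amount, today)


def demo() -> dict:
    """Walk through first checkout, a failed recurring charge on an expired card,
    a constructed account-updater response, and the recovered charge."""
    provider = TokenProvider()
    merchant = Merchant(provider)
    old = Credential(SAMPLE_PAN, exp_month=3, exp_year=2024)
    token = merchant.save_card("cust-1", old)
    stored_is_token = (token != SAMPLE_PAN and len(token) == len(SAMPLE_PAN)
                       and token.endswith(SAMPLE_PAN[-4:]))
    before = merchant.charge("cust-1", 1999, today=(2025, 6))   # declined: expired
    # Constructed update: the same customer's card was reissued with a new PAN/expiry.
    updated = provider.apply_account_update(SAMPLE_PAN, Credential("4111111111111129", 3, 2028))
    after = merchant.charge("cust-1", 1999, today=(2025, 6))    # approved, same token
    return {"stored_is_token": stored_is_token,
            "same_token_reused": merchant.customers["cust-1"] == token,
            "updated": updated, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the merchant never calls anything that returns a PAN, which is the property that keeps it out of PCI DSS scope for stored card data, and the update is applied to the mapping behind the token rather than by issuing a new token, which is the same reason a network-maintained token keeps working after a card is replaced.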