Successful online transactions are always a tension between convenience and security for the purchaser. Merchants want to deliver an efficient sale, but not at the expense of card data being misused. That's why card tokenization is so vital. It provides a way to securely store and transact with payment methods, while minimizing security concerns and PCI compliance risks.
The inaugural episode of Payments Dialog explores a critical topic for payments:
.
David is an expert on payments and has written an
that is absolutely worth your time.
This transcript is lightly edited for readability. It is not a definitive transcript.
: Thanks everybody for coming or hanging out with us on the first "Payments Dialog". This is a new little thing that we're doing at Spreedly just to go and cover some different topics. Some more on the business side some more on the technical side. We've spent so much time here at Spreedly learning a bunch of things the hard way about payments. We've spent a lot of time meeting other people who know all kinds of interesting things about payments trying to figure out how to share different things.
And so we want to welcome you here. I've got David Goodale here with me and he's going to be talking with us about tokenization.
But first just a quick intro myself my name is Nathaniel Talbott and in addition to being your host here on the Payments Dialog I'm the CTO here at Spreedly. It's really fun to get on and talk about payment stuff and service some different things.
So I've got again David Goodale here with me today to talk about tokenization and David I'll give you a chance to introduce yourself and kind of where you're coming from.
Perfect, thanks Nathaniel for having me. My name is David Goodale, I'm the CEO of Merchant Accounts CA. It's a payment company that I launched about 18 years ago in Canada. Which in e-commerce years is a pretty long time. My expertise really falling into that very early days of e-commerce is specifically in online payments and even with a lot of international and multi-currency. Which means I run into a lot of different use cases for a lot of different merchants and tokenization is obviously one of those.
I've been doing it for quite a long time and I'm kind of excited to talk through this with you today.
What I'm particularly excited about today we talk about tokenization is you know at Spreedly obviously tokenization being so central to what we do I've been buried in it now for seven plus years and I'm really excited to get your take on a lot of these topics and how you describe it and hear how you talk about some of these different things.
So I just want to kind of jump right in here and first of all David what is a card token? When we talk about tokenization we talk about card tokenization. What is that? How does it work? What's your take and how do you explain that to folks, tokenization?
David: Tokenization is really it's all about not having something in a way, right? A token is not a credit card number. So it's all about if you're a business owner and you want to process a payment or you're interacting with the customer in some sort of way. Let's just to start with our example let's talk about recurring payments it's not the limit of tokenization but it's a great starting point for the discussion.
So, if you're a business and your billing someone every month. You don't want to store the credit card number because as soon as you touch credit card numbers they get into your system it expands your PCI compliance scope. Which we'll probably get into later on the discussion. So at a high level, a token is simply a reference number back to a credit card where someone else is dealing with the headache. It's your service provider that's holding on to the card number and you just reference that card number by referring to the token.
Nathaniel: So you talked about the recurring case which is really interesting because Spreedly actually started out as a recurring payments company and kind of shifted over to building payments infrastructure. What other use cases do you find commonly come up for tokenization?
Well everyone automatically thinks about recurring billing. Acquiring a customer in many industries is super expensive. So once you acquire a customer hopefully they're a recurring source of revenue. It may not be a recurring payment, it may not be a gym membership every month but it could be something where you're interacting with them quite frequently.
You know the easiest example that I could probably give that everyone's going to know is Amazon. You know everyone has an Amazon account and you don't type the credit card number in every time. You run that sale and most likely Amazon's tokenizing that data. So it's not sitting on their public server right.
So that's it but let me take it way down from the huge example and give you more good example of one that you might not think of.
It's a garbage company that's and about as low tech as you're going to go. Each company you might have a route and you're picking up garbage for local restaurants in a city area. Every month there's more or less tonnage so you have to change the amount. It's not a recurring payment but when you want to get paid a lot of businesses in you know like more traditional businesses cash flow is an issue so when you invoice out you got to wait for them to get motivated to write a check and put it in an envelope and mail it to you.
So it's better if you can store that card on file via a token you can go back and bill that token automatically and you just arranged it with the customer that you're allowed to bill their credit card every month so that's a great traditional use of tokenization.
You touched on PCI is the one that particularly comes into play is the PCI DSS that term data security standard so tell it like talk a little bit more about how tokenization and PCI DSS interact and why those two things are so closely linked.
David: So as a business the first thing we can make as a starting point is PCI is hard. It's actually really pretty hard to get through. There's different tiers of PCI compliance. If you go back to the Amazon example. Amazon does a lot of transactions; so, their level of compliance is going to be hard but even as a small business. Let's say you're processing fifty thousand dollars a month in credit card sales. If those credit card numbers are sticking around on your system basically touching your systems in any way you get pulled into scope ran it's hard to deal with.
Nathaniel: To dive in a little bit more what do you mean by scope so talk a little bit more about what we mean we say scope expands?
There were originally four tiers of PCI compliance tier one two three and four. What the PCI council addressed the fact that you know this is really hard for people to get through and sometimes people don't touch cards themselves for example it should reasonably be easier for them to certify compliance.
So when we talk about reducing the scope there is what's called a simplified version of the PCI compliance questionnaire. It has a self-assessment questionnaire, the questions are shorter and easier. They basically summarized in English they're like don't look at me I don't touch card numbers. That's basically what they say. And if you can't do that as a small business, sometimes it's just not achievable you know.
If you did have a shared web host and you don't have control over the server environment and there's some sort, of and I'm just making something up, there but maybe there's like a patch update that has a vulnerability attached to it. It means well you're filling your PCI scan you need to get it patched and you can't because it's not your services sharing environment.
PCI is two things the first part is a questionnaire. It's a list of best practices that merchants have to certify "yes I do this and this and this and this and this" you basically have to answer every question 'yes I do this'. And if you don't you fail.
The second part once you deal with the questionnaire is the technical part of it which is where you use an approved scanning vendor. This is a company that basically tries to hack your web server in a very friendly and cooperative way because they search the vulnerabilities so that nobody else can take advantage of. That's another issue for tokenization. Again if the credit card numbers aren't on your server you get to skip the PCI scan as well.
So you can have shared web hosting if you don't have any card data on your system. Which means there's you know a lower cost for small businesses.
Then I'll also highlight because at Spreedly of course we do a lot of credit card volume and if you start doing enough you get to have an audit like you get to pay auditors to come in and basically go over everything with a fine-tooth comb.
What do you find with your clients as you're talking them about scoping or going through these assessments? Give me like a few examples of challenging things that they run into if they are dealing with credit cards like what are some requirements and PCI DSS that they often trip over.
I could answer it with a funny example from memory. I had a nice lady that would have a challenge you know installing Outlook on her computer. I think she logged into the Trustwave questionnaire because she was using Trustwave.
She called me and she's like "David it's asking me questions like is my system using industry standard port hardening techniques across all public facing ports on the server infrastructure?" You know if I had to ask her to format her computer she wouldn't being able to do it you know and that's part of the issue with PCI is in a lot of ways for a lot of regular folks it's an unachievable standard.
You have to get out of scope or you have to go all-in and it means you're bringing an expertise and resource that's beyond the scale of a small business.
Absolutely let's see what else I got here. So like tokenization we've tokenized a payment method. Let's talk a little bit through the flow of using a token like how does how does how would a typical business go and make use of tokenization. I mean they're out of scope but they still need to transact so how does it work?
David: Well let's go up the web host. The easy example for them okay so there's two ways to tokenize you can either tokenize old data. Like if you were a customer of mine and you had bought something six months ago.
It depends on the payment processor or maybe you could do this with Spreedly too you can go back to a previous transaction and turn it into a token.
I'll give you an example. Let's say that you're just buying a pair of shoes online this is a one-time sale nothing to do with recurring tokens at this point but at the point of sale you're buying the shoes off the merchant's website's payment gateway. I have $100 sale here the guy's name is Nathaniel here's this credit card number is he good for the hundred bucks the gateway will approve it, the merchant gets the response back -- we haven't talked tokens yet.
Six months goes by that merchant could, depending on the system they're using, they could say "hey, payment gateway, wake up. Do you remember authorization code two three four five six?"
Every kind of approval happens there's an authorization message right. "Hey, get your authorization two three four five six I'm going to tokenize that now. We're gonna call that token fifty and any time in the future ever talked about token fifty I'm talking about the card associated with that transaction." So that's one way of retrieving old data and building a token out of it.
Okay there's a second option. A second option would be something more like a web host or Netflix or something like that where they know right away it's going to be a recurring billing situation. Or it doesn't even have to be recurring billing they just know that there are going to be subsequent transactions and they want to create a token.
So then you would do what's called a zero dollar verify request. Just for the sake of explaining it to folks that may not know what a pre-authorization is.
It's like when you go to a hotel and you give them your credit card and put like a temporary hold on the funds. That's just a temporary hold on your card you can't go and spend that money until the hotel releases it or until an amount of time passes where the card issuer requires it to be released. Now what ends up happening in in this situation is because you're creating a token you don't want to bill you don't hold $500. You just want to hold zero you really just want to make sure it's a valid card right. So that's what a verify request is.
I think this was changed relatively recently by memory you can't hold me to this but I'm pretty sure that the card schemes changed it so that people stop doing like $1 pre authorizations or full value pre authorizations where they where it was really just being some purpose of creating a token.
Nathaniel: They introduced some penalties. Basically, to try to incent the downstream payment gateways and such to support what what's called a zero dollar authorization for verifying these cards. So now they have to basically charge you or eat the cost if they don't allow you to do a zero dollar authorization but we still find at Spreedly that a bunch of them still require you to do a one dollar authorization and we try to smooth all that out.
I can see where that came from the rise of debit cards because then you're not you're not pre-authorizing money, you just suck people's actual money out of their accounts. That's not authoritative but that's my theory.
So what ends up happening is it's kind of a similar process. "Hey Gateway, here's a customer and here's a zero dollar verify request is the card valid like did the issue or authorize it. If so let's call this one token sixty and then at that point it's the same thing going forward any time you want to bill that card it's the Gateway or course prepay system you know token 60 hit that thing up for five hundred dollars from me and how it happened tell me what happened.
Nathaniel: So beyond you know the obvious you know security and compliance and benefits of using tokenization like are there any other benefits that you see for customers you know financial or business benefits, revenue benefits etc. from using tokenization?
David: There's two that I can think of immediately and maybe I'll come up with more as we're chatting. But the first one we touched on a little bit is just the fact that you have to remember that as businesses chasing down money's a real problem. So tokenizing like everyone wants to store the cards because they want to be able to build a customer right away but that brings in the problem of PCI.
So, tokenization right away it eliminates PCI, get your money fast. Visa and MasterCard offer a lower interchange rate for recurring billing transactions.
In order for this to make sense to folks I should probably give a 30 second explanation of interchange. So when my credit card processor runs a transaction we don't get to keep the money that we process. And so the word interchange. It just means cost from Visa and MasterCard to the payment processor. It's set at a regional level so one region would be the United States. Canada would be a region. Asia Pacific is a region. The UK Europe as a region -- and at a country level.
The other thing that's interesting for merchants to know is it's the same for all processors in that region. So, I'm Canadian so if someone works with Merchant Accounts.ca the cost actually fluctuates depending on the type of card. So if you are in college and got your first credit card, well that's not going to be the same credit card that Richard Branson walks around with okay.
So those all those points cards, those fancy cards that have a lot of benefits, they cost more and the interchange cost goes up. And I'll just give one example just so the viewers have a point of reference in Canada.
A basic Visa is one point five two percent. An Infinite Visa which is one point seven one percent, a rewards cards cost zero point one nine percent. So anyways this is all framing up the point to make that there are costs when you process credit cards and there's different pricing models in the merchant industry.
But the best one is called interchange plus pricing and that's where the payment processor clearly discloses the margin that the merchant is going to pay. Now why does this matter with tokenization in the recurring billing? Well, see where I'm going? As soon as you tokenize you flag the transaction return properly the cost goes down and they go down actually really quite a bit.
I actually wrote down on my sheet here just for the viewers reference so in Canada on a debit card the interchange rate is reduced by 0.55 percent. On a classic card it's reduced by 0.15 percent on an Infinite card it's reduced by 0.15 and on an Infinite Privilege, the "Richard Branson" card, it's half a percent.
The cost savings is similar for MasterCard.
Merchants will go to war over five basis points and rightfully so. When there's like 80 on the table just by flagging a transaction properly that's worth doing.
One way I like to tell talk to people about these costs is that a lot of them are correlated to the risk that the card networks like Visa and MasterCard and that the issuing banks who issue the cards. That a lot of it is tied to what they perceive is their risk on the transaction. So if you tokenize the card and you've had previous you've done previous transactions with that customer the risk that it's fraudulent and that the customer is getting taken advantage of or they're going to charge back is it goes down.
So, tokenizing these things and maintaining just a lot of tokenization is about maintaining a good relationship with customers it's about providing a good experience to them and that that has lots of knock-on financial benefits from the interchange to just collecting money be able to get your money.
So to kind of wrap up let's just like talk me through from your perspective what are what are the alternatives? What should businesses be considering as they look at tokenization solutions. What are the alternatives like what should they be comparing it to and what types of different options do the folks that you interact with tend to be looking at?
I think the answer that comes to mind right away is scale. There's different considerations for big or small businesses one of the things that that comes to mind for me is data portability because you're getting see it's like I don't want credit cards anywhere near me get them away please. Which is great until what if you need them. So that's I know Spreedly has a good data portability clause because I've spoken about it in the past with other folks.
That's exactly the type of thing that people never care about until they need it it's like insurance until the house is on fire right and it's the same thing here.
So that's something that I would keep in mind if you do so these a great provider at tokenization. One of the things you know it's not really in the scope of this but because people use Spreedly for tokenization it gives them portability to other data platforms. So especially because I work with the merchants that process in Canada, the US, Europe and merchants want redundancies. Spreedly with one integration you get to integrated into like many many, many payment gateways.
It goes beyond just the immediate benefit of tokenization that should probably be a consideration for any business as well.
Nathaniel: Lock-in is definitely a big thing that we talk to and when prospects and customers are looking at us and interacting with us a lot of it is around lock-in because I mean when you create a token you're it's typically locked into whatever platform you're using. They're not portable. There is actually something called Network Tokenization -- that's a whole other interesting topic. But outside of that which is fairly difficult to get access to these tokens aren't portable so you really want to think through what platform you're locking yourself into.