Tokenization uncovered: understanding what it is and how it works
With online payments and transactions expanding so rapidly in the last few years, the importance of safeguarding financial transactions has ushered in the era of payment tokenization. This eBook delves into the workings of network tokenization, distinguishing the nuances between PCI and network approaches, and shedding light on the profound advantages they bring to merchants and platforms alike.
Tokenization is the increasingly favored data protection method within financial and payment systems, with a projected volume of 1 trillion transactions in 2026, according to Juniper Research. Payment tokenization substitutes sensitive data with non-sensitive 'tokens' that have no intrinsic value. The original sensitive data is stored in a separate, tightly controlled database, often referred to as a token vault, while the tokens are used throughout different systems and applications.
The process of tokenization involves the following steps:
Underpinned by standards like the Payment Card Industry Data Security Standard (PCI DSS), tokenization has become a trusted method for data protection. It enhances security by shrinking the number of systems that ever hold cardholder data, which reduces both the blast radius of a breach and the scope of a PCI DSS assessment. Key management does not disappear; it is concentrated in the token vault instead of being spread across every application that once stored card numbers.
While both tokenization and encryption aim to protect data, the distinct advantages of tokenization often give it an edge. Understanding these differences is crucial when deciding which method to employ.
Encryption in a deterministic mode (ECB, or any construction that reuses the same key and IV) yields the same ciphertext every time the same value is encrypted, so repeated card numbers can be spotted in a dump without the key; randomized modes such as AES-GCM with a fresh nonce avoid that leak. Tokenization sidesteps the question entirely: a token is a random value with no mathematical relationship to the PAN, so a vault can hand out a fresh token for every capture of the same card, or deliberately return the same token for the same PAN when the merchant needs to recognize a returning card. Which behaviour you get is a vault policy rather than a property of the data.
Tokenization can preserve the format of the original data. For example, a 16-digit credit card number can be replaced with a 16-digit token, often keeping the last four digits for display, allowing easy integration into existing payment systems and databases with fixed column widths. Conventional encryption produces output that differs substantially from the original format, requiring system modifications to accommodate it. Format-preserving encryption can keep the 16-digit shape, but its output is still derived from the PAN under a key, so a key compromise exposes every value at once.
Tokenization's effectiveness doesn't rely on key management in the merchant's systems. Since a random token has no key or algorithm linking it to the PAN, there is nothing to reverse-engineer; the only way back is a lookup in the vault. That concentrates the risk in one place rather than removing it: the vault, its storage encryption keys and its detokenization API become the crown jewels, and they must be segmented from the systems that handle tokens and protected with strict access control and audit logging. An attacker who can call detokenize at will has the same power as one who holds an encryption key.
The choice between encryption and tokenization depends largely on the specific requirements of your application. Where data only needs to be referenced and forwarded rather than read back by the application itself, tokenization's smaller attack surface often makes it the better choice; where the application must recover the plaintext locally, or the data is in transit, encryption remains the right tool. Here are some considerations:
Remember, the decision is not about which method is better in general, but which is better for your specific application. In many cases, tokenization takes the lead.
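To make the comparison above concrete, here is an added example (not code from the original eBook or from any vault vendor) of a toy token vault. It issues random, format-preserving tokens that keep the last four digits, shows the multi-use versus per-capture policy choice, and then shows why a token must be random rather than derived: a SHA-256 of the PAN looks irreversible, but with the 8-digit BIN (public data) and the last four (printed on receipts) an attacker has only 10,000 Luhn-valid candidates to try. The PANs used are well-known test numbers, the in-memory storage and the 8-digit BIN assumption are simplifications, and a real vault would encrypt its mapping and gate detokenize() behind authorization and audit logging.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Toy token vault (illustration only, not any vendor's implementation).

    Tokens are random digits of the same length as the PAN, keeping the last
    four for display, so they drop into a 16-digit column unchanged. A real
    vault encrypts its storage at rest and gates detokenize() behind strict
    authorization and audit logging; this toy keeps the mapping in memory.
    """
    multi_use: bool = True   # True: same PAN -> same token (recognize returning cards)
    _by_token: Dict[str, str] = field(default_factory=dict)
    _by_pan: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if self.multi_use and pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # secrets, not random: the token must be unpredictable and unrelated to the PAN
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        if self.multi_use:
            self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """The only path from token back to PAN: a vault lookup, not a computation."""
        return self._by_token[token]


def hash_pan(pan: str) -> str:
    """A derived 'token' (SHA-256 of the PAN). Irreversible in theory, but not random."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest: str, first8: str, last4: str) -> Optional[str]:
    """Brute-force the 4 unknown middle digits of a 16-digit PAN.

    Assumes an 8-digit BIN (public data) and the last four (printed on receipts)
    are known, leaving 10,000 Luhn-filtered candidates per card. A random vault
    token gives the attacker nothing to enumerate.
    """
    for middle in range(10_000):
        candidate = f"{first8}{middle:04d}{last4}"
        if luhn_valid(candidate) and hash_pan(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"            # constructed: a well-known test card number
    vault = TokenVault(multi_use=True)
    token = vault.tokenize(TEST_PAN)
    print("token:", token, "| same token on re-tokenize:", vault.tokenize(TEST_PAN) == token)
    print("detokenize round-trips:", vault.detokenize(token) == TEST_PAN)
    per_capture = TokenVault(multi_use=False)
    print("per-capture tokens differ:", per_capture.tokenize(TEST_PAN) != per_capture.tokenize(TEST_PAN))
    print("hashed PAN recovered:", recover_pan_from_hash(hash_pan(TEST_PAN), TEST_PAN[:8], TEST_PAN[-4:]))
```

The design point is in the last function: anything computed from the PAN, however strong the hash, inherits the PAN's tiny keyspace once the BIN and last four are known. That is why a vault's tokens must come from a CSPRNG and why the lookup table, not the token, is what you protect.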
In everyday terms, to tokenize means substituting one thing for another. For example, in places like casinos you buy tokens for playing slot machines. The plastic tokens have zero value outside the casino. The same concept applies in the world of payments. Tokenization isn't a recent payment technology, but it has evolved over the years. We'll cover what tokenization is and how it works through the lens of payments. First, let's tackle the most important question.
Payment tokenization, at a high level, is replacing sensitive cardholder data with a randomly generated payment "token" (usually a string of random alphanumeric characters or digits), and then using that token to process the current transaction as well as future ones. This is common practice for merchants and platforms with recurring transactions and helps protect sensitive data for repeat customers.
In online payments, merchants tokenize their customers' card data: the card number, and in some vaults related details such as the expiry date and billing address. The card number itself is the Primary Account Number (PAN), the element PCI DSS is most concerned with. Merchants replace this data with randomly generated letters and numbers. By using credit card tokenization, merchants can store and transact with the data without exposing the PAN and risking fraud or loss.
Online shopping has grown sharply in recent years, and with it digital payments. That growth, together with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), has driven the search for ways to protect stored card data. Tokenization lets merchants process transactions and keep customer payment methods on file without building and certifying their own cardholder data environment.
As we have seen, a token is a stand-in value representing an actual value. You can use the token in place of the real value. Tokenization substitutes sensitive customer information with an identifier that has no value on its own and no mathematical connection to the account number. The merchant's systems can store, transmit and reference the token; only the vault that issued it can turn it back into the customer's PAN. In essence, you're replacing sensitive data with tokenized data.
The tokens do not carry any sensitive data. A token is simply a lookup key into the vault that issued it; it says nothing about the cardholder's bank or where any data is stored. Tokens are generated at random rather than derived from the PAN, which is what makes them irreversible. Irreversible does not mean single-use: a stored token can be submitted again and again for recurring transactions, which is precisely why card-on-file tokenization exists.
Detokenization happens only inside the vault, at the moment a transaction is forwarded to a payment gateway. Just like the casino tokens we mentioned earlier, these tokens have zero value outside the system that issued them. If an attacker captures tokens from a merchant's database or during processing, they cannot use them to charge the card anywhere else.
PCI compliance is a required industry standard that keeps sensitive payment data secure. A business that handles debit or credit cardholder data must be PCI compliant. The major card brands founded the PCI Security Standards Council (PCI SSC), which publishes and maintains the standard.
The council helps in the prevention of debit and credit card data theft. The Payment Card Industry Data Security Standard (PCI DSS) is a set of obligations and controls that govern companies handling card data and reduce the chances of a data breach. Failure to comply with PCI DSS leads to stiff fines, loss of business credibility, and reputation damage.
Tokenizing payments is great for the user experience and greatly contributes to PCI compliance. Payment tokenization saves on PCI DSS compliance regulation costs. Most estimates place PCI Level 1 security compliance at over $50,000 annually.
Annual expenses such as security audits, secure infrastructure, internal training, and penetration testing strain most merchants who store credit card payment data.
PCI DSS compliance is not a law, but it is a contractual requirement for businesses that work with the major card brands like Mastercard or Visa. PCI DSS compliance need not burden you. If you choose the right solution, it's a great investment with several benefits across the transaction lifecycle.
Suppose you visit an online store. During your previous visit, you entered your credit card details. Since your last visit, the company has optimized its transaction process or expanded to other countries. These changes meant the company had to change its payment gateways and move to new ones. This is where data portability comes in.
As a customer you will not notice these changes, and you do not need to re-enter your details. Data portability is the ability of a business to move customer payment data seamlessly from one gateway to another.
How is tokenization connected to data portability? A merchant can choose between two options:
When a merchant wants to process a transaction, it sends the token (never the PAN) to its payment tokenization provider. The provider looks up the stored card details, forwards them to the chosen payment gateway, and can route the same token to hundreds of compliant endpoints and gateways. This is what gives merchants on multi-provider plans data portability without ever holding the card data themselves.
Why do companies tokenize? Tokenization comes in very handy for different online transactions. An e-commerce merchant might want to give returning customers the luxury of an automated checkout. This automated option allows the customer to skip entering their payment details each time they check out.
While tokenization greatly benefits the customer and protects sensitive cardholder data, there are several benefits for companies as well.
Tokenization provides several benefits for developers
For merchants, credit card tokenization promises:
Credit Card Tokenization happens in multiple steps:
Network tokenization refers to payment card tokenization that payment networks like Mastercard, Visa, American Express, and Discover offer to replace primary account numbers, also called PANs and other details, with a token provided by the card brand.
Merchants benefit from dynamically updated network tokens through higher authorization rates, simpler fraud management, and an improved customer experience. With network tokenization, the stored credential is kept current by the network's token lifecycle management, so the cardholder's credentials remain usable even after a physical debit or credit card has been reissued or locked due to fraud.
Lost, stolen or expired cards no longer break a stored credential because the network token is updated proactively. As a result, customers experience fewer false declines due to out-of-date information and have a better experience for their subsequent and recurring transactions.
Network tokenization differs from PCI tokenization. A PCI token replaces a PAN at a specific endpoint, not across the entire payment ecosystem: it is meaningful only to the vault, gateway or processor that issued it and has to be swapped back for the real PAN before the transaction goes any further. A network token, by contrast, is understood by every party in the payment flow.
Network tokens are domain-specific, meaning each one is limited to one device, merchant, channel or transaction type. Network tokenization was popularized by device-bound wallets such as Apple Pay and Google Pay, and it builds on the same per-transaction cryptogram idea used by EMV chip cards.
Over the past few years, we have seen a dramatic shift in consumer spending habits. Studies show that one in five transactions today are digital, with eCommerce growing faster than in-store sales. However, this rapid growth and the evolution of technology also bring new challenges.
There has been an increasing rate of fraud, yet merchants are under intense pressure to deliver an effortless payment experience to accommodate the ever-rising consumer demand. Many merchants are turning to various technologies, including network tokenization, to strike a balance between a seamless purchasing experience and high security.
While it's easy to think of network tokenization as an optional addition, it is a transformative technology: it simplifies online commerce while keeping stored payment details secure.
Unlike PCI tokens, network tokens are interoperable across the payment flow. The token travels from the merchant to the PSP, the card network and the issuer, so the PAN never needs to be transmitted or revealed to any party during the transaction. These tokens are issued by a token service provider (TSP) and are domain-restricted to a single token requestor.
Because every network token transaction must be accompanied by a cryptogram tied to that token requestor, the token is bound to a single merchant, channel or device. That is what makes a stolen token so much less valuable than a stolen PAN: outside its domain, and without a freshly generated cryptogram, the token is inoperable, so a breach of a merchant's stored tokens does not hand the attacker usable card credentials. This narrows what an attacker can monetize; it does not remove the need to protect the rest of the environment, and merchants should confirm with their assessor how network tokens are treated in their own PCI DSS scope.
By converting stored credit card data to secure network tokens, merchants get the benefit of higher security, better customer experience, and increased authorization success rates. By using an agnostic orchestration layer in conjunction with a network token strategy, an organization can leverage their choice of network token or a secure, vaulted PAN token. This provides the flexibility to use whichever method is accepted by a given payment processor.
There is also the opportunity to tokenize at the moment a card is first stored, as well as to backfill previously captured card data, giving merchants the full benefits of network tokens across all their payments.
Fast-growing businesses invest a lot of effort to improve authorization success rates by a few points. Studies show that transacting with network tokens offers an average 2.1% authorization lift over using the PAN for card-not-present transactions. This reduces declines related to expired, reissued or compromised cards and boosts issuer confidence.
In a traditional fraud scenario, one fraudulent use results in the cardholder's account being suspended entirely until a new card is issued. With network tokens, the issuer can instead suspend only the token that was involved, so the card itself need not be blocked or reissued. A compromise of one merchant's token does not affect the tokens issued to other merchants in the ecosystem.
Every network token has a domain restriction tied to a single merchant. This enables card issuers and networks to confidently carry on with supporting transactions for cardholders whose PAN was suspended on fraud suspicion.
Additionally, dynamically updated network tokens don't go stale: when the underlying card is reissued or its expiry changes, the token is updated by the network. Declines resulting from expired account details are removed, and cardholders don't need to enter new credentials to maintain card-on-file accounts. This improves security and issuer confidence in network tokens, leading to fewer false declines.
As eCommerce grows, so too does fraud. It's more important than ever that new security measures be put in place to mitigate fraudulent activity. Industry experts predict that US retailers will lose about $165.1 Billion in the next 10 years due to card fraud.
According to the LexisNexis Risk Solutions True Cost of Fraud Study: e-Commerce/Retail Edition, every $1 of fraud now costs U.S. retail and ecommerce merchants $3.75, which is 19.8% higher than the $3.13 reported in the pre-Covid study in 2019.
Still, the fraud rates keep increasing and in a very competitive industry such as this where every dollar counts, blindly throwing money isn't a sustainable solution. Network tokenization offers an end-to-end security proposition that significantly reduces the risk and alleviates the impact of malware, data breaches and phishing attacks. In simpler terms, if anyone steals tokenized data, they won't be able to use it.
The collective effect of reduced declines and enhanced security is an improved checkout experience for online transactions. Nearly 35% of cardholders stop shopping after their card is declined once. Studies also indicate that more than $331 billion is lost due to false declines.
With more consumers shopping online in 2023, payment declines are expected to increase in value. At an average 15% decline rate, that's $306,150,000 in the United States alone.
Removing expired card-on-file account details means customers never need to log in to their accounts to update payment methods. Because the token requestor (the merchant) rather than the cardholder is authenticated at provisioning time, subsequent transactions no longer depend on the cardholder re-entering values such as the CVV/CVC, which are easy to forget or mistype and produce false declines.
Accounts are verified during token provisioning, which eliminates the need for merchants to run verification authorizations that show up on the cardholder's statement.
Network tokenization, offered by payment networks, streamlines PCI compliance for businesses handling payment data. By replacing primary account numbers (PANs) and other sensitive details with non-sensitive tokens, network tokenization minimizes the scope of data subject to PCI DSS requirements. Since these tokens hold no intrinsic value, businesses can securely store, process, and analyze them without exposing sensitive data. The result is a simplified compliance process that enables organizations to reduce their security overhead, focus more on core operations, and protect their business and customers. Adopting network tokenization for payment security not only fosters customer trust but also makes navigating the compliance landscape simple.
In 2022 Visa started charging non-token transactions at a higher rate. Merchants can help mitigate these rate increases by adopting network tokens.
In certain instances interchange rates for non-token transactions will increase. By not taking advantage of the digital wallet incentives, merchants are leaving money on the table. As eCommerce transactions continue to increase, what would normally be an unnoticeable fee per transaction now directly affects a merchant's bottom line. With interchange fees changing twice a year, merchants need to be prepared for cost increases.
As businesses increasingly adopt subscription-based models, the importance of a secure, frictionless method for managing recurring transactions cannot be overstated. Network tokenization is the key, as it replaces sensitive card data with unique tokens in coordination with the card networks and issuing banks, creating better cohesion within the transaction chain. These tokens stand in for the cardholder's details and retain the ability to transact even when the physical card is lost, locked, or expired, effectively embedding card-updater functionality and protecting recurring payments, whether on-demand or in a subscription model.
A streaming service could save significantly on transaction failures and customer service costs by employing network tokenization. Moreover, the higher authorization rates associated with it lead to a more reliable revenue stream for businesses and a smoother experience for customers. Consider a streaming service with one million subscribers paying $10 a month: even if only 1% of payments fail each month due to outdated card information, that is a potential loss of $100,000 monthly. Implementing network tokenization substantially mitigates these losses.
Transacting with network tokens is a distinct tool within the broader concept of payment method tokenization that specifically addresses the security of payment card information. Different ways to tokenize a card, whether through a network token, processor-specific token, or cloud token, provide optionality and overlap for stored payment methods. This redundancy and the ability to maintain several token-formats alongside the underlying PAN creates protective redundancies and imparts agility within a payment system.
Merchants can build network tokens into their routing or retry systems - if a preferred gateway declines a transaction using the PAN, the transaction can be resubmitted to a secondary provider with a network token. Understanding and utilizing all the tools available to your payments stack is crucial for businesses seeking to balance and optimize their payments.
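The routing and retry idea above, together with the earlier point about an orchestration layer choosing a network token or a vaulted PAN token per processor, is shown here as an added example (not Spreedly's code or any PSP's API). The gateways, their capabilities and their responses are constructed stand-ins; the split of responses into "soft" (retry elsewhere) and "hard" (final) is the author's simplification of real decline codes. The router prefers the network token wherever the gateway accepts one, falls back to the PAN token otherwise, and stops on a hard decline, because the card networks charge for and penalize reattempts after certain decline responses.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed response categories for the illustration (real decline codes are finer-grained)
APPROVED = "approved"
SOFT_DECLINE = "soft_decline"   # e.g. issuer unavailable: another route may succeed
HARD_DECLINE = "hard_decline"   # e.g. lost/stolen card: never retry elsewhere


@dataclass
class StoredCard:
    pan_token: str                        # vaulted PAN token, accepted by every gateway
    network_token: Optional[str] = None   # provisioned network token, if the card is eligible


@dataclass
class Gateway:
    name: str
    accepts_network_tokens: bool
    charge: Callable[[str, str, int], str]   # (credential_type, credential, amount_cents) -> response


Attempt = Tuple[str, str, str]   # (gateway name, credential type used, response)


def pick_credential(card: StoredCard, gw: Gateway) -> Tuple[str, str]:
    """Prefer the network token where the gateway can take it, else the PAN token."""
    if card.network_token and gw.accepts_network_tokens:
        return "network_token", card.network_token
    return "pan_token", card.pan_token


def route(card: StoredCard, gateways: List[Gateway], amount_cents: int) -> Tuple[str, List[Attempt]]:
    """Try gateways in preference order, retrying only soft declines.

    A hard decline is final: resubmitting the same card elsewhere after one is
    treated as abusive by the networks and can itself trigger fraud rules,
    so the router returns immediately with the trail of attempts.
    """
    attempts: List[Attempt] = []
    for gw in gateways:
        cred_type, cred = pick_credential(card, gw)
        response = gw.charge(cred_type, cred, amount_cents)
        attempts.append((gw.name, cred_type, response))
        if response == APPROVED:
            return APPROVED, attempts
        if response != SOFT_DECLINE:
            return response, attempts
    return "declined", attempts


# Constructed gateway behaviours standing in for real PSP responses
def primary_charge(cred_type: str, cred: str, amount_cents: int) -> str:
    return SOFT_DECLINE            # PAN-only primary PSP, soft-declining today


def secondary_charge(cred_type: str, cred: str, amount_cents: int) -> str:
    return APPROVED if cred_type == "network_token" else SOFT_DECLINE


def stolen_card_charge(cred_type: str, cred: str, amount_cents: int) -> str:
    return HARD_DECLINE            # issuer reports the card as lost/stolen


GATEWAYS = [
    Gateway("primary", accepts_network_tokens=False, charge=primary_charge),
    Gateway("secondary", accepts_network_tokens=True, charge=secondary_charge),
]


if __name__ == "__main__":
    card = StoredCard(pan_token="2876543210991111", network_token="9123456789012345")  # constructed tokens
    print(route(card, GATEWAYS, 1999))
    print(route(StoredCard(pan_token="2876543210991111"), GATEWAYS, 1999))
    print(route(card, [Gateway("strict", True, stolen_card_charge)] + GATEWAYS, 1999))
```

The returned attempt trail is worth keeping in production too: it is the evidence you need when a network asks why a card was reattempted, and it shows at a glance which credential type each processor actually received.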
As the payments space has increased in digital complexity, the need for more advanced payment storage and lifecycle management solutions has become apparent for merchants and merchant aggregators.
Advanced Vaulting is a new service offered by Spreedly that combines the advantages of many distinct and vital lifecycle features that modernize a merchant’s payment system. A key component of this product is the standard provisioning of network tokens for all eligible stored cards.
The Advanced Vault enables merchants to leverage network tokens to maximize the value of vaulted data, all while providing the necessary configuration capabilities to increase acceptance rates, improve the overall user experience, and reduce the costs of lifecycle management.
Network tokens and advanced vaulting can be advantageous for many merchant use cases, including:
To further increase the value of vaulting and network tokenization, Spreedly has partnered with Mastercard’s MDES for Merchants (M4M), enabling the storage of both network tokens and vaulted PAN tokens via the Spreedly payment orchestration solution.
In turn, merchants and merchant aggregators are provided with far greater flexibility when it comes to leveraging the right mix of network tokens and PAN tokens according to their specific payment needs.
Additionally, Spreedly’s agnostic approach to payment orchestration ensures that merchants gain access to network tokens that are compatible with a wide range of payment service providers (PSPs), including compatibility with multiple different payment gateways.
Network tokenization, like all tokenization, converts sensitive PAN data into an innocuous token tied to the merchant. Merchants can then leverage this token across the entire payment transaction. As an added layer of security, a single-use cryptogram is sent across the transacting parties at time of transaction.
From a PCI perspective, in a non-network-token transaction the raw PAN may be exposed to several parties along the way. Those parties may be secure, PCI-compliant providers, but the customer's actual card number is still being handled at each hop. A network token is secured at provisioning and keeps that tokenized form as it passes through every participant in the payment process, including PSPs/acquirers, card networks, and issuers.
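The single-use cryptogram just mentioned, and the domain restriction described earlier in the comparison of network and PCI tokens, are shown together in this added example (not code from the eBook, Spreedly, or any card network). It is a toy token service provider with the issuer-side check folded in: a token is provisioned to one token requestor, every transaction carries a fresh cryptogram over the token, requestor, a counter and the amount, and the verifier rejects replays, use from another domain, and tampered amounts. The cryptogram is an HMAC here, a stand-in for the EMV-style cryptogram real networks use, and the merchant holding the token key is a simplification; in practice the TSP or wallet generates the cryptogram. The PAN is a well-known test number and the token format is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


def make_cryptogram(key: bytes, token: str, requestor_id: str, counter: int, amount_cents: int) -> str:
    """Per-transaction cryptogram over the token, its domain, a counter and the amount.

    Assumption: an HMAC stands in for the EMV-style cryptogram real networks use.
    The properties demonstrated (fresh per transaction, bound to domain and amount)
    are the ones that matter.
    """
    msg = f"{token}|{requestor_id}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class NetworkToken:
    token: str          # the token PAN handed to the requestor
    requestor_id: str   # the single domain (merchant, wallet, device) this token is bound to
    key: bytes          # per-token secret; in reality held by the TSP/wallet, not the merchant


class TokenServiceProvider:
    """Toy TSP plus issuer-side verifier (illustration only, not any network's implementation)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, str, bytes]] = {}   # token -> (pan, requestor_id, key)
        self._last_counter: Dict[str, int] = {}                 # replay protection per token

    def provision(self, pan: str, requestor_id: str) -> NetworkToken:
        # constructed token format: 16 digits starting with 9, unrelated to the PAN
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(16)
        self._tokens[token] = (pan, requestor_id, key)
        self._last_counter[token] = 0
        return NetworkToken(token, requestor_id, key)

    def suspend(self, token: str) -> None:
        """Kill one token after fraud; the PAN and every other merchant's token stay live."""
        self._tokens.pop(token, None)

    def verify(self, token: str, requestor_id: str, counter: int, amount_cents: int, cryptogram: str) -> Tuple[bool, str]:
        """Return (ok, pan_or_reason). Only on success does the issuer side see the PAN."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown or suspended token"
        pan, bound_requestor, key = rec
        if requestor_id != bound_requestor:
            return False, "domain mismatch"          # stolen token presented by another merchant
        if counter <= self._last_counter[token]:
            return False, "replay"                   # captured cryptogram submitted again
        expected = make_cryptogram(key, token, requestor_id, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"           # amount or fields tampered, or no key
        self._last_counter[token] = counter
        return True, pan


def run_scenario() -> Tuple[str, str, str, str, str]:
    """Legitimate use, replay, cross-domain use, tampering, then suspension of one token."""
    tsp = TokenServiceProvider()
    nt = tsp.provision("4111111111111111", "merchant-A")     # constructed test PAN
    nt_b = tsp.provision("4111111111111111", "merchant-B")   # same card, second merchant
    c1 = make_cryptogram(nt.key, nt.token, "merchant-A", 1, 1999)
    legit = tsp.verify(nt.token, "merchant-A", 1, 1999, c1)[1]
    replay = tsp.verify(nt.token, "merchant-A", 1, 1999, c1)[1]
    # merchant-B obtains A's token and even its key; the domain binding still rejects it
    stolen = tsp.verify(nt.token, "merchant-B", 2, 1999,
                        make_cryptogram(nt.key, nt.token, "merchant-B", 2, 1999))[1]
    # amount changed after the cryptogram was computed
    tampered = tsp.verify(nt.token, "merchant-A", 2, 99999,
                          make_cryptogram(nt.key, nt.token, "merchant-A", 2, 1999))[1]
    tsp.suspend(nt.token)
    # A's token is dead; B's token on the same card keeps working
    after = tsp.verify(nt_b.token, "merchant-B", 1, 500,
                       make_cryptogram(nt_b.key, nt_b.token, "merchant-B", 1, 500))[1]
    return legit, replay, stolen, tampered, after


if __name__ == "__main__":
    for label, result in zip(("legit", "replay", "stolen", "tampered", "after suspend"), run_scenario()):
        print(f"{label:14s} -> {result}")
```

The two checks that carry the security argument are the domain comparison and the counter: the first is why a database full of network tokens is not a database full of card numbers, and the second is why a cryptogram intercepted in transit cannot be replayed. Suspending one token while the other merchant's token on the same PAN keeps working is the property the eBook describes as a fraud event no longer taking the whole card out of service.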
Optimizing the customer lifecycle is crucial for long-term success.
With an Advanced Vaulting solution, key features like network tokenization and account updating tools are combined to improve these lifecycles through enhanced and frictionless customer experiences.
Account Updater is one feature in Spreedly’s Advanced Vaulting solution that keeps stored customer payment data up to date. While network tokens have this update-functionality inherent in their design, Account Updater updates the stored PAN of stored cards as needed — such as changes to expiration dates — thus allowing the network tokens to receive proactive life cycle management updates.
When bundled together, Account Updater and network tokens work synergistically to improve the customer experience and, with it, the overall customer payment lifecycle. At Spreedly, we see value in storing the PAN while also provisioning network tokens, to provide flexibility and optionality for transacting across endpoints.
Throughout our exploration of tokenization as it relates to payments, we've delved into its multiple layers, from the nuances of network tokenization to the distinctions between PCI and network tokens. Tokenization not only offers merchants heightened security and reduced fraud costs but also fosters an enhanced customer experience with fewer declines and streamlined recurring payments. As transaction complexities escalate, the significance of adopting advanced payment solutions becomes paramount. Spreedly enables businesses an opportunity to harness the power of tokenization effectively and securely. Armed with this knowledge, businesses are better positioned to navigate the evolving digital payment landscape, ensuring both security and customer satisfaction.