What are tokens?

Tokens are unique, randomly generated strings of characters or symbols used to represent sensitive data, such as primary account numbers (PANs). Since tokens are nonconvertible — that is, they can’t be reverse-engineered to reveal a customer’s original PAN — they’re an effective tool to protect sensitive data during storage, transmission and retrieval.

If you’ve ever been to a casino or an arcade, you’re already familiar with the concept of payments tokenization. In a casino, chips are tokens with different colors to represent different dollar amounts. In an arcade, quarters are converted into tokens that can then be used to play games. In each instance, these tokens only hold value at a specific establishment, meaning you could not walk down the street to a different casino or arcade and use these tokens.

In both of these examples, tokens are used to centralize the exchange of cash, to reduce the risk of theft and to lock the customer into an establishment. For retail merchants, tokens also represent something of value, typically a PAN. Merchants can then use this information to authorize payments — an invaluable piece of the revenue puzzle. But unlike traditional tokens, the payment tokens that retail merchants use are unique. And if they’re lost or stolen, merchants do not lose the value they represent.

How did payments tokenization come to be?

Although the general concept of tokenization has existed for quite some time — again, we’re reminded of the examples of casinos and arcades — digital tokens are a more recent innovation, dating back to the early 2000s. TrustCommerce, a software company, is often credited with inventing payments tokenization as we now know it, having conceived of the idea in 2001 as a way to protect a client’s sensitive payments information.

Today, payments tokenization is a way for merchants not only to secure cardholder data but also to comply with the Payment Card Industry Data Security Standard (PCI DSS). Enforced by the Payment Card Industry Security Standards Council (PCI SSC), PCI DSS is a set of security standards designed to protect payments card data, thereby ensuring the secure handling, storage and transmission of cardholder data by organizations that accept card payments.

To be PCI DSS compliant, merchants must meet 12 requirements, which include securely storing and restricting access to cardholder data.

By replacing PANs with unique tokens, payments tokenization reduces the scope of systems that merchants need to secure cardholder data in accordance with PCI DSS and minimizes the risk of data breaches.

How does payments tokenization work?

Now that we understand the basics of what tokens are, it’s important to understand how they’re created. Payment tokenization is the process by which sensitive personal information is replaced with a surrogate value — a token. That replaced value is stored in a PCI-compliant token vault owned by the token creator, which can be an entity such as an acquirer, issuer, network or payment processor.

To discover the PAN a token represents, a merchant would need to present that token to its creator; the creator would then look up the PAN within their highly secure token vault. When using payment tokens, the creator does not return the PAN to the merchant, but instead uses it to authorize a transaction. This way, the merchant is able to keep sensitive data out of their systems, so that hackers cannot gain access to it.

How are tokens generated?

When a customer initiates a transaction with a merchant, their payment credentials are changed using a strong cryptographic algorithm, which replaces the existing numerals with randomly generated characters and symbols. That algorithm then generates a unique token to represent the encrypted information. The token, along with a reference to the original data, is securely stored in the creator’s vault.  

Are payment tokens reversible?

No, payment tokens are not reversible. The payments tokenization process uses encryption to convert PANs into a sequence of randomized characters, which cannot be converted back into their original format. Once tokenized, the original data is not stored or retrievable from the token, even by the merchants that generate or use the tokens. 

What is the difference between single and multi-use tokens?

Single-use tokens are used for a single transaction and expire after the transaction is complete. Multi-use tokens can be used for years to represent the same account across multiple transactions. 

What formats can tokens take?

Tokens can be non-format preserving or format preserving. 

Non-format preserving:

With non-format preserving tokens, the token takes a different format than the sensitive information it’s replacing. For example, the token replacing a nine-digit Social Security Number (SSN) could be six characters in length and use a random combination of both numerical and non-numerical characters, such as “T@%3N5.”

Format preserving:

Here, the token maintains the same format as the original bit of sensitive information, but the values are randomly changed. For example, a credit card number of “1234 5678 9012 3456” could have a token value of “9687 4595 3211 7312.”

Partial replacement:

Partial replacement tokens are a type of format-preserving token in which some values are left unchanged. This is known as selective masking and is common practice for payment tokens. For example, a credit card number of “1234 5678 9012 3456” might become “1234 5698 3211 3456,” or “1234 XYZ# ABC& 3456.” Partial replacement tokens can be helpful in situations where a merchant might need to verify a cardholder by asking them for the last four digits of their SSN or PAN.
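The vault lookup, the single-use versus multi-use distinction and the partial replacement format described above fit together as follows. This is an added example, not code from ACI or any token provider; the `TokenVault` class, its method names, the 12 to 19 digit bound and the response fields are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """In-memory stand-in for the token creator's vault (hypothetical API)."""

    def __init__(self):
        self._pan_by_token = {}   # token -> (PAN digits, single_use flag)
        self._multi_by_pan = {}   # PAN digits -> existing multi-use token

    def _partial_replacement(self, pan, keep=4):
        # Keep the first/last `keep` digits and the spacing; draw every other
        # digit from the OS CSPRNG, so the token is not derived from the PAN.
        digit_idx = [i for i, ch in enumerate(pan) if ch.isdigit()]
        out = list(pan)
        for i in digit_idx[keep:-keep]:
            out[i] = str(secrets.randbelow(10))
        return "".join(out)

    def tokenize(self, pan, single_use=False):
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 12 <= len(digits) <= 19:   # assumed bounds for this example
            raise ValueError("unexpected PAN length")
        if not single_use and digits in self._multi_by_pan:
            return self._multi_by_pan[digits]   # same account, same token
        while True:
            token = self._partial_replacement(pan)
            # Tokens must be unique and must never equal the PAN itself.
            if token not in self._pan_by_token and token != pan:
                break
        self._pan_by_token[token] = (digits, single_use)
        if not single_use:
            self._multi_by_pan[digits] = token
        return token

    def authorize(self, token, amount_cents):
        # The creator resolves the token inside the vault and answers with a
        # decision only; the PAN is never handed back to the merchant.
        entry = self._pan_by_token.get(token)
        if entry is None:
            return {"approved": False, "reason": "unknown or expired token"}
        digits, single_use = entry
        if single_use:
            del self._pan_by_token[token]   # expires after one transaction
        # A real creator would send `digits` to the issuer here (not modelled).
        return {"approved": True, "amount_cents": amount_cents,
                "last4": digits[-4:]}
```

The only link between a token and its PAN is the vault's lookup table, so a copy of the merchant's token store alone reveals nothing beyond the digits deliberately left unmasked.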

What makes a token safe?

The security of a token is primarily based on how difficult it is to figure out the information it’s replacing, especially when all you have is the token itself. It’s impossible to mathematically determine the original value of a token, and the information that a token replaces is stored in a PCI-compliant token vault. That way, in the event of a data breach, bad actors will only have access to tokens, which are useless to them.

Even if a hacker knew where the token vault was, they would need to find a way in — and, since token vaults leverage advanced security, getting in isn’t as simple as guessing a password or using social engineering to gain access.

Payments tokenization is so secure that it’s specifically listed as a requirement for protecting payments data in transit and at rest by the PCI SSC.

What is the difference between tokenization and encryption?

Although they’re closely related concepts and achieve a similar goal — that is, PCI DSS compliance — payments tokenization and encryption are separate. Tokenization replaces sensitive data with unique tokens that have no intrinsic value, while encryption transforms data into an unreadable format that can be reversed with a decryption key. In other words, tokenization focuses on data substitution, while encryption focuses on data transformation. 

How does tokenization relate to compliance?

Tokenization helps merchants maintain compliance with industry regulations such as PCI DSS by reducing the scope of systems that store cardholder data. When PANs are tokenized, the actual information is replaced with unique tokens, which have no intrinsic value and cannot be reversed to obtain the original data. 

This means that merchants don’t need to store or transmit sensitive data themselves, significantly reducing the risk of data breaches and the complexity of compliance audits. By storing the original data in a secure token vault, merchants reduce both their risk exposure and their compliance scope.

What types of tokens are there?

There are several distinct types of tokens in payments:

  • Acquirer tokens are generated by acquirers when they process cardholder transaction requests on behalf of merchants. Acquirers typically return these tokens to merchants in their transaction response. Acquirer tokens are specific to acquirers — that means they generate them, own them and are the only ones who can use them.
  • Issuer tokens are generated by card issuers for specific use cases, including card-based applications such as Apple Pay, Google Pay and Samsung Pay. These tokens are usually provided to a cardholder’s mobile app, card chip or wallet applications. Issuer tokens belong to the issuer, instead of the merchant, and so may not be as useful for facilitating customer journeys within a merchant’s environment.
  • Network or scheme tokens are generated by the Visa, Mastercard, American Express, Discover, JCB and China UnionPay credit card networks. Each card network operates its own scheme token service. As a result, network or scheme tokens are similar to issuer tokens, with the key distinction that they’re generated by card networks, not issuing banks. 
  • Payment tokens are a relatively new variant of issuer tokens, generated on behalf of at least one card issuer in a framework known as a token program. Merchants and cardholders can request these tokens for specific use cases. For example, a cardholder may request a device-specific token if they initiate a transaction through a mobile application.
  • Merchant tokens are generated specifically for a merchant by a provider of its choosing. The provider generates a merchant token after a cardholder tenders their card for transaction processing.

Even though merchant tokens are created by a third-party provider, merchants own them. This means merchants can incorporate these tokens into customer journeys and business processes within their environment, as well as use them in conjunction with other tokens. For example, a merchant token can be linked to multiple acquirer and issuer tokens, which enables the merchant to support multiple acquirers. Merchant tokens tend to be multi-use, format-preserving tokens.

What are some real-world examples of tokenization?

Payments tokenization has become incredibly commonplace in the world of retail — here are just a few examples:

  • Point-of-sale systems in brick-and-mortar stores can tokenize customers’ PANs after they present their credit or debit card for payment. Rather than store actual card numbers, merchants use tokens for payment processing.
  • Mobile wallets such as Apple Pay, Google Pay and Samsung Pay use tokenization to secure smartphone transactions, replacing credit and debit card numbers with randomly generated tokens.
  • eCommerce companies often tokenize customer payment information for recurring payments to facilitate one-click transactions, streamlining the online purchasing experience.
  • Subscription services commonly tokenize the card credentials they keep on file for processing recurring payments.

What are the benefits of payments tokenization?

By implementing payments tokenization, merchants can:

  • Ensure PCI DSS compliance. By replacing PANs with randomly generated characters and symbols, tokenization dramatically reduces merchants’ exposure to risk, enabling them to secure payments and meet PCI DSS compliance obligations.
  • Control costs. Tokenization simplifies payments security, which means merchants spend less trying to meet PCI DSS’s compliance requirements. Additionally, by securing payments, tokenization reduces the risk of data breaches and their associated costs, such as fines, legal fees, damage to their reputation and loss of business.
  • Increase payments efficiency. Tokenization enables merchants to keep customers’ tokens, rather than their PANs, on file, which streamlines the payments process. Rather than manually enter their information every time they initiate a transaction, customers can easily and securely set up recurring or one-click payments.
  • Reduce the risk of data breaches. With tokenization, merchants can store only tokens, not customers’ PANs. This way, should a bad actor hack into a merchant’s systems, they’ll only be able to access tokens, which are useless to them, rather than actual cardholder data.
  • Improve the customer experience. From a faster, more seamless checkout process to the peace of mind of knowing that their payments information is kept safe, tokenization enhances the customer experience and improves long-term satisfaction and loyalty.

How can I implement payments tokenization?

Getting started with payments tokenization is as easy as investing in the right solution. ACI Worldwide offers omni-tokens — payment tokens that can be used across channels and with a wide variety of payment methods — as part of our ACI Payments Orchestration Platform.

Unlike comparable solutions, ACI gives merchants complete ownership over their tokens, which they can use freely across their environment and across all channels. And our highly secured, PCI-compliant token vault ensures that your customers’ card details are kept safe, no matter what.  

To learn more about omni-tokens, download our info sheet or schedule a consultation with a member of the ACI Worldwide team today.  

eCommerce and Omnichannel Merchants - Marketing

Terry is a seasoned marketing professional with over 30 years of experience. While he has worked in payments for only five years, he has experience with both eCommerce and omnichannel merchants as well as with payment intermediaries. He enjoys building and repairing things with his hands and coming up with innovative ideas to solve complex problems.