The peaks and pitfalls of payments tokenization

High-profile data breaches, mounting fraud losses, regulatory demands and rising consumer concerns have driven retailers and banks to step up their efforts to improve standards of payment security.

It is no surprise, then, that the use of tokenization is starting to gain significant ground, with a recent survey by Forrester Consulting for ACI indicating that 34% of retailers are already using the technology and a further 36% are conducting pilot programs.

Tokenization, which replaces the Primary Account Number with a unique value or numeric sequence, renders transaction data useless to thieves because they are unable to reverse the process to uncover the original data. As well as deterring hackers and helping to protect sensitive information, adopting tokenization visibly demonstrates a proactive stance in the fight against fraud, helping to boost consumer confidence and brand reputation.

Recently, tokenization has become particularly popular in card-not-present channels, especially in the mobile payments space, where some of the mainstream players have built their security strategies around the approach. Tokenization's ability to simultaneously enhance the security of digital payments and simplify the customer buying experience has made it an appealing and logical option.

Tokenization also delivers benefits around regulatory challenges: by reducing the amount of sensitive data they store, merchants can reduce the scope and costs of PCI DSS compliance.

Despite its undeniable advantages, however, tokenization and the way it is implemented can have critical implications for payments risk management and fraud prevention. To ensure that tokenization works effectively alongside other operational solutions, merchants need to scope and assess a variety of challenges, including:

  • Dealing with legacy data or data at rest – to what degree will tokenization be introduced in these areas?
  • How will reconciliations, returns, refunds and chargebacks be handled during the implementation period?
  • What are the benefits of single vs multi-use tokens, and how do they affect velocity rules and link analysis?
  • Token format – what ‘identifiers’ might need to be retained in the transaction information to support effective order reconciliation and fraud detection?
  • Are there limitations in deploying an in-house tokenization solution?
  • What is the place of tokenization in the broader payments security and fraud prevention strategy?
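
The single vs multi-use and token-format questions above can be made concrete with a small sketch. This is an added example, not code from the article or from any tokenization product: `ToyVault`, `velocity_hits` and the limit of 3 are hypothetical, and the traffic is constructed from public test card numbers.

```python
import secrets
from collections import Counter

class ToyVault:
    """In-memory stand-in for a token vault (hypothetical, not a product API)."""
    def __init__(self):
        self._by_pan = {}    # PAN -> multi-use token
        self._by_token = {}  # token -> PAN; only the vault can reverse a token

    def _new_token(self, pan):
        # Assumed format: keep BIN (first 6) and last 4, randomise the middle.
        while True:
            middle = "".join(secrets.choice("0123456789")
                             for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._by_token:
                self._by_token[token] = pan
                return token

    def multi_use(self, pan):
        # The same PAN always maps to the same token.
        if pan not in self._by_pan:
            self._by_pan[pan] = self._new_token(pan)
        return self._by_pan[pan]

    def single_use(self, pan):
        # A fresh token for every transaction.
        return self._new_token(pan)

def velocity_hits(keys, limit=3):
    """Return the keys seen more than `limit` times in one window."""
    return {k for k, n in Counter(keys).items() if n > limit}

def demo():
    vault = ToyVault()
    # Constructed traffic: one test card used five times, another once.
    pans = ["4111111111111111"] * 5 + ["5555555555554444"]
    single = [vault.single_use(p) for p in pans]
    multi = [vault.multi_use(p) for p in pans]
    return {
        "single_use": velocity_hits(single),   # rule keyed on single-use token
        "multi_use": velocity_hits(multi),     # rule keyed on multi-use token
        "bin_last4": velocity_hits(t[:6] + t[-4:] for t in single),
    }

if __name__ == "__main__":
    for key, hits in demo().items():
        print(key, sorted(hits))
```

Keyed on single-use tokens the rule never fires, because every transaction looks like a new card; keyed on the multi-use token or on the retained BIN and last four it does. The BIN and last four are not unique per card, so a rule keyed on them can also link unrelated cards.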

Failing to thoroughly understand these and other areas can have a far-reaching and costly impact on the effectiveness of fraud management strategies and on brand loyalty, bringing the risk of missed fraud and disruption to the customer experience.