Omni-Commerce Is Heating Up the Merchant Token Revolution
Merchants around the world have embraced the wisdom of keeping sensitive customer data (such as card numbers) out of their own environments, with tokens emerging as the tool of choice to bridge the gap. Merchant functions — including reservations, returns, reporting, rewards, research, reconciliation and more — have typically required access to sensitive data, but a series of high-profile breaches has highlighted the need to store card numbers in tightly secured safe harbors.
However, with multiple merchant functions requiring access to sensitive data, including card numbers, how can tokens stand in for the real deal?
Defining the token
Many of us remember receiving tokens from our parents at an arcade or amusement park to pay for games and rides or are familiar with chips used in the likes of casinos. These tokens are a representation of money or value only in their respective environments — hence my nephew’s utter disappointment when the Disney coins he had saved up were not accepted at Universal’s parks.
In the context of payments, a “token” typically implies a representation of an actual payment instrument within a defined environment. The PCI Security Standards Council defines tokenization as "a process by which the primary account number (PAN) is replaced with a surrogate value called a token. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value."
It is critical to note from the PCI council’s definition that a secure token is not an encrypted card number, and it should be impossible to derive, mathematically or otherwise, the actual card number.
Are all tokens equal?
In short, no. When it comes to payments, several distinct types of tokens exist, and it is important to understand the differences:
Acquirer tokens are generated by acquirers when they process cardholder transaction requests on behalf of merchants and they return the token in the transaction response. The downside is that acquirer tokens tend to require an unhealthy dependency on acquirers.
Merchant tokens are generated specifically for a merchant by a provider of its choice. They are generated after a cardholder tenders their card for transaction processing but are owned by the merchant, which provides the merchant with a strong degree of comfort in their independence.
Issuer tokens are generated by card issuers and schemes for specific use cases, including card-based applications like Apple Pay, Google Pay and Samsung Pay. These tokens are usually provided to a cardholder’s mobile app, card chip or wallet. An issuer token has significantly broader scope and can be used to initiate payment at multiple merchants during its life span.
Payment tokens are a relatively new variant of issuer tokens, generated on behalf of at least one card issuer in a framework known as a Token Program. The tokens are requested on behalf of merchants and cardholders based on specific use cases. Payment tokens are designed to enable end-to-end payments from merchant to issuer, without the need to translate the token to a card number. With payment tokens, the same token can also be used at multiple merchants.
How do merchants retain control and flexibility?
Merchant and acquirer tokens are the more pragmatic tokens for merchants looking to bridge the gap left by the elimination of card numbers from their retail environments. Merchant tokens are the logical choice for merchants seeking to seamlessly handle all their internal functions, as they can define the formats and the usage of their tokens, as well as migrate their tokens to another provider. This token independence fosters innovation and seamless integration of internal and external systems in the merchant environment. For example, merchants using tokens that preserve card number format will not need to alter existing internal or external interfaces because such tokens can be used as seamless replacements for card numbers.
The emergence of an omni-token approach
When utilizing merchant tokens, merchants are best served by engaging a payment platform that can provide the merchant with omni-tokens. When their payment provider is responsible for creating tokens, the merchant will receive tokens for internal use, while the provider will translate the same tokens to card numbers for external payment-related processes like authorization, fraud checks and settlement.
These omni-token can be used across the merchant’s entire payments ecosystem. This is particularly useful for merchants that interact with cardholders across different channels, including eCommerce, mobile apps, in-store lane, in-store kiosk, call centers, remote pop-up locations, etc.
For example, if a fashion retailer received an omni-token for a consumer’s card number when she paid for shoes at the merchant’s eCommerce site, that same token will be used to identify her when she makes another purchase in-store. The store clerk can be alerted to the eCommerce purchase, opening up new opportunities for customer engagement. Likewise, that same omni-token can be sent to the merchant’s loyalty provider and used to compute this consumer’s rewards points, so that a coupon for a free scarf could be sent to her mobile phone app. And, when she calls about returning the shoes, her payment can be easily and smoothly refunded. The accounting department can continue to reconcile and report on all payments in the same manner as it did when card numbers were used. This sort of secure, seamless integration is only possible when merchants partner with suitable payment providers for the provision of their merchant-owned omni-tokens.
The token revolution heats up, so merchants must stay well informed about the different types of tokens available. Selecting the right tokenization solution that aligns with their use cases will not only be critical to making the right token investment but building a customer-centric payments experience.
Make sure to sign up for our new video series that busts payment myths, with the third episode on tokenization released September 12.
Related Blog Posts
Payments Modernization in the Cloud: An Inflection Point in the History of Payments
Public cloud is one of the big buzzwords in payments right now. While a few years ago financial institutions were reluctant to embrace the technology, they are now among the most likely to do so. ACI discussed the topic of Payments Modernization in the Cloud during a recent webinar, moderated by Finextra’s Head of Research Gary Wright. Katrin Boettger caught up with the panellists — Ciaran Chu, head of cloud at ACI; Peter Hazou, business strategy leader at Microsoft and Lu Zurawski, practice lead, retail banking at ACI — about why the COVID-19 pandemic might be a further catalyst for the worldwide adoption of cloud technology.
From "Access to Cash" to "Access to Digital" – How Innovative Thinking Is Keeping SMEs Trading
With millions of people in London and the wider U.K. having endured lockdowns and restrictions, the COVID-19 pandemic has had a massive impact on our shopping habits. While some supermarkets have struggled to keep up with customer demand and social distancing rules, many small, local business have adapted to the crisis quickly, efficiently and in innovative ways. While supermarkets have run out of delivery slots, smaller businesses are now offering local deliveries whilst providing safe digital payments options. They are also selling goods that the big supermarkets have run out of because traditional supply chains have been interrupted.
For LATAM’s Financial Institutions, Long-Term Success Runs Through the Public Cloud
In just a few short years, the public cloud has become an invaluable driver of innovation, cost savings and security for businesses throughout the world. For the LATAM region, which is already experiencing an acceleration of its modernization efforts due to the COVID-19 pandemic, the public cloud can serve as a gateway for transformation — helping to deliver long-term success, particularly as we enter the era of real-time payments.
No Margin for Error: Acquirers Must Now Master the Art of Reinvention [Q&A]
The digital transformation of banking and growing competition within the industry is rapidly changing the world of global acquirers. Long gone are the days when an acquirer’s primary role was simply to facilitate an acceptance ecosystem for credit card payments. As part of its new “Prime Time for Real-Time” report, ACI recently published No Margin for Error, an eBook looking at the changes — and challenges — facing acquirers. I spoke to Ruth Fornell, our executive vice president – consumer payments, about the key insights, why acquirers are being forced to rethink their business models and what the future may hold.
Digital Payments: A Creature Comfort in the Era of COVID-19
Humans have an impressive ability to adapt – and have quickly done so in terms of their spending behaviors and choice of payment methods in response to the COVID-19 pandemic. Lockdowns forced many to consider cash alternatives to make payments, driving a huge surge in demand for digital payment services. And in some European countries, demand has risen as much as 81 percent.
Why Human Nature Presents a Challenge for Acquirers
It’s one of the great paradoxes of human behavior: people are predictably unpredictable. We work in irrational ways, hearts win out over heads and the unexpected can rapidly become the norm. Try as we might, predicting the emergence of any new trend is difficult – particularly in unpredictable times – and this is just as true in the world of payments as it is elsewhere.
Taking a Holistic View of ISO 20022 Migration and Payments Modernization in the Pacific
Today’s payments modernization efforts, most notably real-time payments, not only work to satisfy changing consumer preferences and behaviors, they also serve to future-proof national economies throughout the world. But for real-time payments to deliver maximum value, consumers and financial institutions must be able to exchange meaningful and actionable information — hence the development of ISO 20022, a standard for electronic data interchange that facilitates the fast, standardized and secure exchange of financial messages across borders.
How India is Tackling the Challenges of Digital Payments Growth
India’s massive transformation from a cash-based society to a cashless society is underscored by the rise in fintech adoption and the growth of the Unified Payments Interface (UPI) platform, which is now processing more than one billion transactions each month.
Deep Dive: Latin American Fintech Market (Part 2)
To support fintechs’ development and create a more inclusive financial system, governments across the Latin American region should adopt different regulations. Some good practices implemented in other countries, like the U.K. or Singapore, could also be adopted in Latin America, such as temporary exemptions on fintech authorizations on behalf of regulating entities, or the creation of temporary regulation sandboxes in which fintechs can operate, evaluate their business models and offer their innovative products in supervised environments.
Deep Dive: Latin American Fintech Market (Part 1)
There is a gap between what financial institutions currently offer versus what today´s customers want in Latin America, and this is where fintechs are earning a reputation for customer-centricity, personalization, quick response and seamless delivery. The relationship between fintechs and traditional financial institutions in Latin America has evolved from competition to collaboration, with the aim of efficiently working together and effectively scaling innovation, while also driving financial inclusion for the underbanked.