Tokenization is a process that can be used to protect customer data and, in turn, protect merchants and customers alike. We will go over what tokenization is, how it works, and why merchants should look to implement it in their business.
What is Tokenization?
Tokenization is the process of taking important information and turning it into a randomly generated “token,” which is a string of characters. The advantage of tokenization is that if the data gets breached, the tokens cannot be used or understood. The purpose of using tokenization is to keep valuable information, such as your customers’ card numbers, as safe as possible.
How Does Tokenization Work?
A token is a reference to the original data, but if the token gets breached there would be no way to use it. When the information gets transformed into a token, it is pulled from a database called a token vault. The token vault stores the connections between the data and the tokens.
One of the most valuable ways that tokenization can be used is to protect cardholder information. Card networks have started implementing tokenization into their offers for merchants and cardholders. For example, Visa Token Service takes sensitive information such as a cardholder’s 16-digit card number and replaces it with a token, allowing the payment to still happen without exposing any account details. Here are the steps of how this happens:
Step One – The customer starts a payment online, in-store or in-app. This is done through a token requestor. Since the launch in 2014, Visa has added 60 different token requestors, which range from mobile (Google Pay) and wearable (Fitbit) manufacturers to issuer wallets, online merchants, payment service providers, acquirers and more.
Step Two – The merchant sends the token to the acquirer as part of the authorization request.
Step Three – The acquirer sends the token to Visa’s networks to begin processing the transaction.
Step Four – Visa sends the token, along with card details, to the issuing bank for authorization.
Step Five – The issuer either accepts or declines the transaction, and they send the response and token back to Visa.
Step Six – The token and payment authorization are routed back to the acquirer.
These six steps create a frictionless and secure environment for ecommerce and mobile payments.
This process protects the merchant and cardholder when a merchant stores the card number, either to make the checkout process more convenient or for recurring billing. Instead of storing the actual card number, merchants can store the token.
Tokenization vs Encryption
As we mentioned earlier, tokenization is the process of turning data into a string of characters to protect it. The way this differs from the encryption process is that tokenization does not use an algorithm. When data is encrypted, readable text is turned into ciphertext. An algorithm and an encryption key are then used to turn the text back into its readable form. The encryption process is useful for sending information to a third party that has an encryption key.
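To make the token vault from “How Does Tokenization Work?” and the contrast with encryption concrete, here is a small sketch added to this article (it is not Visa’s or any provider’s code). The TokenVault class, the merchant_checkout helper, the tok_ prefix and the sample card number are all assumptions made for illustration.

```python
import secrets

class TokenVault:
    """In-memory stand-in for a token vault; a real one is a separate, locked-down service."""

    def __init__(self):
        self._pan_by_token = {}   # token -> card number (the sensitive mapping)
        self._token_by_pan = {}   # card number -> token, so a stored card keeps one token

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        token = "tok_" + secrets.token_hex(16)  # random: not computed from the card number
        while token in self._pan_by_token:      # regenerate on the (unlikely) collision
            token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._pan_by_token:
            raise LookupError("unknown token")
        return self._pan_by_token[token]


def merchant_checkout(vault, customer_db, customer_id, pan):
    """Merchant side: keep only the token on file, never the card number."""
    customer_db[customer_id] = {"card_token": vault.tokenize(pan)}
    return customer_db[customer_id]["card_token"]


if __name__ == "__main__":
    TEST_PAN = "4111 1111 1111 1111"  # constructed sample (a common test number)
    vault, customer_db = TokenVault(), {}
    token = merchant_checkout(vault, customer_db, "cust-1", TEST_PAN)
    print("stored by merchant:", customer_db)        # what a breach of this DB exposes
    print("vault lookup:", vault.detokenize(token))  # only the vault can map it back
    try:
        TokenVault().detokenize(token)               # no access to the vault's mapping
    except LookupError as err:
        print("without the vault:", err)
```

Because the token is drawn at random instead of being computed from the card number, there is no key that turns it back; the only way to the card number is a lookup in the vault, which is why the vault itself needs the strongest protection.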
Do I Need Tokenization to Be PCI Compliant?
PCI compliance is necessary for all merchants that handle cardholders’ data. Although tokenization can help reduce some of the work that goes into making sure you’re PCI compliant, it is not necessary.
Why Steps Like Tokenization Are Important
Over the last couple of years, data breaches have hit businesses big and small. This has created the need for every merchant to step up their data and fraud security. When a breach happens, not only could it cost the merchant in fees or reparations, it can also cost in customer loyalty and reputation. Every merchant should have the goal to protect customers and protect themselves from fraud. Tokenization is one way to do that.