Understanding Payment Tokenization

It’s a buzzword in the payments industry, but how does it work?

Credit card tokenization is a security measure that protects cardholder data as it passes through the channels of the payment processing system. It converts card data, such as an individual’s Primary Account Number (PAN), into randomly generated codes called tokens. Each token serves as a substitute for live data in a company’s payment database and requires a specific tokenization system to be reverted. “Keys,” or identifiers of the tokens, are mapped out in that tokenization system, which is located at the data’s destination: the payment processor.

Tokenization vs. Encryption

The goal of credit card tokenization is to render cardholder data meaningless until it’s processed. In the case of a security breach, a token is a non-sensitive string of characters rather than the valuable payment data it represents. It differs from encryption in that encryption is reversible using a mathematical algorithm. There’s a specific formula linking live data to its encrypted form, whereas tokenized data is random and requires a unique identifying system to be “unlocked.”

Conserving Resources

Merchants benefit from credit card tokenization because it frees them from the risks of storing and transmitting cardholder data. When a consumer makes a card payment, the card data enters the merchant’s network only in the form of a token, so there’s less liability for the merchant in the case of a security breach. With less raw data to protect, the business can shrink its Payment Card Industry Data Security Standard (PCI DSS) scope.

Tokenization is a convenient tool for subscription billing. Rather than collect cardholder data to process recurring payments, a business can keep an individual’s card information on file in the form of a token so that it can be used again. The token can only be reverted to live data when it gets transmitted to the highly secure payment processor. One-click checkouts and mobile wallet applications such as Apple Pay also utilize tokenization. Customers can rely on the secure tokens stored on their accounts rather than re-enter sensitive card information every time they make a payment.
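
The sketch below is an added example, not code from any payment processor. It models the vault lookup described under “Tokenization vs. Encryption” and the card-on-file flow for subscription billing. The class names, the `tok_` prefix and the test card number are assumptions made for illustration.

```python
import secrets


class ProcessorVault:
    """Hypothetical tokenization system located at the payment processor."""

    def __init__(self):
        self._token_to_pan = {}  # the only place the token-to-PAN mapping exists
        self.charges = []        # (last four digits, amount in cents) charged

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit():
            raise ValueError("PAN must be numeric")
        # The token comes from a CSPRNG, not from the PAN: no formula turns
        # it back into card data, only a lookup in this table does.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        pan = self._token_to_pan.get(token)  # detokenization happens only here
        if pan is None:
            return False                     # token unknown to this vault
        self.charges.append((pan[-4:], amount_cents))
        return True


class Merchant:
    """Hypothetical merchant that keeps a card on file as a token."""

    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.cards_on_file = {}  # customer id -> token; no PAN is stored

    def enroll(self, customer: str, token: str) -> None:
        self.cards_on_file[customer] = token

    def bill_subscription(self, customer: str, amount_cents: int) -> bool:
        return self.vault.charge(self.cards_on_file[customer], amount_cents)


def demo():
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = ProcessorVault()
    shop = Merchant(vault)
    # Stands in for the customer sending the PAN straight to the processor;
    # the merchant only ever receives the resulting token.
    shop.enroll("alice", vault.tokenize(pan))
    results = [shop.bill_subscription("alice", 999) for _ in range(2)]
    return vault, shop, results
```

A copy of `cards_on_file` taken from the merchant is useless against any system that lacks the vault’s table, which is the property the article contrasts with encrypted data.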