Protecting sensitive data as it moves across networks is a major concern for all participants in the payments ecosystem. Tokenization is one solution that helps reduce the exposure of sensitive data in situations where it could be accessed by criminals.
In the processing of payments, tokenization refers to replacing certain data – typically the account number on a consumer’s card – with a series of randomly generated numbers that would be useless to a criminal if other security methods are compromised and the number is obtained. That series of numbers – known as a token – serves as a unique identifier as the transaction travels through the payments system.
Tokens can be used in-store and online, and they are often used in cases where card information is stored for future use, such as digital wallets, instances of recurring billing and ecommerce sites. When a consumer provides their account information to one of these services or retailers, that business will request a token from a service provider. The steps to tokenization may vary slightly depending on the application, but we can use the example of Visa’s token service to demonstrate the basic process.
According to Visa, it shares the token request with the issuing bank – the bank that holds the consumer’s payment account. If the bank approves the use of a token, Visa’s token service then generates the token and sends it to the original requestor (business) to keep on file. Visa safely stores the sensitive card information in a token vault.
Then when the consumer seeks to initiate a payment or purchase, the service or retailer it is using – the digital wallet or web site (for example) – will route the transaction, including the token, to its merchant acquirer as usual. When Visa receives the transaction information from the acquirer, it sends the token and the associated card information to the issuing bank for authorization. To complete the transaction, Visa routes the token and the authorization back to the merchant acquirer upon approval from the issuing bank.
Tokenization helps to reduce PCI scope for retailers and other services that use it, because they are not storing the actual payment credentials within their systems. Instead, they are storing the token, which is worthless outside of the context where it’s being used.
Payment facilitators may serve as the token providers for their submerchants by partnering with token service providers and integrating those services into their platforms — giving their entire portfolio access to such data protections as another benefit in their suite of solutions.