Despite being one of the biggest rising forces in payments, tokenization is still an unknown entity to many people outside of the industry.
Whether you know about it or not, though, chances are you enjoy tokenization’s myriad benefits every day – either as a merchant, a customer, or both.
Tokenization is what makes many online and digital wallet purchases possible. It enables safer, faster one-click payments, reduces fraud, and boosts authorization rates – while sending abandoned cart rates in the opposite direction.
But what is payment tokenization, exactly – and how does it work? What are tokenization’s different types, use cases, and benefits? What does its future hold – and how can Checkout.com help you adopt this game-changing way to secure the payments you accept?
Let’s find out.
Payment tokenization is the process of replacing sensitive data in a transaction (such as the cardholder’s primary account number, or PAN) with non-sensitive data, called ‘tokens’.
These tokens don’t have any value, or significance, outside of the transaction. Instead, they’re simply random values: ‘references’ that relate back to the tokenized payment data, and allow it to traverse the networks it needs to to complete the transaction – without the risk of data theft.
When an online transaction takes place (be it through a credit or debit card, or a digital wallet) an algorithm generates a ‘token’ to replace the customer’s PAN.
This token – essentially a unique string of numbers – is issued in real time, and acts as a secure identifier of, or surrogate for, the PAN. This means the actual PAN doesn’t have to be transmitted – which makes the whole process more secure, and safeguards the cardholder’s details should a data breach occur.
Because tokens are generated randomly and are unique to each transaction, they’re extremely difficult for bad actors to predict or exploit (even if the transaction is hacked and the tokens themselves become accessible).
Here’s a quick overview of the payment tokenization process:
Not every payment made online is tokenized by default. Payment tokenization is an added security measure, and whether you – as a merchant – apply it to your transactions will depend on your industry, your payments setup, your needs, and your customers’ preferences.
Payment tokenization is, for example, particularly useful for businesses that rely on recurring payments (such as subscriptions) and ecommerce sites looking to reduce friction at the checkout. We’ll explore that in more detail below, though – in the meantime, let’s take a closer look at the different types of payment tokenization.
The main role of network tokenization is to secure cardholder data during payment transactions by replacing the customer’s PAN with a token.
Initiated and managed by the card schemes (including American Express, Discover, Mastercard, and Visa) or payment service providers (such as Checkout.com), network tokenization is the kind of tokenization we’ve been discussing so far in this article.
Network tokens are globally interoperable – so, rather than being limited to one merchant, device, transaction type, or channel, they can be understood throughout multiple payment gateways and acquirers around the world.
PCI tokenization’s role is to protect the cardholder data stored by merchants, payment processors, and other entities in the payments ecosystem.
Remember how tokens can be saved to enable quicker, more seamless recurring payments? Well, PCI tokenization is responsible for reducing the risk associated with the storage of this sensitive payment information, and helping merchants achieve PCI compliance.
Whereas network tokenization is run by the card schemes, PCI tokenization is managed by the entities actually storing the cardholder data: be they merchants, service providers, or payment processors. PCI tokens can be employed across a range of platforms and systems in an organization as a replacement for actual credit and debit card data.
What’s more (and, again, unlike network tokenization), PCI tokens are generally stored in the secure token vaults of the company that initiates the process – not on the cardholder’s device.
Digital wallet tokenization is a type of network tokenization used specifically in the case of digital wallets, such as Google Pay and Apple Pay.
When a cardholder adds a credit or debit card to their digital wallet, the card’s sensitive data (its PAN, CVV, and expiry date) are replaced as a token which serves as the card’s reference. These are then stored within a secure element or trusted execution environment (TEE) on the cardholder’s device (such as a smartphone or smartwatch).
Then, whenever the customer goes to pay with that device, the digital wallet only provides the token to the merchant – thus masking the original card details.
Payment tokenization adds an extra layer of security to an online transaction that all merchants and customers (as we’ll see below) can benefit from.
But there are some industries and use cases that payment tokenization is particularly helpful for – so let’s unpack them in more detail.
Ecommerce businesses can leverage payment tokenization to securely save their customers’ card details on file.
This means that, when a returning customer comes to pay, the merchant can enable a faster, smoother experience at the checkout – reducing friction, and driving down cart abandonment rates. Better still, tokenization can help ecommerce businesses demonstrate their commitment to safeguarding customer data – which can enhance consumer trust and confidence in the online shopping experience.
If you’ve ever received – or made – a payment through your smartphone, you’ve experienced tokenization’s speed- and convenience-related benefits firsthand.
Whether a customer is paying through a digital wallet such as Apple Pay or in-app (or both), tokenization enables these mobile payments to take place faster and more securely. Tokenized transactions don’t, after all, require the same extensive validation and authorization as cardholder data does – so they enable smoother and more seamless mobile payment processing.
Businesses that rely on recurring payments – so, subscription services like Birchbox and Spotify – don’t have time to collect the full litany of their customers’ card details every month, or even year, they’re charging them.
That means subscription businesses need to be able to save, secure – and safely store – card information, while remaining on the right side of PCI regulations. Tokenization helps with this, as none of the actual card’s most sensitive details are stored – only algorithmically generated strings of data that stand in for these details.
Of course, subscription businesses also need to be able to charge these card details, too – or otherwise risk interruptions to the customer’s service, and the resultant lost revenue and customer churn. So tokenization also helps with the card-on-file payment process: generating network tokens to process recurring payments seamlessly, while working alongside a credit card account updater service to ensure the saved information constitutes the latest, most accurate credit or debit card details.
By allowing tokens associated with the customer’s payment method to be securely stored on their device, tokenization enables one-click payments. There’s no need for them to enter their name, their address, their CVV, or even have the physical card on them.
Some of the industries already using one-click payments to great effect include retail ecommerce, as well as the ride-sharing sector. Online marketplaces (Amazon being the most notable example) are also pioneering this tokenization-enabled form of quicker, more convenient payments.
MOTO (Mail Order/Telephone Order) payments occur, as the name suggests, either over the phone or through mail orders.
Usually, you’d have to collect your customers’ credit or debit card details manually (verbally, over the phone). The tokenization process, however, allows customers to provide a token associated with their card instead – reducing their risk of their sensitive payment information being exposed, and lowering your risk of data breaches and PCI non-compliance.
As we touched on above, network tokenization and PCI tokenization serve similar, but different purposes – and operate at varying levels within the payment ecosystem.
The key difference is that in network tokenization, tokens are issued by the card scheme – not the payment service provider or acquirer. Because of this, network tokens are interoperable across the entire payment ecosystem – and have a wider set of potential use cases.
PCI tokenization, on the other hand, is initiated and managed by acquirers or payment service providers on behalf of merchants. The role of PCI tokenization is to secure sensitive cardholder data as it passes between the token provider (such as Checkout.com) and merchant, and reduce the scope of the latter’s PCI DSS compliance requirements accordingly.
Payment tokenization has an impressive wealth of benefits for businesses and consumers – so let’s explore them in detail.
By tokenizing sensitive card information in digital wallets, customers can pay with saved card details – without having to actually carry their cards on them everywhere they go.
What’s more, the security features in-built into digital wallets dovetail nicely with those tokenization provides. Modern smartphones support different ways of biometric verification – whether that’s facial, fingerprint, or iris recognition technology – which allow users to confirm it’s really them making the transaction.
By authenticating the payment via two factors – possession (something they own) and inherence (a unique physical identifier) – these transactions also satisfy SCA (Strong Customer Authentication) requirements. This adds an even more comprehensive layer of security to the transaction, and – as we’ll see below – can even save you money on fees going forward, too.
Learn more: Tokenization vs Encryption
Tokens act as surrogates for sensitive cardholder data, yet are essentially meaningless outside of the system. There’s no universal tool that exists to decrypt them, or to ‘crack the code’ – tokens are generated by an algorithm, in real time, and are thus useless to attackers.
This means that even if a hacker does manage to breach a system, they’d only gain access to tokens (which, remember, are simply strings of numbers with limited usability), rather than any card details they could actually use.
To learn more about how payment tokenization helps combat fraud, explore our in-depth guide to the topic.
SCA – which we touched briefly on before – is important, but its requirements can also be stringent. And the more layers of security you add to a transaction – the challenges and step-up authentications you pile on – the more friction you add to the checkout process.
Tokenization, however, is a security process that actually declutters the checkout; decreasing friction and improving rates of transaction success, while enabling you to recognize legitimate repeat business from across the different channels you sell through.
Visa’s own data supports the link between tokenization and increased authorization rates; it suggests that merchants using network tokens see an authorization rate uplift of around 2%.
Tokenization helps you achieve PCI DSS compliance by simplifying the process, minimizing the risks, and reducing the scope of cardholder data storage and transmission. Network tokens, for instance, hide the card’s details at every stage of the transaction. The merchant has only to handle the token.
It’ll mean you spend less time, resources, and energy on jumping through the hoops of PCI compliance, and enable both you – and your customer – to transact: safe in the knowledge that their sensitive data is secure.
False declines – when a legitimate transaction is mistakenly flagged as fraudulent – are part and parcel of payment processing. That said, they’re also frustrating, because they result in lost revenue, irritated customers, and – potentially – bad reviews, too.
Payment tokenization, however, can help. By providing banks and payment processors with more reliable transaction data, it can assist these entities in distinguishing between genuine transactions and suspicious ones.
What’s more, with fewer false declines – and a more accurate understanding of fraudulent transactions vis a vis legitimate ones – your own fraud monitoring systems will improve. You can feed all this data into machine learning algorithms that evolve and develop with the information, leading to even more effective fraud detection going forward.
If there’s one thing customers love as much as secure payments, it’s seamless ones. So, while payment tokenization’s security benefits are attractive to consumers, so too are the convenience and speed that one-click, MOTO, and card-on-file payments all offer them.
Remember, tokens make payments both safe and secure – and that’s half the battle.
As we’ve seen, payment tokenization solves a lot of problems – and can save merchants a lot of money. By reducing cart abandonment rates, bolstering PCI compliance, and preventing fraud, tokenization can safeguard your revenue from customer churn and cyber threats – while helping you sidestep the hefty fees of compliance.
However, there’s another way tokenization is set to save merchants money going forward – and it relates to a pending Visa price hike. As of October 1, 2023, Visa is introducing a fee increase of 0.025% on all ecommerce transactions within Europe that aren’t sent either with a Visa network token, with 3D Secure authentication, or through Apple Pay or Google Pay.
This kind of policy shows how much tokenization matters to the card schemes – and that they’re placing their collective faith in it for the future. What it also means is that tokenization isn’t a mere ‘nice to have’, but a must have – particularly for merchants unwilling to stomach that fee increase on every transaction they accept within Europe.
Visa already has a history of incentivizing merchants to tokenize their transactions, having previously announced a 0.10% decrease in interchange fees for qualifying merchants. And this, combined with the many years (and dollars) card schemes have invested in tokenization, makes it clear that when it comes to payment security, tokens are most certainly the way of the future.
As the old Chinese proverb goes, the best time to plant a tree was 20 years ago; the second-best time is today. And, while you couldn’t have implemented payment tokenization 20 years ago – it was only invented in 2001, and in a form far more basic than it exists in now – you can implement it today.
Here, Checkout.com can help. Our opt-in, managed network token solution automatically shares network tokens with card schemes such as Visa and Mastercard. And the best part? Since these schemes provide the tokens to us – and these are linked to automatic card updates – you’ll never have to worry about cards you have saved on file expiring; or stress that returning customers are having to re-enter their card details at one-click checkout.
What’s more, the Checkout.com engine can learn from your past transaction information, and – through crunching this data – optimize between the usage of network tokens and FPANs (Formatted Primary Account Numbers) for each transaction you process.
Ready to benefit from payment tokenization – and all the cost-saving, fraud-reducing, and authorization-rate-boosting benefits it offers?
Get in touch with our team today – or explore our network tokenization solution to learn more.