Security is one of the most crucial components in payments. As technology advances and payment solutions evolve, it’s important that payments are kept safe and secure for merchants and consumers. Tokenization, EMV, and encryption are all key players in ensuring this. To provide a deep dive into each, we are doing a “Payment Security Spotlight” blog series, with the first being focused on tokenization.
Tokenization is the process of replacing the Primary Account Number (PAN) with unrelated, scrambled digits after the initial authorization. Tokenization limits the amount of vulnerable information transmitted and stored by merchants, or on mobile devices.
Tokenization is most often used in two forms: Transaction tokenization, where card and transaction are tokenized, and durable (or card-based) tokenization, where card and merchant are tied together in a durable token.
Transaction tokenization is focused on securing the payment information during the time of the transaction. This type of tokenization protects the payment in-transit. In this type of tokenization, when a consumer makes a purchase, a one-time token is created for that one-time transaction. If the consumer decides to return the item purchased, they would be returning it on the token created in the initial transaction; the card acts as auxiliary information. Merchants who don’t initiate multiple sales over time with a consumer (recurring or subscription-based transactions), or who don’t have the need to track a consumers buying pattern, use this type of one-time transaction tokenization.
Durable tokens, which Apriva specializes in, ties the card and the merchant together, making recurring payments possible while protecting the card information from being used with another merchant. When the consumer uses a payment card with a merchant for the first time, that first point of interaction creates a token. Every time the consumer goes to that merchant, the token that was created from the first interaction will be used, and is only able to be used with that merchant alone. If someone were to attain that specific token from that specific merchant and try to use it with a different merchant, it would not work. This type of durable tokenization is typically used at places like car washes and gyms, where “card-on-file” is practiced and subscriptions are common.
Durable tokens allow for faster transaction time and higher security because the specific token is stored with the merchant as opposed to vulnerable cardholder data (CHD), which the merchant doesn’t need for processing payments. Apriva, in the back end, stores the CHD in an encrypted data base making the entire transaction more secure for merchant and consumer.
Tokenization, while not a PCI compliance requirement, does simplify PCI compliance for merchants. If a merchant has tokenization, they may be able to declare reduced PCI scope as CHD is not involved. You can learn more about this in the PCI DSS Tokenization Guidelines.
Looking forward, Big Data and advanced analysis are creating a path for further innovation for tokenization. The next step will be for card issuers and processors to be able to bring in another layer of information for determining if a token is correct and should be approved. Currently, durable tokens can be used with the one merchant only, but through various portals (devices, online, etc.) with that merchant. To add another layer on this would mean that durable tokens would only be usable with the merchant they are tied to, through the acceptance method they had initial interaction with. For example, the durable token that would be used in an in-store transaction by a consumer, would only be usable on that device in-store. If the consumer were to buy from that same merchant, but online, a different token for the specific transaction would be used. This will increase payment protections and make it even more difficult for hackers to use tokens they may gain access to as they look to exploit vulnerabilities in merchant systems.
Tokenization plays a critical role in the overall payment security chain, and will continue to do so as tokenization technologies advance. We will discuss other parts of the chain in future posts, so be sure to check back in with us for part two of our Payment Security Spotlight series, focusing on the role of encryption in payments security.