Security

Merchant Tokenization: Protecting Credit Card Data and Reducing Risk  

April 11, 2025

Merchants are handling more sensitive data than ever before – including customers’ payment information. With cyber threats and data breaches becoming more frequent, companies must prioritize security without compromising a convenient checkout experience. Tokenization is one way that merchants can protect sensitive credit card data, streamline recurring transactions, and reduce the burden of compliance along the way. 

The Fundamentals of Merchant Tokenization  

What is Merchant Tokenization?  

Merchant tokenization is, in simple terms, the process of replacing credit card data with a substitute value (a token) that cannot be decrypted or reversed to recover the original card data. Card numbers and security codes are replaced with unrelated letters, numbers, or a combination of the two, and the business stores those characters on its system instead of the original cardholder data.

Single-Use vs. Multi-Use Payment Tokens 

Single-use tokens generally represent one specific transaction. Multi-use tokens, however, are more common. These tokens can be continuously passed to the payment network any time the business needs to charge the customer’s card. Take a deeper dive into the payment data tokenization process here.  

How Tokenization Works in Payment Processing 

A token is generated the first time a customer uses a credit or debit card with a particular merchant. From that point forward, the token is saved to the customer’s account. The next time the customer wants to make a purchase using that card, they can select it (or verbally instruct the merchant to charge it), and the business can run the charge without having to manually type in the card details. The merchant can also use the token to issue the customer a refund or credit.

The Role of Tokenization in Omni-Channel Commerce 

Omni-channel tokenization is considered the “gold standard” for its simplicity. Retailers don’t have to maintain separate payment tokens for each of their sales channels. Instead, one credit or debit card equals one token. That token can then be used online, in person, or for remote phone order entry. A customer can have multiple tokens for multiple payment methods on their account, but the merchant doesn’t have to re-create or manage duplicates for different environments.  

Tokenization for e-Commerce and Online Merchants 

Most of us are familiar with the concept of cards on file as they relate to a digital wallet or online checkout system. That’s why many merchants’ first exposure to tokenization occurs when they first build out an e-commerce payment processing system.  

Some e-commerce token solutions pass the raw, non-tokenized card data through the merchant’s own system to the network and return a token to the merchant after the initial transaction. This means the organization is handling non-tokenized card data on its own system, and it is therefore responsible for protecting that sensitive data while it is in transit.

Other systems have the customer enter their card details in an iFrame, where the data collection and processing is handled by the payment service provider (PSP). The token is generated before the first transaction is sent to the network; the merchant does not ever transmit card data in its original format. When implemented correctly and validated by a Qualified Security Assessor, this can take the company’s e-commerce server out of scope for PCI compliance and reporting.  

Tokenization for Retail Businesses 

It’s less common for retailers to use cards on file in person. However, there are some situations where businesses may want to capture and store card details from a face-to-face transaction. For instance, a rental business that runs an initial charge at the counter may want to retain that billing information to charge the customer each month that they have the equipment out on rent. This can also be a time-saver for subscription- or membership-based businesses, such as gyms. It can also simplify the process of issuing a credit or a refund when a customer makes a return. 

In these situations, the tokenization of credit card data doesn’t occur at the point of sale (within the credit card terminal itself). Instead, card data is encrypted at the terminal, then sent to the authorization network. The authorization network gets the authorization, tokenizes the card data, and sends the token back to the vault.  

Tokenization for Phone Orders 

Tokenization is also useful for merchants who specialize in mail and phone orders. Because these transactions take place remotely, back-office employees have to manually process each one. Selecting a stored card can significantly speed up the process and reduce the risk of mistakes.  

The Role of Payment Tokenization in Security and Compliance

How Credit Card Data Tokenization Reduces Payment Fraud 

As noted, tokenization is an excellent way to protect cardholder data from unauthorized access. In Verifi’s recently released 2024 Global Fraud and Payments Report, more than half of merchants who used a credit card tokenization service did so to improve their security and reduce the risk of data exposure during a breach. If a hacker were to breach a merchant’s system, they would not be able to reverse the tokens to recover the original payment data, which makes the merchant a much less appealing target.

Tokenization vs. Encryption: Key Differences 

As merchants build out their payment processing infrastructure, they often compare tokenization to encryption. Both measures – when implemented correctly – can help them fulfill their PCI compliance obligations. However, tokenization provides additional benefits beyond simply checking a security box. Most notably, it is irreversible. If a hacker were to breach a system and access the payment tokens, they would not be able to revert them to the original card data. In contrast, if they accessed encrypted payment data and the corresponding encryption key, they could easily use that data for fraudulent payments at other retailers.  

It’s important to note that some card tokenization vendors do use reversible encryption methods to generate their tokens. With these providers, the tokens are considered encrypted PANs (primary account numbers); these reversible solutions do not qualify for the same PCI scope reduction benefits as non-reversible tokens.  
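To make the contrast concrete, here is an added example (not Curbstone’s code or any real PSP’s API) of a toy vault-based tokenization service implementing the multi-use token flow described under “How Tokenization Works in Payment Processing”, beside a toy reversible “encrypted PAN” scheme of the kind the paragraph above warns about. The names TokenVault, tokenize, detokenize, delete_card, encrypt_pan and decrypt_pan, the PAN-to-token tables and the HMAC-derived keystream cipher are all assumptions for illustration; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy vault-based tokenization service (constructed example, not Curbstone's
    product). Each token is a random value with no mathematical relationship to
    the PAN; the only way back to the card number is the vault's own table."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # one card on file -> one multi-use token

    def tokenize(self, pan):
        """Return the card's token, issuing a new random one on first use."""
        if pan in self._pan_to_token:  # card already on file: reuse its token
            return self._pan_to_token[pan]
        token = "tok_" + secrets.token_hex(12)  # 96 random bits, unrelated to the PAN
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Only the vault (PSP side) can map a token back; a merchant never does."""
        return self._token_to_pan[token]  # KeyError for tokens this vault never issued

    def delete_card(self, pan):
        """Secure deletion on customer request: drop both directions of the mapping."""
        token = self._pan_to_token.pop(pan)
        del self._token_to_pan[token]


def encrypt_pan(pan, key):
    """Toy *reversible* 'encrypted PAN' for contrast: a keystream derived with
    HMAC-SHA256 is XORed over the digits. Illustration only, not a production
    cipher. Whoever obtains the key can reverse it, so PCI treats it as a PAN."""
    stream = hmac.new(key, b"pan-keystream", hashlib.sha256).digest()
    return bytes(p ^ s for p, s in zip(pan.encode(), stream))


def decrypt_pan(ciphertext, key):
    """Same keystream, same XOR: ciphertext plus key gives the card number back."""
    stream = hmac.new(key, b"pan-keystream", hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ciphertext, stream)).decode()
```

A breached merchant database holding only tokens gives an attacker nothing to reverse, whereas a breached database holding ciphertext plus the key yields the card numbers directly.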

Tokenization and PCI DSS Compliance 

Another important caveat: tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance. However, “they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply.”  

In other words: a business cannot simply implement a tokenization solution and consider their obligation complete. They must still complete their annual self-assessment questionnaires to keep their merchant account in good standing. However, an effective solution can keep data from touching part – or all – of that merchant’s system; those systems would then not need to be covered by their self-assessment questionnaire. A PCI-certified Qualified Security Assessor can provide more specific advice; learn more about tokenization and PCI compliance here. 

What Merchants Need to Know Before Getting Started with Tokenization 

Choosing a Tokenization Solution 

Choosing the right tokenization system can be tricky. When evaluating potential solutions, merchants should consider the following advice from the Payment Card Industry:  

  • Communications between the requesting application (i.e., the place where cardholder data is entered) and the tokenization system must be secured to prevent interception of unsecured data. 
  • The vault where the vendor stores the original data must meet or exceed PCI requirements for tokenization service providers. 
  • The system must support the secure deletion of cardholder data any time a customer asks for it.  
  • Even if a merchant uses a PCI-compliant third-party credit card vault and tokenization provider, they still have their own responsibilities for risk assessments, data retention, access control, usage policies, and logging. A PCI QSA can provide additional guidance on meeting these requirements. 

Discover Curbstone’s Secure, PCI-Compliant Merchant Tokenization Solution 

See why hundreds of merchants trust Curbstone’s PCI-compliant tokenization system for their e-commerce, brick-and-mortar, and remote transactions. For more information, contact us today.