Skip to main content
ArticlesPCI ComplianceSecurity

Card on File Tokenization: How to Securely Process Recurring Payments Without Storing Cardholder Data on Your System

By June 2, 2022March 9th, 2023No Comments

Card on file tokenization has become one of the payment industry’s hottest topics: but why is everyone talking about it? What are credit card tokens, and how do they help merchants process recurring transactions?

Tokenization impacted the payment processing world significantly. When it comes to organizations that handle credit cards and process a high volume of repeat purchases – either via recurring subscriptions or long-term customer/supplier relationships, the combined concepts of cards-on-file and tokenization really changed the game.

Tokens bridge the gaps, giving you the best of both worlds. You don’t have to make that embarrassing phone call to your customer to ask for their card number again when you need to collect another payment or process a refund.

Meanwhile, your operators will not have to re-key the same information for each transaction, saving you time and increasing order accuracy. Increased processing accuracy means fewer declines, which could improve your processing rate (saving you BIG money!).

Card on file payments also simplify the customer experience. Your customers can save their cards for future use, or perhaps even set up recurring payments. The next time you have the customer on the phone placing a new order, you can simply ask if they want you to charge the card you have on file. Or, when they check out online, they can select a previously used card from their digital wallet – providing a faster and easier experience that can reduce abandoned carts.

For each of these benefits, you would typically have to store the customers’ card data for future use. However, this comes with a complicated set of PCI compliance requirements. This is where tokenization bridges the gap – You can achieve all the benefits of keeping cards on file, AND you don’t have to store the customer’s card data on your system! That means fewer responsibilities and less reporting.

It sounds too good to be true, but the truth is – if your payment solution does not allow you to store card data as tokens, you are using a sub-par solution. That’s why everyone is talking about it. All of Curbstone’s technologies were designed with remote tokens as one of the key security features.

What is Card on File Tokenization?

Now we know a little more about the concept, but what is it exactly? How does it work?

Simply put, tokenization is the act of replacing sensitive data for something meaningless. You take the data you care about and you replace it with a token. Then, when you need to use/retrieve/interact with it, you refer to the assigned token.

Here’s an example of how card on file payments work in Curbstone:

For every transaction, Curbstone responds with a 15 character token. (In Curbstone lingo, this field is the MFUKEY – Management Field Unique Key). If a subsequent transaction is required against a card for which you already possess a MFUKEY, Curbstone only needs the MFUKEY to process that transaction.

EMV Tokenization

EMV tokens are created when payment is made on an EMV-enabled credit card terminal. Typically, the use of tokens is functionally the same for EMV devices as with any other payment form, with exception to how the tokens can then be used. Often, EMV tokens can only be used for EMV transactions. You should check with your terminal manufacturer to determine if tokens generated on one EMV terminal can be reused on another terminal.

EMV TerminalHow to Process Card on File Transactions with Remote Token Solutions

Remote tokenization for payment processing is easy. With Curbstone, we give you a token in the response for each transaction. If you give us a token, then we know to go to the transaction represented by that token, and to reuse the card authentication details for the current transactions. Easy!

This provides incredible flexibility. Now, your checkouts are faster, with a higher degree of accuracy, AND your customers are happy with all these secure new features. Your system can provide that experience without taking on the massive challenges that typically accompany the storage of card data.

In fact, regardless of whether you are talking about online, mail or phone order, or retail transactions, Curbstone’s technologies are designed to minimize the involvement of actual card data in your environment, while maximizing integration into your systems and programs. We also offer programmatic interfaces to maintain, roll-over, and update your tokens, saving you even more time and money.

Getting Started with Card on File Tokenization

Getting started first requires using a credit card processing solution that supports tokenization. That could mean starting fresh, or you can find a solution that allows you to bring your previous transactions with you. Curbstone supports the ability to “migrate” your existing card transactions into our platform, making the transition much simpler.

Once enabled, Curbstone recommends performing an initial $0 authorization for the card details you are tokenizing. This lets you confirm that the address and CVV match what the issuing bank expects. Once satisfied, you can be more confident in the authenticity of the card, and you are better equipped to combat potential chargebacks. From there, you can tokenize this transaction, effectively placing the card “on file” within the Curbstone Portal (NOT your system). Curbstone stores your data and returns to you a unique token – aka MFUKEY.

Once you have a process in place, you can begin customizing the way you use those tokens. You can configure a secure digital wallet to store your customers’ cards on your website, in turn letting you provide “one-click payments” to online customers. You can also automate recurring payments on a pre-determined schedule (i.e., for a monthly, quarterly, or yearly payment agreement).

The Security Benefits

Paraphrasing the Payment Card Industry (PCI), more effective than advanced encryption of data is not having it there at all. Tokenization is a PCI-approved method for protecting cardholder data.

How Payment Card Tokenization Improves SecurityWith a tokenized payment solution like Curbstone, the card data is removed from your systems – and potentially your network altogether. Instead, Curbstone stores it on our systems. We then complete annual third-party PCI compliance audits so you don’t have to.

On your end, you only store the tokens that are issued by Curbstone. If your environment is breached, or hackers target your website, or one of your employees decides to try and steal from the company… there isn’t anything usable in your environment to steal. Just a bunch of silly, useless tokens. You can rest easier at night knowing that you are protecting your customer’s most precious information.

Not only is there nothing valuable in your environment for a hacker to steal, you also get to spend less time on PCI compliance. Any entity that accepts, processes, or transmits credit card data must obey the regulations set forth by PCI in accordance with the applicable Self-Assessment Questionnaire, depending on several merchant-specific factors.

To sum up a very complicated matter into a simple sentence, having card data on your systems = a long and complicated self-assessment questionnaire; having tokens on your system = a much shorter and more efficient SAQ!

Learn More About Card on File Tokenization

To learn more about securely processing card-on-file transactions online, over the phone, by mail, or in person, contact us today:

A Trusted Member Of The Payments Industry