Tokenization is a payment security technique that replaces credit card data – e.g., physical card numbers and CVV codes – with randomized digits. The tokenization process lets merchants “keep” cards on file without storing customer data on their local system. Because sensitive information is not accessible in the event of a breach, this offers a much higher level of payment security for both merchants and their customers.
The Tokenization Process
The tokenization process differs slightly between transaction types. (It also varies slightly between vendors.) A typical credit card tokenization flow is as follows*:
*The steps below refer to multi-use payment tokens. The process is considerably different for single-use payment tokens, which are only intended to be used for a single transaction.
1. The Customer Initiates a Transaction
A customer starts a transaction using their credit or debit card. This can be done in person using an EMV terminal or contactless payment method; through an online checkout; or over the phone using manual data entry.
2. Card Details Are Captured
The merchant’s payment system captures the customer’s card details, including the:
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Card Verification Value (CVV) Code
3. A Token is Generated and the Payment is Processed
The credit card tokenization service generates a unique value to replace the original card data. This token is a random string of letters and numbers that is mathematically unrelated to the original card number.
For most in-person transactions, sensitive card data is encrypted at the terminal, then sent to the authorization network. The authorization network gets the authorization; then the tokenization system processes the card data and sends the token back to the vault.
In e-commerce and MOTO scenarios, the card data can be tokenized at the point of entry (for instance, on the web page where the customer types in their credit card information). From there, the system can return the token for future processing; the merchant does not store the card data in its original format. This method reduces the number of places where sensitive information is exposed and does not require the merchant to store the non-tokenized card data. As a result, it can reduce the merchant’s security obligations under the PCI DSS.
Once the token has been passed to the card network, the issuing bank verifies the card details. If the transaction is approved, the authorization response is sent back through the payment chain to the merchant. The merchant receives confirmation and completes the transaction for the customer. If the transaction is not approved, the payment is declined and the customer can be prompted for an alternative method of payment.
4. The Merchant Reuses the Token for Future Transactions
The next time the customer wants to purchase goods or services using that method of payment, they (or the merchant) can select the stored card to run the transaction. The processor recognizes the token and maps it back to the original card details.
If the merchant is using omni-channel tokens, they can create a token in one sales channel (e.g., on an online checkout page) and re-use it elsewhere (e.g., over the phone). All the tokens associated with the customer’s account are available for future transactions.
5. The Token is Refreshed If/When the Card Expires
When a customer’s card expires, the merchant will need to enter a new method of payment. If the card number itself doesn’t change, the merchant can contact the customer for an updated expiration date, without having to re-enter the full card number. Proactive reports that tell the accounting team which cards are expiring in the near future can make this process faster and easier.
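Steps 3 to 5 as an added sketch, not Curbstone's code or any vendor's API: a hypothetical in-memory `TokenVault` issues a random multi-use token, maps it back to the card for later charges, and updates the expiration date without the card number being re-entered. The class and method names, the `tok_` prefix and the rule that one card keeps one token are assumptions; the card number is a constructed test value.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits

def luhn_ok(pan: str) -> bool:
    """Card-number checksum; rejects mistyped PANs before they are tokenized."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class TokenVault:
    """Hypothetical processor-side vault; the merchant never holds this data."""

    def __init__(self):
        self._cards = {}   # token -> card record (a real vault encrypts this at rest)
        self._tokens = {}  # PAN -> token, so one card keeps one multi-use token

    def tokenize(self, pan: str, exp: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        if pan in self._tokens:
            return self._tokens[pan]
        # Drawn from a CSPRNG, so the token is not derived from the PAN.
        token = "tok_" + "".join(secrets.choice(ALPHABET) for _ in range(24))
        self._cards[token] = {"pan": pan, "exp": exp}
        self._tokens[pan] = token
        return token

    def detokenize(self, token: str) -> dict:
        """Step 4: map a stored token back to the card; unknown tokens raise KeyError."""
        return dict(self._cards[token])

    def refresh_expiry(self, token: str, new_exp: str) -> None:
        """Step 5: same card number, new expiration date, token unchanged."""
        self._cards[token]["exp"] = new_exp

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"              # constructed test number, not a real card
    token = vault.tokenize(pan, "12/25")
    on_file = {"customer": "C-1001", "token": token}  # all the merchant stores
    vault.refresh_expiry(token, "12/29")
    print(on_file, vault.detokenize(token)["exp"])
```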
Discover Secure Payment Card Tokenization Solutions for Your Business
Curbstone’s remote tokens replace payment data in your order entry software and on your IBM i, allowing you to easily run recurring transactions without storing credit card information on your own system. To learn more about our card tokenization technology and how it can help you reduce the burdens of reporting and compliance, contact us.