Tokenization is a method of protecting payment card data by replacing the cardholder’s account number with a surrogate value, called a token. Tokens can be used to authorize payments without exposing the underlying account number.
Why do merchants need to tokenize credit card data?
Merchants need to tokenize credit card data in order to meet the credit card data security standard, also known as PCI DSS. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, Mastercard, American Express, Discover and JCB.
What are some benefits of tokenization?
Benefits of tokenization include:
- Tokenization helps reduce the scope of a PCI DSS assessment.
- Tokens can be used to authorize payments without exposing the underlying account number.
- Tokenization makes it difficult for criminals to steal payment card data.
- Tokens can be used to identify customers in the case of returns, exchanges or customer service.
- Tokenization has minimal impact on business processes and workflows until it is time to perform chargebacks. This allows merchants to implement tokenization without having to make any changes to their current systems or workflows.
- Tokens can be replaced when required, such as when migrating to new systems without having to re-evaluate payment card security.
- Tokenization addresses the needs of all stakeholders: customers, merchants and issuers.
- Tokens can be used for digital wallets that consumers access via mobile devices or websites, virtual terminals, ecommerce applications, at ATMs and POS terminals using NFC technology, and other locations where traditional card data cannot be entered into the payment terminal (e.g., vending machines and parking meters).
- Tokens can also be used for Physical Security Token (PST) devices that generate one-time passwords to authenticate online transactions and access systems.
- Tokens can reduce PCI DSS scope by masking sensitive data.
- Tokens can help reduce the cost of PCI compliance by reducing both costs and risks associated with security administration and controls, as well as potential fines from non-compliance.
- Tokenization is an example of a strong authentication technology that reduces risk and lowers fraud losses compared to other technologies such as static passwords or signatures.
- Tokens can be used to reconcile transactions across multiple brands or issuers, and for high-volume merchants that might not otherwise be able to consolidate their reporting with one acquirer or issuer without negative impact on customers who are being asked to provide the same card details every time they want to make a purchase.
- Tokens can be used to harmonize across multiple applications and to ensure that consumers are authenticated for all transactions even if their card number changes due to a reissuance by the brand or issuer.
- Adopting tokenization helps merchants keep pace with emerging technologies that can reduce or eliminate the need for cardholder data to be stored in their environment.
- Tokenization can help with PCI DSS compliance, reducing both costs and risks associated with security administration and controls, as well as potential fines from non-compliance.
What are payment tokens?
Tokens provide an additional number in place of the actual credit card number on transactions, reducing the amount of personal information being stored by merchants. The number used during payment authorization is called a token, and it provides an additional layer of security for transactions that take place over the Internet or mobile channels by replacing sensitive account information with a substitute that cannot be reused.
What are the five types of tokens?
There are several different types of tokens being offered today including static, signed, challenge/response, dynamic and encrypted. Static tokens are the most common and are created using a one-time password or random number that is unique to each transaction. Signed tokens are similar to static tokens, but include a digital signature that helps to validate the token and the identity of the issuer. Challenge/response tokens are generated by submitting the user’s answer to a specific question that only the user would know, such as “What was your high school mascot?” Dynamic tokens are becoming more popular and are created by using a combination of different criteria including time, IP address and device identification. Finally, encrypted tokens offer an additional layer of protection because they encrypt sensitive account information during the transaction process.
How do tokens work?
Tokens work by replacing a card’s primary account number (PAN) with an unrelated token that has no value or relationship to the PAN that is being processed as part of a payment authorization request. That token then validates that the user is who they say they are during the authorization process.
What is tokenization?
Tokenization is the process of replacing sensitive account information such as the credit card number with a substitute that cannot be used by thieves to access a consumer’s funds. Tokenization is an attractive option for merchants and consumers because it provides increased security and allows consumers to use cards on mobile apps and the Internet without having to share their personal account information.