What is Tokenization?

This entry was posted on Tuesday, March 18th, 2014.

Tokenization has fast become a buzz word in payments. With American Express, MasterCard and Visa announcing their intention to develop specifications for payment tokenization in 2013, followed by EMVCo stating that it would expand its scope to pick up the work earlier this year, the industry knew it would only be a matter of time before a market agreed framework would be available. Last week, EMVCo released its EMV Payment Tokenization Specification – Technical Framework v1.0.

So, what is tokenization, how can it be implemented and why has this payment solution gained so much traction in the last few months? Read our definitions guide to find out more.

What is Tokenization?

Tokenization is the process of replacing sensitive data with surrogate values that remove risk but preserve value to the business. In other words, a traditional primary account number (PAN) is replaced by unique identification symbols to create a ‘token’.

To tokenize a payment transaction, the PAN is sent to a centralized and highly secure server called a ‘token vault’ where it is stored in a PCI-compliant environment provided by a payment service provider (such as a payment system). Immediately after authorization from the card issuer, a unique, token number (with its expiration date) is generated and returned to the merchant’s systems for use instead of the PAN.

While payment tokens are reversible and can be ‘mapped’ back to the traditional PAN by authorized parties, this is a highly complex process. The token is therefore meaningless if someone gained malicious and unauthorized access to the data.

How are Tokens Used?

A token is generated for one time use within a given and pre-defined environment, such as to purchase goods from an online retailer. In most circumstances, it will perform just like the original PAN for business functions such as returns, sales reports, marketing analysis, recurring payments etc. It cannot, however, be used to conduct a transaction outside of that merchant’s environment.

The data only has meaning within the pre-defined environment for which it was created.

What is the Aim of Tokenization?

The process removes traditional PAN information from environments where data can be vulnerable and, if stolen, used for illegal purposes. Tokenization completely and quickly disconnects the real PAN and replaces with a token, while maintaining backwards compatibility with existing business processes.

For this reason, tokenization offers a real alternative payment solution that could significantly reduce fraudulent activities. In this way, tokenization can retain all the essential customer data without compromising its security.

So, What is New?

The standardization of payment tokenization systems will promote credibility of this payment solution and encourage market interoperability. The framework provides different models and potential flows for several identified tokenization scenarios, enabling suppliers to map existing solutions against these and develop new ones ready to meet new token service provider needs.

Bell ID’s Offering

PCI standards do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction. To be PCI compliant, merchants must install expensive end-to-end encryption systems or outsource their payment processing to a service provider who supplies a tokenization facility. The service provider then handles the issuance of the token value and bears the responsibility for keeping the cardholder data locked down, for which they require industry proven secure solutions.

With Bell ID’s Tokenization Manager and Secure Element in the Cloud software, banks and merchants can also become their own in-house service provider to manage their own mobile and e-commerce EMV payments solutions including tokenization.

Interested in learning more about tokenization and becoming your own service provider? Get in touch!