Fraud is one of the biggest challenges faced by the payments industry, and tokenization is one way to prevent it.
Credit card tokenization is a fraud-prevention measure that protects sensitive information by replacing the primary account number (PAN) with a randomly generated alphanumeric ID – the token.
The only data stored on the merchant’s network is the token. The sensitive card data is stored on a high-security server, a virtual vault, and the token is the link to that data. Only someone with access to the token vault can map the token to the sensitive information.
One credit card can have multiple tokens: one for each merchant where the card is used and one for each device the cardholder uses to make purchases (e.g., smartphones and wearables). Each of these tokens can be suspended or deleted without impacting any other tokens in use.
Tokens move through the transaction flow in the same way as the original PAN, so the cardholder’s buying experience is not changed. Tokens can be used for card-present purchases, card-not-present purchases, and in-app/mobile purchases as well.
Tokens can be issued by merchants, acquiring banks, payment platforms or card networks. Network tokens represent a customer’s credentials for the entire buying cycle. When a merchant asks a network to generate a token, that token can be used and tracked for all subsequent transactions, even if the card has been replaced by the cardholder, because the credentials are automatically updated. For example, if a customer’s card is lost and the account number is changed, the token will still work because the credentials will be updated accordingly.
Tokenization and encryption are different. Encryption uses an algorithm and a key to encode sensitive data, so the result is mathematically tied to the original. If someone obtains the key, or breaks the algorithm, they can recover any data that was encrypted with it. By contrast, tokenization creates a randomly generated alphanumeric ID that is unrelated to the original data, making it impossible to reverse engineer the token and access the customer’s payment information; the mapping exists only in the token vault.
- The transaction is initiated and the primary account number (PAN) is replaced with a token. The token can be issued by the gateway, the card network (VISA, Mastercard, AMEX) or the bank that issued the card.
- Merchant treats the token like an account number and passes it to the acquiring bank to process the transaction.
- The acquiring bank passes the token to the entity that issued it. That entity will determine if the token is valid.
- If the issuer determines the token is valid, it will send the acquiring bank authorization confirming the token can be used to complete the transaction. The merchant will only see the token and the authorization.
- The transaction is completed by the acquiring bank and funds are transferred to the merchant.
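
The vault lookup and the token validity check from the flow above, as an added example that is not code from Verisave or from any card network. `TokenVault`, its method names, the account and merchant identifiers, and the rule that a token is rejected when a different merchant presents it are assumptions made for illustration; the PANs are constructed sample values.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits

class TokenVault:
    """Toy in-memory vault: the only place where a token maps back to a PAN."""

    def __init__(self):
        self._pans = {}    # account id -> current PAN
        self._tokens = {}  # token -> {"account", "merchant", "device", "active"}

    def enroll(self, account, pan):
        """Store a PAN, or replace it when the card is reissued."""
        self._pans[account] = pan

    def issue(self, account, merchant, device):
        """Issue a random token for one merchant and one device."""
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(16))
            if token not in self._tokens:  # never hand out a token twice
                break
        self._tokens[token] = {"account": account, "merchant": merchant,
                               "device": device, "active": True}
        return token

    def suspend(self, token):
        self._tokens[token]["active"] = False

    def detokenize(self, token, merchant):
        """Vault-side lookup; None for unknown, suspended or misused tokens."""
        rec = self._tokens.get(token)
        # Merchant binding is an assumption of this sketch, not stated on the page.
        if rec is None or not rec["active"] or rec["merchant"] != merchant:
            return None
        return self._pans[rec["account"]]

    def authorize(self, token, merchant):
        """What travels back to acquirer and merchant: token and decision, no PAN."""
        return {"token": token, "approved": self.detokenize(token, merchant) is not None}

if __name__ == "__main__":
    vault = TokenVault()
    vault.enroll("acct-1", "4111111111111111")   # constructed sample PAN
    phone = vault.issue("acct-1", "shop-a", "phone")
    watch = vault.issue("acct-1", "shop-a", "watch")
    vault.suspend(watch)                          # the phone token is unaffected
    vault.enroll("acct-1", "4012888888881881")    # card replaced, tokens unchanged
    print(vault.authorize(phone, "shop-a"), vault.authorize(watch, "shop-a"))
```

Because the token is drawn at random rather than computed from the PAN, a stolen copy of the merchant's token table reveals nothing without access to the vault itself.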
Improved Data Security
Verisave is a third-party cost-reduction firm specializing in merchant accounts and credit card processing fees.
Verisave is not a payment processor, and is not affiliated with any processors, card brands, or banks.
Verisave has more than 20 years of experience optimizing and monitoring the credit card processing industry.