Posted November 11, 2019 by Bernard Clary

Understanding Tokenization

More than a buzzword, ‘Tokenization’ has gone mainstream, protecting merchants against the perpetual threat of omni-channel payment fraud and delivering the seamless, personalized experiences modern consumers love.  Indeed, for anyone wanting to enrich their customer sales journeys, tokenization is now a must.

That said, many businesses, particularly smaller merchants and those in hospitality and travel, have yet to take the plunge. If you’re still undecided, here’s a quick snapshot to explain what tokenization does and how it can help you.

What is tokenization?

Essentially, tokenization protects bank account and credit card numbers by replacing the buyer’s primary account number (PAN) with a randomly generated alphanumeric code or a ‘token’.  This is linked to the payment method but has no exploitable meaning or ‘value’ for criminals as it cannot be reverse engineered to access the payment details.

How are tokens used?
Tokens are kept in a secure ‘virtual vault’ and can be transmitted across wireless networks and shared without risk to the original payment data. They can also be processed at the point of sale without any personal bank details being revealed. Tokenization lets you keep any sensitive data separate from your business systems, while allowing any transactions connected to the card or payment method to be tracked across various locations and channels.

What benefits does it offer merchants?

As well as adding a layer of security, tokenization helps streamline processes that involve follow-on transactions or repeat purchases by allowing your systems to ‘recognize’ the customer, e.g. for e-receipts, one-click purchasing or to autofill payment pages. It also allows you to build a profile of their spending patterns and to provide insights for CRM and marketing to deliver more targeted loyalty programs, promotions and rewards.

Does it impact PCI?

Tokenization is often used in conjunction with PCI-compliant point-to-point encryption to minimize PCI scope, effort and cost for retailers. If no sensitive card data touches their system, it minimizes their risk.

What happens at the POS?
The consumer presents their payment card to the POS device or enters their card number manually on a webstore. The credit card number passes to a token vault (usually a third-party gateway) which generates a token. The token is passed back to the merchant’s system which associates the token with the customer. The merchant can store the token to use in follow-on transactions, such as future sales, voids or returns. All of this takes place instantly and is invisible to the customer.

Are there different types of token?

There are two types: single-use and multi-use. Single-use tokens are used purely for data security to safeguard a single transaction and are not stored or linked to further transactions. Multi-use tokens, on the other hand, can be stored and associated permanently with the customer’s payment method and can be retrieved whenever a customer presents it. For multiple locations, one token vault should be used for each destination as incorrect mapping can lead to cross-token issues.
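
The POS flow and the single-use versus multi-use distinction described above, as an added Python sketch that is not from the original post. `TokenVault` is a hypothetical in-memory stand-in for the third-party gateway; the `tok_` prefix and the PAN length bounds are assumptions, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical in-memory stand-in for the gateway's token vault."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._by_token = {}  # token -> (PAN, multi_use); lives only in the vault
        self._by_pan = {}    # HMAC(PAN) -> multi-use token already issued

    @staticmethod
    def _luhn_ok(pan):
        digits = [int(c) for c in reversed(pan)]
        doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
        return (sum(digits[0::2]) + doubled) % 10 == 0

    def tokenize(self, pan, multi_use=False):
        # Length bounds are an assumption for this example.
        if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19
                and self._luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        fp = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if multi_use and fp in self._by_pan:
            return self._by_pan[fp]  # same card, same stored token
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from PAN
        self._by_token[token] = (pan, multi_use)
        if multi_use:
            self._by_pan[fp] = token
        return token

    def redeem(self, token):
        """Gateway-side lookup when a transaction is processed."""
        pan, multi_use = self._by_token[token]  # KeyError if unknown or spent
        if not multi_use:
            del self._by_token[token]  # single-use: good for one transaction
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    # The merchant keeps only the token against the customer record.
    customer = {"id": "cust-001", "token": vault.tokenize(pan, multi_use=True)}
    print(customer, vault.tokenize(pan) != vault.tokenize(pan))
```

Because the token comes from a random generator rather than from the card number, the only way back to the PAN is the vault's own lookup table.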

What do you need to tokenize?
For tokenization to work, a payment gateway is needed to store sensitive data and to generate the random token.

Does it cost?
In most instances there’s no additional charge for the actual token but some gateways may charge a minimal fee to process it and for token storage. All in all, it’s a very small price to pay considering the benefits gained from fraud reduction and experience optimization.

While it’s easy to get caught up in the what and how, at the end of the day the real benefit of tokenization is that it’s invisible to the user, removes value for fraudsters, and reduces risk while unlocking opportunity for the retailer.

If you’re really serious about taking your retail business to the Next Level, then you need to embrace tokenization – not just for security and compliance but as an important part of your customer-facing strategy. Understanding how it works is just the first step of the journey.