There are few things more important than protecting your business assets. That’s especially true today given the ongoing threat of data breaches. Tokenization is a vital tool for protecting data, especially payments data which is a prime target for fraudsters.
Technologies that help protect companies like yours from the negative impacts of data breaches are needed now more than ever. Ponemon Institute’s 2019 “” report pegged the average cost of a data breach at $3.92 million, while the cost for US companies is the highest in the world at $8.19 million.
Tokenization may sound complicated, but in fact it’s easy to understand and even easier to implement. Payment tokenization helps maintain the security of businesses and the customers they serve; that helps protect everyone involved in making, accepting and processing payments.
What is payment tokenization?
Tokenization is a process of replacing sensitive data with a unique identifier called a token. Payment tokenization replaces the primary account number (PAN) and other “real” data with a substitute value that performs all the essential functions. That replacement value (the token) is worthless in any other context, essentially removing payment data from visibility.
Payment tokenization replaces sensitive data—like the customer’s primary account number, or PAN—with a unique token generated by complex algorithms that cannot be duplicated or decoded. The token can then be used in subsequent transactions for functions like adding a tip or for recurring billing.
Payment tokenization adds an important layer of security that offers protection to sensitive data. Tokenization reduces the points where the sensitive plain text values are stored in your environment. Beyond just a stronger lockbox, payment tokenization renders data used to process payments useless to fraudsters if stolen.
Payment tokenization in action
Tokenization is making payments more secure for merchants and their customers and is used in a wide variety of ways.
- In-store—Tokenization services begin at the point of sale when your customer presents his or her card. Tokenization makes digital wallets among the safest and fastest-growing in-store payment technologies today.
- Online—Payment tokenization adds a critical security layer to online transactions by removing PAN data from online environments that have proven vulnerable to attack. Even if your business becomes a victim of a data breach, the tokenized payment data is worthless to criminals.
- In-app—Commerce today increasingly takes place within apps embedded in our smartphones. Tokenization improves the in-app experience for customers by allowing them to make purchases without repeatedly entering their personal information.
- Recurring payments—Subscription payment models help businesses serve customers better while generating consistent revenue streams. Tokenization makes recurring payments convenient by securely storing payment data for ongoing billing, i.e. a “card-on-file.”
How does payment tokenization work?
Tokenization takes place behind the scenes and doesn’t require new point of sale procedures. But when it comes to the money that fuels your business, it’s worth taking a quick look at what’s actually happening behind the scenes. Tokenization workflows vary in practice, but for simplicity we can identify a few key steps:
- Customer presents payment and their payment credentials are immediately tokenized.
- Merchant forwards the token as part of a transaction authorization request to their merchant acquirer. It's important to note that the merchant is unable to decode the token.
- The merchant acquirer routes the token to the appropriate token service provider.
- The token and other elements of the transaction authorization are routed to the customer’s issuing bank for authorization.
- The tokenized transaction is then routed back to the token provider.
- The token service provider routes the tokenized transaction (authorization or decline) through the merchant acquirer and back to the merchant (and eventually the merchant’s bank).
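The six steps above, and the earlier point that a token is worthless outside the context that issued it, can be walked through in code. The block below is an added example written for this page; it is not Worldpay’s code or any real token service provider’s API. Every class and function in it (TokenVault, TokenServiceProvider, acquirer_route, issuer_authorize, Merchant, run_demo) is a hypothetical simplification of the party it is named after, the card number is the widely used test number rather than a real account, and the issuer balance is constructed. The merchant class never receives a PAN: the terminal hands it a token and the last four digits, the acquirer forwards the token, and only the token service provider’s vault can map the token back to the PAN for the issuer. Because the token is random rather than computed from the PAN, the merchant’s stored records contain nothing a thief could use, which the pan_exposure check confirms.

```python
from __future__ import annotations

import re
import secrets

# Constructed sample data: the industry test card number, not a real account.
TEST_PAN = "4111111111111111"
PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test (structural only; it does not prove a card exists)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Hypothetical TSP vault, the only place a token maps back to a PAN. Tokens are
    random rather than derived from the PAN, so a leaked token reveals nothing."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> tuple[str, str]:
        """Return (token, last4); the same PAN always yields the same token (card-on-file)."""
        if not PAN_RE.fullmatch(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_urlsafe(16)
            while token in self._pan_by_token:          # collision is astronomically unlikely
                token = "tok_" + secrets.token_urlsafe(16)
            self._pan_by_token[token], self._token_by_pan[pan] = pan, token
        return self._token_by_pan[pan], pan[-4:]          # last4 is safe to print on a receipt

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]                   # KeyError for unknown or forged tokens


def issuer_authorize(balances_cents: dict[str, int], pan: str, amount_cents: int) -> bool:
    """Constructed issuing bank (step 4): the only party that needs the real PAN."""
    if balances_cents.get(pan, 0) < amount_cents:
        return False
    balances_cents[pan] -= amount_cents
    return True


class TokenServiceProvider:
    """Detokenizes only on the way to the issuer; every other party handles the token."""
    def __init__(self, vault: TokenVault, issuer_balances: dict[str, int]) -> None:
        self.vault, self.issuer_balances = vault, issuer_balances

    def authorize(self, token: str, amount_cents: int) -> bool:
        try:
            pan = self.vault.detokenize(token)
        except KeyError:
            return False                                   # forged or unknown token: decline
        return issuer_authorize(self.issuer_balances, pan, amount_cents)


def acquirer_route(tsp: TokenServiceProvider, token: str, amount_cents: int) -> bool:
    """Merchant acquirer: forwards the token to the TSP and relays the reply (steps 2, 3, 6)."""
    return tsp.authorize(token, amount_cents)


class Merchant:
    """Merchant systems hold tokens and last4 only; a PAN never reaches this class."""
    def __init__(self, tsp: TokenServiceProvider) -> None:
        self.tsp = tsp
        self.cards_on_file: dict[str, tuple[str, str]] = {}   # customer -> (token, last4)

    def charge(self, customer_id: str, amount_cents: int, card: tuple[str, str] | None = None) -> bool:
        """A first purchase passes (token, last4) from the terminal; a recurring charge
        reuses the stored token, so the customer re-enters nothing."""
        if card is not None:
            self.cards_on_file[customer_id] = card
        return acquirer_route(self.tsp, self.cards_on_file[customer_id][0], amount_cents)

    def pan_exposure(self) -> list[str]:
        """Stored values a breach would reveal that are structurally PANs; expected empty."""
        stored = [v for card in self.cards_on_file.values() for v in card]
        return [v for v in stored if PAN_RE.fullmatch(v) and luhn_valid(v)]


def run_demo() -> dict:
    """In-store purchase through the six steps, then a recurring charge and a forged token."""
    vault, balances = TokenVault(), {TEST_PAN: 10_000}     # constructed: $100.00 available
    tsp = TokenServiceProvider(vault, balances)
    merchant = Merchant(tsp)
    card = vault.tokenize(TEST_PAN)                        # step 1: tokenized at the terminal
    return {
        "token": card[0],
        "first_approved": merchant.charge("cust-1", 2_500, card),
        "renewal_approved": merchant.charge("cust-1", 2_500),
        "overdraft_approved": merchant.charge("cust-1", 9_000),
        "forged_token_approved": acquirer_route(tsp, "tok_forged", 100),
        "token_is_stable": vault.tokenize(TEST_PAN)[0] == card[0],
        "pan_exposure": merchant.pan_exposure(),
        "remaining_balance_cents": balances[TEST_PAN],
    }
```

Running run_demo() approves the first purchase and the card-on-file renewal, declines the charge that exceeds the remaining balance, declines the forged token because the vault has no entry for it, and reports an empty pan_exposure list. Real token services add controls this sketch omits, such as restricting a token to one merchant or channel, but the division of knowledge is the same: the merchant and acquirer carry a value that only the vault can resolve.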
How is tokenization different from encryption?
Tokenization is often confused with another data security technology called encryption. Both tokenization and encryption are vital components of overall security strategies to help maintain payment safety. However, there are key differences in how they function.
Encryption protects data in motion while tokenization protects data at rest. Encryption is significantly more secure than transmitting raw data, though encrypted data remains reversible: whoever obtains the key can recover the original values.
Tokenization combined with encryption is designed to create a comprehensive solution for protecting merchant and consumer data. Point-to-point encryption protects card data in motion, like between your point of sale and your payment processor. Point-to-point encryption addresses the risk of unauthorized interception of cardholder data. Unlike encryption, tokenization is not mathematically reversible.
Tokenization helps keep your business in compliance
Tokenization makes achieving and maintaining compliance with industry regulations easier. Tokenization addresses the PCI-DSS requirement set #3: protecting cardholder data at rest. Tokenization satisfies this requirement by preventing cardholder data from ever entering your systems.
PCI-DSS seeks to reduce retention of sensitive data and safely govern its storage and deletion. Beyond staying in compliance with payment card industry regulations, the good news is that PCI-DSS represents best practices on how to protect your data and your business from evolving and sophisticated threats.
Making tokenization work for your business
Worldpay is a global payments leader with pioneering expertise in using end-to-end encryption and tokenization to help protect payments everywhere they take place. to learn more about how encryption and tokenization can help protect your business.
© 2017-2019 Worldpay, LLC and/or its affiliates. All rights reserved. Worldpay, the logo and any associated brand names are trademarks or registered trademarks of Worldpay, LLC and/or its affiliates in the US, UK or other countries. All other trademarks are the property of their respective owners.