What is Tokenization, and Why Should I Care?

Posted by Joe Musitano on Sep 26, 2018 9:53:02 AM

Tokenization is more than just a buzzword when it comes to payment processing. It is a security measure that will drastically reduce the scope of PCI Compliance when it comes to storing cardholder data. But there is still a good amount of confusion surrounding tokenization and why it's important, especially in the world of mobile payments. Here is some information that will help clarify this topic:

What is Tokenization?
Tokenization replaces cardholder data, in particular the primary account number, with randomly generated numbers known as a token. This token is what is transmitted over the internet to process payments, so the cardholder data is never exposed to the various networks. Should the payment transaction be compromised, the information is gibberish to the thief, since all they see is the token and not the cardholder data.

What is the Difference Between Tokenization and Encryption?
Encryption, often called end-to-end or data field encryption, encrypts the actual cardholder data. If the encryption is decoded, the cardholder data is visible. With tokenization, by contrast, the cardholder data is completely replaced throughout the transaction until it is unlocked at a Level 1 gateway provider. Both security measures reduce PCI scope, but tokenization is a more cost-effective solution and is inherently more secure: unlike data protected with end-to-end encryption, the tokens themselves are not mathematically reversible with a decryption key.

How is Tokenization Used in Payments Technology?
1. Recurring Billing. If your business offers subscription services or recurring billing options and keeps cardholder data on file, tokenization reduces your PCI scope as you are only keeping tokens on file and not the actual cardholder data. This removes the risk of storing cardholder data.

2. One-Click Checkouts. Many eCommerce sites offer the convenience of "Buy now with 1 click" for returning customers who hold accounts on that site. Tokenization again is used to increase that site's security by ensuring it is not holding the cardholder data. In addition, we have multiple browser-to-gateway solutions that keep the cardholder data from touching our clients' web servers for eCommerce/mobile transactions. Tokenization coupled with this technology REMOVES the merchant from PCI scope completely.

3. NFC mobile wallets like Apple Pay and Android Pay. When you take a picture of your card on your mobile phone, a token is created so your cardholder data is not stored on your phone.

Why Should You Care About Tokenization?
Using tokenization will not automatically make you PCI compliant, but it will help to reduce your PCI DSS scope and, most importantly, remove tremendous risk from the merchant's ecosystem. Solupay's integrations make acquiring a token from a new client, or updating an existing client's information, simple and done in just a few clicks. View our video tutorial on how we improved tokenization in our integration with one ERP system, NetSuite, as an example of how we have simplified the process.

Topics: Multi-Merchant Tokenization, Card Security, NetSuite SuitePayments