As customers’ financial behaviors evolve to include digital banking and financial technologies—like peer-to-peer payment, virtual currency, mobile payments and mobile wallets—tokenization is one of the most important new technologies merchants can leverage to stand in the way of cybercriminal access to customer payment information.
What is Tokenization?
It is recommended that consumers use a paper shredder to destroy bank account statements, checkbook registers, tax forms, payment receipts and similar documents that include sensitive data because any account number reflected on the document that wasn’t destroyed beyond recognition could be used fraudulently. Similarly, when a shopper buys something online, they are required to divulge confidential and sensitive information, such as their address and ATM card info. Giving out this information online is risky since it may be stolen and used fraudulently.
Much like a paper shredder renders account information meaningless so that it’s made nearly impossible to re-assemble, repurpose or identify, the same theory applies to tokenization—through technology. Basically, tokenization is the process of replacing sensitive data with unique identification symbols that capture all the vital information about the data without compromising its security. The algorithmically generated number used to replace the sensitive data is called a token.
How It Works
Typical consumer credit/debit (ATM) cards come with names, 16-digit personal account numbers (PANs), expiration dates and security codes — any of which can be “tokenized.” When a merchant swipes a customer’s credit card, the PAN is automatically replaced with a randomly generated alphanumeric ID (“token”). The original PAN never enters the merchant’s payment system; only the token ID does. The merchant can use this special token ID to keep records of the customer. This token then gets transmitted to the payment processor who de-tokenizes the ID and authorizes payment.
This token is only readable by the payment processor — it is meaningless to any other party (including the merchant). Someone who manages to get his hands on this ID has no way of linking the token back to the original personal account number. More so, this randomly generated token is only valid with that single merchant. The ID can never be used to initiate payment with another retailer.
The cardholder typically won’t be aware that a token has been assigned to his/her card or know what the token is. Likewise, the tokenization assignment or approval process shouldn’t change the customer’s experience during transaction processing compared to a non-tokenized transaction (other than to make it more secure).
Benefits of Tokenization
Tokenization is an increasingly attractive way to make online payments. The technology is growing more rapidly in the eCommerce world as a more secure and cheaper alternative to what many businesses currently have on offer for customer payments. Here are some other reasons:
- Tokenization keeps card data safe — both from internal and external threats. Because the payment processor is the only party that can decode the token, this security measure is extremely effective at reducing consumer ATM fraud. Token numbers accessed by thieves are essentially meaningless. The “token” numbers can’t be used to initiate and conduct fraudulent transactions, or to identify other aspects of the account owner’s identity.
- It can also be used for any type of personally identifiable information, e.g
- Patient records
- Employee files
- Email addresses
- Customer accounts
Tokenization presents a more secure way of transmitting customer data, and ultimately, is a means to better protect your business from a potential data breach. Businesses that have not integrated this technology into their processes may become disadvantaged later.