What is a Card Network Token?
A card network token is a string of random numbers that stands in for the real Primary Account Number (PAN) and is used to retrieve it from where it is securely stored, to avoid data leaks and hacking. A card network token is quite different from an encrypted value: by definition, encrypted PAN details can be decrypted by anyone with the encryption key, which means they are always at risk of being stolen by bad actors. By contrast, a card network token cannot be decrypted, because it bears no algorithmic relationship to the associated PAN. Rather, it is simply a reference to a stored value, protected by a token vault.
Who provides and offers card network tokens?
Card networks such as Visa, Mastercard, American Express, and Discover offer tokenization services directly to merchants. In this scenario, the card network may provide a merchant with a network token to store instead of a PAN. That card network token will not only be unique to the account owner, but also to the merchant, providing extra security to cardholders in the case of a data leak. In addition, because the vendor is using a card network token instead of the PAN, they can expect to have higher success rates on transactions, as common reasons for failures, such as consumers changing their card number, are now not applicable.
Additionally, many Payment Service Providers (PSPs) offer their own proprietary tokenization services, which allow their clients (generally e-commerce vendors) to avoid compliance requirements by never actually bringing customer Personal Identifying Information (PII) within their environment. Typically, the vendor will pass an end-customer’s PAN directly to the PSP, and receive back from the PSP a card network token that can be used to initiate future transactions. At no time should the PII flow into or through the vendor’s infrastructure, either for the first or any subsequent payment transactions.
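The token properties described above (random value with no relationship to the PAN, scoped to one merchant, unaffected when the card number changes) can be seen in a toy vault. This is an added example, not code from Basis Theory, a card network or a PSP; the `TokenVault` class, the merchant ids and the test PANs are constructed for illustration.

```python
import secrets

class TokenVault:
    """Toy in-memory vault (assumption); a real vault is a hardened service that encrypts PANs at rest."""
    def __init__(self):
        self._records = {}   # token -> {"merchant": id, "pan": PAN}
        self._index = {}     # (merchant, pan) -> token, so repeat calls reuse a token

    def tokenize(self, merchant, pan):
        if (merchant, pan) in self._index:
            return self._index[(merchant, pan)]
        while True:
            # Random digits: nothing about the PAN goes into the token.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._records and token != pan:
                break
        self._records[token] = {"merchant": merchant, "pan": pan}
        self._index[(merchant, pan)] = token
        return token

    def detokenize(self, merchant, token):
        rec = self._records.get(token)
        # A token leaked from one merchant is useless when presented by another.
        if rec is None or rec["merchant"] != merchant:
            raise PermissionError("unknown token or wrong merchant")
        return rec["pan"]

    def update_pan(self, token, new_pan):
        """Card reissued: the vault record changes, the merchant's token does not."""
        rec = self._records[token]
        del self._index[(rec["merchant"], rec["pan"])]
        rec["pan"] = new_pan
        self._index[(rec["merchant"], new_pan)] = token

def demo():
    vault = TokenVault()
    old_pan, new_pan = "4111111111111111", "4012888888881881"  # constructed test PANs
    t_a = vault.tokenize("merchant-a", old_pan)
    t_b = vault.tokenize("merchant-b", old_pan)
    vault.update_pan(t_a, new_pan)
    try:
        vault.detokenize("merchant-b", t_a)
        cross_merchant = "allowed"
    except PermissionError:
        cross_merchant = "denied"
    return t_a != t_b, vault.detokenize("merchant-a", t_a), cross_merchant

if __name__ == "__main__":
    print(demo())
```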
Are card network tokens from card networks or PSPs better?
Often, PSPs act as middlemen between vendors and the card networks, reducing the amount of work it takes a vendor to get online and start receiving payments. In this regard, the PSP may well receive a card network token for each consumer from the card network, then provide a separate, proprietary card network token to the vendor for future use. This would mean that the underlying consumer details are uniquely held by the PSP itself, so all subsequent transactions that the merchant wants to execute using the stored card network token would necessarily have to run through that same PSP.
For merchants who want both to manage their cost-to-transact and to maximize their successful transaction rate, it is better not to rely on proprietary card network tokens held by the PSPs. Rather, such merchants can use a third-party tokenization provider, such as Basis Theory, to create and have consistent access to tokens held securely in a token vault. In this way, the vendor can avoid the onerous compliance requirements while still protecting their consumers’ personal data, and have access to a token with which they can transact business across a range of different PSPs, according to the merchant’s needs and preferences.
Isn’t encryption enough?
Encryption is necessary but insufficient to protect PII. By its very nature, data protected by encryption can be decrypted and returned to its original plain text state, so if a hacker is able to lay their hands on the encryption key, the consumer’s PII becomes vulnerable. Card network tokens, however, have no algorithmic relationship to the underlying data, so they cannot ever be used to access consumer information.
That said, card network tokens should still be encrypted during transmission, as this adds an important extra layer of protection. All data should travel across encrypted connections, preventing bad actors from gaining access to the slightest information.
If you would like to learn more about how card network tokens - and tokenization as a process - can help secure data above and beyond standard encryption, contact one of our experts today.