Tokenization Offers Great Benefits: Be Aware of These 5 Pitfalls
Merchants are always on the lookout for ways to improve their security, while keeping as much friction as possible out of their purchase processes. Some of the options they’ve experienced over the years have had really significant tradeoffs, like 3D Secure, which eliminated a significant volume of fraud but also made it harder for consumers to buy. Tokenization can come close to eliminating the risk of data breaches, while also opening up the universe of potential payment service provider possibilities for merchants - but that doesn’t mean there aren’t opportunities for those benefits to silently morph into threats.
What is Tokenization?
Tokenization, simply stated, is replacing one string (normally sensitive personal data) with another randomly generated one. The bearer of the token passes it to the entity holding the underlying information (generally known as a token vault), along with a range of authentication and authorization information, in order to gain access to it.
Unlike with encryption, a single-location data breach does not expose the underlying data with tokenization. A hacker who obtains a store of encrypted data together with its encryption key can decrypt everything back to its original form; tokens stolen from a hacked store, by contrast, cannot be converted back to their underlying form without also defeating the authentication and authorization protocols of the token vault.
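The two properties described above, a token that is random rather than derived from the PAN, and a vault that releases the PAN only to an authenticated and authorized caller, can be modelled in a few dozen lines. The following is an added example for this article, not code from the article or from any vault product; the credential ids, scopes, secrets and the `tok_` prefix are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed credentials for this example: credential id -> (secret, allowed scopes).
# A real vault would store hashed secrets and issue scoped API keys; this shape is hypothetical.
VAULT_CREDENTIALS = {
    "checkout-app": ("sk_example_checkout", frozenset({"tokenize"})),
    "payment-router": ("sk_example_router", frozenset({"tokenize", "detokenize"})),
}


class AuthorizationError(Exception):
    """Raised when a caller cannot prove it may perform the requested vault operation."""


@dataclass
class TokenVault:
    """Minimal token vault: a mapping from random tokens to the sensitive values they replace."""
    _store: dict = field(default_factory=dict)

    def _authorize(self, cred_id, secret, scope):
        entry = VAULT_CREDENTIALS.get(cred_id)
        if entry is None:
            raise AuthorizationError("unknown credential")
        expected_secret, scopes = entry
        # Constant-time comparison so the secret check does not leak timing information.
        if not hmac.compare_digest(expected_secret, secret):
            raise AuthorizationError("bad secret")
        if scope not in scopes:
            raise AuthorizationError(f"credential lacks scope {scope!r}")

    def tokenize(self, cred_id, secret, pan):
        """Replace a PAN with a fresh random token. The token is not derived from the PAN
        (no hash, no cipher), so nothing about the token reveals or reconstructs the PAN."""
        self._authorize(cred_id, secret, "tokenize")
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = pan
        return token

    def detokenize(self, cred_id, secret, token):
        """Return the PAN only to a caller whose credential carries the 'detokenize' scope."""
        self._authorize(cred_id, secret, "detokenize")
        if token not in self._store:
            raise AuthorizationError("unknown token")
        return self._store[token]


def merchant_breach_exposure(merchant_records):
    """What an attacker gets from a copy of the merchant's own database: tokens only.
    Without a detokenize-scoped vault credential they cannot be turned back into PANs,
    which is the contrast with stolen ciphertext plus its key that the article draws."""
    return sorted(r["card_token"] for r in merchant_records)


def demo():
    """Returns (PAN visible in the merchant's store?, router recovered the PAN?)."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN
    token = vault.tokenize("checkout-app", "sk_example_checkout", pan)
    merchant_db = [{"customer": "c-1", "card_token": token}]  # constructed merchant record
    exposed = merchant_breach_exposure(merchant_db)
    # Only the router, holding the detokenize scope, can recover the PAN when it must charge.
    recovered = vault.detokenize("payment-router", "sk_example_router", token)
    return pan in str(exposed), recovered == pan


if __name__ == "__main__":
    print(demo())
```

The least-privilege split is the point: the checkout application can create tokens but never read a PAN back, so compromising it (or its database) yields only opaque tokens, and every detokenize call is a distinct, auditable use of a separately held credential.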
Tokenization Pitfalls to Avoid
Pitfall #1: Using the wrong kind of token.
In the payments industry, there are a number of different kinds of tokens, the most commonly seen being:
- Network tokens: issued by the card networks themselves; these are merchant-specific values that represent a given individual’s account. Network tokens can be used only by the merchant to whom they are assigned, which means they are often immune to the risk of card expiration and of rejection owing to unrelated fraud.
- Processor tokens: issued by the payment service provider (PSP) directly to the merchant. This spares the merchant from having to bring its own storage up to PCI DSS standards, as the actual primary account number (PAN) is held securely by the PSP; however, it also means that the PSP controls the data, so the merchant likely cannot use it to execute transactions with alternative PSPs.
- Vault tokens: these are provided by programmable payment vaults, such as the one offered by Basis Theory. Vault tokens may represent the actual PAN, or a network token, and can be used by the merchant to submit transactions to virtually any PSP or payment gateway.
Vault tokens deliver the most flexibility, as they may incorporate network tokens and offer the merchant the opportunity to expand their roster of PSP partners.
Pitfall #2: Not getting both programmability and storage.
Using tokenization is incredibly valuable, whether the tokens are stored within your own payment system or with a token vault provider. Merchants eliminate the risk of broad fraud problems for customers in the event of a data breach and can shift liability for fraud from the merchant back to the issuing bank.
In order to recognize the maximum benefit, however, merchants should do more than simply avoid holding non-tokenized PAN. The most efficient merchant payment systems orchestrate transactions with a range of different PSPs, allowing them to increase the close rates while reducing the overall cost to process.
As such, merchants may find that coding their own connectors to deliver network tokens to an array of payment partners is resource-intensive and subject to human error. It is worth, therefore, looking to move those network tokens to a programmable vault designed to provide easy connectivity to downstream service providers.
Pitfall #3: Not understanding the maintenance obligations.
Any time a business seeks to improve its service, or to reduce its costs, there is work involved, and this is so with most payment tokens. In fairness, processor tokens from full-service PSPs require relatively little maintenance, but they are also usable with only one PSP and, therefore, hobble the merchant’s ability to extend their PSP partner network.
Network and vault tokens do require some effort, if only to build the system that uses them and to ensure they are kept up to date. It is critical to understand any expiration parameters (even network tokens cannot be used in perpetuity without re-authorization), and to map out a decision tree for selecting the right PSP to work with for each.
Finally, a tracking and analysis function is necessary to evaluate over time the overall performance of classes of tokens with each PSP, so the merchant can fine-tune and tweak the decision tree over time.
Pitfall #4: Not confirming your PSP partners are compatible.
The best way to maximize transaction success, while minimizing processing costs, is to work with multiple PSPs and use a programmable payment vault to submit the network token to the partner best suited to each sale.
Therefore, it becomes vital to ensure that any PSP you add to your roster of payment partners is able to accept network tokens and requests submitted by your token vault.
Pitfall #5: Not managing the underlying data.
Although network tokens are more efficient than PAN, it is still important to ensure they are kept up to date, and used efficiently in an orchestrated payment process.
For instance, although they don’t expire with the physical card, you may still need, from time to time, to confirm the customer’s address. Similarly, it’s important to have a sophisticated decisioning system for soft declines that informs the question of whether and when to re-submit a transaction. Trying too often can raise fraud flags with the networks, while missing obvious re-submission opportunities can hurt the bottom line.
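Pitfalls #1, #3, #4 and #5 together describe one decision tree: filter the PSP roster down to those that can accept the token in hand (processor tokens only at their issuer, network tokens only where supported and only while re-authorization is current, vault submissions only where the PSP accepts them), pick the best remaining PSP using the tracking data, and apply a bounded retry policy to soft declines. The following is an added example for this article, not the article's or any vendor's code; the PSP names, costs, approval rates, decline codes and retry limits are constructed placeholders, and the real network retry rules should be taken from the networks' own documentation.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PaymentToken:
    value: str
    kind: str                          # "network", "processor" or "vault"
    underlying: str = "pan"            # for vault tokens: "pan" or "network"
    issuing_psp: Optional[str] = None  # processor tokens work only with the PSP that issued them
    reauth_due: Optional[date] = None  # network tokens need periodic re-authorization


@dataclass(frozen=True)
class PSP:
    name: str
    accepts_vault_requests: bool  # will take submissions from the merchant's token vault
    accepts_network_tokens: bool  # can process network tokens
    cost_bps: int                 # processing cost in basis points
    auth_rate: float              # observed approval rate, fed by the tracking function


# Constructed sample roster; names and figures are made up for this example.
SAMPLE_PSPS = [
    PSP("PSP-A", True, True, cost_bps=220, auth_rate=0.94),
    PSP("PSP-B", True, False, cost_bps=180, auth_rate=0.90),
    PSP("PSP-C", False, False, cost_bps=150, auth_rate=0.88),
]


def _network_token_stale(token, today):
    return token.reauth_due is not None and today > token.reauth_due


def eligible_psps(token, psps, today):
    """Pitfalls #1 and #4 as a filter: which PSPs can actually accept this token today."""
    if token.kind == "processor":
        return [p for p in psps if p.name == token.issuing_psp]
    if token.kind == "network":
        if _network_token_stale(token, today):
            return []  # re-authorize before routing anywhere
        return [p for p in psps if p.accepts_network_tokens]
    if token.kind == "vault":
        needs_network = token.underlying == "network"
        if needs_network and _network_token_stale(token, today):
            return []
        return [p for p in psps
                if p.accepts_vault_requests and (not needs_network or p.accepts_network_tokens)]
    raise ValueError(f"unknown token kind {token.kind!r}")


def choose_psp(token, psps, today):
    """Decision-tree leaf: among eligible PSPs, maximise expected approved revenue net of cost."""
    candidates = eligible_psps(token, psps, today)
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.auth_rate * (1 - p.cost_bps / 10_000))


# Constructed decline categories and limits; real network rules differ and must be looked up.
SOFT_DECLINES = frozenset({"insufficient_funds", "do_not_honor", "issuer_unavailable"})
HARD_DECLINES = frozenset({"stolen_card", "invalid_account", "pickup_card"})


@dataclass(frozen=True)
class RetryPolicy:
    max_attempts: int = 3
    min_gap: timedelta = timedelta(days=1)
    window: timedelta = timedelta(days=14)


def should_retry(decline_code, prior_attempts, policy, now):
    """Soft-decline decisioning: retry only within the policy's count, spacing and window,
    so the merchant neither hammers the networks nor leaves recoverable sales on the table."""
    if decline_code in HARD_DECLINES or decline_code not in SOFT_DECLINES:
        return False
    if len(prior_attempts) >= policy.max_attempts:
        return False
    if prior_attempts and now - max(prior_attempts) < policy.min_gap:
        return False
    if prior_attempts and now - min(prior_attempts) > policy.window:
        return False
    return True


if __name__ == "__main__":
    today = date(2024, 6, 1)
    token = PaymentToken("ntk_demo", "network", reauth_due=date(2024, 12, 31))
    print(choose_psp(token, SAMPLE_PSPS, today).name)
    print(should_retry("insufficient_funds", [], RetryPolicy(), datetime(2024, 6, 1, 12)))
```

The scoring function is deliberately simple; the value of the structure is that eligibility and scoring are separate, so a newly onboarded PSP that cannot take vault submissions is excluded before any cost comparison, and the retry policy is data the tracking function can tune rather than logic buried in the checkout path.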
Find a Tokenization Provider
When done right, tokenization reduces your risk, reduces your cost, increases your close rates, and improves security for your customers. Avoiding pitfalls with tokenization requires planning, and a dedication to considered management of the tokens and the systems that use them.
A network token, managed by a programmable token vault, can be used effectively, efficiently, and with virtually any payment provider in the world.