Omnichannel Tokenization
In today’s personalized e-commerce environment, any friction in the payment process can be the difference between a successful sale and a missed opportunity. Online consumers expect to spend the least amount of time possible getting through the purchase process, but merchants want to manage their processing costs to maximize margins.
Reconciling these apparently incompatible desires is fundamental to balancing the scales between business economics and user experience. Implementing an omnichannel tokenization strategy can be the key to building a strong foundation. Omnichannel tokenization involves three elements:
- The consumer’s payment details are stored in a secure third-party vault.
- The merchant receives a token (a randomized string), which gives them access to send the payment details, but not to see them.
- The merchant uses the token to direct the third-party vault to route the payment details to their preferred payment processor.
The merchant, therefore, can accelerate the process of completing future payments by not requiring the customer to re-enter their details, and never storing those details in their own system. Indeed, the token that the merchant stores as a ‘key’ to accessing the customer’s details through the third-party vault can never be decrypted, nor can it be used to initiate payments by anyone other than the approved merchant.
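The three elements above as a minimal in-memory sketch; this is an added example, not code from the original page or from any vault provider. The `TokenVault` class, the merchant IDs, the processor names (`psp_a`, `psp_b`) and the stub processors are hypothetical, and the card number is a constructed test value.

```python
import secrets


class TokenVault:
    """Toy in-memory vault; a real one is a hardened third-party service."""

    def __init__(self, processors):
        self._records = {}              # token -> (owning merchant, card details)
        self._processors = processors   # processor name -> callable(card, amount)

    def tokenize(self, merchant_id, pan, expiry):
        # The token is random, not derived from the PAN, so there is nothing
        # to decrypt: it is only a lookup key into the vault.
        token = "tok_" + secrets.token_urlsafe(24)
        self._records[token] = (merchant_id, {"pan": pan, "expiry": expiry})
        return token

    def forward(self, merchant_id, token, processor, amount_cents):
        record = self._records.get(token)
        # Unknown tokens and tokens presented by another merchant fail alike.
        if record is None or record[0] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        if processor not in self._processors:
            raise ValueError("unknown processor")
        # Card details travel vault -> processor; the merchant gets only the result.
        return self._processors[processor](record[1], amount_cents)


def make_processor(name):
    """Hypothetical PSP stub: approves everything, echoes non-sensitive fields."""
    def charge(card, amount_cents):
        return {"processor": name, "approved": True,
                "last4": card["pan"][-4:], "amount_cents": amount_cents}
    return charge


def demo():
    vault = TokenVault({n: make_processor(n) for n in ("psp_a", "psp_b")})
    token = vault.tokenize("merchant-1", "4111111111111111", "12/30")  # constructed test PAN
    first = vault.forward("merchant-1", token, "psp_a", 2500)
    second = vault.forward("merchant-1", token, "psp_b", 2500)  # same token, other PSP
    try:
        vault.forward("merchant-2", token, "psp_a", 2500)
        rejected = False
    except PermissionError:
        rejected = True                 # token is bound to merchant-1
    return token, first, second, rejected


if __name__ == "__main__":
    print(demo())
```

The merchant side of this exchange holds only the `tok_...` string and the processor's response, which is what keeps the card number out of the merchant's own systems.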
Comparing Omnichannel Tokenization to Other Tokenization Options
In the payments world, there are several different tokenization options available, though most do not offer the flexibility of omnichannel tokenization. For example:
- PSP tokenization: a specific payment service provider (PSP) may offer tokenization, which achieves many of the same benefits as omnichannel tokenization, to wit, protecting the cardholder’s data from intrusion into the merchant’s payment systems, and the ability to transmit future payments smoothly. However, PSP tokenization is limited to the associated PSP. In other words, the merchant must use the PSP token to transact via the issuing PSP, eliminating their flexibility to build a network of PSP partners to optimize processing fees and routing options.
- Card network tokenization: a deeper-in-the-system option, in which the merchant stores a token provided by the card network (e.g., Visa, Mastercard, etc.) that is specific to the merchant. While this protects the cardholder data, increases close rates, and can shift fraud responsibilities from the merchant to the card network, it is challenging to build and maintain, as each card network has its own set of requirements and standards to keep up with.
The base concept of omnichannel tokenization is that the merchant uses a consistent approach to store tokens for any payment method, with the corresponding details stored in a common secure vault. The merchant then can concentrate development efforts on building a robust decisioning engine to route each transaction for the maximum likelihood of processing success at the lowest possible cost.
Who benefits from omnichannel tokenization?
Omnichannel tokenization is a rare win-win in the world of e-commerce! While it certainly benefits the merchant to develop options on how, and with which partner to complete transactions, it is also wise to have payment details securely stored in an alternative location fully hardened against penetration and data breaches.
For the merchant, the balance is clear: with a token in place that is not associated with a particular PSP partner, the merchant is free to add, replace, and remove other payment partners over time, pursuing the perfect combination of transaction success and cost. In addition, by opting to store the clear-text cardholder data outside their system, they inoculate themselves from the resource drain of many complex PCI-DSS efforts and gain the confidence that they are not vulnerable to embarrassing and expensive data breaches.
By contrast, while the consumer may never know the difference between merchants who practice omnichannel tokenization and those who do not, they should never have to experience the cold feeling of fear and betrayal accompanying the news that their preferred e-commerce merchant has been hacked or breached.
With their payment details safely stored at a third-party vault, the risk of identity theft or damage is meaningfully reduced.
Omnichannel tokenization eases PCI-DSS costs, concerns
One of the most expensive elements of maintaining a sophisticated payment system for most merchants is remaining in compliance with the stringent requirements of the PCI-DSS standard. Long story short, being PCI-compliant means annually ensuring the safety and security of all customer personally identifiable information (PII). For merchants that intend to store any cardholder data within their database, this can mean significant costs, as well as the need to pay an external Qualified Security Assessor (QSA) to validate their efforts on an annual basis.
Omnichannel tokenization eliminates a large chunk of the concern because the merchant simply doesn’t have the customer’s cardholder data stored in a format that could ever be used, or even reverse-engineered into its original form.
Tokenization, by definition, replaces the usable data with a randomized string, which cannot, under any circumstances, be converted back into the underlying data (this is in contrast to encryption, where the data could be converted back to its original form by anyone who can access, or ‘crack,’ the decryption key).
Merchants using an omnichannel tokenization strategy not only reduce the cost and complexity of their PCI-compliance program, but also sleep better at night in full confidence that no data breach could expose their customers’ details to the world.