What Payment Tokenization Means to a Merchant
Payment tokenization replaces the sensitive data exchanged during a transaction with a unique identifier (a token) that has no exploitable relationship to the original value. The sensitive data is stored securely in a vault, and the token is presented and validated in its place to authorize a transaction.
Merchants have three options for payment tokenization:
- Card networks
- Payment service providers (PSPs)
- Third-party tokenization platforms
How Payment Tokenization Works
For most merchants seeking to execute a payment tokenization strategy, there are effectively three core elements:
- Credit Card Data Collection: Rather than hosting their own forms and storing card data in their own database, merchants embed forms that deliver the details directly to their tokenization provider. The provider responds to the merchant with a confirmation code and a token that can later be used to reference the stored information.
- Data Storage and Update: the sensitive information remains in the care of the tokenization provider in a secure token vault, which the provider maintains under full Level 1 PCI-DSS compliance. If the customer wants to update their stored information, the merchant provides another form that again delivers the update directly to the tokenization provider.
- Transmitting the Tokenized Data: using the token (after passing the provider's identification and authorization checks), the merchant instructs the tokenization provider to transmit the card data to the PSP of its choice. The provider executes the transaction and returns the result to the merchant for its records, without ever revealing cardholder data that would bring the merchant's payment system into PCI scope.
A real-world example of how payment tokenization works can be found with Passes, a creator platform enabling fans to access exclusive content and experiences. Because of the perceived high-risk nature of the platform, many PSPs that specialized in high-risk transactions were slow, difficult to work with, and could shut them down without warning.
The company wanted a cascading payment strategy, where alternate PSPs could be engaged depending on various factors for each transaction. Passes chose Basis Theory for payment tokenization and routes the resulting tokens to the appropriate PSP based on those factors.
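As an added example (not code from the page, from Passes, or from Basis Theory), the simulation below walks through the three elements above plus the cascading routing in the Passes story: a mock vault stands in for the tokenization provider, and the merchant side keeps only the token and display metadata. TokenVault, MockPSP, store_card, cascade_charge, merchant_holds_pan and the test card number are all constructed for illustration.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the vault rejects malformed numbers before storing them."""
    total, parity = 0, len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Plays the tokenization provider: the only component that ever holds a PAN."""
    def __init__(self):
        self._pans = {}  # token -> PAN; never returned to the merchant
    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("rejected card number")
        token = "tok_" + secrets.token_urlsafe(16)  # random; not derivable from the PAN
        self._pans[token] = pan
        return {"token": token, "last4": pan[-4:]}  # what the merchant's form receives
    def charge(self, token: str, amount_cents: int, psp) -> dict:
        return psp.authorize(self._pans[token], amount_cents)  # vault, not merchant, sends PAN

class MockPSP:
    """Constructed stand-in for a PSP; up=False simulates a provider that is down."""
    def __init__(self, name: str, up: bool = True):
        self.name, self.up = name, up
    def authorize(self, pan: str, amount_cents: int) -> dict:
        approved = self.up and amount_cents > 0
        return {"psp": self.name, "approved": approved, "last4": pan[-4:] if approved else None}

def store_card(merchant_db: dict, customer_id: str, form_pan: str, vault: TokenVault) -> dict:
    # Merchant side: the embedded form hands the PAN to the vault; only the token is kept.
    merchant_db[customer_id] = vault.tokenize(form_pan)
    return merchant_db[customer_id]

def cascade_charge(vault: TokenVault, token: str, amount_cents: int, psps: list) -> dict:
    """Cascading strategy: route the same token to each PSP in turn until one approves."""
    for psp in psps:
        result = vault.charge(token, amount_cents, psp)
        if result["approved"]:
            return result
    return {"approved": False, "reason": "all PSPs declined"}

def merchant_holds_pan(merchant_db: dict, pan: str) -> bool:
    """Scope check: a full PAN anywhere in merchant storage would pull it into PCI scope."""
    return pan.replace(" ", "") in repr(merchant_db)
```

Because the token is random rather than derived from the PAN, switching or adding PSPs only changes which provider the vault is asked to forward to; the merchant's stored tokens stay valid.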
Payment Tokenization by Card Networks
Card networks offer their own tokenization solutions, generally referred to as network tokenization.
In this scenario, the card network delivers a token in place of the primary account number (PAN) throughout the payment process, eliminating the need to transmit the cardholder's PAN to any other participant in the transaction. The network can represent the same payment instrument differently for each request, limiting the damage that can be done if there is a data breach. This is what is known as credit card processing tokenization.
Merchants benefit from reduced PCI-DSS responsibilities (they no longer handle the PAN in plain text), and transactions using network tokens see a higher approval rate.
However, network tokenization can be challenging for online merchants to implement and maintain. It requires the cooperation of several participants, not least the customer, to ensure that only network tokens, never raw PANs, land inside the merchant's systems.
Tokenized Payments by PSPs
Many Payment Service Providers (PSPs) deliver an extensive set of services to cover all aspects of payment transactions, from card data collection and storage to merchant bank settlement. One service particularly popular from full-service PSPs (aggregators) is tokenized payments.
In this scenario, even though the PSP itself may collect the actual details of a customer’s credit card, it provides only a token to the merchant. In this way, the merchant is released from many of the requirements related to PCI-DSS because it never actually has access to cardholder data in readable form.
However, in this scenario the PSP stores the cardholder information and the token is valid only for that provider, so the merchant can use the stored card only when transacting through that PSP. If the merchant wants to extend its processing to more than one PSP (say, to improve performance in another geography), or to replace its current partner with another, it risks having to re-collect payment information from all of its existing customers.
This can represent a significant resource drain for the merchant and negatively impact customer satisfaction.
Third-Party Tokenization Providers
Third-party tokenization service providers like Basis Theory deliver the same secure collection, storage, and access benefits PSPs offer, alongside the flexibility to automate and optimize payment systems by adding and removing PSPs at any time. The third-party tokenization partner collects each card exclusively on behalf of the merchant, provides the merchant with the token needed to reference the information, and lets the merchant select which downstream partner (generally a PSP) to share it with to complete each transaction.
Merchants find that this approach offers a shorter implementation time and a lower maintenance load than network tokenization. Implementing a payment tokenization solution like Basis Theory reduces the cost and risk of regulatory compliance, offers the flexibility to reduce costs by automating payments across multiple PSPs, and drastically reduces the risk of data breaches.