
    What is Tokenization in Payments?

    Tokenization in Payments

    Tokenization is a process by which sensitive data is exchanged for a unique identifier (the token) that bears no usable relationship to the original value. The sensitive data is stored securely by the tokenization provider, and the token must be presented by an authenticated and authorized party before it can be used in any way. In practical terms, this means that merchants building secure, PCI-compliant payment mechanisms can have customers’ credit card details collected and stored by a third party, using a ready-made secure environment without having to build one within their own organization.

    Merchants have three options for payment tokenization: delivery by card networks, by PSPs, or by third-party tokenization providers.

    Tokenization Delivered by Card Networks

    Card networks have released tokenization solutions, generally referred to as network tokenization. In this scenario, the card network substitutes a token for the primary account number (PAN) throughout the span of the payment process, eliminating the need to transmit a cardholder’s information to any other participant in the transaction. In this way networks can represent the payment instrument of their cardholder differently for each request, limiting the damage that can be done if there is a data breach.

    Merchants do get the benefit of reducing their PCI-DSS responsibilities (as they no longer have access to the PAN in plain text), and transactions using network tokens offer a higher close rate. However, for merchants doing business online, this can be challenging to build and maintain, as it requires the cooperation of a number of participants - not least the customer - to ensure that only network tokens, and never raw PANs, land inside the merchant’s systems.

    Payment Tokenization Delivered by Payment Service Providers

    Many Payment Service Providers (PSPs) deliver an extensive set of services to cover many of the aspects of payment transactions, from card data collection and storage through to merchant bank settlement. One of the services particularly popular from full-service PSPs (also known as aggregators) is tokenization. In this scenario, even though the PSP itself may collect the actual details of a customer’s credit card, the PSP provides only a token to the merchant. In this way, the merchant is released from many of the requirements related to PCI-DSS, because they never actually have access to cardholder data in readable form.

    However, in this scenario, the cardholder information is stored entirely by the PSP, meaning that the merchant can use it only when working with that PSP, because the token is valid for that one provider alone. So if the merchant wants to extend their processing system to encompass more than one PSP (say, to improve their performance in another geography), or even to replace their current partner with another, they are at risk of having to re-gather payment information from all their existing customers. This can represent a significant resource drain for the merchant and negatively impact customer satisfaction.

    Payment Tokenization is Best Delivered by a Third Party

    Third-party tokenization service providers like Basis Theory deliver the secure collection, storage, and access benefits offered by PSPs, alongside the flexibility to automate and optimize payment systems by adding and removing PSPs at any time. The third-party tokenization partner collects each credit card exclusively on behalf of the merchant, provides them with the token they need to access the information, and enables them to select which downstream partner (generally a PSP) they wish to share it with to complete transactions.

    Merchants find that this approach offers a shorter implementation time and lower maintenance load than network tokenization, and substantially greater flexibility than PSP-offered tokenization, while delivering the benefits offered by each.

    How Payment Tokenization Works

    For most merchants seeking to execute a payment tokenization strategy, there are effectively three core elements:

    • Credit card data collection: rather than hosting their own forms and storing the data in their own database, merchants embed forms that deliver the details directly to their tokenization provider. The provider responds to the merchant with a confirmation code and a token which can be used to access this information.
    • Data storage and update: the sensitive information remains in the care of the tokenization provider in a secure token vault, which guarantees full Level One PCI-DSS regulatory compliance. If the customer wants to update their stored information, the merchant provides another form that again delivers the update to the tokenization provider.
    • Transmitting the tokenized data: using the token (after passing the provider’s identification and authorization checks), the merchant tells the tokenization provider to transmit the credit card data to the PSP of their choice. The provider executes the transaction and brings the result back to the merchant for their records - without ever revealing cardholder data that could bring the merchant’s payment system into scope for PCI.
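    The three elements above, as an added illustration that is not Basis Theory’s code or API: a minimal token vault that accepts a card, returns only a random token and the last four digits to the merchant, lets the merchant update the stored expiry, and forwards the PAN to an allowed PSP without ever returning it to the merchant. The PSP identifiers, merchant identifiers and the PSP stand-in function are constructed for the example; a real vault would encrypt the records and authenticate the merchant’s API calls.

```python
import secrets

# Constructed PSP identifiers; a real vault holds credentials for each PSP.
ALLOWED_PSPS = {"psp_us", "psp_eu"}


def luhn_ok(pan):
    """Reject malformed PANs at collection time, before anything is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _psp_authorize(psp, pan, expiry):
    """Stand-in for the PSP call: the PSP sees the PAN, the merchant never does."""
    return luhn_ok(pan) and len(expiry) == 5


class TokenVault:
    """Stores PANs on the merchant's behalf; the merchant only ever handles tokens."""

    def __init__(self):
        self._records = {}    # token -> record (encrypted at rest in a real vault)

    def tokenize(self, merchant_id, pan, expiry):
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)   # random, so not derivable from the PAN
        self._records[token] = {"merchant": merchant_id, "pan": pan, "expiry": expiry}
        return {"token": token, "last4": pan[-4:]}  # only non-sensitive fields leave the vault

    def update_expiry(self, merchant_id, token, expiry):
        self._owned(merchant_id, token)["expiry"] = expiry

    def forward(self, merchant_id, token, psp):
        if psp not in ALLOWED_PSPS:
            raise PermissionError("unknown PSP")
        rec = self._owned(merchant_id, token)
        approved = _psp_authorize(psp, rec["pan"], rec["expiry"])
        return {"psp": psp, "approved": approved, "token": token}  # no PAN in the result

    def _owned(self, merchant_id, token):
        rec = self._records.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            raise PermissionError("token not found for this merchant")
        return rec
```

    Tokenizing the same card twice yields two unrelated tokens, and neither the tokenize nor the forward response ever contains the PAN.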

    Payment tokenization providers offer extensive API interfaces, prepared templates, and design guides to accelerate the implementation process.

    Tokenization Solves the Trickiest Payment Problems

    Managing payment systems can be complex, expensive, and time-consuming. Implementing a payment tokenization solution like Basis Theory reduces the cost and risk of regulatory compliance, offers the flexibility to reduce costs by automating payments and involving multiple PSPs, and drastically reduces the risks of data breaches and hacks.
