Tokenization is a process through which sensitive information or data is replaced with a unique set of characters that retain all the essential information without compromising the security of the sensitive information.

In the payments space, tokenization is the process of replacing the 16-digit payment card account number with a unique digital identifier known as a ‘token’ in mobile and online transactions. This token then allows payments to be processed without exposing sensitive account details that could breach security and privacy.

Substitution methods like tokenization have been around for a while as a way to separate data across ecosystems and databases. Before tokenization was introduced, encryption with reversible cryptographic algorithms was the preferred method of protecting sensitive data. Unlike encryption, which encrypts cardholder data at the origin and then decrypts it at the destination, tokenization replaces sensitive cardholder details with a stand-in token. Because tokens are assigned at random rather than derived from the card number, it is almost impossible to reverse-engineer or otherwise compromise a token.

To better understand the process of tokenization, let’s take a look at what happens from the moment a customer uses a credit card to the moment the payment is processed.

  • A credit card is swiped at a POS machine or is used for an online transaction.
  • The credit card number is passed to the tokenization system.
  • The tokenization system generates a string of 16 random characters to replace the original credit card number.
  • The tokenization system returns the newly generated 16-character random token to the POS machine or e-commerce site, which stores it in place of the customer’s credit card number.

Curious about what a token looks like?

There are two types of tokens: format-preserving tokens and non-format-preserving tokens.

Format-preserving tokens maintain the appearance of the 16-digit credit card number.

Example:

Card number: 5945 8612 5953 6391

Format preserving token: 4111 8765 2345 1111

Some format-preserving tokenization schemes go further and keep the IIN (the first 6 digits) as well as the last 4 digits of the card number unchanged, so that only the middle digits are replaced.

Non-format-preserving tokens do not resemble the original credit card number and can include both alphabetic and numeric characters.

Example:

Card number: 5945 8612 5953 6391

Non-format preserving token: 25c92e17-80f6-415f-9d65-7395a32u0223

At Razorpay we use non-format-preserving tokens in the form of a 14-character alphanumeric string.
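To make the flow and the token shapes above concrete, here is a small tokenization vault written for this post (an added illustration, not Razorpay’s implementation). It assumes a 16-digit card number, draws every token from a cryptographically secure random source instead of deriving it from the card number, and supports the three shapes discussed: 16 random digits, IIN and last 4 preserved, and a 14-character alphanumeric token. The merchant name and scheme names are constructed for the example.

```python
import secrets
import string

DIGITS = string.digits
ALNUM = string.ascii_lowercase + string.digits


class TokenVault:
    """Minimal tokenization vault (constructed example, not a vendor's code).

    Tokens are drawn at random, so a token carries no information about the
    card number; the only way back is the mapping held here. The same card
    tokenized for two merchants gets two unrelated tokens.
    """

    def __init__(self):
        self._pan_by_token = {}   # token -> PAN: the only copy of the card number
        self._token_by_key = {}   # (merchant, PAN) -> token issued to that merchant

    def tokenize(self, merchant, pan, scheme="alnum"):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit card number")
        key = (merchant, pan)
        if key in self._token_by_key:        # same card, same merchant: reuse
            return self._token_by_key[key]
        while True:
            token = self._draw(pan, scheme)
            # never hand out the PAN itself, and never reuse an issued token
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_key[key] = token
        return token

    def detokenize(self, token):
        """Only the vault, which stays in PCI DSS scope, can reverse a token."""
        return self._pan_by_token[token]

    @staticmethod
    def _draw(pan, scheme):
        if scheme == "digits":      # format preserving: 16 random digits
            return "".join(secrets.choice(DIGITS) for _ in range(16))
        if scheme == "iin_last4":   # keep IIN (first 6) and last 4, randomise the middle
            return pan[:6] + "".join(secrets.choice(DIGITS) for _ in range(6)) + pan[-4:]
        if scheme == "alnum":       # non-format preserving: 14 alphanumeric characters
            return "".join(secrets.choice(ALNUM) for _ in range(14))
        raise ValueError("unknown token scheme")
```

The de-tokenization path is the only place the card number reappears, which is why the vault itself stays inside the protected environment while everything that holds only tokens can be moved out of it.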

What is the impact of tokenization on online businesses?

Credit card tokenization improves the data security of online businesses from the point of data capture through to storage, because the actual credit card numbers are no longer stored in POS machines and internal systems. But the greatest benefit of tokenization is that it minimizes the impact of security breaches for merchants.

Since merchants are storing tokens instead of credit card numbers in their systems, hackers will acquire tokens which are of no use to them. Breaches are expensive, and many retailers and banks have experienced huge losses as a result of data theft. Tokenization helps minimize this.

What is the impact of tokenization on customers?

Apart from the comfort that comes with knowing that your credit card is less likely to be compromised, tokenization is also very convenient for customers in the case of fraud or theft. This works because a separate token is issued for the same card on each platform that uses tokenization.

So even if a website you use gets breached and the tokens are acquired by an attacker, it’s difficult to reverse-engineer the actual card number from them, since access to the tokenization system itself would also be needed.

Does using tokenization make you PCI DSS compliant?

Storing tokens instead of credit card numbers is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS (Payment Card Industry Data Security Standard) requirements.

The following key principles relate to the use of tokenization and its relationship to PCI DSS:

  • Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply.
  • Verifying the effectiveness of a tokenization implementation is necessary and includes confirming that a financial card number is not retrievable from any system component removed from the scope of PCI DSS.
  • Tokenization systems and processes must be protected with strong security controls and monitoring to ensure the continued effectiveness of those controls.
  • Tokenization solutions can vary greatly across different implementations, including differences in deployment models, tokenization and de-tokenization methods, technologies, and processes.
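The second principle above, confirming that no card number survives in a component removed from scope, can be checked mechanically. The following scan is an added example, not part of the PCI DSS guidance or any vendor tool; it runs over constructed sample records, flags 16-digit values that pass the Luhn check, masks them to first 6 and last 4 for the report, and accepts a list of tokens known to the vault, because a format-preserving token such as the one shown earlier in this post also looks like a card number.

```python
import re

# Constructed export from a merchant system that was taken out of PCI DSS scope
# because it should hold only tokens (hypothetical records, not real data).
SAMPLE_RECORDS = [
    {"order": "ord_1001", "card_ref": "25c92e17-80f6-415f-9d65-7395a32u0223"},
    {"order": "ord_1002", "card_ref": "7k3p9q2r1s8t4u"},
    {"order": "ord_1003", "card_ref": "4111 8765 2345 1111"},
    {"order": "ord_1004", "note": "customer called, card 5945 8612 5953 6391 declined"},
]

# 16 digits, optionally separated by single spaces or dashes, not inside a longer digit run
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(records, issued_tokens=frozenset()):
    """Return (order, field, masked number) for every PAN-looking value.

    issued_tokens: format-preserving tokens known to the vault; they look
    like card numbers and can pass Luhn, so only the vault can clear them.
    """
    findings = []
    for rec in records:
        for field, value in rec.items():
            for match in PAN_PATTERN.finditer(str(value)):
                digits = re.sub(r"[ -]", "", match.group(0))
                if digits in issued_tokens or not luhn_ok(digits):
                    continue
                findings.append((rec["order"], field, digits[:6] + "******" + digits[-4:]))
    return findings
```

Without the vault’s token list the scan reports both the free-text leak and the format-preserving token, which is the point of the principle: pattern matching alone cannot tell a token from a real card number.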

Both tokenization and encryption are widely used today to protect sensitive data stored in cloud services or internal applications. An organisation can decide to use encryption, tokenization, or a mix of both, depending on its use case and on the different types of data it wants to secure.