Tokenization

Save payment information

Security is paramount when handling sensitive payment information. Tokenization is an additional security layer on top of encryption that protects this sensitive data. Tokens allow merchants to reference payment details stored in a secure vault for card on file transactions and recurring payments. These tokens can be stored by merchants without affecting their PCI DSS scope and without the risk of exposing sensitive customer information.

What is Tokenization?

Tokenization refers to the process substituting sensitive data - such as a credit card’s PAN (Primary Account Number) and CVV (Card Verification Value) - with a so-called token. A token is a random series of characters containing no sensitive data. Instead, it serves as a reference to the data it replaces.

A token thus serves as a security measure, and you can store tokens with no risk of exposing the underlying credit card data in the event of a data breach. This provides an additional layer of security for cardholders.

IXOPAY offers two types of tokenization, gateway tokenization and network tokenization.

Gateway Tokenization

Gateway tokens are tokens issued by IXOPAY and reference payment instruments stored in IXOPAY’s secure vault. IXOPAY tokens can be used with any payment provider connected via IXOPAY that supports the tokenized payment method.

The following payment instruments can be stored and tokenized in IXOPAY:

Credit cards (VISA, Mastercard, Discover, JCB and American Express)
Bank account details (IBAN)
Google Pay account details
Apple Pay account details

Use IXOPAY’s Account Updater to ensure that credit card details stored in IXOPAY’s secure PCI Vault are always up-to-date.

Network Tokenization

Network tokens are issued by the credit card schemes themselves. IXOPAY provides network tokenization as a Token Requestor Aggregator service, approved by Visa and Mastercard, and stores the network tokens in our PCI vault.

Changes to the underlying card data are automatically updated by the schemes and do not require a new token to be generated. Instead, the existing token continues to reference the same card with updated information.

Tokenization overview - how tokenization works — PCI tokenization process flow for transactions: A token consists of random characters that do not contain any sensitive data. The token refers to payment details that are stored in a secure vault. This increases security and allows merchants to store tokens for card-on-file transactions and recurring billing without the risk of sensitive data being exposed in the event of a data breach.

Avoiding Provider Lock-in with IXOPAY

Many PSPs provide their own tokenization services. However, these tokens only work with that provider, which leads to a high degree of dependence on a single provider and prevents you from switching to another provider with better conditions. It also poses a significant business risk in a volatile market; if the PSP goes out of business or decides to terminate your contract, you will need to find an alternative provider who will be unable to use your tokens. This can require customers to re-enter their card details and degrades the user experience.

Tokens issued by IXOPAY can be used to process transactions through any payment provider connected to IXOPAY. You can thus route transactions to whichever provider is best suited to process it - local providers typically have higher authorization rates and charge lower fees. Furthermore, you can implement automatic failover for transactions. If your primary PSP is unavailable for technical reasons or the initial transaction receives a soft decline, you can automatically retry the transaction via an alternative provider. This process is invisible to the consumer, and can result in a significant increase in sales. IXOPAY merchants report recovering up to 15% of initially declined transactions through such cascading.

Vendor dependency with and without IXOPAY

Payment Orchestratioj beseitigt die Abhängigkeit von einem bestimmten Zahlungsanbieter. Der Wechsel des Anbieters ist einfach und erfordert keine zusätzliche Implementierung, da alle Anbieter über dieselbe API integriert sind.

Interested in learning more?

Let's schedule a tech demo!

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months