Tokenization: Control Your Payment Data

Don’t be held hostage by your payment provider
September 15, 2020 | Expertise

Tokenization is the new zeitgeist in digital payments, with many payment providers and payment solutions offering card vaulting and tokenization capabilities. But what is it? Are there different forms? What type of flexibility will you have with your data? What happens to this data when you wish to switch payment service providers?

What is tokenization?

The current trend is seeing organizations move away from encryption, which requires a key to decipher the coded data, and move towards tokenization and data vaulting, as it allows users to store credit card information in mobile wallets, eCommerce solutions, and POS software. This storage of sensitive payment data gives consumers the opportunity to make further payments without re-entering their card information. 

The term is used to describe the practice of replacing sensitive card information with a randomly generated number called a token. It is a measure against credit card fraud. With credit cards, the customer’s primary account number (PAN) is replaced with numbers, called a “token” that is then used to process payments without bank details being exposed, keeping the actual details safe within a PCI compliant vault. The token is secure, it holds no payment data and is useless if stolen

Who is allowed to store/tokenize payment data? 

In order to process, store, transmit credit or debit cardholder data you (the merchant) or your card vaulting provider must be Payment Card Industry Data Security Standard (PCI DSS) compliant. It is generally recommended to use a PCI DSS compliant partner rather than storing the data yourself as keeping up to date with data compliance requirements is an expensive and time-consuming task. In addition, an annual audit by an independent external auditor is necessary in order to maintain the PCI DSS status.

How does payment data storage work?

There are multiple acceptance channels, also known as Omnichannel, which includes: e-Commerce, Data Vaulting, Recurring Payments, Batch Processing, Virtual Terminal Proxy, Web Services, etc. In order to accept payments, these channels need to be connected to a payment gateway. The payment gateway stores this information in their vault (see above) and when a returning customer makes a purchase they will automatically fill in the payment information, this is a proven way to increase conversion rates. But why else should you do it:

  • It provides enhanced customer assurance as no personal data is transferred.
  • It increases security and protects against potential data breaches, the token is useless on its own and cannot be reverse-engineered. 
  • By using a payment management solution you do not have to capture sensitive information and therefore reduce your PCI compliance scope.

What are the dangers of storing your data directly with your payment provider?

However, there are dangers in storing this information directly with the payment gateway. Some payment processors who offer a payment vault will use your data to stop you from forming partnerships with another provider. Creating an exit barrier, if you will, by refusing to hand over your payment data. This Payment hostage situation can severely limit your growth and highlights the importance of having a provider agnostic platform.

The solution to payment provider lock-in

A way in which you can avoid vendor lock-in is to use a payment management platform or a third-party tokenization service. In doing this your payment service provider or providers do not store or have any sort of access to your customer payment data. For example, IXOPAY utilizes tokenization software to prevent card numbers from ever entering the merchant’s system. When the payment field pops up, the IXOPAY solution will capture the number outside of the merchant’s ERP application, retrieve and store it securely and return a token in its place; this is done with either a secure browser field or via an integrated checkout option

No matter what payment services provider you use to process the transaction you can use your client token (so long as it is the same payment method). This third-party independent credit card vault also takes the compliance strain off of the merchants and gives them the freedom they need to switch or add new payment providers. Having a multi-acquirer or multi-PSP set-up allows for a flexible payments infrastructure, giving the organization the ability to set-up the most efficient payment process strategy for their business.

How does IXOPAY handle your data?

IXOPAY views the customers’ data as the customers’ own, it has no right to the data and acts only as a 3rd (third) party vault and secure storage facility. IXOPAY’s central repository is PCI DSS, Level 1 compliant. You can view the certificate here. To find out more about the platform’s features and how tokenization can improve your business, get in touch with our sales team, who will provide a platform demo and answer any of your questions.

Alternative ways in which payment data can be tokenized

However, there are forms of tokenization that happen outside of the eMerchants business such as digital or eWallets and card scheme network tokens. 

A digital or eWallet, like Apple Pay or Google Pay, works differently to a traditional card payment tokenization, as the wallet has already tokenized a customer's data. If you accept eWallets as a payment method via your eShop, the customer simply has to login to the app and approve the transaction to complete the purchase.

A new form of tokenization is also being implemented at the payments card network level. This means payment service providers are unable to hold your data hostage as the token is created by your customers’ card scheme. It also gives the consumer more control on how they would like to manage their payments. However, in order for it to work both the cardholder and the eMerchant have to have registered for this form of tokenization. eMerchants will also have to sign up to schemes with a variety of payment card networks

Take control of your payments with IXOPAY

Get in touch!



IXOPAY is a payments orchestration platform enabling independent, flexible and global payment processing. As a highly scalable and PCI-DSS certified “fintech enabler”, IXOPAY fulfills the needs of large merchants as well as those of “white label” clients: payment service providers (PSPs), acquirers and independent sales organizations (ISOs). The modern, easily extendable architecture offers smart transaction routing & cascading, state-of-the-art risk & fraud management, fully automated reconciliation and settlements processing, comprehensive reporting as well as plugin-based integration of acquirers, payment service providers and alternative payment methods (APMs).

IXOPAY is part of the IXOLIT Group, founded in Vienna, Austria in 2001. With local entities in Austria and the USA, IXOLIT supports national and international customers across various industry verticals. The owner-led and -financed company has grown from 2 to more than 65 employees and is focused on building innovative solutions for eCommerce.

Please find more information about IXOPAY here:

You might also be interested in: