PCI and Tokenization on the Rise

Tokenization is a security mechanism that protects sensitive data, such as credit card accounts. In this article, we will take a look at some of the different types of tokenization used to facilitate credit card payments, how they work, what advantages they offer, and what the future holds.

At its simplest level, a token can be used as a replacement for credit card details when carrying out a transaction. Instead of directly storing and processing the PAN and the CVV (during an ongoing transaction), merchants simply store tokens in a user’s account for Card on File (COF) transactions. This token is forwarded to the merchant’s payment service provider (PSP) or payment orchestration platform (POP), where the associated credit card details are actually stored. The PSP or POP then forwards the actual card details on behalf of the merchant. Because the token itself is generated in a way that means it contains no sensitive information, storing a token poses a much lower security risk. This in turn reduces compliance requirements for merchants, as the actual sensitive data is stored elsewhere - in a secure vault at the payment service provider or on a payment orchestration platform. This method began gaining traction in the early 2010s following several high-profile data breaches at merchants.

Tokenization offers clear advantages to merchants. It shifts much of the burden of PCI DSS (Payment Card Industry Data Security Standard) compliance to your PSP or POP, outsourcing the high costs of compliance and security while potentially eliminating the need for expensive regular external audits. It also offers clear benefits to cardholders: if a merchant only stores a token locally, there is no risk of exposing card details in the event of a data breach. Instead, the credit card details referenced by the token are stored remotely in a secure, PCI DSS-compliant vault, either at the merchant’s PSP or POP (e.g. IXOPAY’s Card Vault). This method is referred to as “gateway tokenization”.

In gateway tokenization, the credit card details entered by a customer are sent to the gateway, which could be a PSP or POP (e.g. IXOPAY). The card details themselves are stored in the gateway provider’s secure vault, who then provides the merchant with a unique token that can be used for future COF transactions. Because the token poses a much lower security risk, it can be stored by merchants locally without needing to meet the stringent requirements of PCI DSS Level 1, the costs of which can be significant. By reducing their scope and only storing tokens, merchants can qualify for lower levels of PCI DSS compliance, dramatically reducing costs and overheads.

Network tokenization is an attempt by the credit card schemes to address these issues. Instead of the gateway provider issuing a token to a merchant, tokens are issued by the credit card schemes (e.g. Visa, MasterCard, American Express etc.) themselves. Once again, these tokens can be stored by merchants for future use or recurring payments (Card on File). But as the token is generated by the credit card schemes themselves, any changes to the underlying card data do not require the credit card details to be updated by the cardholder. Instead, the card details referenced by the token are updated by the credit card scheme and the token can continue to be used by the merchant as if no changes had taken place.

Using this model, each merchant is again issued a unique token. If one token is acquired by malicious actors as the result of a data breach, other merchants remain unaffected. Only the victim of the attack needs to take action to invalidate the existing tokens.

For cardholders, this results in a much more seamless shopping experience, as they only need to enter their card details once, and can then opt to save their details for future use. Merchants get the benefits of Card on File (COF) while not having to meet the stringent requirements of PCI DSS Level 1. The net result is an improved experience for cardholders, which in turn can result in increased sales volumes and lower cart abandonment rates, while also reducing fraud. According to a Visa report published in May 2022, authorization rates increased by an average of 2.5% when using network tokens as compared to transactions using PANs, with fraud reduced by 26%.

Looking to the future, the next big change on the horizon is the introduction of Secure Remote Commerce (SRC). SRC was recently introduced in some regions by EMVCo, which is owned by the major card networks, and builds on the concept of network tokenization. SRC offers customers a streamlined purchasing experience similar to the popular “Buy Now” buttons, marketed to consumers as “Click to Pay”.

Using SRC, cardholders store their tokenized card details in a digital wallet provided by the credit card schemes. This wallet provides consumers with a single place to store all their credit cards (Visa, Mastercard, American Express etc.), while the tokens themselves are tied to the device storing the wallet (phone, notebook etc.). No card details are stored on the device itself. All the cardholder sees is the so-called card art, which includes a graphical depiction of the card, and the last 4 digits of the PAN, making it easy to select the desired card for a transaction.

Consumers enroll for the service either by creating a profile at checkout, adding cards on the card scheme’s website, or by enrolling through the card issuer’s website or app. Once stored in tokenized form on the device, the credit cards can be used to complete purchases at any merchant that supports SRC.

Merchants or PSPs will need to actively participate in SRC to offer this option to consumers. The availability of the function is indicated using the Click to Pay icon on participating websites. The benefits for merchants include a consistent payment process across all participants and a streamlined checkout with reduced friction, while still allowing custom checkout flows.

An additional benefit of SRC is that it eliminates the need for card updater services. Instead, the credit card scheme simply updates the card details referred to by the token while keeping the existing token. This could prove particularly valuable to subscription-based services as well as to merchants with a large number of repeat customers.

To what extent SRC will replace other forms of tokenization remains to be seen. Its success will ultimately depend on whether consumers and merchants embrace it, as well as how credit cards fare against the multitude of alternative payment methods that have been growing in popularity over the past years. SRC undoubtedly has the potential to ease the burden of PCI DSS compliance for merchants by eliminating the need to handle PANs directly and providing an easy to use guest checkout function on their websites. However, one thing is for sure: tokenization is here to stay.

About IXOPAY

IXOPAY is a payments orchestration platform enabling independent, flexible and global payment processing. As a highly scalable and PCI-DSS certified “fintech enabler”, IXOPAY fulfills the needs of large merchants as well as those of “white label” clients: payment service providers (PSPs), acquirers and independent sales organizations (ISOs). The modern, easily extendable architecture offers smart transaction routing and cascading, state-of-the-art risk and fraud management, fully automated reconciliation and settlements processing, comprehensive reporting as well as plugin-based integration of acquirers, payment service providers and alternative payment methods (APMs).

IXOPAY is part of the IXOLIT Group, founded in Vienna, Austria in 2001. With local entities in Austria and the USA, IXOLIT supports national and international customers across various industry verticals. The owner-led and -financed company has grown from 2 to more than 80 employees and is focused on building innovative solutions for eCommerce.

Please find more information about IXOPAY here: https://www.ixopay.com