PCI and Tokenization on the Rise
Tokenization is a security mechanism that protects sensitive data, such as credit card accounts. In this article, we will take a look at some of the different types of tokenization used to facilitate credit card payments, how they work, what advantages they offer, and what the future holds.
What is Tokenization?
At its heart, tokenization refers to substituting sensitive data - such as a credit card’s PAN (Primary Account Number) and CVV (Card Verification Value) - with a so-called token. The token itself is just a random series of characters and does not contain any sensitive data. Instead, the token simply provides a reference to the credit card details it replaces. On its own, the token has no actual value - the actual value is in the credit card information itself. This means that if there is a data breach and malicious actors gain access to the token, this does not give them access to the underlying card details, providing an additional layer of security for cardholders.
An analogy that is often used to illustrate how tokens work is the use of casino chips or fairground tokens. While these tokens are purchased, they have no value outside of the casino or fairground itself - you cannot use a fairground token to make an online or brick-and-mortar purchase, for example. The only value these chips or tokens have is within the closed ecosystem that accepts them - the poker tables and fairground attractions. In the case of payment tokens, the tokens are only valid for a specific merchant or device and cannot be used elsewhere. If one merchant’s tokens are compromised, this has no effect on the tokens of other merchants that reference the same credit card. Contrast this with a data breach that involves actual card details - the card can then be used to complete a purchase at any vendor who accepts that card.
How are Payments Carried out Using Tokens?
At its simplest level, a token can be used as a replacement for credit card details when carrying out a transaction. Instead of storing the PAN and the CVV and processing them directly during a transaction, merchants simply store a token in the user’s account for Card on File (COF) transactions. This token is forwarded to the merchant’s payment service provider (PSP) or payment orchestration platform (POP), where the associated credit card details are actually stored. The PSP or POP then forwards the actual card details on behalf of the merchant. Because the token is generated in a way that ensures it contains no sensitive information, storing a token poses a much lower security risk. This in turn reduces compliance requirements for merchants, as the actual sensitive data is stored elsewhere - in a secure vault at the payment service provider or on a payment orchestration platform. This method began gaining traction in the early 2010s following several high-profile data breaches at merchants.
The Benefits of Tokenization
Tokenization offers clear advantages to merchants. It shifts much of the burden of PCI DSS (Payment Card Industry Data Security Standard) compliance to your PSP or POP, outsourcing the high costs of compliance and security while potentially eliminating the need for expensive regular external audits. It also offers clear benefits to cardholders: if a merchant only stores a token locally, there is no risk of exposing card details in the event of a data breach. Instead, the credit card details referenced by the token are stored remotely in a secure, PCI DSS-compliant vault, either at the merchant’s PSP or POP (e.g. IXOPAY’s Card Vault). This method is referred to as “gateway tokenization”.
In gateway tokenization, the credit card details entered by a customer are sent to the gateway, which could be a PSP or POP (e.g. IXOPAY). The gateway provider stores the card details in its secure vault and provides the merchant with a unique token that can be used for future COF transactions. Because the token poses a much lower security risk, it can be stored by merchants locally without needing to meet the stringent requirements of PCI DSS Level 1, the costs of which can be significant. By reducing their scope and only storing tokens, merchants can qualify for lower levels of PCI DSS compliance, dramatically reducing costs and overheads.
Benefits of Tokenization
- Shifts the PCI DSS burden to your PSP or POP, reducing costs
- Lowers customer exposure in the case of data breaches
- Better security with no need to repeatedly enter sensitive details
- Seamless checkouts with lower cart abandonment rates
Downsides: Lock-in Risks and Keeping Credit Card Details Up-to-date
There are however some inherent disadvantages to gateway tokenization. One disadvantage is that it can make it easier to become locked into a particular payment service provider, as the token is only valid for that provider. If you add or switch to a different payment service provider, you will need a new token for that provider. It is no longer possible to route transactions through multiple PSPs without access to the PAN itself. This disadvantage can be mitigated by using a payment orchestration platform like IXOPAY that acts as a middleman between you and the payment service providers, allowing you to use the same token across payment providers. In this setup, the token is linked to the credit card details on the payment orchestration platform itself. The POP can then pass on the actual card details to the PSP handling the transaction, giving you far greater flexibility in choosing how to route transactions and making it far easier to switch PSPs.
Furthermore, as the token is generated by a gateway provider, credit card details are not automatically updated if a card needs to be re-issued (e.g. it expires). Customers will still need to periodically update their card details on the merchant’s website as a result. While there are solutions that can automatically request updates to credit card data, such as IXOPAY’s Card Updater, an alternative approach is so-called “network tokenization”.
Network Tokenization in a Nutshell
Network tokenization is an attempt by the credit card schemes to address these issues. Instead of the gateway provider issuing a token to a merchant, tokens are issued by the credit card schemes (e.g. Visa, Mastercard, American Express etc.) themselves. Once again, these tokens can be stored by merchants for future use or recurring payments (Card on File). But as the token is generated by the credit card schemes themselves, any changes to the underlying card data do not require the credit card details to be updated by the cardholder. Instead, the card details referenced by the token are updated by the credit card scheme and the token can continue to be used by the merchant as if no changes had taken place.
Using this model, each merchant is again issued a unique token. If one token is acquired by malicious actors as the result of a data breach, other merchants remain unaffected. Only the victim of the attack needs to take action to invalidate the existing tokens.
For cardholders, this results in a much more seamless shopping experience, as they only need to enter their card details once, and can then opt to save their details for future use. Merchants get the benefits of Card on File (COF) while not having to meet the stringent requirements of PCI DSS Level 1. The net result is an improved experience for cardholders, which in turn can result in increased sales volumes and lower cart abandonment rates, while also reducing fraud. According to a Visa report published in May 2022, authorization rates increased by an average of 2.5% when using network tokens as compared to transactions using PANs, with fraud reduced by 26%.
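The vault-side mechanics described in the gateway and network tokenization sections above, as an added Python example that is not IXOPAY's or any card scheme's code: random merchant-scoped tokens, breach containment by revoking only one merchant's tokens, and a card re-issue that leaves existing tokens usable. The class, merchant names and card numbers are constructed for illustration.

```python
import secrets


class TokenVault:
    """Stand-in for a PSP/POP or card-scheme vault: it keeps the PANs, merchants keep only tokens."""

    def __init__(self):
        self._cards = {}    # card_id -> {"pan": ..., "expiry": ...}
        self._by_pan = {}   # pan -> card_id
        self._tokens = {}   # token -> (merchant_id, card_id)

    def tokenize(self, merchant_id, pan, expiry):
        """Store the card and return a random token scoped to one merchant."""
        card_id = self._by_pan.get(pan)
        if card_id is None:
            card_id = secrets.token_hex(8)
            self._cards[card_id] = {"pan": pan, "expiry": expiry}
            self._by_pan[pan] = card_id
        # The token is random and encodes nothing about the PAN, so a
        # stolen token on its own reveals no card data.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (merchant_id, card_id)
        return token

    def detokenize(self, merchant_id, token):
        """Resolve a token, but only for the merchant it was issued to."""
        owner, card_id = self._tokens.get(token, (None, None))
        if card_id is None or owner != merchant_id:
            raise ValueError("unknown token or wrong merchant")
        card = self._cards[card_id]
        return card["pan"], card["expiry"]

    def can_resolve(self, merchant_id, token):
        """True if this merchant can still use the token."""
        try:
            self.detokenize(merchant_id, token)
            return True
        except ValueError:
            return False

    def revoke_merchant(self, merchant_id):
        """After a breach at one merchant, drop only that merchant's tokens."""
        self._tokens = {t: v for t, v in self._tokens.items() if v[0] != merchant_id}

    def reissue(self, old_pan, new_pan, new_expiry):
        """Card re-issued: update the vault record, every token keeps working.
        A scheme does this itself for network tokens; a gateway needs a card-updater service."""
        card_id = self._by_pan.pop(old_pan)
        self._cards[card_id] = {"pan": new_pan, "expiry": new_expiry}
        self._by_pan[new_pan] = card_id
```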
Building on Network Tokenization: Secure Remote Commerce
Looking to the future, the next big change on the horizon is the introduction of Secure Remote Commerce (SRC). SRC was recently introduced in some regions by EMVCo, which is owned by the major card networks, and builds on the concept of network tokenization. SRC offers customers a streamlined purchasing experience similar to the popular “Buy Now” buttons, marketed to consumers as “Click to Pay”.
Using SRC, cardholders store their tokenized card details in a digital wallet provided by the credit card schemes. This wallet provides consumers with a single place to store all their credit cards (Visa, Mastercard, American Express etc.), while the tokens themselves are tied to the device storing the wallet (phone, notebook etc.). No card details are stored on the device itself. All the cardholder sees is the so-called card art, which includes a graphical depiction of the card, and the last 4 digits of the PAN, making it easy to select the desired card for a transaction.
Consumers enroll for the service either by creating a profile at checkout, adding cards on the card scheme’s website, or by enrolling through the card issuer’s website or app. Once stored in tokenized form on the device, the credit cards can be used to complete purchases at any merchant that supports SRC.
Merchants or PSPs will need to actively participate in SRC to offer this option to consumers. The availability of the function is indicated using the Click to Pay icon on participating websites. The benefits for merchants include a consistent payment process across all participants and a streamlined checkout with reduced friction, while still allowing custom checkout flows.
An additional benefit of SRC is that it eliminates the need for card updater services. Instead, the credit card scheme simply updates the card details referred to by the token while keeping the existing token. This could prove particularly valuable to subscription-based services as well as to merchants with a large number of repeat customers.
To what extent SRC will replace other forms of tokenization remains to be seen. Its success will ultimately depend on whether consumers and merchants embrace it, as well as how credit cards fare against the multitude of alternative payment methods that have been growing in popularity over the past years. SRC undoubtedly has the potential to ease the burden of PCI DSS compliance for merchants by eliminating the need to handle PANs directly and providing an easy to use guest checkout function on their websites. However, one thing is for sure: tokenization is here to stay.
IXOPAY is a payments orchestration platform enabling independent, flexible and global payment processing. As a highly scalable and PCI-DSS certified “fintech enabler”, IXOPAY fulfills the needs of large merchants as well as those of “white label” clients: payment service providers (PSPs), acquirers and independent sales organizations (ISOs). The modern, easily extendable architecture offers smart transaction routing and cascading, state-of-the-art risk and fraud management, fully automated reconciliation and settlements processing, comprehensive reporting as well as plugin-based integration of acquirers, payment service providers and alternative payment methods (APMs).
IXOPAY is part of the IXOLIT Group, founded in Vienna, Austria in 2001. With local entities in Austria and the USA, IXOLIT supports national and international customers across various industry verticals. The owner-led and -financed company has grown from 2 to more than 80 employees and is focused on building innovative solutions for eCommerce.
Please find more information about IXOPAY here: https://www.ixopay.com