Glossary

June 18, 2021

Tokenization

Tokenization is a security mechanism that protects sensitive data, such as credit card account details. Instead of storing the account details locally, the merchant is issued a token: a series of randomly generated characters that stands in for the sensitive payment details. The token is linked to the payment details in a secure vault hosted by the merchant's payment provider. When submitting a transaction, the merchant simply submits the token with the transaction. The payment provider then replaces the token with the underlying payment details before forwarding the transaction to the next stop in the processing chain.

By storing tokens, merchants can handle card-on-file and recurring payments without storing sensitive payment details themselves. This reduces the merchant's PCI DSS scope and eliminates the possibility of malicious actors obtaining credit card details in a data breach affecting the merchant.

Tokenization is the process of protecting sensitive payment data by replacing it with a randomly generated number called a token. The sensitive data is held safe in a secure token vault, while the merchant can store the token locally without any risk of exposing payment information.

When submitting a transaction, the merchant includes the token with the transaction request. The payment provider hosting the vault then uses the token to look up the associated payment details. The payment provider then forwards the transaction for processing using the actual payment details.

Tokenization is used to reduce the risk of sensitive data like credit card details being exposed in a data breach. The token itself cannot be reverse engineered to discover the underlying payment details, as it is just a random series of characters. That means that in the event of a data breach at the merchant, consumers' credit card details cannot be accessed. This helps prevent fraud while reducing the merchant's liability and PCI DSS scope.
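The flow described above, as an added Python model that is not part of this glossary or of any payment provider's code: the vault is the only place the card number (PAN) is held, the merchant keeps only the token and the last four digits for display, and the token is drawn at random so nothing about the card number can be recovered from it. The class and method names are constructed for the example.

```python
import secrets

class TokenVault:
    """Provider-hosted vault: the only place the PAN is stored (constructed model)."""

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        # The token is drawn at random and is independent of the PAN, so it
        # carries no information from which the card number could be recovered.
        while True:
            token = secrets.token_urlsafe(16)
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token the vault never issued.
        return self._token_to_pan[token]

    def process_transaction(self, token: str, amount_cents: int) -> dict:
        # Provider side: swap the token for the real PAN before forwarding
        # the transaction to the next stop in the processing chain.
        return {"pan": self.detokenize(token), "amount_cents": amount_cents}

class MerchantCardStore:
    """Merchant side: keeps only the token and non-sensitive display data."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self._cards = {}  # customer_id -> {"token": ..., "last4": ...}

    def add_card(self, customer_id: str, pan: str) -> str:
        # First payment with a new card: the provider issues the token and
        # the merchant stores that instead of the card details.
        token = self._vault.tokenize(pan)
        self._cards[customer_id] = {"token": token, "last4": pan[-4:]}
        return token

    def charge(self, customer_id: str, amount_cents: int) -> dict:
        # Card-on-file / recurring payment: the merchant submits only the stored token.
        return self._vault.process_transaction(self._cards[customer_id]["token"], amount_cents)

    def stored_data(self) -> dict:
        # Everything a breach of the merchant's database could expose.
        return {cid: dict(rec) for cid, rec in self._cards.items()}
```

Tokenizing the same card twice yields two unrelated tokens, which is what makes the token itself useless to an attacker who obtains the merchant's database.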

Tokenization protects the data with a randomly generated token that is unrelated to the underlying payment details; the sensitive payment information itself is stored in a PCI compliant card vault. Encryption, by contrast, transforms the actual sensitive data algorithmically to obscure it. A token cannot be reverse engineered, whereas encrypted data can in principle be reverse engineered given enough time and resources. Modern encryption techniques are designed to be secure enough that the time needed to reverse engineer them is too long for the effort to be worthwhile. However, flaws in the encryption algorithm or errors made during encryption can make reverse engineering easier.

Tokenization services are offered by payment service providers and payment orchestration platforms like IXOPAY. In order to offer tokenization, the provider or orchestration platform must have a PCI compliant card vault that stores the credit card details. When initiating a payment with a new card, the provider or payment platform will generate a token that the merchant can store locally and use for all subsequent transactions using the same credit card.

Tokenization speeds up the payment flow for transactions made by returning customers. Provided the merchant has stored a token for the customer's credit card, the customer can make subsequent purchases without having to re-enter their payment details.
