June 18, 2021


Tokenization is a security mechanism that protects sensitive data, such as credit card accounts. Instead of storing the account details locally, merchants are issued a token that replaces the sensitive payment details with a series of randomly generated characters, called a token. The token is linked to the payment details in a secure vault hosted by the merchant's payment provider. When submitting a transaction, the merchant can simply submit the token with the transaction. The payment provider will then replace the token with the underlying payment details before forwarding the transaction to the next stop in the processing chain.

By storing tokens, merchants can handle card on file and recurring payments without needing to store sensitive payment details themselves. This reduces the merchant's PCI DSS scope and eliminates the possibility of malicious actors gaining access to credit card details in a data breach affecting the merchant.

Tokenization is the process of protecting sensitive payment data by replacing it with a randomly generated number called a token. The sensitive data is held safe in a secure token vault, while the merchant can store the token locally without any risk of exposing payment information.

When submitting a transaction, the merchant includes the token with the transaction request. The payment provider hosting the vault then uses the token to look up the associated payment details. The payment provider then forwards the transaction for processing using the actual payment details.

Tokenization is used to reduce the risk of sensitive data like credit card details from being exposed in a data breach. The token itself cannot be reversed engineered to discover the underlying payment details, as it is just a random series of characters. That means that in the event of a data breach at the merchant, consumers' credit card details cannot be accessed. This helps prevent fraud while reducing the merchant's liability and PCI DSS scope.

Tokenization uses a randomly generated token to protect the data and is unrelated to the underlying payment details. The sensitive payment information is stored in a PCI compliant card vault. Encryption transforms the actual sensitive data algorithmically to obscure the data. Tokenization cannot be reversed engineered, whereas it is possible to reverse engineer encrypted data with enough time and resources. Modern encryption techniques are designed to be secure enough that the time taken to reverse engineer them is long enough to be worthwhile. However, flaws in the encryption algorithm or errors during encryption can make reverse engineering easier.

Tokenization services are offered by payment service providers and payment orchestration platforms like IXOPAY. In order to offer tokenization, the provider or orchestration platform must have a PCI compliant card vault that stores the credit card details. When initiating a payment with a new card, the provider or payment platform will generate a token that the merchant can store locally and use for all subsequent transactions using the same credit card.

Tokenization speeds up the payment flow for transactions made by a return customers. Provided the merchant has stored a token for the customer's credit card, the customer can make subsequent purchases without having to re-enter their payment details.

Payments Explained: Tokenization

Further Information: