PDD#09: Payment Tokenization explained

There is one secret we ALL keep close to our chest – our banking information (account number and passwords). And there is a good reason for that – because safeguarding this sensitive information is crucial to protect our financial well-being and personal security in an increasingly digital world.

And yet, during the early days of card usage, it was a common practice to collect credit card numbers and CVV codes for payment processing. As e-commerce evolved, the large volumes of credit card information stored with merchants made them an attractive target for cybercriminals. The breach of Warner Music Group in 2020 (Magecart attack leaked customers’ personal and financial information) ,T-Mobile in 2021 (estimated 77 million people impacted) and Equifax in 2017 (personal information of 147 million people exposed) are just some of the famous examples where hackers targeted these vulnerable weak points. In fact, every 1 in 2 North American internet users had their accounts breached in 2021 (latest-cyber-crime-statistics)!

As a response to ever growing data breaches, industry came with an intuitive approach of tokenization to reducing the risk involved with storing and sharing sensitive card data. To help us understand this Tokenization, I have invited Ananya Bhattacharyya as the guest author for this article. She is Global Product lead of Mastercard Tokenization platform (Mastercard Digital Enablement Service aka MDES). MDES is the backbone technology behind enabling mobile payments solutions such as Apple Pay, Google Pay and Samsung Pay, which has now been extended to support e-commerce Payments. Below article is our collaboration, and with key details explained by her.?

This particular article does a deep dive into (Payment) Tokenization. Tokenization can also be explained in terms of tokenization assets on blockchains, but in this article we will only focus on the payment landscape. The article focus on breaking down:

• What is Tokenization, in context of payments
• Tokenized vs. Non Tokenized experience
• How Tokenization works (creating tokens vs. using tokens for payments)
• Benefits of Network Tokenization

Disclaimer: The information provided in this article is for general informational purposes only and should not be considered as a professional advice. The content is based on knowledge and research of the authors, and they have endeavored to ensure its accuracy. However, please note that information can change over time, and the authors cannot guarantee the accuracy, completeness, or relevance of the content at all times. The views expressed in this article are solely authors own and do not necessarily reflect the views of any organizations they are affiliated with.

What is Tokenization

Payment tokenization is the process of transforming sensitive data, such as credit card numbers, into secure non-sensitive data called as tokens. The term “tokenize” means to substitute or convert one thing into something else.?These tokens can then be used for transactions without exposing the actual sensitive data. The primary objective of tokenization is to enhance the security of payment transactions while maintaining the convenience and efficiency of digital payments. These numbers cannot be tracked to the original data without having certain keys, which are held separately from the tokens and cannot be accessed by unauthorized users. Payment tokens can either be implemented at an entity level (called PCI tokenization), or as Network tokens. While PCI tokenization replaces Personal Account Number (15-16 digit card number, also called or PAN for short) at a specific end point, the Network tokenization is provided by the payment networks like Mastercard, Visa, American Express, and Discover to replace PANs across the entire payment ecosystem.

The term “tokenize” means to substitute or convert one thing into something else.?These tokens can then be used for transactions without exposing the actual sensitive data.

Tokenized vs. Non Tokenized experience

To better understand the value of how tokenization adds value, let us start with the use of you having to pay your water, internet and cable TV bills. Let us say you select to pay using your credit card or a debit card, and authorize these merchants to save the card so that they can deduct money automatically when bills are due. That would mean sharing the 15-16 digit PAN card number and also providing additional details like secure CVV code in the back, expiry date and perhaps also the address details like ZIP code.

By sharing the credit card details with various players, you have now created many times more chances of your card details being compromised. All these merchants, their technology partners, their payment service providers are now potential risk points for the data to be leaked. And as all these digital copies are same, there is no way to know which value is stored in an authorized way and which one is stored without your knowledge/ consent.

Let us now plug in a Token Service Provider (TSP) in this flow. Say it's job would be to generate a new non sensitive token, every time some merchant asks for your card details. Such a service can then keep sending new numbers to the merchant, but will be the only one who could map those new numbers to the original card. At same time, merchants would be able to bill the customer as per their agreement, without any change.

Plus it can now do something more beautiful:

• You paid for a 7-day trial of a service, and now they want won't cancel the service? You can just deactivate/retire the token (of course you have to look at your agreement also though on what action is allowed vs not).
• Your cards were saved on iPhone device that got stolen? Just have the Apple Wallet deactivate/retire all tokens! None of those cards on THAT device will work anymore, but you can continue to use your physical card as usual.
• Your card expired and new one got issued? All your tokens that you authorized for monthly billing can now be automatically updated to the new card details. No missed payments, or finding all sites where you need to update the card details!

How Tokenization Works

As explained earlier, Tokenization replaces sensitive card data with equivalent non-sensitive data (tokens). Here is how different players use tokenization in their payment flow:

1. Card Issuing Bank: Your bank, the one that issued your credit card, can enable tokenization at card product level. They make your card eligible to be tokenized when you add your card to a mobile wallet or a payment app. This keeps your card info safe.
2. Merchant: The online store where you shop can also decide to use tokenization. When you give them your card details, those details are saved by their payment service provider or Token service provider who converts cards to tokens and share the token back to the store. So, the stores like BestBuy, Target, Netflix won't have your actual card data on their servers. In case they are breached now, your finances are safer, and they are safer from litigation!
3. Payment Network: It is now a standard for payment networks like Mastercard, VISA and American Express to have issuers enable tokenization for their card products. Given these players at the heart of card rails, they are able to offer a single integrated platform for all players (Issuers, Wallet Providers, Merchants, and other Token Requestors) to enable the digitization of eligible card types. Their tokens are also called Network Tokens.
4. Card holder: When you add your card to a payment apps like Apple Pay or Google Pay, you are giving consent as a cardholder to save your card info. Apple and Google in turn than can start using a unique transaction code, so your card number is never shared with a merchant. For Apple Pay, this token is called Device Account Number (DAN).

What is a Network Token?

Network tokens, as the name suggests, are tokens offered and managed directly by payment networks like Mastercard, VISA and American Express. It replaces a primary account number (PAN) during payment transactions , safeguarding sensitive card account data. This technology plays a crucial role in combatting fraud for both card-not-present digital transactions and card-present physical transactions.

How Does Network Tokenization Work?

Here is one real-world example of how network tokenization works:

• A customer wants to pay their cable TV bill, and enters the sensitive data on their cable TV merchant website (credit card number, cardholder name, etc.)
• This cable TV service provider would have integration with a tokenization provider (like Mastercard, Visa, American Express etc. also called TSP). The sensitive information will go straight to the tokenization server of TSP, without storing any data in the cable TV service provider’s server.
• Then it reaches the token vault, where the original data is secure. It, in turn, returns a token of random alphanumeric representation of the same length. The actual data is contained within the ciphered text.
• This token is now passed to the merchant’s acquirer bank, and this bank passes the token to the credit card network.
• Then the card network processes the token and maps it to the customer’s account number, authorizes and passes it to the issuing bank.
• The issuer bank now authorizes or denies the transaction based on the fund balance.
• After the successful transaction, a unique token returns to the merchant.
• Merchant now has no record of the customer sensitive data but only the customer tokens. In this way, merchant can enable the customer to make secure seamless payments every time.

Benefits of Network Tokenization

Network tokens provide significant benefits, including automated card lifecycle management, enhanced security, fraud mitigation, and lower operational costs.

1. Automated Card Lifecycle Management: Network tokenization minimizes customer attrition by automatically maintaining card credentials and reducing false positive declines, resulting in higher customer retention, increased payment approval rates, and enhanced revenue.
2. Enhanced Security: Network tokens replace sensitive PANs with unique token identifiers used throughout the payment processing lifecycle, offering superior security for merchants and cardholders.
3. Fraud Mitigation: Network tokens cover the entire credit card processing lifecycle, significantly reducing the risk of fraud. In case of a breach, the surrogate nature of network tokens limits the impact.
4. Lower Operational Costs: Network tokens fall outside the scope of PCI DSS, reducing auditing requirements. Additionally, merchants can decrease the processing costs of e-commerce transactions

Concluding Remarks

Tokenization has been a catalyst for the growth of digital payments by making them more secure, convenient, and versatile. It has also played a pivotal role in enabling embedded finance wherein the financial services are seamlessly integrated into non-financial platforms. To keep the article concise, we intentionally did not go too deep into the tokenization technical aspects like use of static vs. dynamic tokens and how tokens are enabled on the iPhone vs. Android phones (there are nuances in those flows). In case there are enough questions, we can explain it in a future article.

I would like to thank Ananya who spent multiple hours on this article with me. She has a deep understanding of eCommerce payments and it was a very learning experience to understand how network tokens have evolved since the industry first started working in this concept. You can follow her on LinkedIn

That is a wrap up for now. Your comments, opinions, and corrections are all much welcomed. If you enjoyed this article and think others will too, give this article a like below and share it. Thank you!