Welcome to Tokenization 101. We’ve simplified the complex processes to help you understand the basics.
What is tokenization?
Tokenization is the process by which sensitive data is protected by replacing it with a randomly generated number called a “token.” In the context of credit card payments, the customer’s PAN (primary account number) is substituted with the randomized token number and then passed through merchant payment systems as the transaction is processed.
How is tokenization used?
Tokenization can be used to protect sensitive data from credit card or social security numbers to voter registrations and driver’s licenses. The surrogate token number acts as a placeholder, mapping back to a token vault that holds and protects the sensitive information leaving the original data untouched.
How does tokenization protect customers’ information?
Tokenization makes it much more difficult for hackers to gain access to sensitive data such as PANs through its randomized approach. Tokens are created through mathematical algorithms, ensuring the generated token value cannot be reversed to the original PAN and restricting unauthorized use.
How are merchants impacted by tokenization?
Tokenization drastically reduces a merchant’s risk if a data breach occurs. It renders the stolen information useless, as the hacker will not be able to monetize the token values. Additionally, tokenization saves merchants money by reducing costs associated with validating compliance with data protection rules and regulations.
How does a merchant know the transaction is authenticated (or not authenticated)?
The TSP returns the PAN plus any cryptogram and domain control validation results to the merchant acquirer. The merchant acquirer then routes the PAN and validation result through the process to enable the issuer to make an authorization decision (approve or decline).
Does the merchant retain the PAN?
No, the merchant does not retain the PAN. Once the merchant sends the PAN for authorization and receives a merchant token from the gateway/acquirer, the merchant deletes the PAN.
What is a security token?
A “security token” is another term for a “merchant” or “merchant acquirer” token. This term represents an alternative identifier used to protect payment or other sensitive data while at rest. The token replaces the sensitive data, so that the sensitive information is never stored within a merchant’s environment eliminating risk of unauthorized access.