What is Payment Tokenization?

Thilina De Alwis
3 min read · Jan 31, 2019


Payment Tokenization is a process used in payments (data storing, processing, transmitting) to replace sensitive data elements with an alternate, unique, non-sensitive equivalent value. This meaningless identifier, which has no extrinsic or exploitable value, is called a Payment Token, also referred to as a Digital Account Number (DAN).

In payments, the objective of Tokenization is to remove the plain Primary Account Number (PAN) from the payment environment, where the data can be vulnerable, and to use the Payment Token/Digital Account Number as the replacement. The mapping between the real value of the PAN and the Payment Token is safely stored in the Token Vault, which is a PCI-compliant environment.

Tokenization is another approach that can be used to safeguard payment credentials from being stolen and used for fraudulent transactions. Tokens are random numbers and are not based on cryptography, hence they cannot be traced back to the original value. Sensitive data stays in the control of the bank/issuer, and external systems do not have access to this information.

This enables Banks/Issuers, Acquirers and Merchants to offer more secure payment services for their customers and connected stakeholders. In order to use Tokenization, a Bank or Merchant must become the Token Service Provider (TSP) and manage the entire life-cycle of payment credentials.

Token Service Provider (TSP) Life Cycle
  1. Tokenization: Replaces the PAN with a payment token.
  2. De-Tokenization: Converts the token back to the PAN using the token vault.
  3. Token Vault: Establishes and maintains the payment token to PAN mapping.
  4. Domain Management: Improves protection by defining payment tokens for specific use.
  5. Identification and Verification: Ensures the original PAN is legitimately used by the token requester.
  6. Clearing and Settlement: Ad-hoc De-Tokenization during the clearing and settlement process.

However, the TSP life cycle responsibilities and the token creation process are defined by the token solution provider.

How does a Tokenized Transaction Work?

Payment tokens differ in how they are created and in the specific requirements for using them. A token can be general or specific to a merchant. It can be single-use or multi-use. It can be stored in a cloud vault or in a vault at the merchant location. Generally, though, two types of tokens are used and/or defined in the payments industry:

  1. Tokens that will function in place of the actual PAN to perform a payment transaction
  2. Tokens that replace the PAN and are stored by merchants and/or acquirers in place of actual PANs and used for other purposes (e.g., for loyalty programs)

Once a token has been created, it may be tied to a card on file, individual transaction, payment card, account or device.
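The vault behaviours described above (tokenization, de-tokenization, domain restriction and single-use tokens) can be shown in code. This is an added example, not taken from the original article or from any TSP product. The names `TokenVault`, `domain` and `attempt` and the merchant identifiers are assumptions, and the PAN is a constructed test value.

```python
import secrets

class TokenVault:
    """In-memory stand-in for a TSP token vault (illustrative, not production)."""
    def __init__(self):
        self._records = {}  # token -> {"pan", "domain", "single_use"}

    def tokenize(self, pan, domain=None, single_use=False):
        """Map a PAN to a fresh random token, optionally bound to one domain."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        while True:
            # Random digits, never computed from the PAN: only the vault maps back.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "domain": domain, "single_use": single_use}
        return token

    def detokenize(self, token, domain=None):
        """Return the PAN if the token exists and is used inside its domain."""
        record = self._records.get(token)
        if record is None:
            raise KeyError("unknown or already consumed token")
        if record["domain"] is not None and record["domain"] != domain:
            raise PermissionError("token presented outside its domain")
        if record["single_use"]:
            del self._records[token]  # a single-use token is retired on first use
        return record["pan"]

def attempt(vault, token, domain=None):
    """Return the PAN, or the name of the error the vault raised."""
    try:
        return vault.detokenize(token, domain)
    except (KeyError, PermissionError) as exc:
        return type(exc).__name__

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real account
    multi = vault.tokenize(pan, domain="merchant-A")
    once = vault.tokenize(pan, single_use=True)
    return [attempt(vault, multi, "merchant-A"),  # inside its domain
            attempt(vault, multi, "merchant-B"),  # outside its domain
            attempt(vault, once),                 # first use
            attempt(vault, once)]                 # replay of a single-use token

if __name__ == "__main__":
    print(demo())
```

A merchant-bound token presented by another merchant and a replayed single-use token both fail at the vault, so a stolen token is only useful within the narrow scope it was issued for.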

The industry is starting to see alignment among the standardization efforts around the EMVCo tokenization specification. The EMVCo tokenization framework also references its use with EMV chip cards, combining the security benefits of EMV chip with tokenization.

PCI SSC is also currently in the process of standardizing the security requirements and guidance for tokenization products, such as tokenization platforms, applications or appliances that replace a PAN with a token. Examples include functionality to exchange a token back to the original PAN (De-Tokenization) as well as "irreversible" tokens, for which no mechanism is supported to reproduce the PAN.

This will improve cardholder data security along the payment transaction chain and minimize the retention of payment card data in an entity’s environment, and hence simplify their compliance and regulatory efforts. At the same time, these efforts will provide tokenization product vendors and developers with detailed technical requirements for how to generate and store tokens securely. A mechanism to evaluate tokenization products against the requirements is under consideration.


Thilina De Alwis

Tech Entrepreneur | Payment & Fintech Specialist | Digital & Business Transformation Consultant | Regional Business Development