What Is Tokenization?
Tokenization is the process of replacing a sensitive value, such as a credit card number, with a surrogate value (a token) that has no exploitable meaning on its own, while preserving the properties your systems need from the original, such as its length and format. Tokenization is non-destructive: the original value can be recovered, but only by the system that holds the mapping between token and original, typically a token vault operated by the tokenization provider.
To help explain this, think of the token as a claim ticket rather than a code: it stands in for the card number, and only the vault can exchange it for the real one. A typical token for a credit card number keeps the last four digits so receipts and customer service still work; the remaining digits are random and have no mathematical relationship to the original number. The token is then safe to store in your database. Anyone who obtains the token alone cannot recover the card number or use it outside the systems that accept that token (it could still be replayed through your own payment integration, so the token needs ordinary access control, but it is no longer cardholder data).
To run a credit card transaction with a token, the token must be mapped back to the original card number (detokenized). That mapping is normally performed by a secure third party such as the gateway or tokenization provider, so the card number never re-enters your systems.
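As an added illustration, not code from the original article, here is a small token vault in Python that does what the paragraphs above describe: it issues a random token that keeps the last four digits, keeps the token-to-card mapping out of the caller's hands, and only detokenizes for an authorized caller. The `TokenVault` class, the `index_key`, the role name `payment-processor` and the test card number are all assumptions made for this example; a production vault stores the mapping encrypted inside the PCI zone, which this in-memory version does not.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory token vault (an assumption for this example).

    A real vault keeps the token-to-PAN table encrypted inside the PCI zone;
    here it lives in two dicts so the example runs stand-alone.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret used to index cards without a plain PAN lookup table
        self._pan_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash lets us find the existing token for a card without scanning the vault.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token for pan, issuing the same token each time the same card is presented."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        while True:
            # Same length, last four digits preserved, everything else random.
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            # Reject tokens that pass Luhn (so a token can never be mistaken for a real
            # card number, including the original) and tokens already in use.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Map a token back to the card number; only the payment path may do this."""
        if caller_role != "payment-processor":   # role name is an assumption
            raise PermissionError("detokenization is restricted to the payment path")
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    card = "4111111111111111"   # constructed sample: a well-known test card number
    tok = vault.tokenize(card)
    print("token:", tok, "last four kept:", tok[-4:] == card[-4:])
    print("detokenized:", vault.detokenize(tok, "payment-processor") == card)
```

Two design points worth noting: the token is generated until it fails the Luhn check, so a token can never collide with or be confused with a real card number, and a keyed fingerprint (not the card number itself) is used as the index for repeat lookups, so the vault has no plaintext PAN index to leak.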
What Information Should Be Tokenized?
Tokenization is most often used to protect credit card numbers, and the PCI Security Standards Council publishes guidance on using it to reduce the scope of PCI DSS compliance. There are many other use cases where tokenization helps an organization store sensitive data securely. Consider personally identifiable information (PII): both HIPAA and the General Data Protection Regulation (GDPR) require special handling, pseudonymization or anonymization, and secure storage of personal data. An organization should consider tokenization whenever its business needs require saving sensitive information, for example:
• Social Security number
• Bank account numbers
• Passport number
• Driver's license number
• Credit card numbers
• Addresses
• Telephone number
• Date of birth
• Gender or race
What Are The Various Types Of Tokenization?
When it comes to PCI tokenization, I find it useful to think about three main types: gateway tokenization, pass-through tokenization, and payment service tokenization.
Gateway Tokenization
If you are an e-commerce business, there is a good chance you take payments through a payment gateway. Most gateways offer a way to save a credit card on their system and return you a token. From then on, when you run a transaction, your system sends the token to the gateway instead of the card number, which lets you remove card data from your systems.
The disadvantage is that each gateway uses its own token scheme, so you are locked in to that gateway. Switching gateways is often a costly and time-consuming process of exporting (de-tokenizing) your customers' card data and moving it to the new gateway, and some gateways do not allow it at all.
Pass-Through Tokenization
A few stand-alone tokenization providers offer a proxy that sits between your e-commerce site and the gateway. Your existing gateway integration code keeps working: outbound requests carry tokens, the proxy swaps in the real card numbers on the way to the gateway, and it strips card data from responses on the way back. One advantage of this approach is that it leverages your current integration and can be adopted very quickly. It is also modular: unlike gateway tokenization, it is not limited to credit card payments, since the same proxy can front most APIs and tokenize data other than card numbers.
Pass-through tokenization is a step up from gateway tokenization because it lets you route transactions to different gateways in real time, avoiding the costly and time-consuming transfer of card data between payment platforms.
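The proxy behaviour just described, as an added example in Python that is not code from the original article or from any particular provider: the merchant's request arrives carrying a token, the proxy substitutes the real card number and forwards the request to whichever gateway the merchant selected, and the gateway's response is scrubbed so no card number travels back. The `VAULT` dict is a constructed stand-in for the provider's vault lookup, the gateway names and URLs are assumptions, and no network call is made, so the block runs offline.

```python
from typing import Any, Callable

# Constructed stand-in for the tokenization provider's vault (token -> card number).
# In a real deployment the proxy queries the vault; no card numbers live in the merchant's code.
VAULT = {"8361920475311111": "4111111111111111"}

# Hypothetical gateway endpoints the proxy can route to; names and URLs are assumptions.
GATEWAYS = {
    "gateway-a": "https://api.gateway-a.example/v1/charges",
    "gateway-b": "https://api.gateway-b.example/payments",
}


def _walk(obj: Any, fn: Callable[[str], str]) -> Any:
    """Apply fn to every string leaf of a JSON-like structure, preserving its shape."""
    if isinstance(obj, dict):
        return {k: _walk(v, fn) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_walk(v, fn) for v in obj]
    if isinstance(obj, str):
        return fn(obj)
    return obj


def outbound(request: dict, route: str) -> tuple:
    """Merchant -> proxy -> gateway.

    The merchant's unchanged integration code sends tokens; the proxy swaps in the
    real card numbers and picks the gateway from the route the merchant asked for.
    Returns (gateway_url, body_to_send).
    """
    if route not in GATEWAYS:
        raise ValueError(f"unknown route {route!r}")
    body = _walk(request, lambda s: VAULT.get(s, s))
    return GATEWAYS[route], body


def inbound(response: dict) -> dict:
    """Gateway -> proxy -> merchant.

    Anything that looks like a card number is replaced before the response reaches the
    merchant: known cards become their token, unknown ones are masked to the last four.
    """
    token_by_pan = {pan: tok for tok, pan in VAULT.items()}

    def scrub(s: str) -> str:
        if s in token_by_pan:
            return token_by_pan[s]
        if s.isdigit() and 13 <= len(s) <= 19:
            return "*" * (len(s) - 4) + s[-4:]
        return s

    return _walk(response, scrub)


if __name__ == "__main__":
    # Constructed sample request: the merchant only ever handles the token.
    url, body = outbound(
        {"amount": 1999, "currency": "USD",
         "card": {"number": "8361920475311111", "exp": "12/27"}},
        route="gateway-b",
    )
    print(url, body["card"]["number"])
    print(inbound({"status": "approved", "card": {"number": "4111111111111111"}}))
```

The inbound scrub here treats any 13 to 19 digit string as a card number, which is deliberately conservative; in practice you would scope it to the fields your gateway documents as carrying card data so that long numeric references are not masked by accident.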
Payment Service Tokenization
Another strategy is the payment services model, which provides a single API that, once integrated, can route payments to several gateways. It works best for companies with more complex payment needs: if your company takes payments in multiple regions or currencies, or against multiple processors and gateways, this model works well. The disadvantage is that existing gateway integration code cannot be reused; however, the payoff is often worth it.
In addition to reduced PCI scope and increased security, the payment services model has some distinct advantages. It can simplify your integration code, and it keeps the payment gateways from controlling your tokens: a token issued by an independent third party can be used on any supported gateway, whereas a token issued by a payment gateway cannot be used with a competing gateway.
Conclusion
Security and compliance alone are reason enough to implement tokenization. The security demands of online payments are difficult to bear alone, and startups in particular often sacrifice security for time to market. If you accept online payments, your organization is a target for bad actors. Using specialists in security and tokenization will save your company time and money in the long run. When it comes down to it, keep these best practices in mind:
1. Choose a tokenization partner that is agnostic toward payment gateways and card brands.
2. Look for tokenization that can be dropped in with little integration work.
3. Find a provider that can integrate multiple gateways, methods and services in a single integration.
The one key piece of technology needed to stitch all of your payment solutions together is tokenization. When all is said and done, you need a tokenization provider that gives you control of your tokens, provides redundancy, reduces your PCI scope and raises your security standards.