SecurityCents Blog

Insights on payment data security, payments news and trends

3 Elements of Tokenization Every Merchant Should Understand


What is Tokenization?

Simply put, tokenization is a method of substituting a non-meaningful value for data of a sensitive nature. In eCommerce, this is frequently utilized to protect a Primary Account Number (PAN) from visibility or potential theft. By converting the PAN to a token, merchants protect their customers from becoming easy targets for fraud or identity theft. Tokens take the place of credit credentials passed between purchasers, merchants, and payment processors.

But it’s a little more complicated than that. There are multiple types and standards for generating and using tokens which have unique characteristics and benefits.

Single or Multi-use Tokens

A single-use token is typically utilized just as the name indicates—for a single transaction. These are also referred to as transactional tokens, since once they have been used they are no longer available for reuse. Single-use tokens are a first-generation approach to tokenization, and although they are still widely used, many merchants and payment processors are either moving away from them or have plans to do so. Drawbacks of single-use tokens are that they cannot be used for recurring transactions or refund/return processing.

Multi-use tokens are becoming the norm in payment processing, as they offer more of the flexibility that both consumers and merchants want. One significant advantage of multi-use tokens is the ability to extend them through omni-channel payment support. This means that the same token can be used for internet shopping and for purchases made in the same retailer’s brick-and-mortar store locations. With the significant growth of eCommerce and the popularity of on-line shopping, this becomes a considerable factor in selecting multi-use tokenization.

Reversible or Irreversible

Reversible tokens allow the sender to reverse the token back to its original information (the receiver cannot perform the reversal – only the sender). This allows a merchant to send the original PAN to a third party in cases where payments are handled by such third parties rather than by the merchant themselves. This attribute of reversibility also provides a method of extracting the original PAN in the event it may be useful in fraud recovery efforts.

Irreversible tokens have an obvious advantage from a security standpoint since, by design, there is no capability of extracting the original PAN information by either the sender or receiver of the token.

Format Preserving

Format-preserving tokenization retains the format of the original sensitive information (for payment processing, this is the card number), with the last four digits of the card number kept to allow easy identification. Preserving the original format of the tokenized data (format only, not the actual data) can reduce the impact on the existing systems that the tokens interact with, since the length and basic format of the original data are maintained.
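The three properties described above (single- or multi-use, reversible or irreversible, format preserving) can be seen together in a small vault-based tokenizer. This is an added example, not Merchant Link's code: the `TokenVault` class, its method names, the 13-19 digit length check, and the modeling of "use" as a detokenize call are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

class TokenVault:
    """Illustrative in-memory vault; a real one encrypts stored PANs."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._records = {}  # token -> (PAN or None, single_use)
        self._multi = {}    # (HMAC of PAN, reversible) -> multi-use token

    def _new_token(self, pan):
        # Format preserving: same length, digits only, last four kept.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in pan[:-4])
            token = body + pan[-4:]
            if token != pan and token not in self._records:
                return token

    def tokenize(self, pan, single_use=False, reversible=True):
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit PAN (assumed range)")
        index = (hmac.new(self._key, pan.encode(), hashlib.sha256).digest(), reversible)
        if not single_use and index in self._multi:
            return self._multi[index]  # multi-use: one stable token per PAN
        token = self._new_token(pan)
        # Irreversible tokens store no PAN, so the vault has nothing to return.
        self._records[token] = (pan if reversible else None, single_use)
        if not single_use:
            self._multi[index] = token
        return token

    def detokenize(self, token):
        """Only the vault holder can call this; receivers see tokens only."""
        if token not in self._records:
            raise KeyError("unknown or already used token")
        pan, single_use = self._records[token]
        if pan is None:
            raise ValueError("irreversible token")
        if single_use:
            del self._records[token]  # a single-use token is spent once used
        return pan

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    print(vault.tokenize(pan), vault.tokenize(pan, single_use=True))
```

The multi-use index is keyed with an HMAC of the PAN rather than the PAN itself, so looking up an existing token does not require a second cleartext copy of the card number.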

The Payment Card Industry Security Standards Council (PCI SSC) establishes guidelines for how payment services and merchants should address tokenization. These standards do not currently require format preservation, though many third-party payment services offer this capability so that tokens, rather than their clients’ sensitive information, are retained.

What Does This Mean to You?

Mainly, this means you have options in using tokenization for secure payment processing. While the primary reason for tokens is definitely security, your business also needs flexibility that fits your specific needs. It’s most important that your security requirements align with your business requirements without sacrificing or compromising either one.

Merchant Link provides clients with the flexibility and functionality needed to give them competitive advantages in payment processing. We are focused on delivering innovative solutions to payment processing requirements as your business and technology continuously evolve. Although we have a specific design toward merchants in the lodging, restaurant, and retail industries, our commitment to secure solutions and support extends to a variety of markets.