SecurityCents Blog

Insights on payment data security, payments news and trends

5 Tips for Choosing a Tokenization Service for Your Business


Most businesses that accept credit cards for payment are doing their best to avoid touching and storing cardholder data. One of the best ways to protect cardholder data at rest is to use a tokenization service to convert cardholder data to tokens, which cannot be used to commit fraud if they happen to be stolen or intercepted by hackers. But not all token service providers are the same. Here are five things to consider when choosing which company to entrust with tokenizing your customer’s sensitive cardholder data:

  1. Use Format-Preserving Tokens: Some tokens are just long strings of alpha-numeric characters. These can be hard to store in systems that were designed to store credit card data without a major software enhancement. Format-preserving tokens look similar to credit card numbers and will pass a credit card “mod-10” validation, which makes them much easier to store in systems that were accustomed to storing card data. Good token services will maintain the last 4 digits of the original card, so that it can be used as a reference and printed on receipts.
  2. Omni-Channel Tokens are the Most Versatile: An “omni-channel” token simply means that the token provided is the same value for the same card, no matter where the cardholder data is originally input. Whether the card data is entered through a smartphone app, an eCommerce order, or through a retail POS system, a restaurant POS system, a hotel PMS system, or a custom POS system for a spa or golf course, the same token is always returned for the same card. This feature can enable your customers to order things online and return them in-store in a frictionless way. It will also allow you to track cardholder spend across all of your businesses, in the case where you own multiple retail, restaurant, and lodging entities.
  3. A merchant-friendly, processor-agnostic, token service provides more flexibility: Especially if you want to measure cardholder activity by unique card across all of your stores without mandating that each store uses a specific processor. A merchant-friendly provider will also be willing to help you exchange your tokens to cards and back if you change ownership or want to switch to another token provider.  If storing historic cardholder activity data is important to your business, and you might want to change payment service providers, be sure the provider you choose will assist you with detokenizing and re-tokenizing data should that happen.
  4. Your tokens should be the same when the same card is used within your brand: Use a “multi-use” token service to get the same token back whenever the same card is used at any of your locations. This will allow you to run analytics on unique cardholder activity within your brand. Make sure that your token provider is not providing the same token for the same card when that card is used at another merchant that is not part of your group. A good token service will provide the same token each time the same card is used within a particular brand, but different tokens for the same card when used at another merchant. Tokens should be randomly generated and never be created via an algorithm or hash which could be reverse-engineered.
  5. Choose a token provider that you can trust with your customers’ cardholder data: Ultimately, the token provider is storing your customers’ sensitive payment credentials, so be sure to choose an enterprise-grade vendor with many years of experience doing this, and a long list of references of major name brand merchants that have entrusted them to provide cardholder tokenization services.

Choosing the right token service provider will enable you to eliminate friction in the buying process and track your customers’ spending habits across all of your stores without forcing you to process cards with just one acquirer. Omni-channel tokens can open the door to a seamless shopping experience where consumers can order online and make changes or returns in-store. A merchant-friendly vendor will work with you to replace, exchange, and update tokens if you sell your business or choose to move to a different provider. Merchant Link has been providing enterprise-grade token services to tens of thousands of merchants for 10+ years and is here to help you protect your cardholder data while maintaining the ability to analyze your customers’ spending habits and providing a seamless online and in-store shopping experience.