Payment Tokenization 101

Backspace Tech
5 min readJan 5, 2024

Imagine your payment details, like your card numbers, going on a secret adventure whenever you buy something online. It’s like giving them a disguise to stay safe from any potential bad guys on the internet! This magical disguise is what we call “Payment Tokenization”.

So, here’s the scoop: Your card has a number on it called the “CARD NUMBER”, but you don’t want that number to go on a dangerous journey. Instead, the number is swapped with special numbers called “tokens”. These tokens are like secret codes — completely different from the original numbers and generated randomly.

Now, when you make a purchase, it’s these tokens that go on the adventure, not the real card numbers. It’s like sending secret agents to do the job!

And guess what?

Even if some tricky characters try to sneak in and grab those tokens, they won’t get anywhere because the tokens are just a bunch of random characters — they’re like trying to solve a puzzle without all the pieces!

So, in a nutshell, payment tokenization is all about swapping sensitive stuff with cool, secret alternatives!

But wait!

Why should you care about all this tokenization stuff?

  • It thwarts fraud by replacing sensitive information vulnerable to financial crimes.
  • The characters comprising the token have no connection to the original data, making it impervious to decrypt by fraudsters. Even if unlawfully acquired, the token lacks inherent value because it cannot be reverse-engineered to reveal the original data.
  • Opting for tokens over actual card information enables merchants to offer customers a secure payment experience, concurrently diminishing the likelihood of data breaches.

Hmmm…

Let us know the whimsical dance of the Tokenization!

  • Customers provide payment data (e.g., card details) during a transaction initiation.
  • Depending on the merchant’s payment system setup, sensitive data is sent to a secure tokenization service, provided by a payment processor or third-party vendor.
  • Through algorithms and secure storage, a unique token is created, representing the original payment data. This token is a random string without intrinsic value.
  • The token replaces sensitive payment data in the merchant’s system, while the original data is securely stored in the token vault to prevent unauthorized access and breaches.
  • To process the transaction, the merchant sends the token to the payment processor or tokenization service. The service securely links the token to the original data, completing the transaction without exposing sensitive information.
  • For recurring transactions, the same token is reused without collecting card details again.

Buckle up, folks!

We’ve been exploring the nuts and bolts of Tokenization, but now it’s time to witness its real-world sorcery!

Real-Time Example

Consider a customer named Lily purchasing at a shop and the subsequent steps follow!

Checkout Process:

  • Lily provides her card details at the Point of Sale (PoS) terminal during checkout.

Information Routing:

  • The PoS terminal sends Lily’s card details to the Payment Processor.

Tokenization Process:

  • The Payment Processor channels this information to the tokenization system, which replaces Lily’s card number with a unique, randomly generated token (e.g., “a0n2u1s0n5”).

Transaction Finalization:

  • The tokenized data is returned to the Payment Processor, concluding the transaction using the generated token. The merchant, instead of storing Lily’s actual card number, securely maintains the token in their database.

Subsequent Transactions:

  • For future transactions, Lily inputs her details, and the token from the prior transaction is employed, with the merchant obtaining consent from her. This method allows the merchant to bypass the necessity of re-requesting Lily’s card information.

Ahem!

Clear your throat!

Because the journey doesn’t stop here! Let’s dig deeper into the Tokenization!

Token Enchantment: Generation, Characteristics, and Usage

Token Generation:

  • Upon payment initiation, a powerful cryptographic algorithm instantly scrambles the customer’s sensitive card numbers into a unique, meaningless token. This token, linked to but not revealing the original data, is safely locked away in the secure token vault, a heavily encrypted database.

Nature of Tokens:

  • Payment tokens exhibit a non-reversible nature. Once tokenized, the original data is neither stored nor retrievable from the token.

Single and Multi-Use Tokens:

  • Single-Use Tokens: These tokens are designed for a singular transaction and automatically expire after the completion of that specific transaction.
  • Multi-Use Tokens: In contrast, multi-use tokens have an extended lifespan and can be utilized over years to represent the same account across various transactions.

Types of Tokens

NON-FORMAT PRESERVING TOKEN (NFPT)

  • Non-format-preserving tokens are a type of tokenization where the generated tokens do not preserve the format or structure of the original data. In other words, the tokenized output bears no resemblance to the input in terms of its original format. These tokens include both alphabetical and numeric characters.

Example:

Original card number: 4549 5462 5445 2546

NFPT: bT#5sd&*f85k@j

FORMAT PRESERVING TOKEN (FPT)

  • Format-preserving tokens are a type of tokenization where the generated tokens maintain the same format or structure as the original data. They act as placeholders that mimic the original data’s structure.

Example:

Original card number: 4549 5462 5445 2546

FPT: 5469 1546 8546 5546 (different digits, same format)

PARTIAL REPLACEMENT TOKEN

  • Partial replacement tokens are a form of tokenization where only a portion of the original data is replaced with a token while retaining some unchanged segments. This approach allows for maintaining certain recognizable aspects of the data, making it suitable for scenarios where partial information needs to be preserved for specific purposes. This is also known as selective masking and is common practice for payment tokens. Partial replacement tokens are helpful in situations where a merchant might need to verify a cardholder by asking them for the last four digits of their PAN.

Example:

Original card number: 4549 5462 5445 2546

Partial replacement token: 4#### #### #### 2546

Tokenization in Real-Time Use Case

  • The Primary scenario is when the business retains your card information [card on file] for subscription billing and recurring payments.
  • The secondary instance can be observed on eCommerce platforms that provide frequent, returning customers with “one-click” checkouts.
  • Lastly, the third application can be found in NFC mobile wallets such as Apple Pay and Android Pay.

Tokenization Vs Encryption

While both accomplish the same objective (PCI DSS compliance) and are closely related ideas, payment tokenization and encryption are two different processes. Encryption converts data into an unintelligible format that can be recovered with a decryption key, whereas tokenization substitutes unique, meaningless tokens for sensitive data. In short, tokenization concentrates on data replacement, whereas encryption concentrates on data transformation.

Conclusion

In the realm of modern payments, Tokenization stands tall as the beacon of security and efficiency. As we draw the curtains on our exploration, through the intricacies of tokenized payments, one thing becomes evident: With every tap and click, Payment Tokenization paves the way for a frictionless, protected financial landscape.

To know more about the payment ecosystem, chargeback, and dispute nuances through delightful bytes of information, follow us on LinkedIn, Twitter, Facebook, and Threads.

P.S: What topic do you think we should explore next? Let us know in the comments.

--

--

Backspace Tech

Backspace Tech offers Fintech-as-a-Service to automate,simplify, and disrupt the payment industry by handling chargeback requests through a plug-and-play model.