The payment industry is driven by digital technology, and the need for payment security is crucial. As connected devices are used widely, consumers are looking for seamless and secure payment experiences in today’s payment ecosystem. The lack of secure element hardware storage on devices and the growing number of transactions made from online devices create the need for strong software-based solutions like tokenization.
Tokenization is the process in which a Primary Account Number (PAN) is replaced with a surrogate value that is used in transactions in its place. It protects cardholder data from being stolen and used for fraudulent activities. If a token is stolen or hacked, it is worthless because tokens can be restricted to transactions with a specific mobile device or transaction type. Tokenization applies EMV chip card security to online, in-store and in-app payments.
Tokenization is a security layer for digital payments, and its main advantage is that the actual PAN is no longer used in the payment environment or stored in its systems. It helps merchants avoid storing sensitive cardholder data after authorization, and for this reason merchants using tokenization may be able to reduce the scope, risks and costs associated with ongoing PCI DSS compliance.
How Does Tokenization Work?
Payment tokenization introduces two new players, the “Token Requestor” and the “Token Service Provider”, into the payment ecosystem. According to the EMV Payment Tokenization Specification – Technical Framework, published by EMVCo, the Token Service Provider is an entity responsible for providing payment tokens to registered token requestors. The Token Requestor can be a merchant, a digital wallet service provider, an issuer, or any other payment enabler.
The tokenization process starts with the token request from the Token Requestor. A cardholder presents the primary account number to the Token Requestor, who then sends a token request message to the Token Service Provider. The Token Service Provider may ask the issuer to perform identification and verification (ID&V) during token issuance. After the ID&V process is completed, the Token Service Provider returns the token to the Token Requestor, who sends it to the cardholder’s device.
What does the transaction flow look like when a payment token is used instead of an actual PAN? It is highly similar to the existing flow, except that the Token Service Provider takes part in it. When the cardholder makes a payment to the merchant, for example an NFC payment, the payment transaction including token data is sent to the Acquirer, who forwards it to the Payment Network. The Payment Network sends it to the Token Service Provider for token cryptogram validation and detokenization. After the detokenization process, the transaction is sent to the issuer for financial authorization.
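The issuance and detokenization steps described above can be sketched as a toy Token Service Provider. This is an added example, not code from the original article or from the EMVCo specification. The class and function names are hypothetical, and an HMAC over the transaction fields is an assumed stand-in for the real token cryptogram.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, device_id, amount, nonce):
    # Assumed stand-in for the token cryptogram: HMAC over the transaction fields.
    msg = f"{token}|{device_id}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    def __init__(self):
        self._vault = {}  # token -> (PAN, bound device, per-token key)

    def issue_token(self, pan, device_id, idv_passed):
        if not idv_passed:  # the issuer's ID&V result gates issuance
            raise PermissionError("ID&V failed")
        while True:  # random surrogate, same length as the PAN, not derived from it
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._vault:
                break
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, device_id, key)
        return token, key  # both are provisioned to the cardholder's device

    def detokenize(self, token, device_id, amount, nonce, cryptogram):
        if token not in self._vault:
            raise LookupError("unknown token")
        pan, bound_device, key = self._vault[token]
        if device_id != bound_device:  # token is restricted to one device
            raise PermissionError("token not valid for this device")
        expected = make_cryptogram(key, token, device_id, amount, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            raise PermissionError("cryptogram validation failed")
        return pan  # only now is the real PAN passed on to the issuer


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test PAN
    token, key = tsp.issue_token(pan, "device-A", idv_passed=True)
    cg = make_cryptogram(key, token, "device-A", 1250, "n-001")
    print("token:", token)
    print("detokenized OK:", tsp.detokenize(token, "device-A", 1250, "n-001", cg) == pan)
```

The merchant, Acquirer and Payment Network only ever handle `token` and the cryptogram; the mapping back to the PAN exists only inside the vault.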
The Future of Tokenization
Global payment authorities like Mastercard and Visa have announced tokenization mandates for all new digital payment projects in which the PAN is provisioned onto a mobile payment device, access device, or other non-card method. For that reason, all digital payment projects must comply with the global payment authorities’ Token Service Provider Rules and Standards. Apple Pay, Samsung Pay, Android Pay and many others have already integrated with the global payment schemes’ TSP solutions. As the rest certainly plan to do the same, it seems that the future of payment security will be enhanced by tokenization, which makes digital payments more secure and affects their usage positively.
How Cardtek Can Help You
If your organization would like to explore the adoption of tokenization and how to be part of the tokenization ecosystem, Cardtek experts would be more than happy to assist you!
Lutfiye Bilgin Product Group Manager @Cardtek