Payment Tokenization: A guide for merchants

The rise of online payments has come with benefits for both shoppers and merchants, but an ongoing challenge is ensuring that all transactions remain completely secure. As techniques for intercepting sensitive financial information evolve, security technology must also evolve, staying one step ahead. This ensures that trust in electronic transactions stays high and the cost of mitigating security risks stays relatively low.

Payment tokenisation is one such security technique that helps eCommerce transactions remain secure. In the context of online transactions, it involves replacing customers’ credit and debit information with a string of letters and numbers, known as a token. If this token is intercepted by fraudsters, it cannot be used to unlock the sensitive customer data.

In this article, we’ll go in depth on how payment tokenization works, its benefits for both merchants and marketplaces and how to implement the technique. After reading, you’ll be able to understand whether you need tokenisation to protect your business and how businesses like Airwallex can ensure you have this in place to protect your payments.

How payment tokenization works

Implementing payment tokenization doesn’t create any extra work for merchants. It just means that the tokenization service takes on the burden of keeping cardholder information safe, and ensures that it can’t be intercepted by malicious third parties.

This is the step-by-step breakdown of what happens when a tokenized transaction happens:

1. A cardholder initiates a transaction and shares their card details with the merchant’s payment system. This includes the primary account number (PAN), or long number on the front of a card.

2. Card data (typically the PAN) is replaced with a unique token. This can be done automatically as part of payment processing services with payment providers such as Airwallex.

3. The token is stored in the merchant's system, replacing the sensitive payment data. The original payment data is stored securely in the tokenization service's secure vault.

4. Acquiring banks and card networks are able to access the customer data, such as the primary account number, that they need to process the transaction.

5. For recurring transactions by the same customer, the same token can be used multiple times while still maintaining security.

What are the differences between tokenization and encryption?

Encryption involves using an algorithm to scramble data, which can be de-encrypted when it reaches its destination. Tokenization turns data into code that cannot be de-encrypted. This reduces the risk of pattern recognition, providing additional security. Tokens cannot be “unscrambled” to reveal the sensitive payment data.

Benefits of payment tokenization for eCommerce merchants

Payment tokenization has become a widespread method of keeping online and contactless payments secure. E-wallets such as Apple Pay and Google Pay use tokens to keep transactions secure, and subscription-based businesses can particularly benefit from the fact that tokenized customer data can be kept on file for recurring payments while minimising the risks involved in data storage.

There are many benefits of tokenization that apply to all types of eCommerce business:

Reduction in payment fraud

By eliminating the need to store sensitive card information, payment tokenization reduces the risk of data breaches and unauthorised access to sensitive cardholder information. This enhances customer trust and reduces the risk of chargebacks.

Boost conversions

The added layer of security also improves the likelihood that the transactions are approved by card networks. This means more payments are successfully completed.

Compliance with industry standards

Payment tokenization is often considered a best practice for protecting cardholder data, and so it can help businesses align with data protection standards such as the Payment Card Industry Data Security Standard (PCI DSS), which is mandated by card networks like VISA, Mastercard and American Express. It can also aid compliance with the European GDPR regulation, which protects customer data, as merchants don’t need to be responsible for storing sensitive information.

Remove friction from checkout

Repeat customers can pass through a merchant’s checkout process without a need to enter card details and card verification value each time, because the same token can be reused. This means merchants can enable one-click checkout for a swift completion that should help optimise conversions, while remaining secure and compliant.

Reduce processing costs

Transactions that use tokenization may be subjected to reduced fees by card schemes because of their enhanced security.

Benefits of payment tokenization for platforms and marketplaces

By turning the financial details of merchants, app developers and service providers into tokens, platforms and marketplaces can provide a seamless service while protecting their users and themselves. Here’s a breakdown of the key benefits:

Simplified payout management

Tokenization simplifies and streamlines payout processes for platforms by securely managing sensitive payment information. By storing tokens for recurring payments, tokenization removes friction from the experience, as users of the platform don’t need to repeatedly provide payment details.

Protection against data breaches

The high level of security that tokenization enables benefits platforms and marketplaces, as they protect both buyer and seller information from potential data breaches and fraud.

Reduced liability

By tokenizing data, platforms limit their liability if a breach does occur, because they have not been exposed to sensitive payment information. This can protect against financial and reputational damage.

Scalability

Tokenization integrates seamlessly with new payment technologies. This means that as platforms expand into new markets with different payment methods, and as technology evolves, payment tokenization puts them in a strong position to future-proof themselves.

How to implement payment tokenization

Collaborate with a reputable tokenization service provider like Airwallex to integrate tokenization into your payment processes.

Airwallex is a modern payments platform designed to help you grow and safeguard your global revenue. Airwallex facilitates the replacement of primary account numbers (PANs) with network-issued tokens to improve card acceptance rates and reduce processing costs. The process means that customer details can be safely stored for one-click orders in the future, while remaining compliant with all relevant data protection regulation.

Our full-stack payments platform directly integrates with all major card scheme networks. The process is an example of network tokenisation, as outlined above, which means that the translation of sensitive customer data to tokens is managed by the card networks themselves. This ensures security standards are extremely high, while checkout remains as frictionless as possible, keeping conversion rates high. 

Airwallex’s network tokenization feature is automatically enabled for all merchants at no additional cost. Airwallex will take the responsibility of handling the replacement of the account details with a network token and ensure seamless processing. However, merchants can opt out of this service and instead use an external token service provider if they prefer. In this case, Airwallex handles these externally generated tokens and ensures processing happens securely and without friction.

The global regulatory landscape for payment tokenization

Standards and regulations governing payment tokenization vary by region, and are being updated as payment technology evolves, so it’s important for you (or your payment provider) to stay aware of those that are relevant to your business. Key guidelines and pieces of legislation include:

EMVCo Tokenization Framework

EMVCo is a global technical body focused on standardising payment systems worldwide. The abbreviation stands for Europay, Mastercard, Visa: the three companies that created the standard. EMVCo has established a set of guidelines and specifications for implementing payment tokenisation, and it provides certification for those who wish to show that they meet this standard. Points addressed within the framework include:

• Ensuring the process for replacing sensitive cardholder data with tokens is secure.

• Managing the “lifecycle” of each token from generation to secure storage, transmission, and expiration or deactivation.

• The authentication and authorisation processes governing who can access and use tokens.

The framework also introduces the idea of Token Assurance Levels (TALs) which categorise tokens based on their security and usability. Different TALs may be suitable for different uses and levels of associated risk.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of security standards developed by major credit card companies, including Visa, MasterCard and American Express. It was created to ensure that all companies that accept, process, store and transmit card information do so securely. Non-compliance can result in transactions being declined and other penalties.

Tokenization is recognised as a valuable security method for achieving PCI DSS compliance. Because merchants don’t need to store actual card data in their own systems, there are fewer hoops to jump through to comply with PCI DSS requirements. These include strict controls on the storage of sensitive cardholder data.

PSD2 and GDPR

PSD2 and GDPR are two pieces of European legislation that cover payment services and data protection respectively.

• PSD2 mandates Strong Customer Authentication (SCA) for electronic payments, requiring merchants to ask customers for two forms of authentication (e.g. a password and one-time code texted to a phone or fingerprint scan) for certain types of transaction.

• GDPR focuses on the security, privacy protection of personal data. It encourages businesses to process the minimal amount of data necessary for the intended purpose, and to process and store it in a safe way.

Neither PSD2 and GDPR require tokenisation, but tokenisation can make compliance with these regulations much easier.

• SCA slows down the checkout process for customers. A tokenised payment process can ensure that repeat payments are almost instantaneous, enabling one-click transactions while adhering to PSD2’s high security standards.

• Tokenisation aligns well with the GDPR requirement for data minimisation, and with other parts of the regulation governing areas such as the security of data processing and the protection of personal data. 

Optimise your payment processes with Airwallex

Airwallex offers comprehensive payment solutions for businesses of all sizes, from individual eCommerce merchants to online marketplaces and platforms. This involves the reduction of chargebacks using built-in fraud prevention techniques and the seamless implementation of network tokenisation to optimise payment processes.

As outlined in this article, there are multiple ways that merchants and other businesses can benefit from payment tokenization:

• Fraud prevention: Eliminating the need to store sensitive card information helps keep data secure.

• Customer trust: The prevention of data breaches helps prevent reputational damage.

• Reduced costs: Minimising fraud rates also reduces the costs associated with reimbursements, and can reduce processing costs as your business can be considered lower risk.

• One-click repeat payments: Tokenized data can be safely held on file for quick recurring transactions.

• Conversion rates: Providing a seamless checkout process is a way to boost conversions.

• Compliance with industry standards: Rest easy knowing that compliance with regulations and standards are taken care of.

Find out more about Airwallex’s payment tokenization capabilities by clicking here.

Airwallex is an end-to-end payments and financial platform designed to empower eCommerce businesses to scale globally. With Airwallex as a partner, your business can accept payments from overseas customers through a fully localised and optimised checkout, settle multiple currencies into a Global Account without forced currency conversions, and pay international suppliers via high-speed transfers and multi-currency cards. Find out more about Airwallex Payments here.