There’s a lot for ISVs to consider when choosing integrated payments partners. In addition to making sure the solution provides the best user experience and functionality for your client’s type of business, the current threat landscape requires that you bump security to the top of your priority list. You need to ensure the payments solution you integrate with your application provides your clients comprehensive payment security, including tokenization.
Marci Gagnon, VP of strategic alliances for Qualpay, points out that the concept of tokens — replacing something of value with a different item to represent it — has been around for decades. Players in an arcade, for example, exchange money for tokens, which they can use to play games inside the arcade. Once they leave the arcade, the unmarked tokens have little value. Similarly, modern payment tokenization technology replaces sensitive credit card data with a series of randomly generated symbols — tokens — that could be passed back and forth between a merchant and a token vault to eliminate the need to transmit actual account numbers. Outside the merchant’s system — like in the hands of a hacker — tokens have no value.
How Tokens Work
Gagnon explains that there are six steps in tokenization:
- The consumer enters a card number manually or via a card reader.
- The credit card number passes to a token vault.
- A token is randomly generated.
- The token is passed back to the merchant.
- The merchant’s system associates the token with the customer.
- The merchant can store the token to use in follow-on transactions, such as future sales, voids or returns.
Gagnon says that tokenization has a bit of an edge over encryption because there’s no way to reverse engineer a token — it’s not based on an encryption algorithm, it’s random. And only the merchant has the key to unlock it.
Merchants can opt for single use tokens, but multiuse tokens allow them to quickly manage follow-on transactions or for omnichannel engagements such as handling an in-store return of an online purchase. Merchants with multiple locations, however, should use one token vault for each destination. “If they’re not mapped correctly, it could create cross-token issues,” Gagnon explains.
An Extra Layer of Security
Using tokens greatly reduces PCI scope since no payment card data is used in the merchant’s system. Gagnon says e-commerce merchants who use embedded fields or a hosted payments page can reduce PCI scope even further — card numbers bypass the merchant’s system completely and go directly to the token vault.
Only the merchant has the key to access tokens for their customers, and for extra security or if the merchant thinks their system has been compromised, keys can be turned. .
Additional Ways Tokenization Benefits Retailers
It’s clear that tokenization is a valuable security measure, but retailers will also benefit through:
- Easy follow–on transactions: Tokenization can make returns —even across channels — quick and easy, providing customers with efficient, convenient service.
- Gift and Loyalty: Retailers can use tokenization for loyalty rewards or gift cards accounts, associating them with the users’ email addresses.
- Recurring Billing: Merchants can use tokens to set up payment plans or monthly billing.
- Innovative Applications: Tokenization can be used anytime a retailer wants to replace real data with a different item. It can mask social security numbers or replace pictures of payment cards uploaded to mobile wallets.
Advice for ISVs
When you are looking for partners who provide tokenization technology, check with the provider up front to ensure they will allow your clients to migrate tokens if they decide to switch providers. “Make sure you aren’t putting your clients in tech handcuffs,” Gagnon says.
She adds that some providers will also set up vendor keys that ISVs can use to set up a gateway properly. This eliminates the need to wait for the merchant to provide the key and API, helping to streamline onboarding.
Tokenization is the New Normal
With consumers more aware of technology that masks their account numbers, they may have more confidence in merchants who use it. Gagnon comments, however, “You still see folks passing credit card data.” She says most gateways and integrated payment solutions offer tokenization, but “it’s a question of whether they use it.”
Citing the IBM Cost of a Data Breach Study, Gagnon says 40 percent of fraud can be traced back to employees not following best practices. “It’s best not pass actual payment card data,” she says. “Consumers just enter the data, and it’s tokenized.”
Gagnon says with integrated payments providers like Qualpay, there’s no additional charge for tokenization, but some gateways may charge a minimal fee. She says even if tokenization costs an additional few cents per transaction, it’s well worth it. “The average cost per record compromised in a data breach is $233,” Gagnon says. “If they’re doing a lot of recurring billing that could mean 5,000 records times $233. For a couple of cents, tokenization is really beneficial when you look at the financial impact,” she says.