Today, the concept of tokenization has gained momentum inasmuch as its implementation represents the end of traditional payment methods and the beginning of a new digital ecosystem in which data security is paramount.
Payment methods before tokenization
Although the evolution of payment methods involves several different aspects over many years of history, there are very specific elements that illustrate the road traveled up to the present day.
During the early days of card payments, when payment terminals did not yet exist, transactions were made using a manual validator that allowed the image of the credit or debit card to be traced on a piece of paper, which left the sensitive information embossed and completely exposed. This transaction data was then used to fill out a form.
As time went by, magnetic card stripes and dataphones were introduced, and later on, chip technology was adopted. The use of the chip significantly increased security, making it less easy to steal a visible card number or to copy a magnetic stripe. As a result, we are now entering an era in which data is more secure, especially with the implementation of contactless technology. In the mid-2010s, when economy digitalization was becoming more popular, tokens began to work their way into the payment ecosystem.
The ABCs of Tokenization
Tokenization was born as a solution to digitize transactions while protecting sensitive data such as card numbers, expiration dates, and security codes (CVV).
A
A token is a value that replaces and becomes the digital representation of the sensitive data associated with a card. This value can be stored by merchants or in applications, with the guarantee that, if it were exposed, it could not be used for transactions; thus, providing the cardholder with higher security in card-not-present payment methods, such as e-commerce and recurring payments, as well as in payments made with mobile or wearable devices.
B
Multiple tokens for a single card. A different token is generated each time a card is registered at a merchant or on an application that can request tokens from the corresponding brand. In other words, if the user adds a card to a mobile wallet, it will generate a different token than the one generated for their transportation app, their streaming service, or the e-commerce site they use.
C
Automatic card data updates. When there are tokens associated with a card but the card numbers or expiration date change as a result of a replacement, this data is automatically updated and reflected in the existing tokens, without the cardholder having to go through an additional process.
Key players in tokenization
There are several key players involved in the tokenization ecosystem. Some are well known in the industry of payment methods, but have new roles, while others emerged along with tokenization. Let’s review the specific roles of each of these key players:
Brands are token service providers (TSPs) in charge of providing and storing tokens, as well as regulating the tokenization ecosystem. Each brand has its own token vault and is responsible for translating a token into the corresponding card within the setting in which the token is valid.
The new player in the payment ecosystem, the Token Requestor, can be an e-commerce, a digital wallet, or a payment gateway, such as Placetopay.
The Token Requestor has a direct relationship with the cardholder as its end user. For example, Netflix has a direct relationship with those who purchase its streaming service, as does Amazon with those who shop on its platform. They are also responsible for providing a good experience to their end users. Moreover, the Token Requestor has a direct relationship with the brand in order to request tokens in replacement of card numbers.
The issuer is the financial entity that issues the cards for its customers, and the one in charge of responding to the token requests made by Token Requestors. For example: when a user registers a card in the Uber app, the token requestor (Uber) will send a request to the brand to generate a token to replace the card number. When the request reaches the issuer, it determines whether to approve the request and if it requires cardholder authentication. The entity is also responsible for keeping its customers' contact information up to date, sending the authentication OTP (one-time password) to the cardholder, and controlling automated changes in the token and card life cycles.
The acquirer maintains its standard function of processing transactions from its affiliated merchants, whether they send a token or a card number.
The end user receives the clear benefit of increased security when handling their sensitive data and in their transactions, plus the possibility of using new, more convenient, efficient, and secure payment devices that offer an improved user experience.
Token usage cases
- E-commerce and card-on-file tokens: if all issuer rules are met, these token requests are usually approved without needing cardholder authentication. This is known as the green flow.
- Wearable devices: this usage case refers to wearable devices that have digital wallets and allow token requests. Some well-known examples are the wallets used in Fitbit and Garmin devices, which store the token in a secure component of the device itself. These generally require user authentication for the request to proceed, which is known as the yellow flow.
- Industry wallets, such as Apple Pay, Google Pay, and Samsung Pay, are wallets that allow token requests for cards from multiple institutions worldwide. These wallets receive special usage cases from the brands due to their distinct characteristics.
- Issuer wallets are generally used in Android devices, which can be classified into two types: (a) a wallet issued by a financial institution only for its customers, or (b) a multi-issuer wallet where several issuers can incorporate their cards.
Benefits
Tokenization facilitates the implementation of innovative payment methods through mobile or wearable devices, adding a security factor to the transaction, by using device authentication methods before a transaction and by protecting sensitive card data, thus minimizing the risk of fraud, improving approval rates, and, in turn, reducing the number of chargebacks.
When paying with devices, the user experience is simple and smooth, and in addition to offering a wider variety of payment method availability at any given time, it lessens the need to have multiple physical cards on hand. The cardholder authentication required when registering their card in a wallet ensures that the registered card is valid and belongs to the person registering it.
In addition, replacing the card with separate tokens for each token requestor or device minimizes the risk of sensitive data being used by third parties for fraudulent purposes.
The technology of possibility
When thinking about the future of tokenization, we can safely conclude that the future is here and now.
While the future of payment methods and their digital transformation process is bound by the technology implementation and payment regulations of each country or region, we cannot ignore the fact that transaction security, as well as quick and efficient payment methods, driven by the accelerated growth of e-commerce, are the answer to the many years of innovation and evolution of the financial ecosystem.
It is not a secret that new generations move at the speed of technology, which is why issuers must be able to implement solutions that allow them to move along the path of digital transformation at the same pace as their users, and with Evertec, that is possible.
With Evertec, issuers will be able to respond to provisioning requests from various token requestors, manage the life cycle of the token cards associated to the card statements in an automated manner, along with the capability to modify the token life cycle manually, in addition to having a certified host to process tokenized transactions.
Shifting towards 100% digital payment methods, where security and ease of use prevail, is now possible with Evertec and its value-added service: tokenization.
– By Vilma Rodríguez Morales
Issuer product manager at Evertec