Every business has security issues to consider when accepting credit card payments. The security considerations become more complex if you choose to store credit card numbers. Credit card tokenization makes storing credit card information easier and more secure.
In this article we’ll explore what credit card tokenization is, how it works, and how it can help your business from both a cost and operational perspective.
The term “Tokenization” may sound confusing but it’s a fairly simple concept. It’s to do with the storage of credit card numbers. More specifically, it refers to having a company store the credit card numbers for you, so that you don’t have to store the sensitive data yourself.
A “token” is a reference to a credit card number that is being stored somewhere. Tokens can be stored by your credit card processor, or by a tokenization service provider such as Spreedly. To use tokenization you set up your website so that a third-party company stores the sensitive card information for you. Whenever you want to bill that card you just reference the token associated with it. Your system will have no credit card numbers stored within it. Instead you’ll have a list of token numbers (which aren’t sensitive). Those token numbers can be used in place of a credit card number when submitting payments.
If that isn’t quite making sense yet we should take a step back and consider the transaction flow.
Tokenization often begins its life as a regular credit card transaction. For a moment, consider a normal online purchase where you go to a website, add things to your cart, and then go to the checkout to pay. You will be asked to type in your credit card information. At this point it’s exactly the same as any online / e-commerce sale.
The differences start once the transaction is submitted. After the sale is completed you might want to store that card for future use, and this is where credit card tokenization begins.
In other situations you might not want to process a credit card upfront, but want to tokenize a card for other reasons. For example, you might be signing up for an online service in which the first month is free. In these cases the customer will type in their credit card number during the sign-up process to create a token that can be billed later. To do this you would submit a $0 transaction, which is often called a “verify request”. Behind the scenes your payment processor will contact the issuing bank to ensure the card is valid, but no charge will be placed on the card.
Once a card is confirmed to be valid it can be tokenized. Regardless of whether it’s being tokenized from a regular e-commerce sale, or if it’s initiated from a verify request, the ultimate point is to get a response back from the card issuer to determine if the card is valid.
Once the credit card is confirmed a token will be created. The token is a number that is linked to that specific credit card. For clarity, the token number isn’t a credit card number. It’s just a reference number to that credit card. The company that is tokenizing your data (storing your credit card numbers) knows which token numbers refer to which credit cards.
Any time you want to bill that card in the future you can reference the token number. You’ve managed to store credit card numbers without actually having the sensitive information on your system!
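The flow described above, as an added sketch that is not taken from this article or from any provider’s API. `TokenVault`, `merchant_signup` and `merchant_bill` are hypothetical names, the card number is a constructed test value, and a Luhn checksum stands in for the issuer’s reply to the verify request.

```python
import secrets

class TokenVault:
    """Stand-in for the third-party provider that holds the real card numbers."""

    def __init__(self):
        self._cards = {}  # token -> card number; exists only on the provider side

    def _verify(self, pan):
        # Assumption: a Luhn checksum stands in for the issuer's answer to the
        # $0 "verify request"; a real provider asks the issuing bank.
        if not (pan.isascii() and pan.isdigit()):
            return False
        digits = [int(d) for d in reversed(pan)]
        total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
        return total % 10 == 0

    def tokenize(self, pan):
        if not self._verify(pan):
            raise ValueError("card failed verification; no token issued")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the card
        self._cards[token] = pan
        return token

    def charge(self, token, amount_cents):
        pan = self._cards[token]  # KeyError for a token this vault never issued
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def merchant_signup(vault, customer_db, customer_id, pan):
    """Merchant side: hand the card to the vault and keep only the token."""
    customer_db[customer_id] = vault.tokenize(pan)
    return customer_db[customer_id]


def merchant_bill(vault, customer_db, customer_id, amount_cents):
    """Merchant side: bill later using nothing but the stored token."""
    return vault.charge(customer_db[customer_id], amount_cents)


if __name__ == "__main__":
    vault, db = TokenVault(), {}
    merchant_signup(vault, db, "cust_1", "4111111111111111")  # constructed test number
    print(db)  # the merchant database holds only a token, no card number
    print(merchant_bill(vault, db, "cust_1", 1999))
```

Because the token is random, a copy of the merchant database reveals nothing about the card; the mapping back to the card number exists only inside the vault.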