Last edited: Sept 2021 (2 min read)
Security should be at the forefront of any payment processing strategy. Buyers won’t make a purchase if they feel their payment details could be compromised, while sellers bear responsibility for protecting this customer data. Fortunately, there are numerous tools to boost online payment security, including tokenization. What is tokenization in payments and how does a token payment system work? Keep reading to find out.
What is tokenization in payments technology?
If you’ve made any online purchases recently, you’ve probably seen some reference to ‘tokenization’ along the way. It’s a popular buzzword, but what does it mean? In a nutshell, the token payment system works by replacing sensitive financial data with a randomly generated number, or token.
For example, with credit card payment tokenization the card’s primary account number (PAN) is replaced with a series of numbers (the token). The token is transmitted online or through wireless networks during payment processing. Because only the token is transmitted, hackers can’t access the actual PAN.
Payment tokenization explained
Security experts have long used substitution techniques to isolate data in a digital ecosystem. Traditionally, however, this was accomplished with encryption. For example, a cryptographic key could be used to scramble the data, with the key then used to decode it at the endpoint of transmission. Many companies and apps still use encryption, including mainstream messaging apps like iMessage and WhatsApp.
Yet when it comes to payment processing, tokenization has become increasingly popular due to its added security and ease of use. You can apply the token system to ecommerce platforms, POS terminals, e-wallets, and payment apps. With credit card payment tokenization, card details are never at risk of being revealed.
How does the process work, exactly? Here’s payment tokenization, explained:
A customer enters card details into an online checkout form or app.
The payment gateway creates a unique token in the API and sends it to the server.
The server authenticates the token and sends it to the merchant’s payment processor.
The merchant processes the payment using the token.
Because it’s the token being transmitted between payment gateway and payment processor, the customer’s card details are protected at every step.
Examples of payment gateway tokenization
Here are two real-world examples of how tokenization is used:
Mobile wallet: You add your credit card details to your smartphone. The digital app sends the card details to the issuing bank, which replaces the card number with a token. The token is sent back to the digital app and stored in your mobile wallet. If your phone is stolen, no card details are present inside the wallet – only the token.
Ecommerce store: The customer makes a purchase online at an ecommerce store. When they enter card details into the payment gateway, these are tokenized and the token is stored on file. If the store is ever hacked, it holds only customer tokens rather than card details.
Payment tokenization vs encryption
There are many similarities between encryption and tokenization, but what are the differences between the pair? End-to-end encryption also scrambles cardholder data during a transaction, encrypting it when you initiate payment and decrypting it when payment is complete. By contrast, tokenization replaces the card number completely with a random token. While you can decode encrypted data with the right key, tokens bear no relation to the original account number and cannot be reversed.
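The distinction above, as an added example that is not GoCardless code: a token drawn at random has no key that reverses it, so the card number can only be recovered by a lookup inside the gateway's vault. `TokenVault`, `checkout` and the in-memory dictionaries are hypothetical names for illustration, and the card number is a constructed test value.

```python
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum that real card numbers satisfy."""
    if not number.isdigit():
        return False
    digits = [int(d) for d in reversed(number)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class TokenVault:
    """Hypothetical gateway-side vault: the only place a PAN is kept."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        while True:
            # The token comes from a CSPRNG and is not computed from the
            # PAN, so no key or algorithm maps it back.
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            # Skip collisions and values that could pass as a real PAN.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_pence: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real gateway would submit `pan` to the card network here.
        return {"status": "approved", "amount": amount_pence, "last4": pan[-4:]}

def checkout(vault, merchant_db, customer_id, pan, amount_pence):
    """Stand-in for the gateway's checkout form plus the merchant's records."""
    token = vault.tokenize(pan)        # the PAN goes to the vault only
    merchant_db[customer_id] = token   # the merchant keeps just the token
    return vault.charge(token, amount_pence)

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real card

if __name__ == "__main__":
    vault, db = TokenVault(), {}
    print(checkout(vault, db, "cust_1", SAMPLE_PAN, 1299))
    print("merchant stores:", db)
```

A copy of the merchant's records contains only tokens, and a token that the vault did not issue is rejected rather than charged.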
The bottom line
While all online transactions carry some fraud risk, tools like a token payment system reduce this significantly. Implementing payment gateway tokenization into your online business ensures that customers can make safer, more secure payments. Even in the event of a data breach, the information will be useless to a fraudster. This type of system is also cost-efficient, built right into your payment platform for ease of use.