Tokenization: Everything you need to know

If you’re a subscription or recurring businesses, the specter of unnoticed failed payments quietly eating away at your bottom line is probably keeping you up at night. In reality, they’re a headache for everyone. For customers, it means potentially going through the long winded process of re-entering their details. Worst of all, no one notices the payment failed until their service stops. That’s awkward.

For businesses, it means losing revenue and potentially new customers who could become regulars.

What if there was a way to lower the risk of a payment failing, while adding an extra level of security into the mix? We’re talking about tokenization.

Tokenization is a strategy that replaces sensitive data with safe, non-sensitive data. When it comes to payment tokenization, it’s a customer’s primary account number (PAN), expiry date, and CVV2 that's encrypted and transformed into a combination of unique numbers - this is our token.

A transaction triggers the real-time process of creating a token, connecting the customer’s card to the issuing bank to create a token used for the specific purchase. The PAN is kept out of sight, making tokenization a reliable way to boost security measures.

In the case of Adyen, we serve as the issuer. Our tokenization service securely stores customer card data and generates a token that can be used by a business to charge subsequent purchases, as shown in the diagram below.

Depending on the type of business and transaction, payment tokenization is carried out in different ways.

The first time a customer enters their card details on a platform, they can be tokenized and stored on file, meaning there’s no need to re-enter information. Additionally, a card on file system - like our Account Updater - can instantly update details if a card is lost, expired or stolen, meaning less risk of a failed payment. Card on file can be used for two types of transaction:

Subscription and recurring payments- Businesses can trigger and collect ongoing payments from their users without any obstacles. Think Netflix or Spotify memberships.

One-click payments- Cardholders simply need to confirm a transaction for their card to be immediately charged using the stored details. This is a great way to ensure an optimised, fast checkout - perfect for repeat purchases.

To be added to a digital wallet like Apple Pay or Google Pay™, sensitive card data is replaced with a token stored on a device for online, in-app, and in-person payments. This makes digital wallets widely accessible, since many checkouts accept them. Security is also increased as not only are tokens safe, but their built-in security means they meet the requirements of Payments Card Industry (PCI) compliance andPayments Services Directive (PSD2). This includes strong customer authentication via biometrics such as Touch ID or facial recognition.

Tokenization is suited to subscription-based business models or any company that generates significant business from repeat customers. There are several core benefits for those who implement it.

It’s secure:If fraudsters steal tokenized payment data, it doesn’t mean they can steal money. In fact, they can’t use the stolen tokens to pay online at all, since they're unable to link the token to payment information stored securely by the payment partner.

It saves costs:Businesses can save money in the long-run thanks to the secure nature of tokenization. As well as reducing compliance costs thanks to the minimal PCI scope, they’re at lower risk of data breaches that could lead to large fines or legal battles.

It streamlines payments:As seen in the payment tokenization use cases above, the payment process is not only faster - since it can take just one click to complete - but conversion rates are also increased. This is thanks to card details always being up to date.

Tokenization and encryption are both effective ways to protect data, but they’re not the same process. They’re sometimes used in unison to create a secure payment process from start to finish, but are not interchangeable. So it’s important to know the difference between them.

While tokenization swaps out sensitive data for a token, the original data is still present in encryption, but turned into an unreadable form accompanied by a key. This encryption key is shared between the sender and the receiver, which decrypts the data on the other side.

It’s this method that makes encryption ideal for transferring unstructured data. For example, long-form text like sensitive documents (medical records, financial information etc.). Encryption is also a good fit for databases that don't store across multiple systems or exchange information regularly. But…

For tokenization, a more complex process is required to reach the original details behind the token.

As the name implies, detokenization is the reverse process of tokenization - retrieving the exact card details that were originally entered. Most often, it can only be conducted using the original system used to tokenize. But on rare occasions, authorised applications are able to detokenize for an approved, strictly necessary business purpose such as fraud detection.

So, that's how tokenization works in the world of payments. We hope this has helped you understand the process better, and whether it would be a good fit for your business.