Understanding card tokenization
3 min read
One of the most important concepts in the world of credit cards is “tokenization”. To understand what it means, we first need the full context of how a credit card transaction works.
In any transaction that involves a credit card, the owner of the card provides their card details to the merchant in some form. This could be a card swipe or tap at a point of sale (POS) terminal, or typing the number into a merchant website.
The merchant's system forwards the card details and the charge data to the card network (Visa or Mastercard, for example), in practice by way of the merchant's acquiring bank or payment processor. The network passes the request on to the issuing bank, such as Chase or Citibank, which approves or declines it, and the merchant is notified of the result. Note that the merchant's system holds the full card details while this happens. Once the transaction is authorized, the merchant is not allowed to keep the sensitive authentication data (the CVV and magnetic-stripe contents), and any card number it does retain brings its systems into scope for the PCI DSS card-data rules.
In some cases the merchant wants to charge the card on a recurring basis, so it stores the card details. That stored data is exactly what attackers go after: a breach of the merchant's database hands them the consumer's card number.
At point of sale terminals, attackers can attach a device that copies the card data as it is swiped. This is called “skimming”.
Once card data has leaked, the consumer has only one option: ask the bank to cancel the card and send a new one. This costs everyone money. It can cost the bank up to $40 to cancel and reissue a card, and any fraudulent transactions made with the stolen number are a loss on top of that.
Tokenization
The card networks came up with a different approach. Instead of storing the number printed on the card, the merchant passes that number to the card network once, and the network returns a different number, a token, to be used in its place. The merchant saves this token instead of the real card number. The network also records that the token may only be used by that merchant (it is domain-restricted), so even if the token is stolen it is useless to anyone else. These are called “ecommerce tokens”.
Another form of token is the “device token”, which became mainstream with Apple Pay and Android Pay. Here the mobile device is enrolled through a process also called “tokenization”: it receives a device-specific token that stands in for the card number, together with a secret key shared only with the network's token service and the issuer. From time to time the device is refreshed with new keys or single-use tokens from the network, which it stores locally. When the user taps their phone to pay, the device sends the token plus a short cryptographic value computed over the transaction data with that key (the cryptogram) to the terminal, which forwards it to the network and issuer for verification. Since only the device and the verifying side hold the key, a valid cryptogram proves the payment came from the enrolled device.
A skimmer on the POS terminal gains nothing here: it sees the token and one cryptogram, but the token is tied to that device, the cryptogram is valid for that single transaction only, and without the key the attacker cannot produce a new one.
There is a fundamental difference between ecomm tokens and device tokens. Device tokens are always created with the user in session: the user has to add their card to Apple Pay or a similar wallet. For ecomm tokens no user interaction is needed; the merchant requests them seamlessly behind the scenes.
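To make the two token types concrete, here is an added Python model. It is not from the original post and is not any card network's real API: a toy token service that issues merchant-bound ecommerce tokens and device tokens with a per-device key, a wallet object standing in for the phone's secure element that produces an HMAC-based cryptogram for each tap (a stand-in for the real EMV cryptogram), and the authorization checks that make a stolen token, a replayed tap, or a tampered amount fail. It also plays out the card-reissue case. The card numbers, merchant names and device IDs are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Added illustration of the ideas in the text, not any card network's real API.
# Constructed sample data: well-known test card numbers, no real card data.
SAMPLE_PAN = "4111111111111111"
REISSUED_PAN = "4242424242424242"


def cryptogram_for(key, token, amount_cents, counter):
    """HMAC over the transaction data; stands in for the EMV cryptogram (assumption)."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenService:
    """Toy token vault standing in for the card network's token service."""
    def __init__(self):
        self._vault = {}        # token -> {"pan": str, "domain": (kind, id)}
        self._device_keys = {}  # device token -> {"key": bytes, "last_counter": int}

    def _new_token(self):
        # PAN-shaped (16 random digits): fits the old card-number field, reveals nothing.
        return "9" + "".join(secrets.choice("0123456789") for _ in range(15))

    def issue_ecommerce_token(self, pan, merchant_id):
        """Merchant sends the PAN once and stores only the returned token."""
        token = self._new_token()
        self._vault[token] = {"pan": pan, "domain": ("merchant", merchant_id)}
        return token

    def authorize_ecommerce(self, token, merchant_id):
        """Returns (ok, pan_or_reason); the token only works for its own merchant."""
        entry = self._vault.get(token)
        if entry is None:
            return False, "unknown token"
        if entry["domain"] != ("merchant", merchant_id):
            return False, "token not valid for this merchant"
        return True, entry["pan"]

    def reissue_card(self, old_pan, new_pan):
        """Bank replaced the card: tokens are re-pointed, merchants see nothing."""
        for entry in self._vault.values():
            if entry["pan"] == old_pan:
                entry["pan"] = new_pan

    def provision_device_token(self, pan, device_id):
        """Enrolment with the user in session: the device gets a token and its own key."""
        token, key = self._new_token(), secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "domain": ("device", device_id)}
        self._device_keys[token] = {"key": key, "last_counter": 0}
        return token, key

    def authorize_contactless(self, token, amount_cents, counter, cryptogram):
        """Verify a tap: known token, fresh counter, cryptogram matches the data."""
        entry, keys = self._vault.get(token), self._device_keys.get(token)
        if entry is None or keys is None:
            return False, "unknown token"
        if counter <= keys["last_counter"]:
            return False, "replayed cryptogram"
        expected = cryptogram_for(keys["key"], token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        keys["last_counter"] = counter
        return True, entry["pan"]


class Wallet:
    """Models the phone's secure element: the key never leaves this object."""
    def __init__(self, token, key):
        self._token, self._key, self._counter = token, key, 0

    def tap(self, amount_cents):
        """What the POS terminal (and any skimmer attached to it) gets to see."""
        self._counter += 1
        return {"token": self._token, "amount_cents": amount_cents, "counter": self._counter,
                "cryptogram": cryptogram_for(self._key, self._token, amount_cents, self._counter)}


def run_scenarios():
    """Play out the thefts described in the text; returns a dict of outcomes."""
    ts, results = TokenService(), {}
    # Ecommerce token stolen from shop-a's database and tried at shop-b.
    tok = ts.issue_ecommerce_token(SAMPLE_PAN, "shop-a")
    results["own_merchant"] = ts.authorize_ecommerce(tok, "shop-a")
    results["other_merchant"] = ts.authorize_ecommerce(tok, "shop-b")
    # Skimmer on the POS captures one tap, replays it, then edits the amount.
    dtok, key = ts.provision_device_token(SAMPLE_PAN, "phone-1")
    wallet = Wallet(dtok, key)
    tap = wallet.tap(1999)
    results["genuine_tap"] = ts.authorize_contactless(**tap)
    results["replayed_tap"] = ts.authorize_contactless(**tap)
    forged = dict(tap, amount_cents=199900, counter=tap["counter"] + 1)
    results["forged_tap"] = ts.authorize_contactless(**forged)
    # Bank reissues the card: shop-a's subscription keeps working unchanged.
    ts.reissue_card(SAMPLE_PAN, REISSUED_PAN)
    results["after_reissue"] = ts.authorize_ecommerce(tok, "shop-a")
    return results
```

Calling run_scenarios() shows the properties the text describes: the ecommerce token authorizes only for shop-a, the replayed tap is refused by the counter check, the tap with an edited amount fails the cryptogram check, and after the reissue the same token resolves to the new card number. The design point worth noticing is that the merchant and the POS never see the device key or the real PAN; everything an attacker can capture on either side is bound to one domain or one transaction.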
Benefits
Tokenization offers several benefits. The most important ones are:
Limits the damage of card data theft: a stolen token cannot be used outside the merchant or device it was issued to.
Subscription payments continue even if the bank replaces the physical card, because the network re-points the token to the new card.
Less liability for merchants, since a breach of their systems no longer exposes real card numbers.
Banks benefit from fewer fraud-related chargebacks and reissued cards.
Challenges
Although these standards have existed for more than ten years, merchants and ecommerce companies have been slow to adopt them, though adoption is increasing over time. Some interesting talks on the subject are linked below.