Digital tokenization is a hot topic in the financial news – and if you closely follow the world of FinTech, then this post is not for you.
But if your organization accepts payments and prioritizes data protection (as you should!), you need to understand how tokenization helps you better protect your customers’ credit card information.
Tokenization by the Books
Tokenization, as defined by Gartner, refers to a process by which a piece of sensitive information, such as a credit card number, is replaced by a surrogate value known as a token.
We’ve put together an explainer video that walks you through exactly what that means – in straightforward business terms you can understand in just a few minutes.
Tokenization Helps PCI Compliance
First, it’s important to understand that tokenization is an industry standard, essentially required by the PCI DSS for all organizations that take credit cards. It’s not impossible to be PCI compliant without using tokenization – but it’s challenging.
How Exactly Does Tokenization Work?
Tokenization is a technology developed industry-wide to ensure that credit card data is kept secure. The receiver of the cardholder data assigns a random string of characters to replace the sensitive information and returns that string to the provider of the cardholder data.
However, we promised to talk about this in simple business terms, so in short:
As the merchant, you provide the credit card number through bank-level encryption or a hosted payment page to a trusted partner, most likely your payment gateway. Your payment gateway, in turn, will give you a reference that represents that credit card in their system.
A token cannot be deciphered because it was never encrypted in the first place. Instead, a random string is assigned to the credit card number, so nothing in the token itself leads back to the card. How is this a secure way of storing sensitive data? Here’s an analogy:
In this scenario, you’re headed to Las Vegas to play blackjack. Let’s say that you start your evening at the MGM Grand. When you sit down at the table, you hand them $100 and get back the equivalent in $5 tokens. While you’re in the MGM Grand casino, those tokens are as good as cash.
But if you head next door to New York-New York, your tokens from the MGM Grand will not work. They only have value as currency at the MGM Grand.
This is essentially how the payment industry works with tokens. A token from your payment gateway is only good when you are logged into that gateway. Often, the tokenized card data is only good for one merchant ID (MID). However, there are some exceptions to this – sometimes it is possible to share tokens across MIDs.
This is what makes this system so secure. If a bad actor manages to get their hands on these tokens, the tokens are functionally useless to them. Even if this would-be attacker also obtained your credentials and signed in to your payment gateway account, they still would not be able to use those tokens, because the tokens are tied, through your merchant ID, directly to your bank accounts. And if they did attempt to charge something against a token, the money would land in your bank accounts, fully within your control to reverse.
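The flow described above, as an added example that is not Chargent's or any payment gateway's own code: a minimal in-memory token vault in Python showing a random token, a merchant-bound charge, and a rejected cross-MID attempt. The class and method names, the tok_ prefix and the merchant IDs are assumptions, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """Gateway-side vault (hypothetical): the only place the card number lives."""
    def __init__(self):
        self._vault = {}  # token -> (merchant_id, pan)

    @staticmethod
    def _luhn_ok(pan: str) -> bool:
        digits = [int(d) for d in reversed(pan)]
        total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
        return total % 10 == 0

    def tokenize(self, merchant_id: str, pan: str) -> dict:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and self._luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(24)  # random, not derived from the PAN
        self._vault[token] = (merchant_id, pan)
        # The merchant gets back a reference plus the last four digits for display.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        entry = self._vault.get(token)
        # Unknown tokens and tokens issued to another MID fail identically.
        if entry is None or not secrets.compare_digest(entry[0], merchant_id):
            raise PermissionError("token not valid for this merchant")
        # Funds always settle to the merchant the token is bound to.
        return {"settles_to": entry[0], "amount_cents": amount_cents, "last4": entry[1][-4:]}

def demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"  # constructed: well-known test number, not a real card
    first = vault.tokenize("MID-A", pan)
    second = vault.tokenize("MID-A", pan)
    try:
        vault.charge("MID-B", first["token"], 500)
        cross_mid = "accepted"
    except PermissionError:
        cross_mid = "rejected"
    receipt = vault.charge("MID-A", first["token"], 500)
    return {"pan_in_token": pan in first["token"], "tokens_differ": first["token"] != second["token"],
            "cross_mid": cross_mid, "settles_to": receipt["settles_to"]}

if __name__ == "__main__":
    print(demo())
```

The merchant's own database holds only the token and last4 values returned by tokenize, so a copy of that database contains no card numbers.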
Tokenization Builds Customer Trust
We recommend that all of our customers – and really, any organization that accepts payments – tokenize all credit card data throughout their entire organization. Additionally, most payment gateways will also tokenize bank account data.
When your customers trust you with their sensitive information, following the highest security standards is implicit in that trust. 83% of companies will experience a data breach – and handling payment data as securely as possible helps to reduce the logistical and reputational fallout.
Some payment gateways do add a fee for tokenizing cardholder data. However, that added cost is a worthwhile investment in risk mitigation and customer confidence.
For organizations taking payments in Salesforce, Chargent makes tokenization easy. Our Payment Console and Payment Request features ensure your cardholder data is protected – without ever being stored in Salesforce.
Still have questions? Our team is always here to help – get in touch today and let’s talk tokenization.