Tokenization is a security measure that replaces sensitive account and card data with a non-sensitive surrogate value, the token, which then stands in for the card number during the payment process. The token has no exploitable value on its own: it can be mapped back to the original account or card data only by the tokenization system that issued it, using the protected vault or keys that system holds.
What is PAN and how is it connected to tokenization?
A PAN, or primary account number, is the 14, 15 or 16-digit number printed on the cardholder's credit card (the ISO/IEC 7812 format allows up to 19 digits). Most people simply call it the card or account number; in technical documents it is referred to as the PAN.
This set of numbers is created using the following system:
- The first digit is the major industry identifier (MII), which tells you the card brand: American Express cards start with a 3, Visa cards with a 4, Mastercard cards with a 5 (Mastercard also issues cards in the 2221 to 2720 range), and Discover cards with a 6.
- The first six digits, including the MII, form the issuer identification number (IIN, often called the BIN), which identifies the issuing bank and the network the card belongs to. ISO/IEC 7812 expanded the IIN to eight digits in 2022, so newer ranges may be longer.
- The last digit is a check digit computed with the Luhn (mod 10) algorithm. It catches mistyped or transposed digits and makes a casually fabricated card number fail validation, but it offers no protection against a fraudster who knows the algorithm.
- The digits between the IIN and the check digit are the individual account identifier, which identifies the customer's account at the issuer.
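The structure above, as an added worked example (not code from the original article): it parses a PAN into the fields listed, validates the check digit with the Luhn algorithm, and applies the display and receipt masking rules discussed below. The sample numbers are the public test PANs the card networks publish for sandbox use, not real accounts; the Mastercard 2-series range and the six-digit IIN split are the only assumptions beyond the list.

```python
"""PAN structure, Luhn check digit, and PAN masking (added example)."""

from dataclasses import dataclass

# Major Industry Identifier (first digit) -> brand, per the list above.
MII_TO_BRAND = {"3": "American Express", "4": "Visa", "5": "Mastercard", "6": "Discover"}


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string (0 means the string passes).

    Walking from the right, every second digit is doubled and 9 is subtracted
    from doubled values above 9; all digits are then summed.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit, counted from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    pan = pan.replace(" ", "")
    return pan.isdigit() and luhn_checksum(pan) == 0


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass Luhn. Appending a 0 keeps the
    body's digits in the positions they will occupy in the full PAN."""
    return str((10 - luhn_checksum(body + "0")) % 10)


@dataclass(frozen=True)
class PanFields:
    mii: str
    brand: str
    iin: str          # issuer identification number (BIN): first 6 digits (assumed here)
    account: str      # individual account identifier
    check_digit: str
    luhn_ok: bool


def parse_pan(pan: str) -> PanFields:
    pan = pan.replace(" ", "")
    if not (pan.isdigit() and 14 <= len(pan) <= 19):
        raise ValueError("a PAN is 14 to 19 digits")
    brand = MII_TO_BRAND.get(pan[0], "other")
    if pan[0] == "2" and 2221 <= int(pan[:4]) <= 2720:   # Mastercard 2-series range
        brand = "Mastercard"
    return PanFields(mii=pan[0], brand=brand, iin=pan[:6], account=pan[6:-1],
                     check_digit=pan[-1], luhn_ok=luhn_checksum(pan) == 0)


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Display form: PCI DSS permits showing at most the first six and last
    four digits; everything else is replaced with '*'."""
    pan = pan.replace(" ", "")
    if first > 6 or last > 4:
        raise ValueError("PCI DSS display masking allows at most first 6 / last 4")
    tail = pan[-last:] if last else ""
    return pan[:first] + "*" * (len(pan) - first - last) + tail


def receipt_truncate(pan: str, visible: int = 4) -> str:
    """Receipt form: FACTA permits no more than the last five digits."""
    pan = pan.replace(" ", "")
    if visible > 5:
        raise ValueError("FACTA allows at most the last 5 digits on a receipt")
    tail = pan[-visible:] if visible else ""
    return "*" * (len(pan) - visible) + tail


if __name__ == "__main__":
    # Constructed samples: three valid public test PANs and one with a bad check digit.
    for sample in ("4111 1111 1111 1111", "378282246310005", "5555555555554444", "4111111111111112"):
        f = parse_pan(sample)
        print(f.brand, mask_pan(sample), receipt_truncate(sample), "luhn ok" if f.luhn_ok else "LUHN FAIL")
```

Note that a Luhn pass only proves the number is well formed; whether it belongs to a live account is something only the issuer can answer, which is why the check digit is a typo detector rather than a fraud control.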
Some card brands, such as Visa, require merchants to take extra steps to protect customer card data. Visa instructs merchants not to store the full account number unless the business genuinely needs it, so that a data or security breach does not expose usable card numbers. In the U.S., the Fair and Accurate Credit Transactions Act (FACTA) prohibits merchants from printing more than the last five digits of the card number, or the card's expiration date, on an electronically printed receipt.
The token used in secure payment communication stands in for the PAN with a value that is not derived from it, so it cannot be mapped back to the PAN or cardholder details by anyone who does not hold the token service's vault or keys.
What is the PCI Data Security Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
The PCI Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the evolution of the Payment Card Industry security standards with a focus on improving payment account security throughout the transaction process.
The PCI SSC was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) to manage the PCI DSS. The PCI DSS applies to any organization that stores, processes, or transmits cardholder data.
- PCI DSS
- Visa PCI DSS documentation
- MasterCard PCI DSS documentation
- American Express PCI DSS documentation
- Discover PCI DSS documentation
How and where is tokenization used?
Because the main goal of tokenization is to protect cardholder data, the tokens are created by a Token Service and delivered to your customer's device by the Token Issuance process; the merchant and the merchant's systems never handle the real PAN. The token is not mathematically derived from the PAN, so it cannot be reversed without access to the token service that holds the mapping.
There are three common scenarios in which tokenization is used to secure cardholder data:
- Tap & Go (contactless). The customer taps their card, phone or watch on the terminal's contactless reader instead of swiping or inserting the card, and for small amounts no PIN or signature is required. When the tap comes from a mobile wallet, the terminal receives a device-specific token and a one-time cryptogram rather than the card's PAN.
- In-app purchases. To protect cardholder data over mobile and cloud networks, the app transmits a token instead of the card number. Customers do not re-enter card details; the mobile device confirms their identity (fingerprint or other biometric) before it releases the token for the payment.
- In-app virtual purchases. Typically purchases made inside an app, such as a video game or a subscription service, of additional content or options. A token rather than the card number is sent along with the customer data.
If you have ever tapped your Apple Watch on a payment terminal to pay for a purchase, you have used tokenization to transmit and protect your cardholder data.
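The Token Service and Token Issuance flow described above, together with the tap and in-app scenarios, as an added example written for this page (it is not code from the original article or from any card network). It models the pattern in a few dozen lines: the token service mints a random token and a per-device key, issues both to the customer's device, and the device later presents the token with a one-time cryptogram that only the token service can verify and map back to the PAN. The message layout, the per-device key, the counter-based replay check and the HMAC-SHA256 cryptogram are assumptions chosen for illustration, not any network's actual protocol.

```python
"""Simplified token service: issuance to a device and a tokenized payment (added example)."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class VaultEntry:
    pan: str
    device_id: str
    device_key: bytes
    last_counter: int = 0   # replay protection: each payment must carry a higher counter


def _cryptogram(key: bytes, token: str, amount_cents: int, merchant_id: str, counter: int) -> str:
    """Assumed one-time cryptogram: HMAC over the transaction fields and the counter."""
    data = f"{token}|{amount_cents}|{merchant_id}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class TokenService:
    """Holds the vault; the only party able to map a token back to a PAN."""

    def __init__(self) -> None:
        self._vault = {}   # token -> VaultEntry

    def issue_token(self, pan: str, device_id: str) -> tuple:
        # Token Issuance: the token is random, so nothing about the PAN can be
        # derived from it. (Real network tokens are PAN-shaped and Luhn-valid;
        # this example just uses 16 random digits.)
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        device_key = secrets.token_bytes(32)   # per-device secret provisioned with the token
        self._vault[token] = VaultEntry(pan, device_id, device_key)
        return token, device_key

    def authorize(self, msg: dict) -> dict:
        """Verify a merchant-forwarded payment message and detokenize internally."""
        entry = self._vault.get(msg["token"])
        if entry is None:
            return {"approved": False, "reason": "unknown token"}
        if msg["counter"] <= entry.last_counter:
            return {"approved": False, "reason": "replayed counter"}
        expected = _cryptogram(entry.device_key, msg["token"], msg["amount_cents"],
                               msg["merchant_id"], msg["counter"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return {"approved": False, "reason": "bad cryptogram"}
        entry.last_counter = msg["counter"]
        # The PAN is used here for routing/authorization but never leaves the service.
        return {"approved": True, "pan_last4": entry.pan[-4:]}


class WalletDevice:
    """The customer's phone or watch: holds the token and key, never the PAN."""

    def __init__(self, token: str, device_key: bytes) -> None:
        self.token, self._key, self.counter = token, device_key, 0

    def tap(self, amount_cents: int, merchant_id: str) -> dict:
        """Build the message the terminal/app forwards to the token service."""
        self.counter += 1
        return {"token": self.token, "amount_cents": amount_cents, "merchant_id": merchant_id,
                "counter": self.counter,
                "cryptogram": _cryptogram(self._key, self.token, amount_cents, merchant_id, self.counter)}


def demo() -> dict:
    """Issue a token, pay once, then try a replay and a forgery with a stolen token."""
    tsp = TokenService()
    pan = "4111111111111111"   # constructed sample: Visa's public test PAN
    token, key = tsp.issue_token(pan, device_id="watch-01")
    device = WalletDevice(token, key)
    msg = device.tap(1299, "merchant-42")
    first = tsp.authorize(msg)
    replay = tsp.authorize(msg)                       # same message again
    forged = dict(msg, counter=msg["counter"] + 1)    # attacker has the token, not the key
    return {"token_differs_from_pan": token != pan, "merchant_saw_pan": pan in str(msg),
            "first": first, "replay": replay, "forged": tsp.authorize(forged)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to take from the three outcomes: the merchant's message carries the token and a cryptogram but never the PAN, a captured message cannot be replayed because the counter has moved on, and a stolen token is useless without the device key that produced the cryptogram.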
Where can I learn more about tokenization?
We suggest you first read the documentation provided to you by your credit card companies and your acquirers.