
July 5, 2018
by David Goodale



What is Credit Card Tokenization?

Everything you need to know about tokenization and how it works.

Every business has security issues to consider when accepting credit card payments. The security considerations become more complex if you choose to store credit card numbers. Credit card tokenization makes storing credit card information easier and more secure.

In this article we'll explore what credit card tokenization is, how it works, and how it can help your business from both a cost and operational perspective.

What is credit card tokenization?

The term "Tokenization" may sound confusing but it's a fairly simple concept. It's to do with the storage of credit card numbers. More specifically, it refers to having a company store the credit card numbers for you, so that you don't have to store the sensitive data yourself.

A "token" is a reference to a credit card number that is being stored somewhere. Tokens can be stored by your credit card processor, or by a tokenization service provider such as Spreedly. To use tokenization you will set up your website so that a 3rd party company stores the sensitive card information for you. Whenever you want to bill that card you just reference the token associated with it. Your system will have no credit card numbers stored within it. Instead you'll have a list of token numbers (which aren't sensitive). Those token numbers can be used in place of a credit card number when submitting payments.

If that isn't quite making sense yet we should take a step back and consider the transaction flow.

How does tokenization work?

Tokenization often begins its life as a regular credit card transaction. For a moment, consider a normal online purchase where you go to a website, add things to your cart, and then go to the checkout to pay. You will be asked to type in your credit card information. At this point it's exactly the same as any online / e-commerce sale.

The differences start once the transaction is submitted. After the sale is completed you might want to store that card for future use, and this is where credit card tokenization begins.

In other situations you might not want to process a credit card upfront, but want to tokenize a card for other reasons. For example, a customer might be signing up for an online service in which the first month is free. In these cases the customer will type in their credit card number during the sign-up process to create a token that can be billed later. To do this you would submit a $0 transaction, which is often called a "verify request". Behind the scenes your payment processor will contact the issuing bank to ensure the card is valid, but no charge will be placed on the card.

Once a card is confirmed to be valid it can be tokenized. Regardless of whether it's being tokenized from a regular e-commerce sale, or if it's initiated from a verify request, the ultimate point is to get a response back from the card issuer to determine if the card is valid.

Once the credit card is confirmed a token will be created. The token is a number that is linked to that specific credit card. For clarity, the token number isn't a credit card number. It's just a reference number to that credit card. The company that is tokenizing your data (storing your credit card numbers) knows which token numbers refer to which credit cards.

Any time you want to bill that card in the future you can reference the token number. You've managed to store credit card numbers without actually having the sensitive information on your system!

Examples

It's important to clarify that there is more than one way to do tokenization. It's beyond the intended scope of this discussion to examine every possible way to set it up, but we will explore tokenization from an order, and also tokenizing with a verify request. Functionality can vary with different processors. For example, one difference is that some credit card processors will allow you to create a token from a previously processed order, even orders that were processed a long time ago. The functionality does differ between providers, so that is why understanding how tokenization works will provide a lot of clarity, and will help you to figure out the best way to implement it for your project.

Let's pretend that a merchant is selling a monthly newsletter that costs $100. On the 1st of each month all customers are charged $100 to their credit card.

Example 1 - Tokenizing a credit card that was previously processed.

Credit card tokenization infographic - creating a token from an order.

Example 2 - Tokenizing credit cards by using a verify request.

Credit card tokenization infographic - creating a token from a verify request.

In both of the above examples you've offloaded the sensitive information onto your service provider. That way you don't need to deal with the security issues yourself.
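The verify-request flow from Example 2, followed by the monthly $100 billing run, sketched as an added example (not code from the original article or from any processor's API). The class names, the `tok_` prefix and the card number are hypothetical, and the issuer's answer is simulated with a fixed set of cards.

```python
import secrets

class TokenVault:
    """Stand-in for the tokenization provider: the only place card numbers live."""

    def __init__(self, issuer_valid_cards):
        self._issuer_valid = set(issuer_valid_cards)  # simulates the issuer's reply
        self._vault = {}   # token -> card number, never leaves the provider
        self.ledger = []   # (token, amount_cents, recurring_flag)

    def verify_and_tokenize(self, card_number):
        """$0 verify request: confirm the card is valid, then issue a token."""
        if card_number not in self._issuer_valid:
            raise ValueError("card declined by issuer")
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the card
        self._vault[token] = card_number
        return token

    def charge(self, token, amount_cents, recurring=False):
        """Bill the card behind a token; the caller never sees the card number."""
        if token not in self._vault:
            raise KeyError("unknown token")
        self.ledger.append((token, amount_cents, recurring))
        return {"approved": True, "last4": self._vault[token][-4:]}

class Merchant:
    """The merchant's system: stores customer ids and tokens, nothing else."""

    def __init__(self, vault):
        self.vault = vault
        self.customers = {}  # customer id -> token

    def store_token(self, customer_id, token):
        self.customers[customer_id] = token

    def bill_monthly(self, amount_cents=10000):
        # Flag every charge as recurring so the processor can classify it.
        return {cid: self.vault.charge(tok, amount_cents, recurring=True)
                for cid, tok in self.customers.items()}

def demo():
    card = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault(issuer_valid_cards={card})
    shop = Merchant(vault)
    # The customer types the card into the provider's hosted form; only the
    # resulting token is handed to the merchant.
    shop.store_token("alice", vault.verify_and_tokenize(card))
    return shop, vault, shop.bill_monthly()
```

A breach of the merchant's `customers` table in this model exposes only tokens, which are useless without the provider's vault.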

How does tokenization reduce the security burden on a business?

We have arrived at the topic of security. Without taking a deep dive into the topic of data retention and security, we can make a simple and obvious statement: one of the best ways to prevent credit card information from being stolen is to make sure you don't have it in the first place.

By tokenizing you can ensure that credit card information is not being stored in your system. It's not just a matter of good practice though, because there are industry rules around the retention of cardholder data. We are talking about the Payment Card Industry Data Security Standard (also known as PCI compliance).

How does PCI compliance factor into the use of credit card tokenization?


All merchants that process credit card transactions must be PCI DSS compliant. PCI DSS is short for the Payment Card Industry Data Security Standard.

PCI is a complex topic and is worthy of a series of dedicated articles. However, for the purpose of this discussion we can simply state that all merchants that process credit cards must be PCI compliant. Achieving compliance is made easier when you don't have credit card information stored.

The elimination of credit card numbers from your system is actually a recognized best practice as outlined in the PCI standard. There is a simplified version of the PCI self assessment questionnaire, called SAQ A, which can be found here. SAQ A is specifically for merchants that do not touch or store any credit card information on their system. If you rely on a 3rd party company to touch and retain all the sensitive information then you qualify to complete SAQ A (so long as there are no other ways that your company touches or stores cardholder information). SAQ A is a lot easier to complete than the full assessment, and this is one of the main security advantages of using tokenization.
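One way to check that no card numbers have crept into your own logs or exports, as an added example (not from the original article). It looks for 13 to 19 digit runs that pass the Luhn checksum and reports them masked; the function names and the sample lines are constructed for illustration, and a Luhn match is a strong hint rather than proof.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(lines):
    """Return (line number, masked number) for each likely card number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                # Report first six and last four only, so the scan output
                # does not itself become stored cardholder data.
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((lineno, masked))
    return findings

# Constructed sample data: a clean tokenized log line, a support note that
# leaked a test card number, a 16-digit order reference that fails Luhn,
# and an unseparated test card number.
SAMPLE_LINES = [
    "2018-06-01 charge ok customer=1001 token=tok_3f9a1c07be42d5a81b6e90c4 amount=100.00",
    "support note: customer read card 4111 1111 1111 1111 over the phone",
    "order_ref=1234567890123456 shipped",
    "legacy export row: card=5555555555554444",
]

if __name__ == "__main__":
    for lineno, masked in find_card_numbers(SAMPLE_LINES):
        print(f"line {lineno}: possible card number {masked}")
```

Tokens pass through the scan untouched, while free-text fields such as support notes are a typical place where card numbers end up stored outside the tokenization flow.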

What type of business can benefit from tokenization?

A lot of people don't understand what type of business can benefit from tokenization. A few obvious examples will come to mind, but the appeal is a lot broader than you initially may expect. It's not just for businesses that do recurring billing. Let's look at some examples.

Obvious uses for tokenization:

Less obvious examples of businesses that see major benefits from tokenization:

The list can go on and on. Any company that will bill a customer more than once can benefit from tokenization.

Using tokenization has many benefits beyond just the security aspects. It makes administration easier. You don't need to wait for slow payers to make a payment. Instead you can do it yourself via the tokens, or even automate it so you don't need to do anything.

Lower Processing Costs - Reduced Interchange Savings for Recurring Transactions

Did you know that there is a major cost benefit to recurring billing transactions?

Most merchants have no idea that there is a significantly reduced processing cost for recurring transactions. Those cost savings will only be seen if you implement it properly. Reduced Visa interchange rates can be found here and MasterCard here.

In Canada, interchange for recurring billing transactions is typically reduced by 0.15% to 0.55% depending on the card type, with some card types such as Mastercard World and World Elite seeing even more significant cost reductions. If you are a merchant and are processing recurring billing transactions it's important to flag them properly, first to realize the cost savings that the card brands provide, and second to increase the authorization rate (since recurring transactions are passed without the CVV code).

Recurring transaction rate comparison

Card Type                  Standard   Recurring
Visa Classic               1.52%      1.37%
Visa Infinite              1.71%      1.56%
Visa Business              2.00%      1.85%
Visa Infinite Privilege    2.45%      1.95%
Visa Debit                 1.15%      0.60%
Mastercard Classic         1.58%      1.36%
Mastercard World           2.29%      1.48%
Mastercard Business        2.00%      2.00%
Mastercard World Elite     2.79%      1.90%
Mastercard Debit           1.15%      0.60%

(Rates current as of June 1st 2018)

To put it bluntly, you are literally giving away money if you are failing to properly flag transactions as recurring. You need to make sure your website is coded correctly (passing any special flags or requirements), and that your credit card processor (or your 3rd party tokenization service) is flagging the transactions properly so the reduced interchange rate is identified and passed back by Visa and MasterCard.

To actually see the cost savings, you also need to be on interchange plus pricing with your payment processor. If you are not on an interchange plus pricing model your payment processor almost certainly won't pass on the savings. At Merchant-Accounts.ca we always recommend interchange plus pricing and will work with you to try to make sure your transactions qualify for the recurring billing interchange wherever possible.

Do all credit card processors provide tokenization?

Not all credit card processors support tokenization but many do. Even if your credit card processor does not support tokenization you can still use a 3rd party tokenization service provider such as Spreedly.

If you are looking for a credit card processor that offers tokenization, one of the important criteria to consider is whether there is a cost associated with the tokenization service. Some credit card processors offer a free tokenization service, while others charge for it. If your business has a small average ticket size (under $10/transaction) the cost of tokenization becomes more important, because a small per transaction cost can make a difference when you process small tickets (a 10c cost added to a $5 sale = 2% cost increase). If you do larger tickets, tokenization cost becomes less important.

If your credit card processor does not offer a tokenization service (or in some cases even if they do) you may want to consider using a 3rd party tokenization service provider such as Spreedly or HostedPCI. In the next section we'll explore options for using a 3rd party tokenization service.

Spreedly

Spreedly presents some interesting options because as the service has matured the tokenization capability has been combined with other complementary benefits that fit hand-in-hand with the tokenization service itself. For example, since Spreedly sits in between your website and the payment processor, Spreedly can redirect payments, as necessary, to other credit card processors. If your website detects downtime at the payment processor, Spreedly can redirect those payments to your backup processor.

Spreedly works with over 120 payment gateways, which is a massive number of integrations. This gives access to many different payment processors in different regions and is a benefit that is especially valuable to mid-sized and larger merchants. This allows you to integrate your website with one service, but maintain a network of different payment processors. Although outside of the scope of this article, it means that you can build one integration but enjoy domestic interchange savings from Visa and MasterCard in a number of countries - major dollar savings in the thousands or tens of thousands of dollars monthly for larger merchants.

In addition to multiple integrations and the processing uptime / redundancy there are other benefits to consider exploring. Another example could be in the case of a declined transaction. If your first credit card processor has returned a decline message, you don't have to give up quite yet. You can use Spreedly to re-route and attempt a declined transaction a second time at a different credit card processor. The reason for doing this is admittedly not obvious. You may be asking "If one processor declined a transaction why would another approve it?" There are valid reasons why this can happen. It would get too far beyond the intended scope of this discussion to get into a lot of detail, but there is a detailed discussion on the topic to be found here.

In brief, a lot of declines are instigated by the card issuer. The card issuer will see a transaction request come in, and their anti-fraud algorithm evaluates whether the transaction appears legitimate. If it's the middle of the night and the transaction is submitted to a Canadian credit card processor, it's at least potentially feasible that the card issuer's anti-fraud algorithm could identify this as outside of the customer's purchasing profile. However, if after the decline was received that transaction is resubmitted through Spreedly to a second processor based in Europe, where it's the middle of the morning, it's at least conceivable that an approval could be issued on the second attempt. It's not an exact science and it's a moving target, but when you get into the world of optimizations and global e-commerce these things make a difference (especially for larger merchants that are processing a lot of money). For the record, this is exactly the type of credit card processing consulting that we do at Merchant-Accounts.ca. The ultimate takeaway point on declines is that if you have a high-volume business the cost of making a second attempt can be well worth the effort if it results in even a modest boost in approval rates.

There are both advantages and disadvantages to using 3rd party tokenization services such as Spreedly. It's important to evaluate your unique business case. (If you need help why not contact us to discuss your project.) We'll provide a list of the major differences below.

Benefits of in-house (at processor) tokenization

Drawbacks of in-house (at processor) tokenization

Benefits of 3rd party tokenization services (ie: Spreedly)

Drawbacks of 3rd party tokenization services

Summary

Although tokenization sounds complicated, it's fairly simple to implement. You have a few options to consider as you set it up.

If you are feeling overwhelmed don't lose sight of the fact that Rome wasn't built in a day. You can always start simple. You don't have to concern yourself with the more advanced aspects explored in this discussion (such as making sure your transactions are qualifying for reduced recurring billing interchange rates). Don't lose sight of the fact that ultimately your goal is to make sure you aren't storing cardholder data. Even if you accomplish only that and don't worry about anything else, you'll still have reduced a lot of the security concerns facing your business. Over time, you can build on that and apply some of the more advanced strategies discussed in this article.

David Goodale About the Author

My name is David Goodale, CEO at Merchant Accounts.ca. I launched our business in 2001 and have almost 20 years of expertise in the field of online payments. If you have a payments related question or project, and especially if it relates to multi-currency or international e-commerce don't hesitate to contact me. I'm always happy to help with an honest opinion, and enjoy chatting with folks from interesting businesses.

Toll free: 888-414-7111 ext. 5
Direct: (905) 901-2254
david.goodale@merchant-accounts.ca
