Today it is hard to imagine payment gateway software without tokenization. Honestly, we don’t know who invented, or when, what payment service providers and e-merchants now call a “token” when speaking of accepting bank card payments via the Internet. But we are confident that the task entrusted to that person or group of persons sounded like this:
“Find a way of providing Internet-based merchants with the ability to charge arbitrary amounts to their buyers’ bank payment cards whenever needed, without asking the buyers to re-enter the card number and other details.”
We can even envision the approximate train of thought that eventually led to such an elegant solution:
“To initiate a payment transaction with a bank payment card, one must know at least the card number and the expiration date.
The buyer enters these data on the payment page of the online store when paying for the first time. The card details entered by the buyer need to be saved in order to initiate second and subsequent payments with the same card at the same online store without re-entering them. Saved where?
Information this confidential and sensitive to compromise cannot be saved by the online store unless the store is certified as compliant with PCI DSS. However, 99% of Internet marketers have never heard of the standard.
Hence, the buyer’s card data can only be stored by the payment service provider the online shop is connected to. Then there should be a way for the Internet merchant to use the data without having direct access to them.
If only there were a replacement for the card number (and other confidential information) which could be kept freely by an online store. Freely – because this replacement can only be used in that online store, and gaining unauthorized access to it will never result in disclosure of relevant information about the bank payment card.”
This is how the token might have been invented. So, a token is a unique pseudo-random sequence of symbols of a specified length, associated with specific card data that a payment service provider stores in a secure location, and used by the Internet retailer to initiate a payment transaction.
One token is associated with one credit card only.
Token usage pattern
Here is the classic scheme of how a token is created, obtained and used:
- After the buyer has entered their credit card details and clicked the “pay” button on the payment page provided to the online store by the payment service provider, the card data are saved in the payment service provider’s processing system.
- The Internet shop gets the payment card token along with the result of the transaction.
- The online store can either save or ignore the token. In any case, regardless of whether the token is needed or not, the payment service provider’s processing system creates one and gives it to the Internet merchant when processing each payment transaction.
- Suppose the Internet shop stores the token and associates it with the card owner. The next time the online merchant is to receive money from the same client, all they have to do is send their payment service provider a transaction request specifying the amount and the card token.
- The payment service provider’s processing system replaces the token with the related card data and continues processing the transaction just as if the buyer had entered the card details themselves.
Payment gateway software: token security
A token is just a set of numbers and letters which makes sense only to the payment service provider processing system that generated it, and only when used in a transaction request by the Internet merchant to whom it was issued. Therefore, it can be stored freely anywhere.
A token has no value to a cybercriminal because it is impossible to get the card number associated with the token.
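The usage pattern and the merchant binding described above, as an added example (not code from beGateway or from the original article): a toy in-memory model of the provider side in which a token presented by any merchant other than the one it was issued to is declined. The names `TokenVault`, `first_payment` and `token_payment`, the merchant ids and the 32-character token length are hypothetical, and the card number is a constructed test value.

```python
import secrets


class TokenVault:
    """Toy in-memory model of the payment service provider (PSP) side."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, card data); never leaves the PSP

    def first_payment(self, merchant_id, pan, expiry, amount):
        """Buyer typed the card into the PSP-hosted payment page."""
        # Token comes from a CSPRNG, so it carries no information about the card.
        token = secrets.token_hex(16)
        self._vault[token] = (merchant_id, {"pan": pan, "expiry": expiry})
        # The merchant receives the result and the token, never the card data.
        return {"status": self._authorize(pan, expiry, amount), "token": token}

    def token_payment(self, merchant_id, token, amount):
        """Merchant-initiated payment: only amount and token are sent."""
        record = self._vault.get(token)
        # Unknown tokens and tokens issued to another merchant are declined alike.
        if record is None or record[0] != merchant_id:
            return {"status": "declined", "reason": "invalid token"}
        card = record[1]  # token is swapped for the card data inside the PSP only
        return {"status": self._authorize(card["pan"], card["expiry"], amount)}

    @staticmethod
    def _authorize(pan, expiry, amount):
        # Stand-in for the real authorization request to the card network.
        return "approved" if amount > 0 else "declined"


if __name__ == "__main__":
    psp = TokenVault()
    # Constructed sample input: a well-known test card number, not a real card.
    first = psp.first_payment("shop-a", "4111111111111111", "12/30", 25.00)
    merchant_db = {"customer-42": first["token"]}  # all the shop ever stores
    print(psp.token_payment("shop-a", merchant_db["customer-42"], 9.99))
    print(psp.token_payment("shop-b", merchant_db["customer-42"], 9.99))
```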
Typically, a token in eCommerce is related to one-click card payments and recurring payments from clients and buyers.
Internet merchants have long realized the opportunities and advantages they may get from using a payment card token. Therefore, if your company is a payment service provider that helps online businesses accept payments over the Internet, tokenization, i.e. the replacement of card data with a token for future use, is what your processing system must offer if you position yourself as a modern payment service.
As for eComCharge, the developer of the beGateway payment gateway software for payment service providers, we understand your aspiration to keep up with technological progress and to offer your online merchants maximum opportunities for receiving payments via the Internet. Rent the beGateway platform to get a fully functional, omni-channel, PCI DSS Level 1 certified system for receiving and processing online payments. You will be able to offer your customers not only tokenization (incidentally, beGateway enables online merchants to receive payment card tokens even before a first payment), but also many other useful options related to accepting money from buyers.