Credit card tokenization has evolved over time. Tokenization has made credit cards safer and more efficient for merchants, consumers and banks alike. In this article, I explain the different types of tokenization.
What is tokenization?
The physical credit card carries certain information that is considered sensitive, for example the card number, expiry date and CVV. Since cards are generally in your physical possession, they are safe. But it is not uncommon for your physical card to be stolen or lost. In such cases, you have to order a new card and cancel the old one. This costs the bank a non-trivial amount of money to print a new card and mail it to you.
But the moment you receive the new card, all the subscription payments you had set up start failing. You then have to go and update the card details everywhere. Meanwhile, merchants lose revenue because of the failed payments.
Just like physical cards, online card records can also be stolen. For example, if a merchant's database of customer credit cards gets leaked, all those customers might have to cancel their cards and order new ones.
With the explosive growth in ecommerce over the years, new standards and technologies have emerged to counter this problem. One of them is tokenization.
When you provide your card to a merchant's payment processor, the processor can give your card credentials to the bank (or card issuer) and obtain a temporary card number (token) that represents the same card but with different details. These details are also locked to that specific merchant: the card issuer will decline the payment if a different merchant uses them. This protects banks and consumers from a merchant leaking the card details. It also protects merchants from physical card theft: even if the physical card is stolen and replaced, the token the merchant holds continues to work. Tokenization makes the entire ecommerce process safer and economically more efficient.
Using such tokens also simplifies compliance with standards like PCI, which payment processors need to meet.
But there are different types of tokens.
Cloud Tokens or Card on File Tokens
These are the tokens meant for online commerce merchants and payment processors. At any time, a payment processor can request a token from the card issuer in lieu of the actual physical card number. The expectation is that the payment processor will not store the actual physical card number at all, but only the token in its own database.
Such tokenization does not require any additional permission from the card owner, and merchants or payment processors can do it at any time. From the card owner's perspective, they enter their physical card number and that's it.
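The merchant binding and card-reissue behaviour described above, as an added example (hypothetical issuer-side token vault, not any real issuer's or network's API; all card numbers are constructed test values):

```python
import secrets

# Added illustration (not from the article, not any real issuer's API) of an
# issuer-side token vault that hands out merchant-bound card-on-file tokens.
# All account numbers below are constructed test values.

def surrogate_number():
    # Random 16-digit token with no relation to the real card number
    return "".join(str(secrets.randbelow(10)) for _ in range(16))

class Issuer:
    def __init__(self):
        self.accounts = {}     # account_id -> currently active real card number
        self.active_pans = {}  # active real card number -> account_id
        self.tokens = {}       # token -> (account_id, merchant_id)

    def open_account(self, pan):
        account_id = "acct-" + secrets.token_hex(4)
        self.accounts[account_id] = pan
        self.active_pans[pan] = account_id
        return account_id

    def request_token(self, pan, merchant_id):
        # The processor presents the real number once and keeps only the token
        token = surrogate_number()
        self.tokens[token] = (self.active_pans[pan], merchant_id)
        return token

    def reissue_card(self, account_id, new_pan):
        # Lost or stolen card: the number changes, tokens bound to the
        # account keep working, the old number stops working
        del self.active_pans[self.accounts[account_id]]
        self.accounts[account_id] = new_pan
        self.active_pans[new_pan] = account_id

    def authorize(self, credential, merchant_id):
        if credential in self.tokens:
            account_id, bound_merchant = self.tokens[credential]
            if bound_merchant != merchant_id:
                # A leaked token is useless to anyone but the original merchant
                return "DECLINED: token not bound to this merchant"
            return "APPROVED: " + account_id
        if credential in self.active_pans:
            return "APPROVED: " + self.active_pans[credential]
        return "DECLINED: unknown or cancelled card number"
```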
Virtual Card Tokens
Virtual card tokens are also very popular these days. These are virtual credit card numbers a consumer can generate from their own banking app. They are temporary numbers that the consumer can then use with specific merchants of their choice, and the consumer can revoke these virtual card tokens at any time.
This method is especially useful where a subscription service might make it hard for a consumer to cancel, or where the consumer does not fully trust the merchant.
Generating these virtual card numbers requires the user's explicit consent. The merchant, however, never finds out whether the number is a virtual or a real credit card number.
Device Tokens
Another extremely popular form of token is the device token. Apple Pay and Google Wallet are great examples. When you add your card to the phone, the phone communicates with the card network (e.g. Visa or Mastercard) and obtains a new token called a DAN (Device Account Number). This DAN is then stored in a special chip on the phone called the Secure Element (SE).
In addition, the phone and the card network exchange certain cryptographic material which allows the phone to generate a "one time code", and the card network is able to verify whether such a code is valid when presented with one. A detailed discussion of this method is outside the scope of this article, but it uses symmetric key cryptography, and the key is stored by the card issuing bank and in your phone's SE.
Every time you tap your phone at a merchant's point of sale machine, the DAN and the one time code (called a cryptogram) are sent to the point of sale machine. The machine can then validate them with the bank directly. The merchant never gets the physical card number.
Additionally, the one time code can be used just once, so if someone skims the DAN, they cannot use it for transactions because they do not possess the cryptographic key stored in the SE.
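The tap flow described in this section, as an added, simplified model (not Apple's, Google's or any card network's real protocol; real cryptogram formats differ): a per-device symmetric key and a transaction counter produce a one-time cryptogram that the network verifies once, so a replayed, tampered or skimmed message is declined.

```python
import hashlib
import hmac
import secrets

# Added, simplified model of the DAN + cryptogram flow (not any wallet's or
# network's real protocol). Account numbers and keys are constructed values.

def cryptogram(key, dan, atc, amount, merchant_id):
    # One-time code: MAC over the DAN, a transaction counter and the
    # transaction details, computable only with the shared symmetric key
    msg = f"{dan}|{atc}|{amount}|{merchant_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class SecureElement:
    # Phone side: holds the DAN and key; the counter only ever increases
    def __init__(self, dan, key):
        self.dan, self.key, self.atc = dan, key, 0

    def tap(self, amount, merchant_id):
        self.atc += 1
        cg = cryptogram(self.key, self.dan, self.atc, amount, merchant_id)
        return {"dan": self.dan, "atc": self.atc, "amount": amount,
                "merchant": merchant_id, "cryptogram": cg}

class CardNetwork:
    # Network/issuer side: knows the key for each DAN and the last counter seen
    def __init__(self):
        self.keys, self.last_atc, self.pan_of = {}, {}, {}

    def provision(self, pan):
        # Returns a DAN and a fresh key for the phone; the real number stays here
        dan = "".join(str(secrets.randbelow(10)) for _ in range(16))
        key = secrets.token_bytes(32)
        self.keys[dan], self.last_atc[dan], self.pan_of[dan] = key, 0, pan
        return dan, key

    def authorize(self, msg):
        key = self.keys.get(msg["dan"])
        if key is None:
            return "DECLINED: unknown DAN"
        expected = cryptogram(key, msg["dan"], msg["atc"], msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: bad cryptogram"       # skimmed DAN, wrong key or tampered details
        if msg["atc"] <= self.last_atc[msg["dan"]]:
            return "DECLINED: replayed cryptogram"  # each code is accepted once
        self.last_atc[msg["dan"]] = msg["atc"]
        return "APPROVED"
```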
Towards safer transactions
All these methods of tokenization have made credit cards much safer. Not only that, new kinds of services such as Buy Now Pay Later have emerged that use the concept of virtual cards to support new lines of credit on demand. Overall, tokenization is a robust, well understood and widely adopted idea. It remains to be seen how it will improve in the era of AI and agentic commerce.