Digital Transactions Authoritative, insightful and timely information for payments professionals
Tokenization is the key to reducing the risks posed by an ever-rising flood of data breaches.
Mastercard recently unveiled plans to eliminate manual card entry for online transactions in Europe by 2030, marking another milestone for tokenization in payment processes. This change aims to not only bolster payment security, but also further streamline and enhance the customer experience across devices.
As global payment brands lead the charge in tokenization, it is more pressing than ever for U.S. merchants to evaluate their own payment systems. In particular, working to secure ownership of payment tokens will minimize hassles for merchants as they navigate the payments landscape.
By owning payment tokens, merchants can mitigate risks from data breaches and ensure compliance with security regulations, all while enhancing their ability to adapt and respond to customer demands.
Many of us remember when the adoption of chip-and-PIN technology or contactless payments marked a new frontier. Now, tokenization promises to offer even greater ease for customers, especially online, where 23% of retail transactions are projected to take place by 2027.
This shift to tokens is sorely needed. Recent estimates indicate merchants globally stand to lose $91 billion to online payment fraud by 2028, due to the growth of e-commerce and use of artificial intelligence to carry out cyberattacks.
In response, Mastercard and Visa have forged ahead with replacing traditional 16-digit card numbers—also called primary account numbers (PANs)—with a randomly generated token. In a data breach or fraud attack, these tokens are unusable to hackers.
Tokens Equal Control
But while the movement toward tokenization is essential, it also presents new challenges for merchants. They must own their payment tokens to assert control over their payment processes.
Many merchants may work with large payment processors that offer tokenization at no additional cost. The issue is, the processors typically control payment tokens, which poses a challenge if merchants need to switch providers.
By prioritizing a solution that enables token ownership and portability, merchants can prepare for evolutions in the payments landscape, regulatory shifts, and even potential investment opportunities. Here’s how that works:
- Maintain control of cardholder experience
Customers want maximum convenience in online transactions, so many prefer to have merchants store their card information for future transactions. For merchants, that means determining how to manage and secure this sensitive data.
One option is to adopt an orchestration layer, which sits between the front-end system and payment processing back-end. When a transaction occurs, a provider receives data from the merchant and forwards the transaction to the processor. For each PAN processed, the provider produces a token.
Let’s say a retail chain wants to expand its operations with a new e-commerce platform. If the merchant has employed a third-
party provider or orchestration layer with multi-processor support, payment tokens will remain functional on any new payment processor, so the customer experience is never disrupted.
- Monitor regulatory compliance
A robust tokenization solution is also essential for ensuring compliance
with changing industry regulations. The Payment Card Industry Data Security Standard (PCI DSS) is continuously enhanced to keep pace with evolving theft attempts, so your business must keep pace as well.
By comparison to a bespoke solution, a PCI/DSS validated service provider ensures you have the essential resources and guidance needed to stay compliant.
Also, while some providers may limit their tokenization to card-not-present transactions—like e-commerce or mail order and telephone order—a more versatile solution can also protect card payments secured by point-to-point encryption (P2PE). This provides omnichannel tokenization for both online and in-person transactions.
- Drive continued value for your business
Business leaders know that data is king, and payment data is no exception. True control of your enterprise, and in many cases its valuation, requires consistent access to payments-processing data.
A large payment processor likely owns essential transactional data and can limit its portability, leading to processor lock-in. Relying on a third-party tokenization provider, however, allows you to migrate and detokenize tokens as needed, whether it’s to transition to a new processor or gain access to transaction information.
For potential investors or acquirers, this highlights your business’s capacity to swiftly distill customer insights, making you far more attractive from a strategic perspective as well.
- Adapt to future changes
To grasp the growing importance of tokenization, look no further than its adoption by top payments processors. Mastercard reports that tokenization now secures 25% of all e-commerce transactions globally. Visa recently issued its 10 billionth payment token, and processes around 29% of its transactions using tokens.
It’s likely that the value of traditional payment instruments, like physical credit cards, will diminish. Consumers will continue to demand more accessible and convenient payment options across multiple devices. Yet, one constant will remain: hackers targeting the weakest point in the security chain.
Selecting a tokenization solution with data portability is a proactive approach: its flexibility keeps you well-equipped to protect customer information even as payment processes and technology continue to evolve.
Token ownership is a winning scenario for merchants and customers. Customers win when merchants provide enhanced protection to safeguard sensitive payment details, while enabling a seamless checkout experience. Merchants win when essential data remains portable and at their disposal, rather than locked and restricted at a single payment vendor.
Still, let’s not forget the overarching goal of tokenization—to make data worthless to cybercriminals. You can’t prevent every breach. But taking control of your payment tokens enables you to robustly protect customer data, even amidst changes in the payments landscape.
—Tim Barnett is chief information officer at Bluefin.
