A Guide to Payment Tokens for Ecommerce

Innovation in electronic payments has always balanced risk and convenience. Generally, a payment method that’s convenient for consumers is risky for merchants. The use of “tokens” can reduce that risk by protecting credit card details.

In this post, I’ll explain how tokens can secure payment transactions and databases — and improve your ecommerce business.

The use of “tokens” can reduce that risk by protecting credit card details.

Tokens Explained

A token is a representation of something else. In payments, a token represents a credit card number.

Tokenization converts a credit card number to a string of random characters that have no value. Only one party can then convert that token back to a usable card number.

When a credit card payment has been converted to a token, a payment network such as Visa uses its secure keys to decode it and pass the card number to the standard electronic payment processors.

Importantly, merchants themselves cannot decode a token. Converting a token back to a card number requires access to the encryption keys, which are typically stored in military-grade security.

Moreover, merchants themselves do not create tokens. Industry providers — again, Visa, Mastercard, payment gateways — offer the service of converting card numbers to tokens. Typically, a merchant will embed on a checkout page an externally hosted iframe, which includes boxes for customers to input credit card numbers. The token service provider supplies the code for this iframe. The credit card details transmit directly to the provider and do not “touch” or interact with the merchant’s site.

As a result, merchants do not handle sensitive credit card information.

I should add that merchants could, theoretically, create tokens. But the merchant would then become responsible for protecting the encryption keys, which means building Fort Knox-like physical and electronic defense systems.

Furthermore, the merchant would have to coordinate key exchanges (and many other security systems) with every party in the payment-processing chain. Such a payment-token ecosystem is more-or-less impossible for any entity other than the largest financial and technology companies.

Tokens can be stolen, but they cannot be used to make a payment without the important cryptographic info. Absent that pre-arranged and pre-approved payment flow, a token would be rejected immediately.

Use Cases

  • PCI compliance. Since the merchant does not have access to credit card details, the scope of Payment Card Industry compliance is significantly smaller. In most cases, merchants that use a reputable token service provider automatically comply with PCI standards.
  • Customer convenience. Retaining tokens allows merchants to implement customer-convenience features such as one-click checkouts. Because they are easy to store in databases, tokens can be fetched to complete payments quickly, without asking the customer to re-input credit card details. If a token expires (and it can, like a credit card), most providers can update it without bothering the customer.
  • Subscriptions. With stored tokens, merchants can offer friction-free recurring payments for subscriptions and installment purchases.
  • Refunds and returns. Tokens can be fetched quickly and then used to reverse transactions — online or in person. Tokens therefore expedite processing of returns and refunds.
  • Post-purchase selling. Tokens are a simple way to offer post-purchase upgrades and cross-sells. Merchants can use the token to process follow-on transactions without asking the customer for the credit card info.
  • Custom mobile wallets. Merchants can use stored tokens for payments in a mobile app, thus creating a mobile wallet. Tokenization is essential for omnichannel payments.
Mike Eckler
Mike Eckler
Bio   •   RSS Feed