You might have heard the term tokenization and you’re curious what that means. Well you came to the right place, we’re going to cover this in business terms that all of us can understand in just a few minutes.
View the 5 minute video:
Or Read the Transcript:
Micaiah Filkins, Co-Founder & President, AppFrontier LLC
You might have heard the term tokenization thrown around and you’re curious exactly what that means. Well you came to the right place, we’re going to cover this in business terms that all of us can understand in just a few minutes. Let’s dig in.
First off it’s important to understand that tokenization is an industry standard and is more or less required by the PCI DSS for all organizations that take credit cards. That’s not to say that it is impossible to be PCI compliant without using tokenization, however it becomes much more challenging.
Tokenization is a technology developed industry wide to ensure that cardholder data is kept secure. This is accomplished by the receiver of the cardholder data assigning a random string of characters and returning that string to the provider of the cardholder data.
Okay I promised we would talk about this in simple business terms so let me try that again. In short, us merchants will give the credit card number through bank level encryption or a hosted payment page to a trusted partner, most likely your payment gateway. The payment gateway will in turn give you a reference that represents that credit card in their system for you.
A token cannot be deciphered. Because it was not encrypted. Instead a random string is assigned to the credit card number that the merchant gave to the gateway. I guess that this probably makes sense to most folks watching this video however I’ve come up with another analogy that I think paints the picture pretty clearly. And also help us understand how the system is secure.
Let’s say that you go to Las Vegas to play blackjack. And let’s say that you start off at MGM Grand when you sit down at the table you hand them $100 and hand you back twenty of five-dollar tokens. While you’re in the MGM Grand those tokens are essentially, as good as cash money. Now let’s say that you win one-hundred dollars at the MGM Grand and you decide to walk next door to New York New York. Now New York New York is owned by the MGM company, however your tokens from the MGM Grand, will not work at New York New York, they are only currency at the MGM Grand. If you were to put them on the table at New York New York you would be told that you cannot play with them they are no good there.
I believe that this is a solid analogy for how the payment industry works with tokens. A token that you get from your payment gateway is only good when you, the merchant are logged into that gateway and often times if you have multiple merchant IDs at that gateway the tokenized card data is only good for the one merchant ID. There are some exceptions to this sometimes it is possible to share tokens across MIDs for the same merchant.
This is what makes this system so secure. If a disgruntled employee or some sort of attacker manages to get their hands on these tokens, they are of no use to them. Even if this would-be attacker somehow also got your credentials to get signed into your gateway account, they still would not be able to use those tokens to get any money, as the tokens are tied through your merchant ID, directly to your bank accounts. Even if this attacker did try to charge something against the token, the money would be in your bank accounts and fully within your control to reverse.
If you wanted to dive deeper into the technical, there are many other videos out there on YouTube that will explain in much greater detail how tokenization works from a technical perspective. I hope this video helps us business users understand the value of tokens and why we should all use them.
It’s worth noting that there is sometimes a cost that your Gateway will tack on to tokenize the cardholder data for you. Also noteworthy is that most gateways now will also tokenize bank account data for us.
It seems to me that the value is easy to see, if you are not storing your customers credit card numbers, you cannot be at fault if they end up in the wrong hands.
At Chargent we recommend that all of our customers tokenize all of their card data that they use throughout their entire organization. To facilitate this we have developed our Payment Console and Payment Request features that ensure your protected cardholder data is tokenized without ever being stored in Salesforce for any amount of time.
Have questions about any of this? Feel free to drop a question in the comments below. You can also click the link on your screen to get in touch with us, The Chargent team is always happy to help!