Credit card data is notoriously susceptible to theft (home depot and target). The problem stems from the use of a single set of data points to authenticate your card for payment.

For example, when you visit a merchant or online retailer, a single number, expiration date and CVV (card verification code) are used again and again for all purchases, everywhere, for years. This gives cybercriminals a long list of databases in which they may stumble upon your information.

Even commonly used authentication techniques are not used to protect financial transactions. No dual authentication requirement, no personal identification numbers, and almost no way to verify the identity of the individual using the card.

The solution: Payment tokens.

What is a Payment Token?

A payment token is a replacement for the Primary Account Number (PAN for those familiar with PCI-DSS). It is a 16 digit number just like your credit card number. It is processed just like your credit card number and even obeys the Luhn formula, an algorithm that works as a built in checksum and is used to validate a variety of identification numbers including IMEI numbers, social security numbers and of course, credit card numbers.

The payment token was designed to behave this way so that as it moves through the current systems and infrastructure that support credit card transactions. This means that very little has to be upgraded, reprogrammed, or replaced on current terminals and software because the existing systems interpret the token as a traditional credit card number.

The only change is that for users taking advantage of a credit/debit card using a payment token (in lieu of a traditional 16 digit card), there will now be an extra middle man in the mix of the transaction. This middle man is the Token Service Provider (TSP) who helps verify and protect your data.

The Token Service Provider and Managing Tokens

The TSP maintains a database called a Token Vault which is where issued tokens are stored and mapped to the credit cards they represent. Further, there is also the concept of a “stateless” or “vault-less” tokenization process as well that generates tokens separate of a database with the token being derived from some secret value or PIN. These implementations are considered cheaper and potentially more secure since there is no database of token to payment card mappings to secure and store.

Payment Card Tokens in Action and Simplifying PCI Compliance

On the surface, payment tokens might not seem very beneficial. A payment token is simply another 16 digit number mapped to a real credit card number; if a thief steals your token, they can use it instead… right?

The real power of payment tokens comes into play at the merchant. Merchants can now work with Payment Card Tokenization service providers to tokenize all their client’s credit card numbers. As the merchant collects new client card numbers, they trade them for tokens specific to their organization, issued by the tokenization service and remove all payment card data from their databases.

From then on, when customers complete transactions, a token is associated with their account and passed to the tokenization provider who then acts as a middle man to help complete the transaction.

In the event of a security breach, the merchant simply dumps the tokens for new ones and the criminal only runs away with a bunch of tokens that are unique to the organization who those tokens were issued to.

This simplifies risk management of payment card information drastically and obtaining PCI compliance becomes much cheaper and simpler.

The Challenges of fully Adopting Payment Tokenization

With the launch of the new iPhone 6 with the Apple Pay feature which uses Near Field Communication (NFC) to complete transactions electronically and its own brand of payment tokenization, payment tokenization at the checkout lane is suddenly a hot topic.

In my view, finding a single protocol, or framework multiple protocols may work side by side within, will be the biggest challenge. Currently, Apple Pay generates a single token tied to your device and maps that to your credit card. Other banks are using a Virtual Card Number with a new token being generated for each transaction, making the pseudo credit card number useless after the single use it was intended for.

What about “legacy” users and people who care to use good old fashioned credit cards? Getting everyone on a secure form of payment one way or the other is the biggest challenge to stopping fraud, not simply patching holes here and there in the leaky boat.

In time, I hope to see credit cards that will still fit in my wallet but use live, time sensitive tokens similar to the familiar RSA tokens many of us use to access VPNs every day at work.