It seems like data security breaches are everywhere these days. Identity theft and stolen card numbers are just a few of the many consequences of poor security. As a merchant, how do you protect yourself? One answer is using tokenization when processing credit card transactions at your business.
What the heck is tokenization, and how does it work?
Let’s start with the official definition, then break it down into layman’s terms. According to the PCI Security Council, tokenization is “a process by which the primary account number (PAN) is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.”
Now that I’ve confused you, let’s try to make everything make sense.
Tokenization is the act of switching out sensitive data (i.e.: cardmember information, account numbers, etc.) with a random number equivalent or other piece of data (the token) that cannot be used or exploited anywhere else. It’s like building a randomly generated treasure map or reference number that leads back to the data which is stored securely somewhere else, but only when the right decoder is present (de-tokenization). Take the map key away and you just have a map that can’t be translated into anything useful, let alone reveal where the treasure (the sensitive data) is.
![]() |
When you are a business owner, choosing a secure way to process personal information is vital. |
Tokenization for Security
Tokens are meaningless alone, so even if a hacker steals the information out of a tokenized terminal, they would only get random numbers. There is virtually no chance or pattern to get the real information referenced by the tokens when they’re without the original, intended system. This tokenization system itself is also secure with security best practices, so everything is in good hands.
Still looking for an example? You swipe your credit card, which has a card number of 2222 4432 5643 6674. This is then run through a random generator that makes a token of A537 8JR3 04ST 921F, which has no correlation and was made up randomly. Only the token data is stored in the server at the business and transferred through the payment process. Tokens are usually the same length and format as the original account number, so it appears to be the same as standard payment card number to the storage, processing, and transfer systems using it.
Tokenization vs. Encryption
“Tokenization takes away the need for merchants and websites to store sensitive data on their networks that can be stolen by hackers.”
So what are the differences between tokenization and encryption? Encryption is designed to mask the data through an algorithm while it is being transmitted. However, the original data is sometimes stored on the networks, creating a security vulnerability. Each time the card data is passed through a system, it is encrypted, decrypted, and re-encrypted, and the vulnerability to hacking increases. Tokenization, on the other hand, doesn’t store any of the information in the system and the token is completely randomly generated, so there isn’t a specific way to decode it. In other words, tokenization takes away the need for merchants and websites to store sensitive data on their networks that can be stolen by hackers.
What Tokenization Means For Customers and Merchants
Basically, tokenization means more security and minimal differences in experience. Customers will still swipe their card and the transaction will act just like a non-tokenized one on the surface. All of the differences are behind the scenes, so customers won’t experience any sort of learning curve or a new way of using their payment cards. For merchants, they can use the tokenized transactions just as they would a non-tokenized one. Refunds, exchanges, and transactions will appear just the same although they are doing their part to protect themselves and their customers.
Conclusion: How Do I Process Tokenized Transactions?
Tokenization is a process that is provided through your processor. Not all processors and equipment are the same; it’s important to check with your provider and ensure that you have tokenization security set up on your account.
If you have questions about whether your terminal or point of sale (POS) can process tokenized transactions or would like more information, we would be happy to go review your current equipment for you. You can contact us via email at info@getvms.com, call (888) 902-6227, or click the link below.