Fraud prevention

Tokenization explained: Protecting sensitive data and strengthening every transaction

March 19, 2024 | By Simon Phillips

Phishing scams, hacked Wi-Fi networks and other data breaches have exposed millions of stolen payment card numbers that find their way to the dark web and can be bought for as little as $5. Fraudsters use that data to buy thousands of dollars’ worth of merchandise, creating headaches for cardholders and huge losses for merchants and card issuers.

But what if those bad guys never had your card numbers to begin with? That’s the essence of tokenization, the technique that today helps secure billions of payments a year, including the skyrocketing number of digital wallet transactions enabled by tokenization services.

Tokenization turns your 16-digit card number into a different number stored on your device, so your actual card information is never shared when you tap your contactless card or your phone in store, or make payments in-app or online. Cryptograms give another layer of security with a unique value that helps verify the authenticity of each and every transaction.

token
/ˈtōk(ə)n/ • noun

1. something serving to represent or indicate some fact, event, feeling, etc.; sign

2. a characteristic indication or mark of something; evidence or proof

Digital payments are ubiquitous now, but a decade ago, only 6% of retail sales were conducted that way. In 2013, Mastercard and others introduced the tokenization standard to improve security and deepen trust in digital transactions. In 2014, Mastercard launched the Mastercard Digital Enablement Service, which now helps secure billions of transactions each year.

Here’s how payment tokenization works.

What is tokenization?

Tokenization replaces the number on your payment card with a “stand-in” number that is saved on your phone or watch, or on the merchant’s site where you register your card. Your account is protected because that token is used instead of your real card number, which the merchant never sees or stores.

What are the benefits of tokenization?

The benefits of tokenization are a better experience and greater safety and security. Because fraud risk is lower with tokenized transactions, approval rates are higher, which means a lower chance of your bank declining a transaction.

And if your physical card is lost or stolen, you can continue to use your tokenized card while you wait for your new plastic card to come in the mail.

What are the other layers of security to secure your digital payments?

Your digital payments are secured via a combination of two other technologies in conjunction with tokenization. First, on-device authentication confirms your identity directly with your device, typically by tapping in a code or using your fingerprint or face scan.

Then, the card stored inside your device or your online merchant account generates a one-time code, or cryptogram, for every transaction. This makes sure every transaction is really coming from your device or a genuine merchant account.

Where can tokens be used?

Tokens can be used in-store, in-app and online to make secure digital transactions.

In-store using a phone or watch

Using a digital wallet like Apple Pay, Samsung Pay or Google Pay, you can make secure contactless payments at checkout. These digital wallets use the same tap-and-go tech as contactless cards and can be used wherever contactless cards are accepted, with the added benefit that higher-value purchases can be made, because you authenticate yourself on your device before you tap.

Online and in-app using a phone, tablet or laptop

You can also use your digital wallet to make in-app or website payments. Here the wallet provides the token details and the cryptogram, and can automatically provide shipping details.

Online – using a card on file

You can also make tokenized purchases online through merchants where you have saved your card details — an e-commerce marketplace, for example, or a streaming service for subscription payments. Your card on file is simply replaced with a token, and the merchant contacts Mastercard to get a cryptogram for every transaction, securing your purchase.

Online – guest checkout

If you’re not a frequent customer and your card details aren’t stored on file, your card details can also be tokenized at guest checkout using a digital wallet like Click to Pay without needing to enter card details or be redirected elsewhere to complete the purchase.

Who provides the tokens?

Tokens are provided by token service providers, which issue, manage and store tokens. A variety of entities within the payments world can be a token service provider, including a payment network like Mastercard, the card issuer or other companies, so long as they comply with industry standards and specifications.

How does tokenization work?

Tokenization works without us being aware of it. Digital transactions happen in the blink of an eye, but there is a lot that goes on behind the scenes to first tokenize the card and then make it simple and secure for the cardholder to pay.

How does tokenization work for device-based contactless payment?

Tokenization starts when you enter your card details into your digital wallet on your device. The digital wallet first checks with the payment network to ensure that the card issuer is set up for tokenization and then requests to tokenize the card.

The token service provider sends a message and the required details to the card issuer, which decides whether to approve the tokenization, ask for additional authentication or decline the request.

The token service provider, the digital wallet and the card issuer work together to complete any additional cardholder authentication. This might include sending you a one-time passcode, or OTP, authenticating via the bank’s app, or calling the bank’s customer service center.

Once the token request is approved, the token service provider then securely sends the token, an image of your card and a cryptographic key to the digital wallet, completing the activation process, and your “digital card” is ready to be used.

All of this happens in seconds and is mostly invisible to you. Mastercard is able to “push” your tokenized card directly to your digital wallet or merchant account without requiring any passcodes by harnessing the security of your card issuer’s app. 
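The provisioning steps above and the per-transaction cryptogram, as a simplified added example (not Mastercard's or any token service provider's code). HMAC-SHA256 stands in for the real cryptogram algorithm, and the class, function and parameter names, the counter-based replay check and the sample card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, counter, amount_cents):
    # One-time value bound to this token, transaction counter and amount.
    # HMAC-SHA256 is a stand-in here, not the payment networks' algorithm.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Toy vault mapping token -> card number, per-token key, last counter."""

    def __init__(self, issuer_decision):
        # issuer_decision(pan) returns "approve", "step_up" or "decline"
        self._issuer_decision = issuer_decision
        self._vault = {}

    def provision(self, pan, step_up_passed=False):
        decision = self._issuer_decision(pan)
        if decision == "decline" or (decision == "step_up" and not step_up_passed):
            return None
        token = pan
        while token == pan or token in self._vault:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "counter": 0}
        return token, key  # the wallet receives these, never the card number

    def authorize(self, token, counter, amount_cents, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return None
        expected = make_cryptogram(entry["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # wrong key, or cryptogram made for another transaction
        if counter <= entry["counter"]:
            return None  # replayed cryptogram
        entry["counter"] = counter
        return entry["pan"]  # real card number is recovered only on this side


if __name__ == "__main__":
    tsp = TokenServiceProvider(lambda pan: "approve")
    token, key = tsp.provision("1234567890123456")  # constructed card number
    crypto = make_cryptogram(key, token, 1, 1999)
    print(tsp.authorize(token, 1, 1999, crypto))  # first use
    print(tsp.authorize(token, 1, 1999, crypto))  # replay
```

A token captured without its key cannot produce a valid cryptogram, and a captured cryptogram is rejected when it is replayed or attached to a different amount.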

How does tokenization work for online card on file payments?

Tokenization works for online card on file payments in a similar way to mobile devices. It starts in most cases when you opt to save your card details with an online merchant. This is typically included at checkout when creating an account. The merchant then sends a tokenization request to the token service provider for the card.

Once the tokenization request is approved, and following any further authentication checks, the token service provider stores the card data and keeps it up to date (even if certain card details change, like the expiration date when you receive a new card), and provides the merchant with a token, which can then be used for future online transactions.

Simon Phillips, senior vice president, Mastercard Digital Enablement Service (MDES)