Tokenization
Last updated: April 11th, 2024
Merchants around the world are navigating the universe of tokens and tokenization. When used properly, tokenization for merchants serves a dual use:
- it can be used to protect sensitive card data
- it can serve as an enabler for omnichannel (eCommerce and in-store)
But before deploying tokens, it is important to understand what they are and how they work.
Definition
Tokens:
- replace sensitive data, such as a cardholder’s primary account number, which is kept in a secure token vault.
- ensure that sensitive customer data is no longer stored in the merchant’s environment. This relieves the merchant from the burden of being PCI compliant, which means fewer obligations and lower costs. In the event of a breach, sensitive data will not be exposed, and consumer trust will ultimately be maintained.
Format
Tokens can be:
- Non-card format preserving. The token format is not the same as the sensitive information it is replacing. For instance, a Registration Token is transposed into a universally unique identifier (UUID) in a random alphanumeric format.
- Card format preserving. The token maintains the same format as the original PAN (Primary Account Number), but the values are randomly changed. For instance, an Omni Token keeps the first 6 digits (BIN, or Bank Identification Number) and the last 4 digits of the original card number. This helps merchants that offer loyalty programs based on a format-preserving token. Merchants can also still use the BIN to dispatch to the proper merchant account, or use the last 4 digits to show the tokenized cards within the one-click checkout payment widget.
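The two formats above, sketched as a toy token vault. This is an added example, not Open Payment Platform code: the class and function names, the in-memory dictionary, the random-middle-digits scheme and the test card number are assumptions made for illustration.

```python
import secrets
import uuid


class ToyTokenVault:
    """In-memory stand-in for a token vault (illustration only)."""

    def __init__(self):
        self._pan_by_token = {}  # token -> PAN; lives only inside the vault

    def _store(self, token, pan):
        self._pan_by_token[token] = pan
        return token

    def tokenize_uuid(self, pan):
        # Non-card-format-preserving: a random UUID that reveals nothing of the PAN.
        return self._store(uuid.uuid4().hex, pan)

    def tokenize_format_preserving(self, pan):
        # Card-format-preserving: keep first 6 (BIN) and last 4, randomise the rest.
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Never return the PAN itself or reuse an already issued token.
            if token != pan and token not in self._pan_by_token:
                return self._store(token, pan)

    def detokenize(self, token):
        # Only the vault can map a token back to the PAN.
        return self._pan_by_token[token]


def routing_bin(token):
    """BIN the merchant can use to pick a merchant account."""
    return token[:6]


def display_mask(token):
    """Masked form for a one-click checkout widget: last 4 digits only."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = ToyTokenVault()
    pan = "4111111111111111"  # constructed test value, not a real card
    fp_token = vault.tokenize_format_preserving(pan)
    print(vault.tokenize_uuid(pan), fp_token, routing_bin(fp_token), display_mask(fp_token))
```

Because a format-preserving token has the shape of a card number, log scrubbers and data-loss scanners that match on PAN patterns will flag it just as they would a real PAN.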
Types
There are several distinct types of tokens we support in payments, and it is important to understand the differences.
eCommerce only
Registration Tokenization is both a card and non-card tokenization solution offered by Open Payment Platform to replace Primary Account Numbers (PANs) and/or other (non-)card details with a generated Registration Token.
Registration Tokens
- They are generated by the platform for a merchant operating eCommerce business.
- They should be stored by the merchant to initiate payments.
- They can trigger the creation of a Network Token, where the card scheme provisions the token and the Issuer participates in the token approval process.
eCommerce and in-store
Network Tokenization is a card tokenization solution offered by card networks (e.g. Visa, Mastercard or American Express) that replaces primary account numbers (PANs) and other card details with a network token issued by the card brand. Each card network operates its own scheme token service, and thus, the token is generated by the card network involving the Issuer in the token approval process. EMVCo defines a payment network token as “a surrogate value that replaces a primary account number (PAN) in the payment ecosystem.”
Network Tokens
- They are generated by the Visa, Mastercard or American Express card networks.
- They are provisioned when the merchant creates a Registration Token or an Omni Token.
- They do not need to be stored by the merchant when Open Payment Platform acts as a TSP (Token Service Provider).
Two options are available:
1. Let Open Payment Platform provision and collect network tokens
- No integration changes are required
- Onboard with Open Payment Platform as TSP (Token Service Provider)
- Continue to process payments using a Registration Token or an Omni Token
2. Use your existing network tokens
- Control your network tokens with your own TSP
- Process payments using tokenAccount API parameters.