Tokenization in the financial card space is not new. Generally speaking, the technology was first applied to electronic payments in the late 1990s. However, trends in e-commerce and data privacy, along with the relentless evolution of hacking methodologies and technologies, are moving tokenization into the retail and banking spotlight. Also, EMVCo — the global technical body that facilitates worldwide interoperability of secure payment transactions by developing and publishing EMV® standards — has leaned heavily into tokenization in the last several years because the technology “limits potential risk from payment data compromise” and “promotes the development of new payment technology and scenarios where the risk of using a PAN would be deemed too high.”
So while it is not a new technology, sophisticated new strategies for improving fraud prevention, enriching user experiences, and streamlining compliance are evolving today and leading to a surge in demand for cloud-based tokenization technologies and services. In fact, what was a $3.4B (USD) market in 2021 is projected to reach $8.6B worldwide by 2027 for a CAGR of more than 21%.
Enabling global growth in e-commerce
Before COVID-19, global e-commerce accounted for 15% of total retail sales. But limitations on in-store shopping during the pandemic prompted more consumers to engage in online and mobile shopping. Today, e-commerce now drives more than 22% of retail sales worldwide. Leading financial organizations, such as Morgan Stanley, predict that the $3.3T (USD) in global e-commerce could easily reach $5.4T by the end of 2026.
Almost every card transaction that occurs in a payments ecosystem is enabled by the same digital elements: a primary account number (PAN), an expiration date, and a CVV2 security code. Of course, that data is targeted by cybercriminals who, unfortunately, tend to have more money and larger teams of coders than the organizations trying to fend them off. The attacks are so relentless that retailers and others selling products and services online must carefully consider every transaction. Even if PANs and CVV2 codes are encrypted, they’re vulnerable.
This is one of the realities driving growth and innovation in tokenization. By replacing a cardholder’s PAN with a one-time unique identifier, the information is rendered useless to a hacker. Retailers — or other online product and service providers — retain a token that represents the sensitive data. Every time a transaction is initiated, that representative token is used to verify the account. Even in the event of a lost or expired card being replaced, most issuers use lifecycle management systems that automatically update tokens when a new card is issued.
All of this helps create highly personalized payment experiences by enabling consumers to save their payment preferences for future transactions. Also, it’s important to note that every merchant will use a different token when storing a consumer’s credit card information. So, there’s no risk of a widespread information leak that would require consumers to cancel their cards completely. The same principle applies to mobile wallets. When credit card data is saved in a digital wallet, the PAN is replaced with a token that’s shared with the issuing bank. If a phone is lost or stolen, there’s no payment data stored on the device and the token that is stored is useless to any unauthorized users. This means that no card details are jeopardized if a smartphone is lost and stolen, as real payment data isn’t held by the device. These capabilities also give consumers the ability to manage their digitized cards on a per-merchant or per-device basis.
Tokenization is also popular with retailers, such as Amazon or Best Buy, who want to create exceptional in-app user experiences. This year, many experts predict that no less than 10% of all retail sales will be conducted through mobile apps. So, it’s important to bring both security and exceptional user experiences to branded apps.
How is tokenization different than encryption?
We hear this question frequently and it’s important to note some clear distinctions. Encryption protects data through the use of a mathematical cipher. This renders the data unintelligible to those who do not have access to securely managed keys. All of the data elements — such as financial card information and transaction details — are transmitted. If hackers successfully intercept encrypted transmissions, they have the data. But they can only read that data if they have also stolen the right keys. (In the future, they could also use quantum computing to break the encryption).
Tokenization doesn’t obfuscate data; it removes it from the interaction entirely. It replaces sensitive data with a token that represents the financial card data. If it’s stolen, it’s worthless to a hacker. The real data is stored in a digital vault and can only be retrieved when the correct token is presented. This makes common hacking attempts, such as man-in-the-middle attacks, ineffective. In the case of mobile or online payments, this protects the consumer's financial information and greatly simplifies PCI DSS compliance.
Aligned with the age of exceptional UX
There are a lot of reasons why tokenization is becoming a global standard for online and mobile payments. For merchants and issuers, there is a strong financial return on investing in tokenization. For example, Visa reported in 2022 that card transaction fraud has declined by 28% because of tokenization and that transaction approval rates increased by about 3%. The decrease in false negatives is a massive financial and brand experience win for both merchants and issuers. Tokenization is a boon for consumers, as well. The technology is proven to provide the best protection for their financial card data — and it allows them to develop safe and familiar relationships with the merchants they prefer. It helps enable seamless shopping experiences.
Ultimately, it seems the world will move to a place where every card-not-present will be tokenized and sensitive card data will not be at risk. Until then, it’s important for more issuers and merchants to understand the value of tokenization and for the remaining non-adopters to put systems in place. In the meantime, leading providers like Entrust will continue to evolve the technology and make it increasingly more intuitive, more intelligent, and easier to implement.