One of the main reasons for the recent rise of tokenization is mobile payments. With more credit card numbers being transmitted over wireless signals, it is easier for fraudsters to “listen in” on insecure transmissions.
Tokenization replaces the transmission of sensitive data with something that has no intrinsic meaning and cannot be decrypted. The only party able to link the token to the cardholder’s primary account number (PAN) is the tokenization service provider, which can be a card network, a payment gateway or a digital wallet platform like Google or Apple Pay.
Step by step, here’s how it works:
The cardholder provides a credit card number to a merchant’s application or website to enable the tokenization.
The merchant receives a unique token from its service provider and stores this token, not the PAN, in its computer system.
When the cardholder makes a purchase, the merchant submits the token to their acquiring bank to process the transaction.
The acquiring bank verifies with the tokenization service provider that the token matches a valid credit card.
The transaction is processed without the cardholder’s PAN ever being on the merchant’s server or sent over the Internet as part of the transaction.
If the merchant’s servers are hacked, the fraudsters will get only useless tokens, not any real credit card information.
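The flow above can be modelled in a few lines of Python. This is an added example, not code from the original page; the class and function names are hypothetical, the card number is a well-known test PAN, and the in-memory dictionary stands in for the provider's vault.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the basic validity test for a card number."""
    if not pan.isdigit():
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class TokenServiceProvider:
    """Hypothetical provider: the only party holding the token -> PAN link."""
    def __init__(self):
        self._vault = {}  # token -> PAN; never leaves the provider

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # Random value, not derived from the PAN, so there is nothing to decrypt.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def verify(self, token: str) -> bool:
        """Asked by the acquiring bank: does this token match a valid card?"""
        return token in self._vault

class Merchant:
    def __init__(self, provider: TokenServiceProvider):
        self.provider = provider
        self.stored = {}  # customer -> token; all that a breach would expose

    def enroll(self, customer: str, pan: str) -> None:
        # The PAN is passed through to the provider and not kept.
        self.stored[customer] = self.provider.tokenize(pan)

def acquirer_process(provider: TokenServiceProvider, token: str) -> str:
    return "approved" if provider.verify(token) else "declined"

def demo():
    tsp = TokenServiceProvider()
    shop = Merchant(tsp)
    shop.enroll("alice", "4111111111111111")  # constructed test PAN
    genuine = acquirer_process(tsp, shop.stored["alice"])
    forged = acquirer_process(tsp, "tok_" + "0" * 32)  # guessed token
    return genuine, forged, list(shop.stored.values())

if __name__ == "__main__":
    print(demo())
```

Dumping `shop.stored` after the run shows what an attacker on the merchant's server would obtain: random token strings that only the provider can map back to a card.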