Credit Card Processing Tokenization

There’s a lot of buzz around tokenization lately, and for good reason. Format Preserving Tokenization™ is a rising data security model that can be used alone or to augment strong encryption, benefiting companies that accept credit card numbers, including credit card processors.

Here’s how it works: Tokens are meaningless surrogate values that replace credit card numbers in systems, applications and databases, while the encrypted values they represent remain locked in a central repository, called a data vault.

This provides a number of benefits for companies that need to protect credit card information, including safe movement of tokens inside and outside the company, preservation of the credit card data format, and taking data, applications and systems out of scope for Payment Card Industry Data Security Standard (PCI DSS) compliance and audits.

Several industry organizations are working on tokenization definitions, standards and guidelines. The PCI SSC Scoping Special Interest Group (SIG) is working on definitions and the application of tokens as they relate to PCI DSS, and the Accredited Standards Committee X9 is working on a standard to define tokenization requirements related to credit card data in the financial services industry.

Format preserving tokens enable practical applications such as post-authorization sales and marketing analysis, analytics, loss prevention and fraud detection. For example, a data warehouse program can use format preserving tokens to determine what type of credit card – standard, private label or gift card – was used for a purchase. In this scenario, the data warehouse contains only tokens, not the actual card numbers.

A word of caution for merchants: there is no such thing as token portability between credit card processors. Because of this, companies that outsource tokenization of cardholder data to their payment processor need to be wary of vendor lock-in. This becomes a problem when the company decides to change processors, because the tokenized values are not transferable. The new credit card processing company has no way to determine which credit card number is linked to each token, so the data is effectively lost.

The solution is in-house tokenization: merchants can avoid this problem by tokenizing credit card data in-house using a commercial off-the-shelf tokenization solution that’s properly maintained by the vendor.

Gary Palgon,
CISSP, Vice President, Product Management, nuBridges

21 Responses to “Credit Card Processing Tokenization”

  1. CCPrUs says:

    Dear Gary,

    Many thanks for this enlightening post – sure sounds like tokenization is ideal for protecting cardholder information for both processors and merchants.

    Your “word of caution” is priceless!


  3. Yaniv says:

    I was wondering what’s the difference between “Tokenization” and regular encryption done for PCI compliance, if any?

  4. CCPrUs says:


    Credit card data encryption and credit card processing Tokenization are one and the same.

    A new variation of tokenization – Format Preserving Tokenization™ — further extends the value of tokenization for credit card processors and the companies they serve.

    Format preserving tokens can maintain referential integrity with the data they represent so that business processes run uninterrupted and data analysis can be performed as if they were credit cards.

  6. Ronald says:

    I don’t get it.
    In simple English, what does “Tokenization” stand for?

  7. CCPrUs says:

    Tokenization stands for replacing sensitive credit card information with other values (tokens).

  9. Ronald says:

    OK, so what does “Format Preserving Tokenization” stand for?

  10. CCPrUs says:

    Format Preserving Tokenization maintains the original format of the data encrypted. If the original data was a 16-digit card number, the new token will also present a 16-digit figure.

  12. Dane says:

    Gary (or Gidi), correct me if I am wrong here, but would it be fair to say that we are looking at just another layer of security, that is not exactly bulletproof? If someone gets to put his hand on your encryption method he has all the information of your clients. As a merchant, I think it is better to let the processors handle the risk!

  13. CCPrUs says:

    Indeed “just another layer of security”… :)

  16. Rudi says:

    We started encrypting credit card data long ago and always kept the original format of the data encrypted. Why should anyone do it any other way? Now turns out that this method of encryption is actually a “new variation of tokenization – Format Preserving Tokenization™”. Well – so be it. Old news as far as we are concerned!

  18. Carrie says:

    There are other solutions other than in-house tokenization to address the problem of token portability between credit card processors. You can use a 3rd party gateway that is processor neutral, such as Transaction Network Services (TNS) Payment Gateways. Technically, the 3rd party gateway owns the tokens, so there is no issue if the merchant decides to switch processors.

  19. CCPrUs says:

    Carrie, as long as the merchant is both: happy with its 3rd party gateway provider, and wishes to switch to a processor supported by same gateway provider, the suggestion is a valid alternative.

    Token portability or lack of such becomes an issue once the merchant wishes to switch between gateway providers or considers using a processor not supported by its current 3rd party gateway provider. In-house tokenization covers these two scenarios as well.


  20. Carrie says:

    Good points, Gidi. Is that the trend for large (tier 1 and tier 2) e-tailers, to bring tokenization in house?

  21. CCPrUs says:

    Carrie, all merchants should try to avoid a vendor lock-in situation, though not all merchants have the resources to do so.

    Large eCommerce merchants usually maintain vendor mobility and tend to tokenize credit card data in-house.