Tokenization in online payments: Understanding card tokenization

A reliable, secure and frictionless payments experience is now the expectation for consumers, especially when making card payments. One key technology that enables card providers and their merchants to offer this seamless experience is tokenization.

While tokenization of digital assets has a number of potential use cases, in the context of payments, tokenization refers to the process of replacing sensitive data – like credit or debit card numbers – with a unique identifier or a token. This token acts as a substitute for actual card information during a transaction, adding an extra layer of security.

In the early days of electronic payments, encryption techniques were used to protect sensitive card data during transactions. However, at that time, merchants and payment processors still had to store and manage card numbers, which posed many security risks.

After the introduction of clear Payment Card Industry (PCI) Tokenization Guidelines in 2010, businesses managing and processing card data finally had a framework for implementing tokenization within the payments industry, actively addressing the many data breaches that had occurred since the Payments Card Industry Data Security Standard (PCI DSS) was established in 2004.

According to Juniper Research, the total number of tokenized payment transactions is set to exceed 1 trillion globally by 2026, rising from 680 billion in 2022 – effectively representing a 58% increase in growth over the next few years. Key drivers for growth include the increased adoption of one-click payment solutions by merchants in the e-commerce space, by digital apps like ride-sharing, and by card networks who are encouraging mass adoption of tokenization at the network level to improve payment rates.

How tokenization is used today

Today, tokenization takes many forms and addresses multiple use cases. For example, digital wallets – like Apple or Google Pay – work by tokenising physical card information to create a digital version of a card. Doing so reduces the number of steps needed to make a card payment, and removes the need to carry a physical card. As a result, popularity has surged at a rapid pace. There are now more Visa network tokens in circulation than physical cards.

In fact, the piece of plastic in your wallet is also a token itself. The card was one of the first pieces of technology in this space that acted as a stand-in for an account number, removing the need to physically present the card number when making a payment.

Payments aside, thanks to developments in blockchain technology, tokenization of all kinds of assets is already starting to happen - from dematerialised assets like securities to alternative assets like private equity, to real estate and art. 11:FS Co-founder and Head of Strategy and Content at Sardine, Simon Taylor, put it like this: “Tokenization takes an asset, usually recorded as paper or an electronic ledger entry, and turns that record into a token. It also automates the rules of interacting with that asset, and the transactions become programmable.”

For the purpose of this article, we’ll focus on tokenization in the context of payments – specifically bank or card details, and Debit Orders, as a means to provide a more secure and seamless payments experience. 

Debit Order vs card tokenization

For businesses that require recurring payments, tokenization allows returning users to pay more seamlessly and significantly reduces the risk of failed payments.

Tokenization technology can be used for multiple payment methods - in our case at Stitch, for both card and Debit Order. However, there are some nuances for the customer. A Debit Order asks for a ‘consent request’, from which the output is consent. For Card, it’s a tokenization request, which results in a token.

In both instances, the customer is required to authenticate a transaction via their banking app, OTP or similar before the request for payment can be processed. 

Benefits of tokenization

There are a number of benefits offered by tokenization in payments:

• Enhanced security. The key advantage of tokenization is its ability to enhance security by reducing the exposure of sensitive payment card data. Even if a token is intercepted, it can’t be used to retrieve the original card information. This greatly reduces the risk of data breaches and fraud
• PCI DSS Compliance. Businesses offering card payments are required to abide by PCI DSS standards. As a PCI DSS Level 1 certified PSP, Stitch upholds a stringent standard of safety and security on our platform when it comes to accepting, processing, storing and transmitting card information. This simultaneously removes the need for a merchant to go through the lengthy, complex process of acquiring their own certification 
• Reduced friction. Tokenization also allows merchants to store tokens for future use, such as recurring payments or card-on-file scenarios, without having to store the actual card data
• Smoother customer experience with one-click checkout. Tokenized payments streamline the checkout process and enhance the overall customer experience by eliminating the need for customers to repeatedly enter payment information. This has the potential to increase customer satisfaction and retention, leading to higher conversion rates 
• A more effective collections process. For businesses with recurring payments or subscription models, tokenization removes a lot of the heavy lifting. Once a token is securely stored, it can be used to initiate subsequent transactions without requiring the customer to re-enter their payment information. This automated process reduces the risk of errors and eliminates the need for manual intervention, making it easier to manage recurring billing for businesses

Overall, tokenization provides a secure method for handling payment card data, protecting sensitive information throughout the payment process and reducing the potential risks associated with storing and transmitting cardholder data.

How tokenization works in card payments

The process of tokenization varies marginally, depending on the method of payment, but the principle remains the same: a token represents sensitive information digitally to ensure the security and privacy of a transaction with an encrypted substitution. Here's how it works at Stitch.

1. Data capture: When a customer initiates a transaction via card, their card details are captured, including the primary account number (PAN), cardholder name, expiration date, and security code (CVV/CVC).

2. Token generation and storage: The sensitive card data is securely transmitted to the Stitch card vault. This system generates a unique token to represent that card data. From there, the token is stored in a separate Stitch token vault. The token is linked to the original card data stored in the card vault, establishing a relationship between the two.

3. Payment processing: When a customer initiates a payment for the first time, or comes back for a repeat transaction, the merchant uses the token instead of the actual card information to process the payment.

4. Token lookup: Stitch receives the token and performs a lookup in the Stitch token vault to retrieve the original card data associated with the token.

5. Transaction authorization: With the original card data retrieved, the PSP can proceed with the transaction authorization process, which involves verifying the card's validity, availability of funds and other necessary checks.

6. Transaction completion: Once the authorization is successful, the PSP sends the payment confirmation to the merchant, and proceeds with the transaction.

Tokenization enables a transfer to be executed without exposing sensitive payment information. Even if a token is intercepted or compromised, it can’t be reverse-engineered to reveal original details without access to the token vault.

Tokenization at Stitch

At Stitch, we use tokenization as a way for our merchants to offer returning customers a seamless payments experience. This extends across verticals – from e-commerce, to insurance, subscription platforms and more. Reducing the number of steps to making a payment or finalising a transaction results in higher conversion and retention, ultimately boosting revenue.

With Stitch, you can choose between two types of tokenization: standalone tokenization or tokenization during payment.

Standalone tokenization is most commonly used in a scenario where a customer’s payment details need to be stored for future use. E-hailing platforms like Uber would use standalone tokenization so that after a customer creates an account, they’d enter their payment details in the account set-up process, but might not need to request a ride or order food right away.

Tokenization during payment is more commonly used on e-commerce platforms if a customer uses a guest checkout feature or creates an account and chooses not to store their payment details on the platform. In this case, the token wouldn’t be stored, and the customer would need to re-enter their details in order to make a future payment.

Regardless, both methods require payment authorization via a token. When a transaction is initiated, the token is presented, along with the payment amount, to Stitch, before the transaction is processed.

Why Stitch Card for enterprise businesses

Stitch Card has been designed with a high level of functionality and customizability to help our clients tackle common challenges faced with other providers, and keep growing their business.

• Configurable 3D Secure rules. A dynamic 3D-Secure functionality means you can decide whether you want to present 3D-Secure authentication screens to customers every time they make a new payment, or just once-off, allowing for a more seamless user experience  
• Own your own network tokens. We’re the only provider in South Africa that offers the ability to own your tokens, meaning you’re not locked into a single provider. This enables the flexibility to move processors seamlessly and take your tokens with you. It also makes it easier to transfer tokens from an existing provider to Stitch
• Decreased risk of failed payments. With the ability to automatically update expired or lost cards, the risk of payment failure is kept to a minimum
• Once-off or card-on-file payments. Customers can choose to store their card details (or tokens) so they can make seamless one-click payments when they return, or make a once-off payment 
• Automated chargeback management. Stitch is the first payments processor in South Africa that enables clients to manage chargeback disputes programmatically via API, significantly reducing administrative burden
• Programmatic reconciliation. Free your finance teams with automated, digital recon on all card transactions. You’re also able to reconcile card transactions alongside other payment methods in one place
• Direct integration with multiple banks. We’re connected across the payments stack, meaning you’ll enjoy more uptime, increased reliability and options to cater for redundancy

Get in touch to see how your business can benefit from Stitch Card, alongside other payment methods, through one API.

Reap the benefits of tokenization with Stitch Card Request a demo