Understand how tokenization works in online payments, and how Stitch uses the technology to power recurring or repeat payments, creating a better payments experience and stronger security for both our merchants and their end users.
A reliable, secure and frictionless payments experience is now the expectation for consumers, especially when making card payments. One key technology that enables card providers and their merchants to offer this seamless experience is tokenization.
While tokenization of digital assets has a number of potential use cases, in the context of payments, tokenization refers to the process of replacing sensitive data – like credit or debit card numbers – with a unique identifier or a token. This token acts as a substitute for actual card information during a transaction, adding an extra layer of security.
In the early days of electronic payments, encryption techniques were used to protect sensitive card data during transactions. However, at that time, merchants and payment processors still had to store and manage card numbers, which posed many security risks.
After the introduction of clear Payment Card Industry (PCI) Tokenization Guidelines in 2010, businesses managing and processing card data finally had a framework for implementing tokenization within the payments industry, actively addressing the many data breaches that had occurred since the Payment Card Industry Data Security Standard (PCI DSS) was established in 2004.
According to Juniper Research, the total number of tokenized payment transactions is set to exceed 1 trillion globally by 2026, rising from 680 billion in 2022 – representing growth of 58% over the next few years. Key drivers for growth include the increased adoption of one-click payment solutions by merchants in the e-commerce space, by digital apps like ride-sharing, and by card networks that are encouraging mass adoption of tokenization at the network level to improve payment rates.
Today, tokenization takes many forms and addresses multiple use cases. For example, digital wallets – like Apple Pay or Google Pay – work by tokenising physical card information to create a digital version of a card. Doing so reduces the number of steps needed to make a card payment, and removes the need to carry a physical card. As a result, their popularity has surged at a rapid pace. There are now more Visa network tokens in circulation than physical cards.
In fact, the piece of plastic in your wallet is also a token itself. The card was one of the first pieces of technology in this space that acted as a stand-in for an account number, removing the need to physically present the card number when making a payment.
Payments aside, thanks to developments in blockchain technology, tokenization of all kinds of assets is already starting to happen - from dematerialised assets like securities to alternative assets like private equity, to real estate and art. 11:FS Co-founder and Head of Strategy and Content at Sardine, Simon Taylor, put it like this: “Tokenization takes an asset, usually recorded as paper or an electronic ledger entry, and turns that record into a token. It also automates the rules of interacting with that asset, and the transactions become programmable.”
For the purpose of this article, we’ll focus on tokenization in the context of payments – specifically bank or card details, and Debit Orders, as a means to provide a more secure and seamless payments experience.
For businesses that require recurring payments, tokenization allows returning users to pay more seamlessly and significantly reduces the risk of failed payments.
Tokenization technology can be used for multiple payment methods - in our case at Stitch, for both card and Debit Order. However, there are some nuances for the customer. A Debit Order asks for a ‘consent request’, from which the output is consent. For Card, it’s a tokenization request, which results in a token.
In both instances, the customer is required to authenticate a transaction via their banking app, OTP or similar before the request for payment can be processed.
There are a number of benefits offered by tokenization in payments:
Overall, tokenization provides a secure method for handling payment card data, protecting sensitive information throughout the payment process and reducing the potential risks associated with storing and transmitting cardholder data.
The process of tokenization varies marginally, depending on the method of payment, but the principle remains the same: a token represents sensitive information digitally to ensure the security and privacy of a transaction with an encrypted substitution. Here's how it works at Stitch.
1. Data capture: When a customer initiates a transaction via card, their card details are captured, including the primary account number (PAN), cardholder name, expiration date, and security code (CVV/CVC).
2. Token generation and storage: The sensitive card data is securely transmitted to the Stitch card vault. This system generates a unique token to represent that card data. From there, the token is stored in a separate Stitch token vault. The token is linked to the original card data stored in the card vault, establishing a relationship between the two.
3. Payment processing: When a customer initiates a payment for the first time, or comes back for a repeat transaction, the merchant uses the token instead of the actual card information to process the payment.
4. Token lookup: Stitch receives the token and performs a lookup in the Stitch token vault to retrieve the original card data associated with the token.
5. Transaction authorization: With the original card data retrieved, the payment service provider (PSP) can proceed with the transaction authorization process, which involves verifying the card's validity, availability of funds and other necessary checks.
6. Transaction completion: Once the authorization is successful, the PSP sends the payment confirmation to the merchant, and proceeds with the transaction.
Tokenization enables a transfer to be executed without exposing sensitive payment information. Even if a token is intercepted or compromised, it can’t be reverse-engineered to reveal original details without access to the token vault.
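The flow in steps 1 to 6, as an added Python example that is not Stitch's code or API: the class names `CardVault`, `TokenVault` and `Psp`, the `tok_` prefix and the in-memory dictionaries are assumptions, and any card number passed in is expected to be a test value. It shows that the token is random rather than derived from the PAN, so only a vault lookup can resolve it.

```python
import secrets

class CardVault:
    """Assumed stand-in for the card vault: the only place PANs live."""
    def __init__(self):
        self._cards = {}

    def store(self, pan, expiry):
        card_id = secrets.token_hex(8)  # internal reference, never sent to the merchant
        self._cards[card_id] = {"pan": pan, "expiry": expiry}
        return card_id

    def fetch(self, card_id):
        return self._cards[card_id]

class TokenVault:
    """Assumed stand-in for the token vault: maps token -> card reference."""
    def __init__(self):
        self._tokens = {}

    def issue(self, card_id):
        token = "tok_" + secrets.token_urlsafe(24)  # random, not derived from the PAN
        self._tokens[token] = card_id
        return token

    def resolve(self, token):
        return self._tokens.get(token)  # None for unknown or revoked tokens

    def revoke(self, token):
        self._tokens.pop(token, None)

class Psp:
    """Hypothetical PSP tying steps 1-6 together."""
    def __init__(self):
        self.cards, self.tokens = CardVault(), TokenVault()

    def tokenize(self, pan, expiry, cvv):
        # Steps 1-2. The security code is accepted but deliberately not stored
        # (PCI DSS does not allow retaining it after authorization).
        return self.tokens.issue(self.cards.store(pan, expiry))

    def charge(self, token, amount_cents):
        # Steps 3-6: the merchant sends token + amount; the lookup happens here.
        card_id = self.tokens.resolve(token)
        if card_id is None:
            return {"status": "declined", "reason": "unknown_token"}
        card = self.cards.fetch(card_id)
        # A real PSP would now send card["pan"] to the card network for authorization.
        return {"status": "approved", "amount_cents": amount_cents, "last4": card["pan"][-4:]}
```

A merchant stores only the value returned by `tokenize`. Revoking it in the token vault makes a leaked token unusable without touching the stored card.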
At Stitch, we use tokenization as a way for our merchants to offer returning customers a seamless payments experience. This extends across verticals – from e-commerce, to insurance, subscription platforms and more. Reducing the number of steps to making a payment or finalising a transaction results in higher conversion and retention, ultimately boosting revenue.
With Stitch, you can choose between two types of tokenization: standalone tokenization or tokenization during payment.
Standalone tokenization is most commonly used in a scenario where a customer’s payment details need to be stored for future use. E-hailing platforms like Uber would use standalone tokenization: a customer enters their payment details during the account set-up process, but might not need to request a ride or order food right away.
Tokenization during payment is more commonly used on e-commerce platforms if a customer uses a guest checkout feature or creates an account and chooses not to store their payment details on the platform. In this case, the token wouldn’t be stored, and the customer would need to re-enter their details in order to make a future payment.
Regardless, both methods require payment authorization via a token. When a transaction is initiated, the token is presented, along with the payment amount, to Stitch, before the transaction is processed.
Stitch Card has been designed with a high level of functionality and customizability to help our clients tackle common challenges faced with other providers, and keep growing their business.
Get in touch to see how your business can benefit from Stitch Card, alongside other payment methods, through one API.