What is tokenization and how does it work?

Tokenization is gaining increased adoption in the payment domain. It can be used in different ways. There are payment tokens and security tokens, for example. Apple Pay is an example of a payment method using payment tokens.

This is how it works:

1. When a debit/credit card is added to the Apple Pay wallet, the original card number is replaced by a payment token, which is in fact a new card number.
2. This card number is then used to make payments with Apple Pay at payment terminals.
3. The payment machine treats the iPhone with Apple Pay as an ‘ordinary’ contactless EMV card.

Besides Apple Pay, the ING mobile payment app for Android also uses payment tokens.

Tokenization in the parking sector

While payment tokens are used to make payments, security tokens have a very different use. An example is parking in a car park.

1. You place your payment card (debit/credit card) against the contactless card reader upon entering the car park. The card number is read off the smart card and converted into a security token.
2. This token is sent to the Parking Management System (PMS) and stored there together with the time of entry.
3. When exiting the car park, you again place your payment card against a contactless reader. The card number is read off and converted to the same security token, which is again sent to the PMS.
4. The PMS can now calculate the parking time and fee. The system ensures that payment is made without the card numbers being sent to the PMS.

How is a card number converted into a security token?

The conversion of a card number into a security token involves hashing, encryption and secret keys. Each time card number X is presented, this results in the same security token Y. It is not possible, however, to retrieve card number X from security token Y. The conversion of the card number into the security token is thus a one-way street.

What is ‘anonymous customer tracking’?

Some payment machines (e.g. the VX 820 pinpad) allow to convert the customer card number into a security token for each transaction.

1. The security token is sent to the cash register after payment.
2. The cash register will store the items sold and the security token in the database.
3. Each time the same payment card is used, this results in the same security token.

This allows the cash register or an underlying system to trace the purchasing behaviour associated with this payment card, without knowing who the customer is. This is known as ‘anonymous customer tracking’.

What is the difference between ‘anonymous customer tracking’ and ‘customer tracking’?

If customers give their consent, a security token can be linked to personal account information, e.g. in the webshop of a large chain store. The token is then no longer anonymous, and ‘anonymous customer tracking’ turns into ‘customer tracking’.

Security tokens and loyalty programmes

Security tokens can also be used to replace (or as an addition to) existing loyalty cards. For example, by linking the security token of their payment cards to their loyalty accounts, consumers would no longer have to present their loyalty cards at the cash desk. The payment card's security token already indicates that the customer is a member of the loyalty programme.

About CCV Group

CCV applies in-store payment solutions, powerful online solutions and self-service payment terminals throughout Europe. We support our customers in creating an optimal omni-channel shopping experience, so consumers can pay when it suits them, using the payment method of their choice: online, in-store, by card or smartphone.