Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

By Sue Zloth

As you may have read in my previous post, I’ve been working with the PCI Council Special Interest Group to provide recommendations on tokenization. While the PCI Council guidance on tokenization hasn’t been released yet, I decided to pursue the topic here on our blog to help educate merchants about it.  Last week, I discussed what tokenization is. This week, I’d like to talk about the different types of tokenization.

There are two main types of tokenization: transaction-based tokens and card-based tokens.

  • Transaction-based tokens relate to individual transactions. With transaction-based tokenization, a new token is created each time a transaction occurs.
  • Card-based tokens are generated for each card number. In this approach, the same token is reused every time that card number is used.

Is one approach better than the other? There really isn’t a simple answer to that question. In the end, it’s up to the merchant to evaluate how they would use token information and make the decision that is right for them.

Many merchants need to track customer purchases. They may use the credit card number as the “key” for that analysis. Once a merchant moves to tokenization, they will use the token instead.  Unfortunately, a merchant using a transaction-based tokenization system would lose the ability to track customer purchasing behavior because the token will be different for each transaction. Since the token is tied only to a single transaction, the merchant won’t know if a customer buys, for example, three items from a store over the course of a month using the same credit card.

With a card-based tokenization solution, merchants are given more insights into the purchasing decisions and activities of their customers. Card-based tokenization allows the merchant to see a customer’s activities across online and brick-and-mortar environments since the same token is always used for the same credit card.
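The tracking difference described above, shown as an added example (not code from the original post or from any vendor's product): a toy in-memory vault issues random tokens in either mode, and the merchant's analytics counts purchases per token. The names `TokenVault`, `purchases_per_token` and the `tok_` prefix are assumptions made for illustration, and the card numbers are standard test values.

```python
import secrets
from collections import Counter


class TokenVault:
    """Toy in-memory vault (assumption: a real vault encrypts stored PANs
    and runs outside the merchant environment)."""

    def __init__(self, card_based: bool):
        self.card_based = card_based
        self._token_to_pan = {}   # token -> PAN, used for detokenization
        self._pan_to_token = {}   # PAN -> token, only used in card-based mode

    def _new_token(self) -> str:
        # Random value with no mathematical relationship to the PAN.
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        if self.card_based and pan in self._pan_to_token:
            return self._pan_to_token[pan]      # same card -> same token
        token = self._new_token()               # otherwise mint a fresh token
        self._token_to_pan[token] = pan
        if self.card_based:
            self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def purchases_per_token(vault: TokenVault, pans: list[str]) -> Counter:
    """What the merchant's analytics sees: only tokens, never PANs."""
    return Counter(vault.tokenize(pan) for pan in pans)


# Constructed sample: test card numbers, one month of purchases.
CARD_A, CARD_B = "4111111111111111", "5555555555554444"
MONTH = [CARD_A, CARD_B, CARD_A, CARD_A]

if __name__ == "__main__":
    for mode in (False, True):
        counts = purchases_per_token(TokenVault(card_based=mode), MONTH)
        label = "card-based" if mode else "transaction-based"
        print(label, sorted(counts.values()))
```

In transaction-based mode every purchase appears under its own token, so the three purchases on the first card cannot be linked; in card-based mode they collapse onto one token.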

Ultimately, both types of tokenization vastly reduce the risk of sensitive customer data being stolen should a data breach occur. Because a stolen token has no value to a thief, the customer’s real data is kept secure.

Next up in the series: What to consider when implementing a tokenization solution
