Merchants worldwide have grown increasingly mindful of keeping customers’ sensitive data, such as payment card details, out of their own environments – and tokens seem to be the go-to tool to fill the gap. Processes such as reservations, returns, reporting and rewards typically require confidential data. However, incidents of high-profile data breaches have brought this topic to the fore, highlighting the need to keep sensitive customer data under lock and key.
Yet, with merchants relying on this sensitive data in order to execute a myriad of basic functions, how can tokens be a substitute for the real deal?
Defining the token
For many of us, the word ‘token’ takes us back to when we’d receive them at fairgrounds or the pier arcade, using them to redeem toys and win at claw machines.
These tokens represented money, but only had value within certain environments: we couldn’t use them for purchases outside of the arcade.
In much the same way, in the context of payments, a ‘token’ typically refers to a payment tool within a defined environment. The PCI Security Standards Council outlines tokenisation as "a process by which the primary account number (PAN) is replaced with a surrogate value called a token. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value."
From this definition, it is clear that a token cannot be traced back to an actual card or reveal the card number of the person who holds it, as tokens are not encrypted card numbers.
Are all tokens equal?
In short, no. There is a range of different types of tokens, and it is crucial to know the difference:
Acquirer tokens are produced by acquirers when they process cardholder transaction requests on behalf of merchants, and are returned in the transaction response. However, these tokens are highly dependent on acquirers.
Merchant tokens are generated specifically for a merchant by the provider they choose. These tokens are produced when a cardholder tenders their card for transaction processing but they are owned by the merchant. This gives merchants a stronger degree of comfort in terms of ownership.
Issuer tokens are generated by card issuers and schemes for specific use cases, including mobile payment applications like Apple Pay, Google Pay and Samsung Pay. They are usually given directly to a cardholder’s mobile wallet, card chip or app. They have a much broader scope and can be used to pay for products and services across multiple merchants.
Payment tokens are newer than the other tokens mentioned. They are generated in a framework known as Token Program on behalf of at least one card issuer. These tokens are requested based on specific use cases, on behalf of merchants and cardholders. They enable end-to-end payments from merchants to issuers without needing to translate them into a card number. These can also be used to pay multiple merchants during their lifespan.
How do merchants retain control and flexibility?
The gap left by eliminating card numbers from retail environments can be filled by merchant and acquirer tokens, as these are the most practical tokens that are fit for the job. Merchant tokens are much more popular, given the ability for merchants to handle these within their own environments, define the formats and the usage of these tokens, and migrate them to another provider. This independence nurtures innovation and integration of both internal and external systems in the merchant’s own environment.
The emergence of an omni-token approach
Merchants can generate merchant tokens by engaging a payment platform that can provide them with omni-tokens. When their payment provider generates the tokens, the merchant will receive these tokens to use internally, while the provider is responsible for translating said tokens into actual card numbers for external payment-related processes. These include fraud checks, settlement, and authorisations.
Omni-tokens can be used across the merchant’s range of payment channels. This is useful for merchants that interact with cardholders through various channels, such as mobile apps, physical stores, call centres and pop-up stores.
For instance, when a fashion retailer receives an omni-token for a customer’s card number on their website, the merchant could use the same token to identify the customer if they came into the store to make a purchase. Staff can be alerted to this customer’s recent purchase through their website, opening up new opportunities for customer engagement.
Going further, the same omni-token can be sent to the merchant’s loyalty provider, which can use it to reward the customer with points, coupons and discounts. If the customer were to return the item, omni-tokens can facilitate seamless refund processing.
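The omni-token flow described above, as an added sketch that is not from the article or from any provider's API: the provider issues a random surrogate per merchant and card, returns the same token on every channel, and translates it back only for the owning merchant. The names TokenVault, tokenise, detokenise and the merchant ids are assumptions, and in-memory dictionaries stand in for the provider's vault.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Constructed stand-in for the payment provider's token service."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._by_fingerprint = {}  # (merchant, PAN fingerprint) -> token
        self._by_token = {}        # token -> (merchant, PAN); provider-side only

    def _fingerprint(self, pan):
        # Keyed hash so the lookup index is not a bare, brute-forceable PAN hash.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, merchant_id, pan, channel):
        """Return the merchant's token for this PAN, whatever the channel."""
        # channel is accepted only to show that it plays no part in the token.
        key = (merchant_id, self._fingerprint(pan))
        token = self._by_fingerprint.get(key)
        if token is None:
            # Random surrogate: not a function of the PAN, so nothing to decrypt.
            token = "tok_" + secrets.token_hex(12)
            self._by_fingerprint[key] = token
            # A real vault would hold the PAN encrypted at rest.
            self._by_token[token] = (merchant_id, pan)
        return token

    def detokenise(self, merchant_id, token):
        """Provider-side translation for authorisation, settlement, fraud checks."""
        owner, pan = self._by_token.get(token, (None, None))
        if owner != merchant_id:
            raise PermissionError("token is not valid for this merchant")
        return pan


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # widely used test card number, not a real account
    web = vault.tokenise("fashion-retailer", pan, channel="website")
    store = vault.tokenise("fashion-retailer", pan, channel="store")
    other = vault.tokenise("other-merchant", pan, channel="website")
    return web, store, other, vault.detokenise("fashion-retailer", web)
```

The website and store tokens match, which is what lets staff or a loyalty provider recognise the customer, while a second merchant receives an unrelated token for the same card.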
The use of tokens opens many doors for retailers who want to avoid storing card details in their own environments. It is key for businesses to be aware of the various types of tokens that are available to them and to select one that aligns with their business needs to take advantage of the benefits of using tokens.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.