Payment Card Tokenization and Token Application in Merchant Networks

Modern Electronic Payment Security Technologies

Overview of Payment Card Tokenization Technology

Card tokenization is the process of replacing sensitive bank card data (the card number (PAN), expiration date and CVV code) with a unique digital code, a token. The card data is then not stored in the merchant's or payment provider's system; a unique token is used instead, and the original card data cannot be recovered from it.

Important: A token cannot be used for fraudulent activities because it does not contain actual card information and cannot be used in real payment schemes.

If card data is neither protected nor tokenized, an attacker can gain access to the complete card data and misuse it for fraudulent operations. With tokenization, attempts to penetrate the databases of retailers and online stores to obtain card data become pointless for fraudsters.

The most widespread wallets are the digital wallets Apple Pay, Google Pay and Samsung Wallet. They have essentially become global wallets and the standard for secure and convenient payments.

In the VISA and Mastercard networks, payment card tokenization is handled by dedicated services. In the Mastercard International Payment System (IPS) it is called Mastercard Digital Enablement Service (MDES), and in Visa it is the Visa Token Service (VTS).

What distinguishes VTS and MDES is that the payers' confidential data is stored in the IPS itself, which bears responsibility for it. For each specific merchant, the payment system issues its own token (called a network token).

Ukraine Statistics for 2024:

  • The number of contactless active payment cards increased by 14% to 35 million cards
  • The number of tokenized cards increased by 33% to 16.5 million
  • Every fourth active payment card is tokenized
  • 95% of cashless transactions are made through NFC technologies

VISA and Mastercard payment systems continuously develop and improve the payment industry, implementing advanced payment technologies that provide enhanced protection against unauthorized account use and other forms of fraud.

Customers are already accustomed to using multiple channels for transactions, and accordingly merchants offer payment for goods and services through mobile devices, tablets, stationary tablet kiosks and internet commerce.

To describe tokenization processes, it is necessary to define new entities used in the tokenization technological process, and also clarify tasks regarding already known entities that play an important role in the tokenization process.

FPAN
the Funding PAN: the actual financial card number, including its expiration date.
DPAN
the Device PAN: a unique device token that replaces the FPAN for merchants and the acquirer bank.
Token Requestor (TR)
digital wallet providers and online stores (services). Token requestors can be both traditional payment industry participants and new entrants offering various innovations. Token requestors must be registered with the payment systems as participants in the tokenization process.
Digital Wallet Provider (DWP)
digital wallet and financial service providers such as ApplePay, GooglePay and Samsung Pay. A DWP supports card tokenization technology and token payments via NFC in the acceptance network for payment cards and wearable devices.
Token Service (TS)
the payment system's tokenization service; it secures the unique tokens and the correspondence between tokens and actual bank cards.
OTP (one-time password)
4 digits, used to authenticate the customer who initiated the card tokenization process.
Bank Issuer
issuing banks maintain the relationship with cardholders, perform customer authentication and verification, and manage risk. Issuers keep a communication channel with the tokenization service and independently control requests for the provision of tokens.
Bank Acquirer
the acquirer bank does not take part in the tokenization process, but it processes token transactions in the same way as card-number transactions. Transaction processing includes authorization, clearing, settlement and other operations.
Merchants, e-Commerce
Land-based retail networks and Internet commerce, as payment infrastructure, remain unchanged. Tokens are processed the same way as actual cards. POS terminals support transactions made from mobile devices over the NFC interface.

Internet merchants can be both token requestors and accept tokens for payment through integration with e-commerce providers.

Tokenization Process

The tokenization technological scheme involves: customer, issuer bank, tokenization service, wallet provider or internet merchant. Each participant plays a key role in ensuring security and availability of token payments.

The two most common tokenization schemes:
  • Tokenization in digital wallet;
  • Tokenization on platform for online store.

A. Tokenization in digital wallet.

Main participants in digital wallet tokenization process:

Cardholder (Customer)
the payment card holder who has a digital wallet (Apple, Google) and initiates tokenization of their own card through the interface of the digital wallet mobile application or the issuer bank application.
Digital Wallet Provider DWP (Apple, Google) and other digital services
the digital wallet provider that supports card tokenization technology and provides the interface to the customer through the mobile application.
Tokenization Service
the service that replaces actual card data (FPAN) with a unique token (DPAN) using a secure network gateway and encryption.
Issuer Bank
confirms, on request from the Tokenization Service, whether a payment card can be tokenized, and is responsible for confirming that the card is active and for authenticating the customer.
Digital wallet tokenization stages:
  1. The cardholder enters their card data in the wallet application;
  2. The wallet provider (DWP) sends a request with the card data to the tokenization service (TS);
  3. The tokenization service receives this data and sends a request to the issuer bank to confirm that the card can be tokenized; final checks of card activity are then performed;
  4. A one-time code is then generated to verify the customer (the customer is authenticated by sending them a one-time code (OTP) via SMS);
  5. The OTP code is sent to the issuer bank;
  6. The customer receives the OTP code from the issuer bank and must enter it in the digital wallet mobile application interface;
  7. The OTP code is sent to the tokenization service and compared with the code received from the bank;
  8. After successful OTP confirmation, the tokenization service creates (activates) the unique token DPAN and sends confirmation to the issuer bank;
  9. The digital wallet receives the unique token and uses it for future payments.
Fig. Tokenization for digital wallets

B. Tokenization on platform for online store.

Main participants in online store tokenization process:

Cardholder (Customer)
the payment card holder who has a digital wallet (Apple, Google) and initiates tokenization of their card through the mobile interface in the application.
Digital Wallet Provider DWP (Apple, Google) and other digital services
the digital wallet provider that supports card tokenization technology. It provides the interface to the customer through the mobile application and the NFC interface to POS terminals.
Tokenization Service
the service that replaces actual card data (FPAN) with a unique token (DPAN) using a secure network gateway and encryption.
Issuer Bank
confirms, on request from the tokenization service, whether a payment card can be tokenized, and is responsible for confirming that the card is active and for authenticating the customer.
Fig. Tokenization for online store.
Online store tokenization stages:
  1. The cardholder enters their card data on the store website;
  2. The online store forms a tokenization request to the Token Service (TS);
  3. The Token Service forwards the request to the issuer bank to confirm that the card can be tokenized;
  4. The issuer bank confirms that the card can be tokenized;
  5. The tokenization service creates the unique token DPAN;
  6. The issuer bank receives information about the token, its status and which Token Requestor requested it;
  7. The online store receives the unique token DPAN. After this, transaction processing can take place in the IPS payment service and at the issuer bank to confirm payment.
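Both flows above, as an added Python simulation that is not part of the original article: a toy Token Service that asks the issuer whether the card can be tokenized, runs the 4-digit OTP step only for a wallet requestor (the online-store requestor gets its DPAN on issuer confirmation alone), and records each DPAN in its vault bound to the requestor. The issuer card file, the token BIN 499999, the OTP lifetime and the attempt limit are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed issuer card file: FPAN -> status, expiry and phone on record (sample data, not real cards).
ISSUER_CARDS = {
    "4111111111111111": {"active": True, "expiry": "12/27", "phone": "+380501234567"},
    "4000000000000002": {"active": False, "expiry": "01/25", "phone": "+380671112233"},
}
OTP_TTL_SECONDS = 300      # assumed validity window for the 4-digit OTP
OTP_MAX_ATTEMPTS = 3       # assumed attempt limit before the request is discarded
TOKEN_BIN = "499999"       # constructed token BIN so DPANs are distinguishable from FPANs


@dataclass
class TokenRequest:
    request_id: str
    fpan: str
    requestor: str          # e.g. "wallet:google" (DWP) or "merchant:shop.example" (online store)
    otp: Optional[str] = None
    issued_at: float = 0.0
    attempts: int = 0


class TokenService:
    """Simplified TS: owns the token vault (DPAN -> record), pending requests and the issuer channel."""

    def __init__(self) -> None:
        self.vault: dict = {}
        self.pending: dict = {}
        self.issuer_outbox: list = []   # (phone, otp) pairs handed to the issuer for SMS delivery

    def request_token(self, fpan: str, requestor: str) -> dict:
        """Stages 2-4: the requestor sends card data, TS asks the issuer; wallets additionally get an OTP."""
        card = ISSUER_CARDS.get(fpan)
        if card is None or not card["active"]:          # issuer refuses: unknown or inactive card
            return {"status": "DECLINED"}
        req = TokenRequest(secrets.token_hex(8), fpan, requestor)
        if requestor.startswith("wallet:"):
            req.otp = f"{secrets.randbelow(10000):04d}"   # 4-digit OTP generated by the TS
            req.issued_at = time.monotonic()
            self.pending[req.request_id] = req
            self.issuer_outbox.append((card["phone"], req.otp))   # stage 5: OTP passed to the issuer
            return {"status": "OTP_REQUIRED", "request_id": req.request_id,
                    "phone_hint": card["phone"][-4:]}
        # Online-store flow: issuer confirmation is enough, no OTP step before the DPAN is created.
        return {"status": "TOKENIZED", "dpan": self._activate(req)}

    def confirm_otp(self, request_id: str, entered: str) -> dict:
        """Stages 6-8: the DWP forwards the code the customer typed; TS compares it with its own value."""
        req = self.pending.get(request_id)
        if req is None:
            return {"status": "UNKNOWN_REQUEST"}
        if time.monotonic() - req.issued_at > OTP_TTL_SECONDS:
            del self.pending[request_id]
            return {"status": "EXPIRED"}
        req.attempts += 1
        if not hmac.compare_digest(req.otp, entered):   # constant-time comparison
            if req.attempts >= OTP_MAX_ATTEMPTS:
                del self.pending[request_id]
                return {"status": "LOCKED"}
            return {"status": "INVALID"}
        del self.pending[request_id]                    # the OTP is single-use
        return {"status": "TOKENIZED", "dpan": self._activate(req)}

    def _activate(self, req: TokenRequest) -> str:
        """Create a fresh DPAN that never equals the FPAN and record its binding to the requestor."""
        while True:
            dpan = TOKEN_BIN + "".join(str(secrets.randbelow(10)) for _ in range(10))
            if dpan != req.fpan and dpan not in self.vault:
                break
        self.vault[dpan] = {"fpan": req.fpan, "requestor": req.requestor, "status": "ACTIVE",
                            "expiry": ISSUER_CARDS[req.fpan]["expiry"]}
        return dpan
```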

Payment Process Using Token

The process of paying for a purchase or service using a token begins with transmitting the unique token to the merchant. The trading platform can be an online store or a POS terminal. The most common option is a POS terminal, used in retail networks to accept payments from physical cards (the actual card number) or from digital wallets (on smartphones, watches, rings, etc.).
Digital wallets are the most common way of paying with a token in retail networks. The token is securely transmitted to the seller with one tap, over the NFC interface between the digital wallet and the POS terminal.
We are already familiar with the main participants in the tokenization process, but new participants also take part in the payment process.

Participants in token payment process:

Cardholder (Customer)
the payment card holder who already has a tokenized card in the Google Pay digital wallet.
Digital Wallet Provider DWP (GooglePay)
the digital wallet provider that supports card tokenization technology and token payments in the payment card acceptance network.
Merchant
the retail store where a POS terminal is used to accept payments.
Tokenization Service
the payment system's tokenization service, which stores the actual card data (FPAN) and the corresponding unique token (DPAN). It processes all requests against the token vault (where the token-to-PAN mapping is stored) and vouches for who requested the token.
Online Payment and Settlement Service in the IPS
VisaNet (VISA) and Banknet (Mastercard) are global processing networks that execute and authorize electronic card payments, combining technology, infrastructure and innovation for fast and secure transactions between banks, merchants and cardholders worldwide.
Issuer Bank
the bank that issues the various card products and supports card tokenization technology. The issuer bank responds to authorization requests from the IPS against customer accounts for purchase operations, confirming the availability of funds on the card account and debiting the transaction amount from the account.
Acquirer Bank
provides businesses (retail networks) with acquiring services, allowing merchants to accept cashless payments from buyers using bank cards or other electronic payment methods (digital wallets, wearable gadgets). The acquirer connects the necessary equipment (e.g., POS terminals), processes transactions, requests authorization from the card issuer bank and credits the money to the merchant's settlement account.

Token payment process stages:

Fig. Purchase payment at POS terminal using digital wallet.
  1. Token transmission to the merchant POS terminal: instead of the FPAN card data, the merchant receives the DPAN token, which is used for the subsequent transactions.
  2. Payment processing by the acquirer bank: with each payment, the merchant transmits the token to the acquirer bank's processing system, and the acquirer bank then forwards the transaction to the IPS payment system.
  3. IPS (VisaNet, Banknet): the payment system detects that a DPAN is used in the purchase transaction and sends a de-tokenization request to the Tokenization Service. After receiving the FPAN, it sends the request with the actual card number to the issuer bank to debit the funds.
  4. Tokenization service: the tokenization service de-tokenizes the DPAN into the actual FPAN card data and returns it to the IPS.
  5. Issuer bank: the issuer bank receives the request with the FPAN from the IPS; after the transaction completes successfully the bank confirms the payment, and the customer receives a notification of the successful purchase.
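Stages 2-5 above as an added Python example that is not part of the article: the IPS recognizes a DPAN, asks the TS to de-tokenize, and only the issuer leg ever handles the FPAN; the TS also refuses a token that is suspended or presented outside the device or merchant it was issued for, which is what binding a token to one device or merchant means in practice. The vault contents, the balances and the use of a plain device identifier in place of the wallet's token cryptogram are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthRequest:
    pan: str                  # DPAN presented by the wallet, or FPAN from a physical card
    amount: float
    merchant_id: str
    device_id: Optional[str] = None   # wallet device identity; stands in for the token cryptogram here


class PaymentNetwork:
    """Simplified IPS + TS + issuer for one authorization; vault and ledger are constructed samples."""

    def __init__(self, vault: dict, balances: dict) -> None:
        self.vault = vault            # DPAN -> {fpan, status, domain}
        self.balances = balances      # FPAN -> available funds (issuer side)
        self.audit: list = []         # what acquirer/merchant-facing logs would contain

    @staticmethod
    def mask(pan: str) -> str:
        return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

    def detokenize(self, req: AuthRequest):
        """Stage 4 (TS): return the FPAN only for an ACTIVE token used inside its bound domain."""
        rec = self.vault.get(req.pan)
        if rec is None:
            return None, "TOKEN_NOT_FOUND"
        if rec["status"] != "ACTIVE":
            return None, "TOKEN_" + rec["status"]
        kind, bound_id = rec["domain"]
        presented = req.device_id if kind == "device" else req.merchant_id
        if presented != bound_id:
            return None, "DOMAIN_MISMATCH"      # token replayed from another device or merchant
        return rec["fpan"], "OK"

    def issuer_authorize(self, fpan: str, amount: float) -> str:
        """Stage 5 (issuer): funds check and debit against the real account."""
        balance = self.balances.get(fpan)
        if balance is None:
            return "DECLINED_NO_ACCOUNT"
        if balance < amount:
            return "DECLINED_INSUFFICIENT_FUNDS"
        self.balances[fpan] = balance - amount
        return "APPROVED"

    def authorize(self, req: AuthRequest) -> str:
        """Stages 2-5: acquirer forwards the request, IPS spots a DPAN, TS detokenizes, issuer decides."""
        self.audit.append(f"acquirer->ips pan={self.mask(req.pan)} amount={req.amount:.2f} "
                          f"merchant={req.merchant_id}")
        if req.pan in self.vault:
            fpan, reason = self.detokenize(req)
            if fpan is None:
                self.audit.append(f"ts reject pan={self.mask(req.pan)} reason={reason}")
                return reason
        else:
            fpan = req.pan               # physical card: the FPAN travels as-is
        result = self.issuer_authorize(fpan, req.amount)
        self.audit.append(f"issuer result={result}")   # the FPAN is never written to this log
        return result


def sample_network() -> PaymentNetwork:
    """Constructed state: one FPAN with a phone token, a suspended watch token and a merchant token."""
    fpan = "4111111111111111"
    vault = {
        "4999990000000011": {"fpan": fpan, "status": "ACTIVE", "domain": ("device", "phone-A1")},
        "4999990000000029": {"fpan": fpan, "status": "SUSPENDED", "domain": ("device", "watch-B2")},
        "4999990000000037": {"fpan": fpan, "status": "ACTIVE", "domain": ("merchant", "shop.example")},
    }
    return PaymentNetwork(vault, {fpan: 150.00})


def fpan_leaked(net: PaymentNetwork, fpan: str) -> bool:
    """Check the acquirer-visible audit trail for the real card number."""
    return any(fpan in line for line in net.audit)
```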

Tokenization Features (card information transmission)

Digital wallet providers have refined the procedure for adding a card to a digital wallet over several years, and several card transmission options are now in use. The main goal of these changes is to minimize input errors, speed up the transfer of card information, simplify it for the customer and, most importantly, eliminate certain stages of the tokenization process.
1. Manual card entry

Manual entry of the card number in the digital wallet interface. Customers often make mistakes during entry, or forget which phone number they registered with the issuer bank as their financial number. After the card number is entered, the customer verification and authentication procedure at the issuer bank follows.
2. Push / In-App Provisioning

Entry through the issuer bank's application. The card data preparation function in the bank application allows payment card issuers to provide data to digital wallets directly from the issuer application to the DWP application through the smartphone operating systems, iOS and Android.
Customers find this transmission method very convenient because it avoids errors during manual entry, and issuers consider in-app provisioning an effective component of DWP interaction.
For the customer, tokenization through the application looks very simple: the customer presses the "Add to Apple Wallet" or "Add to Google Wallet" button, and the process begins. Since the process starts and ends in the application, it runs without entry errors. The user receives the finished result without additional authentication parameters or risk parameter analysis, since the customer has already been authenticated in the issuer bank application.
3. Tap to Add Card

Card reading via NFC. The Tap-to-Add Card feature is a new solution that allows the cardholder to contactlessly tap their card on their mobile device to transmit the card data to the digital wallet.
In addition to simplifying the process and eliminating manual entry errors, the Tap-to-Add Card feature generates a one-time code that is included in the card addition request message and can be verified by the TS. This procedure exists in Visa.
4. Multi-Device Provisioning

Creating a token from an existing token. The Visa Multi-Device Provisioning Solution (MDPS) gives users a simpler way to link a card saved in a digital wallet to a new and/or additional device.
This solution addresses the high failure rate when cardholders attempt to link cards to updated devices or add cards to additional devices. In this tokenization variant the CVV2 verification stage is skipped and the linking process is simplified. It will allow issuers to increase token usage and penetration into digital wallets, which may lead to a larger number of active tokens and cards on more devices.

Customer Identification and Authentication

In the IPS, this cardholder identification and authentication procedure is called Identity & Verification (ID&V). It is mandatory, is part of the card tokenization process and is performed before the token is generated.
Several authentication options are used: SMS (OTP) to the customer's phone, a customer call to the issuer bank, or confirmation in the issuer bank's mobile application. In addition, biometrics (Face ID, fingerprint) on the smartphone are usually used. Such a scheme is considered to provide multi-level protection.
Currently the Token Service supports the following step-up authentication methods:
Call center:
the issuer provides a phone number that is displayed in the user interface of the token-requesting solution. The cardholder is prompted to contact the issuer to activate the token. After successful ID&V verification of the cardholder, the issuer notifies the TS that the token needs to be activated, through the token lifecycle management system or other existing interfaces.
Mobile banking application authentication:
issuers can implement this method by integrating a special specification into the issuer's mobile banking application. Cardholders who have installed the issuer's mobile banking application can authenticate by logging into it. After successful authentication the issuer sends a lifecycle request or an encrypted payload to activate the token. Upon confirmation the TS activates the token and sends a message to the requesting party's mobile wallet for device activation.
One-time password (OTP):
the one-time password is generated by the TS and transmitted to the issuer. The issuer sends it to the cardholder over a communication channel (email or an SMS message to the mobile phone number). After receiving the one-time password, the cardholder enters it in the digital wallet user interface. The DWP then transmits the OTP to the tokenization service (TS). If it matches the initial value generated by the TS, the token is activated.
The main goal of the identification procedure is to be confident that the person initiating the tokenization request is the cardholder who requested the token.
The identification procedure is used to confirm the card and account information (that the PAN is an active card, that the expiry date is current, and that the CVV2 security code matches), and so to be confident that it is the cardholder who initiates the tokenization request.
Within this process, the Tokenization Service connects to the issuer bank (or the issuer's processor) in one of two ways:
  • through the existing ISO connection with the issuer bank and its authorization system;
  • through an API interface with the issuer bank and its authorization system.
If the identification and verification parameter checks are positive, the process moves to the token generation stage.
In addition, the ID&V process includes a risk management tool that allows issuers to apply rules and make risk decisions when processing token provisioning requests. The risk management procedure evaluates the data provided by the Token Requestor to determine the risk associated with each request. Issuers create and manage their own card tokenization rules, taking the risks into account, to assess the probability that the customer attempting to tokenize a card into a digital wallet is indeed the cardholder.
Issuer banks are required to support step-up authentication methods, which are applied when the risk-based provisioning rules require additional authentication. A bank may have financial risk parameters or apply other risk assessment rules, and based on these indicators it may request additional authentication.
Issuer banks are required to support at least two different step-up authentication options: one primary and one (or several) additional. One of the options must be the call center. The primary option is always shown to the cardholder during activation, typically SMS/OTP to one of the customer's phones. If there are several phones, the interface displays the last 4 digits of each and the customer must choose one.
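An added illustration, not from the article, of how an issuer's risk rules and the step-up requirements above could be expressed in code: the configuration check enforces at least two authentication options with the call center among them, the decision returns APPROVE, STEP_UP or DECLINE, and a step-up response lists the primary option (SMS/OTP) together with the last four digits of each phone on file. The rule thresholds, field names and method names are constructed assumptions.

```python
from dataclasses import dataclass

REQUIRED_METHOD = "CALL_CENTER"        # one of the supported options must be the call center


@dataclass
class IssuerIdvConfig:
    """Issuer-side ID&V setup (constructed): supported step-up methods and cardholder contact data."""
    methods: list                       # e.g. ["SMS_OTP", "MOBILE_APP", "CALL_CENTER"]
    phones: list                        # phone numbers on file for the cardholder
    call_center_number: str
    new_card_days: int = 30             # assumed rule: cards younger than this need step-up

    def validate(self) -> list:
        """Return the list of rule violations; an empty list means the setup is acceptable."""
        problems = []
        if len(set(self.methods)) < 2:
            problems.append("fewer than two authentication options")
        if REQUIRED_METHOD not in self.methods:
            problems.append("call center option missing")
        if "SMS_OTP" in self.methods and not self.phones:
            problems.append("SMS_OTP offered but no phone on file")
        return problems


@dataclass
class TokenRequestRisk:
    """Data the Token Requestor and the issuer contribute to the risk decision (constructed fields)."""
    requestor: str
    card_age_days: int
    card_blocked: bool = False
    device_score: int = 100             # 0-100, higher is more trusted; assumed scale
    prior_token_deleted_for_fraud: bool = False
    authenticated_in_issuer_app: bool = False   # push / in-app provisioning path


def mask_phone(phone: str) -> str:
    """Show only the last 4 digits, as the wallet UI does when several phones are on file."""
    return "*" * (len(phone) - 4) + phone[-4:]


def decide_idv(risk: TokenRequestRisk, cfg: IssuerIdvConfig) -> dict:
    """Return APPROVE, STEP_UP or DECLINE plus the options the wallet interface should show."""
    if cfg.validate():                                  # fail closed on a non-compliant issuer setup
        return {"decision": "DECLINE", "reason": "issuer ID&V configuration invalid"}
    if risk.card_blocked or risk.prior_token_deleted_for_fraud:
        return {"decision": "DECLINE", "reason": "card or prior token flagged"}
    if risk.authenticated_in_issuer_app:                # customer already authenticated in the bank app
        return {"decision": "APPROVE", "reason": "authenticated in issuer application"}
    reasons = []
    if risk.card_age_days < cfg.new_card_days:
        reasons.append("new card")
    if risk.device_score < 60:
        reasons.append("low device score")
    if not reasons:
        return {"decision": "APPROVE", "reason": "risk rules passed"}
    primary = "SMS_OTP" if "SMS_OTP" in cfg.methods else cfg.methods[0]
    options = {m: None for m in cfg.methods}
    if "SMS_OTP" in options:
        options["SMS_OTP"] = [mask_phone(p) for p in cfg.phones]   # customer picks one by last 4 digits
    options[REQUIRED_METHOD] = cfg.call_center_number
    return {"decision": "STEP_UP", "reason": ", ".join(reasons), "primary": primary, "options": options}
```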

Token Lifecycle Support

The token lifecycle management tool or another LCM interface manages the token in the Visa Token Vault storage and in the requesting party's solution (e.g., in the mobile application on the consumer's device in the case of a mobile wallet). After the Visa Token Service has issued a token, the requesting party and the issuer must maintain lifecycle management of the token. Changes to the account (PAN) or to the token require lifecycle management events.

Token lifecycle management events include:

Token activation (Activate):

some token types may be pre-provisioned before cardholder verification has completed successfully; this event lets the TS be notified that the token needs to be activated once cardholder verification succeeds.

Delete:

the issuer can initiate a DELETE operation on behalf of the consumer (e.g., in case of device loss) or for internal risk protection and customer protection purposes. This action permanently blocks the token-to-PAN mapping. The cardholder can also DELETE the token directly through the user interface of the application that requested it; the token requestor then initiates the deletion on behalf of the cardholder, and the issuer receives a token deletion notification from the TS.

Suspend:

the issuer can initiate a suspension to temporarily deactivate the token (e.g., while the customer is travelling or in case of suspicious activity). This action does not permanently delete the token. The mobile application can also initiate a suspension based on internal service interaction.

Resume:

the issuer can initiate token resumption (after a SUSPEND event) so that the account parameters become available again for payment and top-up.

Update PAN Expiration:

when the expiration date of a tokenized PAN changes, the issuer is required to provide the TS with the new expiration date. The TS updates the date in the token vault, extending the validity period of the token and PAN combination.

Update PAN:

when the issuer changes the underlying PAN associated with an active token, it must notify Visa of the new PAN information. Visa then updates the token-to-PAN mapping in the Visa token vault. This maps the new PAN to the existing token and relieves the cardholder of the need to delete and re-register an active token.

Issuer banks can also use additional lifecycle management requests:

Token Inquiry:
Issuer requests list of all tokens for specific PAN or PAN identifier.
Token Inquiry Detail:
Issuer requests token details for specific token.
Lifecycle management is performed using the Token Lifecycle Management (TLCM) tool, ISO messages sent through the issuer's existing connection with the TS, or other API interfaces that the TS may support. Issuers must support at least one interface and must execute all lifecycle requests.
Which events are usually associated with token lifecycle management commands?
  • smartphone theft;
  • smartphone replacement;
  • card loss;
  • planned period of not using card;
  • smartphone repair;
  • suspicious payment activities;
  • adding card to stop-list;
  • bank account closure.
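The lifecycle events above as an added Python model that is not part of the article: a small vault that enforces which transitions are valid (RESUME only after SUSPEND, DELETE is terminal), applies Update PAN and Update PAN Expiration without changing the DPAN so the cardholder need not re-register, and answers Token Inquiry and Token Inquiry Detail requests. The INACTIVE pre-provisioned state, the record fields and the sample values are constructed assumptions.

```python
from dataclasses import dataclass, field

TRANSITIONS = {                      # event -> (allowed source states, resulting state)
    "ACTIVATE": ({"INACTIVE"}, "ACTIVE"),
    "SUSPEND": ({"ACTIVE"}, "SUSPENDED"),
    "RESUME": ({"SUSPENDED"}, "ACTIVE"),
    "DELETE": ({"INACTIVE", "ACTIVE", "SUSPENDED"}, "DELETED"),   # terminal: no way back
}


@dataclass
class TokenRecord:
    dpan: str
    fpan: str
    expiry: str
    requestor: str
    status: str = "INACTIVE"        # pre-provisioned tokens wait for ID&V before activation
    history: list = field(default_factory=list)


class TokenVault:
    """Simplified LCM interface of a TS: state changes, PAN updates and inquiry calls."""

    def __init__(self) -> None:
        self.tokens: dict = {}

    def provision(self, dpan: str, fpan: str, expiry: str, requestor: str) -> TokenRecord:
        rec = TokenRecord(dpan, fpan, expiry, requestor)
        self.tokens[dpan] = rec
        return rec

    def apply(self, dpan: str, event: str, actor: str) -> str:
        """Activate / Suspend / Resume / Delete; returns the new status or raises on an invalid move."""
        rec = self.tokens[dpan]
        allowed, target = TRANSITIONS[event]
        if rec.status not in allowed:
            raise ValueError(f"{event} not allowed from {rec.status}")
        rec.status = target
        rec.history.append(f"{event} by {actor}")
        return rec.status

    def update_pan_expiration(self, dpan: str, new_expiry: str) -> None:
        rec = self.tokens[dpan]
        rec.expiry = new_expiry                  # extends the token/PAN combination validity
        rec.history.append(f"UPDATE_PAN_EXPIRATION {new_expiry}")

    def update_pan(self, old_fpan: str, new_fpan: str, new_expiry: str) -> list:
        """Issuer reissued the card: re-map every live token to the new PAN, keeping the DPANs."""
        updated = []
        for rec in self.tokens.values():
            if rec.fpan == old_fpan and rec.status != "DELETED":
                rec.fpan, rec.expiry = new_fpan, new_expiry
                rec.history.append(f"UPDATE_PAN -> {new_fpan[-4:]}")
                updated.append(rec.dpan)
        return updated

    def token_inquiry(self, fpan: str) -> list:
        """Issuer asks for all tokens of a PAN: (DPAN, status) pairs."""
        return [(r.dpan, r.status) for r in self.tokens.values() if r.fpan == fpan]

    def token_inquiry_detail(self, dpan: str) -> dict:
        r = self.tokens[dpan]
        return {"fpan_last4": r.fpan[-4:], "expiry": r.expiry, "requestor": r.requestor,
                "status": r.status, "history": list(r.history)}

    def usable_for_payment(self, dpan: str) -> bool:
        """What de-tokenization would check first: only an ACTIVE token may be paid with."""
        rec = self.tokens.get(dpan)
        return rec is not None and rec.status == "ACTIVE"
```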

Security and Risk Control

The main advantage of tokens is protection against card data leakage: a token cannot be used outside the specific portable device or digital wallet.

Tokens are used for secure storage and repeated use of payment data, for example, for lists or payments in e-commerce. This increases security and convenience of online payments. Customer doesn't need to enter card data, they simply indicate token reference.

Payment systems apply cryptography, suspicious transaction monitoring and require compliance with PCI DSS, PCI SSS standards.

Token Payment Applications Today

Tokens are already actively used today in various service schemes, such as:

POS terminals and NFC: for contactless payment in stores with smartphone or smartwatch, making transaction more secure and very fast.

Mobile applications and online stores: instead of entering card data into service, token is substituted, which is unique for specific application or merchant, reducing risk of data leakage.

Wearable devices: smartwatches, bracelets and even fitness trackers allow paying for purchases without card and phone, all thanks to built-in tokenization.

Tokenization Benefits for Participants

Overall, main tokenization benefit for all participants is combination of security and convenience, which simultaneously reduces risks and opens new opportunities for payments in various spheres.

Cardholder (Customer):

  • Personal data protection — card number is not transmitted to merchant.
  • Reduced risk of fraud and data theft.
  • Convenience: payment with smartphone, watch, bracelet or other device.
  • Ability to use unique token only on specific device or with specific merchant.

Merchant:

  • Lower risk of card data leakage, therefore - lower security costs.
  • Reduction in fraudulent transactions and chargebacks.
  • Increased customer trust and payment conversion.
  • Simplified recurring payment management for online platforms (subscriptions, services).

Issuer Bank and Payment Systems:

  • Reduced fraud level.
  • Increased customer loyalty through convenience and security.
  • Ability to offer new products (tokenization for IoT, cars, subscriptions).

Technology Providers (Visa, Mastercard, Apple, Google):

  • Ecosystem expansion and penetration into new segments (IoT, cars).
  • Creating additional tokenization-based services.

Current Trends and Future of Tokenization

Looking ahead, tokens will go beyond classic payments and be used in new spheres. In cars, built-in payment services will allow securely paying for fuel, parking, bridge tolls and toll roads. In the Internet of Things, household appliances and smart devices will be able to place orders and make payments automatically. Tokens will also become a key tool for managing subscriptions and recurring services, ensuring secure payment for streaming platforms, delivery and other regular services.

Tokenization is gradually transforming from a card protection tool into a universal technology for use in a wide range of industries wherever a customer (person) needs to make a payment.

Looking ahead, we can also expect tokens to be linked with digital currencies (CBDCs, stablecoins). All this may become reality very soon.