Sometimes we read certain words and have only a vague notion of what they mean but, not willing to invest the time necessary to understand their full import, we gloss over them. Personally, I know I do this while reading industry publications for background research. I'll encounter a word and just zip by it without fully understanding the context or implications of what the author is trying to say.
The term "tokenization" has become exactly this type of buzzword, and it stands at the intersection of several important industries. It is an important term for both investors and consumers to learn. There are few concepts more important today than tokenization when it comes to protecting sensitive data like our personal identification information and credit card numbers.
What is tokenization?
Put simply, tokenization is the process of substituting an important and sensitive piece of data with a non-sensitive equivalent. The new non-sensitive data now being used in the sensitive data's place is the "token". The token is usually a randomly or algorithmically generated alphanumeric code. Retail and payment industry businesses are turning to tokenization to protect important pieces of information like your credit card's primary account number (PAN), because it offers important advantages over other protective techniques like encryption.
Tokenization is especially valuable considering the number of data breaches that have occurred at businesses and banks in recent years. If a hacker breaks into a company's database where your credit card information is stored, the thief will be able to use your information to make all kinds of purchases. Even worse, the crook can sell your information on the web to other fraudsters. However, if the same hackers break into a database and find only tokens instead of credit card numbers, the tokens are worthless to the thieves and your personal data is still safe.
Consider this over-simplified illustration: Imagine a thief breaking into a Chuck E. Cheese location and stealing a bag full of tokens. It would be absolutely pointless! The tokens are worthless outside of the establishment's location and can't be used to purchase goods or services anywhere else. The same is true with tokenization. The tokens stored in a database to represent your PAN or another piece of sensitive data are worthless to anyone else.
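An added example (not part of the original article and not any vendor's code): a minimal in-memory token vault in Python, showing that a breached merchant database holding only tokens reveals no card numbers. The TokenVault class, the tok_ token format, and keeping the last four digits in the token are assumptions made for illustration.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum carried by card numbers; rejects mistyped input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical token service: the only place where PANs are stored."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        valid = pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19
        if not (valid and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:       # same card always maps to same token
            return self._token_by_pan[pan]
        while True:
            # Random token: no mathematical link to the PAN, so there is no
            # key whose theft would reveal it. Last four digits kept for
            # receipts (an assumption of this example).
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._pan_by_token:   # retry on collision
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # A real service would restrict this call to the payment processor.
        return self._pan_by_token[token]

def demo():
    vault = TokenVault()
    pan = "4111111111111111"   # constructed sample: a test number, not a real card
    merchant_db = {"customer_42": vault.tokenize(pan)}   # merchant stores the token only
    stolen = dict(merchant_db)   # everything a breach of the merchant would yield
    return vault, pan, stolen
```

The stolen dictionary contains only the token; recovering the card number requires access to the vault itself, which is the system that needs the strongest protection.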
This diagram, provided by Square Inc and reproduced here with permission, also illustrates the concept well:
The advantages of tokenization
With data encryption, this same kind of protection isn't available. Even with end-to-end encryption, there are several places within the system where data has to be decrypted and re-encrypted. These data transfer points are all susceptible to a system hack. There is also a possibility with encryption that the encryption key could be compromised, leaving all encrypted data vulnerable to being stolen.
Tokenization also makes it much cheaper and easier for retailers to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a standard established and maintained by the major payment networks including American Express, Discover, JCB International, Mastercard, and Visa. The standard was created to expand the acceptance of credit cards and decrease fraud. Any merchant wishing to accept card payments must meet this standard. However, since no card or bank account data is stored by retailers with tokenization, not all the regulations apply.
Finally, tokenization can be universally used with any type of payment, technology, or piece of information. So it not only works when credit cards are swiped or inserted at the point-of-sale, but can also be used with NFC payments like Apple's Apple Pay and Alphabet's Android Pay, gift cards, and ACH payments.
Applications of tokenization
There are several ways merchants and consumers use tokenization today to make transactions more secure. For instance, when a credit card is loaded into either Apple Pay or Android Pay, Apple or Google sends the information to the issuing bank or payment network to ensure the card is legitimate. The payment network or card issuer then sends Apple or Google back the token in place of your credit card's PAN. Once this takes place, a fraudster cannot use the information stored on the app for fraudulent purposes.
Merchants can also use tokenization for online purchases. If your credit card is stored on a retailer's website, and that website suffers a data breach, no information can be compromised and then fraudulently used if only tokens were kept by the retailer in place of the actual credit card information. Furthermore, if this were to happen, the consumer would not have to order a replacement card because their card was never compromised.
Tokenization is becoming an increasingly important tool to prevent fraud and materially affects companies spread out across the retail, payments, and financial industries. No one wants to be a shareholder in a company when it becomes the latest example on the nightly news of a corporation that didn't take the proper safeguards to protect its customers' data. As consumers, it's important to know how the companies we conduct business with plan to secure our important personal information. That's why understanding what tokenization means and how it works can help us become better investors and consumers.