Here's what payments professionals need to know about card-on-file tokenization

Thursday 21 October 2021 07:16 CET | Editor: Anda Kania | Voice of the industry

Jason Bohrer, Executive Director at U.S. Payments Forum, outlines the considerations for tokenizing card-on-file credentials and the ways tokenization can improve payment security.

As the payments industry continues to explore ways to minimise risk and increase the security of payment data, there has been a substantial migration away from storing primary account numbers (PANs), since stored PANs significantly increase a business's security risk and fall within the scope of PCI DSS compliance.

This migration has stimulated increased interest in tokenization as an alternative. Tokens mask and protect cardholder data with a non-sensitive replacement value, used at various points in the transaction lifecycle to provide enhanced security. If the payment environment were to be compromised, a token would not reveal any cardholder information, rendering it valueless to threat actors. This is why tokenization has become more prevalent in the payments industry. 

The robust security that tokenization can add to payment data both at rest and in transit can be a useful addition for card-on-file credential management. As with any security measure for payments, there are many considerations to utilising tokenization solutions for cards on file, and industry stakeholders should evaluate the differences among their options, as well as how the solutions can meet their business objectives and resource constraints. 

Considerations for tokenizing cards-on-file 

First and foremost, when evaluating options for tokenizing cards-on-file, merchants or their technology providers must consider the changes and upgrades they may need to make for implementation. Tokenized card-on-file solutions require participants to conform to specific technical requirements to obtain, use, and manage tokens over their lifecycles. As such, merchants may need to modify and certify their systems to support each specific tokenized solution they choose. 

The chosen solution should also be evaluated based on the transparency of data. Token formatting is an important consideration, as merchants may need to adapt their systems for tokens that do not conform to traditional card numbering standards. For customers, who are not generally aware of the token value, card-on-file credentials should be presented on the merchant website in a manner familiar to the customer. And for back-office processes, such as handling merchandise returns and managing loyalty programmes, merchants should involve their acquirers and technology providers early in the process and frequently throughout to ensure that the final implementation meets their expectations. 

For some merchants, tokenizing cards-on-file can also be beneficial in reducing their PCI obligations related to storing highly sensitive data including payment credentials. Some card-on-file tokenization solutions enforce transactional security measures to reduce the risk that a token, if compromised, can be used at unrelated merchants. For example, token use may be limited to only those merchants that originally requested the token or may use a transaction-specific cryptogram for validation during the authorisation process to identify potentially fraudulent transactions.

Once tokens have been provisioned, the state of tokens and their associated PANs must be maintained. Depending on the type of change, either the issuer or the merchant creates the initiating event that results in a lifecycle management change. The most common issuer-initiated lifecycle management events include PAN change, expiration date change, and account closures. Depending on the type of change, the Token Service Provider (TSP) may make a corresponding modification to any associated card-on-file tokens and notify the token requestor to update their information accordingly.

The most common merchant-initiated lifecycle management event occurs when a customer chooses to delete a stored credential from their merchant profile. In cases where the token type is a merchant- or acquirer-generated token, lifecycle management updates generally occur as the result of optional network-based account updater and real-time account updater services. 
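The domain restriction described above (a token usable only by the merchant that requested it) and the issuer- and merchant-initiated lifecycle events can be seen together in a small token-vault model. This is an added illustration, not code from the article or from any real TSP; the `TokenServiceProvider` class, its method names and the sample PAN values are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class TokenRecord:
    pan: str            # real PAN, held only inside the TSP vault
    expiry: str         # "MMYY"
    requestor_id: str   # merchant that requested the token (domain restriction)
    active: bool = True

class TokenServiceProvider:  # toy model, not a real TSP API
    def __init__(self) -> None:
        self.vault: Dict[str, TokenRecord] = {}
        self.notifications: List[Tuple[str, str, str]] = []  # (requestor, token, event)

    def provision(self, pan: str, expiry: str, requestor_id: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random: a leaked token reveals nothing about the PAN
        self.vault[token] = TokenRecord(pan, expiry, requestor_id)
        return token

    def detokenize(self, token: str, requestor_id: str) -> Optional[str]:
        # Domain restriction: only the requestor that obtained the token may use it.
        rec = self.vault.get(token)
        if rec is None or not rec.active or rec.requestor_id != requestor_id:
            return None
        return rec.pan

    def _issuer_event(self, pan: str, event: str, apply: Callable[[TokenRecord], None]) -> int:
        # Issuer-initiated change: update every token mapped to the PAN and notify its requestor.
        hits = [(t, r) for t, r in self.vault.items() if r.pan == pan]
        for token, rec in hits:
            apply(rec)
            self.notifications.append((rec.requestor_id, token, event))
        return len(hits)

    def issuer_pan_change(self, old_pan: str, new_pan: str) -> int:
        return self._issuer_event(old_pan, "PAN_CHANGE", lambda r: setattr(r, "pan", new_pan))

    def issuer_account_closure(self, pan: str) -> int:
        return self._issuer_event(pan, "ACCOUNT_CLOSED", lambda r: setattr(r, "active", False))

    def requestor_delete(self, token: str, requestor_id: str) -> bool:
        # Merchant-initiated: the customer removed the stored credential from their profile.
        rec = self.vault.get(token)
        if rec is None or rec.requestor_id != requestor_id:
            return False
        del self.vault[token]
        return True
```

The merchant's own database holds only the `tok_...` value, which is what keeps the stored credential out of PCI scope and useless to an attacker who only obtains the merchant's data.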

The decision to use one or more card-on-file tokenization solutions may be influenced by applicable TSP business requirements, including debit routing. For example, for a TSP solution, related security features or support may only be available if tokenized transactions are routed to a specific network. It’s important for acquirers and merchants to adjust business processes and practices to identify tokens and determine where transactions can be routed before implementing a tokenized card-on-file strategy.

Identifying solutions that meet business needs

Tokenization for card-on-file credential management can be an excellent way to provide better payment security, and industry stakeholders have many options for solutions. These options can be analysed with regards to how they can best meet business needs. 

When it comes to tokenization for card-on-file, it is important to keep in mind all the considerations for implementation. These include technology changes, data transparency, lifecycle management, PCI scope, and debit routing support. There is no one best solution, but there are many solutions that, with proper evaluation, can meet a determined set of business goals.

Portions of this article were excerpted from, ‘Card-on-File Tokenization Considerations, Including Debit Routing’, a white paper developed by the Debit Routing Working Committee at the U.S. Payments Forum. As well, this article is part of the Payment Methods Report 2021 – Latest Trends in Payment Preferences, a comprehensive overview of the payment methods in scope for 2021, as well as best practices for checkout optimisation and customer conversion by addressing digital transformation, security, and localisation.

About Jason Bohrer

Jason Bohrer has served as the Executive Director for the Secure Technology Alliance and the U.S. Payments Forum since December 2020. Prior to joining the Alliance and the Forum, Mr. Bohrer cultivated a successful 27-year career in domestic and global roles focused on sales, operations and product innovation at companies such as CPI Card Group, HID Global and Motorola, Inc. He has been actively involved with several key technology transitions across multiple industries, including the contact and contactless EMV transitions in the U.S. payments industry and the adoption of smart card and mobile technologies in the global access and identity market.

About U.S. Payments Forum

The U.S. Payments Forum is a cross-industry body focused on supporting the introduction and implementation of emerging technologies that protect the security of, and enhance opportunities for, payment transactions within the US. Topic areas the Forum engages in include EMV implementation, tokenization, card-not-present transactions, encryption, and mobile and contactless payments.

Keywords: tokenization, card-on-file, card scheme, security token, PCI compliance
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World