Advertiser Disclosure

Credit Card Tokenization: Here’s What You Need to Know

Oct. 13, 2014
Credit Card Basics, Credit Cards
At NerdWallet, we strive to help you make financial decisions with confidence. To do this, many or all of the products featured here are from our partners. However, this doesn’t influence our evaluations. Our opinions are our own.

The way we pay for our stuff is likely to change significantly in the next five years. With the U.S. transition to EMV already underway and the expected rise in the popularity of mobile payment systems, the plastic transactions we make today will soon be a distant memory.

As a result, we all need to get knowledgeable about what’s new. For example, one point of confusion for many folks is tokenization. What is it, and how will it improve payment security? Don’t worry, the Nerds are here with everything you need to know.

1. What is tokenization?

In general, to “tokenize” something means to turn it into something else. This new thing represents the original thing, but is unrecognizable or unusable outside of a certain context.

Think about when you go to a fair and purchase tokens to play the games. The token represents your money. You can use the tokens for corn hole, ski ball or perhaps buy a funnel cake, but you can’t use them once you leave the fair. The tokens have no value outside of that specific event.

2. How does tokenization work when it comes to my credit card?

When used in credit card transactions, tokens are created to replace your card number. The token in this case would be a string of seemingly nonsensical letters and numbers, which represent your 16-digit account number. The token, rather than your actual credit card number, would be used to complete the purchases you’re making with your card.

This improves payment security immensely. In a typical credit card transaction, there are lots of opportunities for your account number to be exposed – one nefarious worker at the point of sale could see your credit card number, memorize it, then use it to go on a shopping spree. Likewise, a hacker could skim your data at some point while it’s being processed, then sell it on an underground market.

But if a token – rather than your account number – is passing through all the systems involved in authorizing your transaction, your payment information stays safe. The token can only be “unlocked” when it has reached its final destination, the payment processor. Until then, it’s meaningless to anyone who might encounter it.

Again, it’s kind of like the tokens at the fair. If you’re carrying around leftover tokens at the mall and one gets stolen from you, the thief can’t use it to pay for a new outfit. It has no meaning or value outside of the fair.

3. Who will benefit from credit card tokenization?

In short – everyone.

Let’s start by looking at consumers. Aside from the relief that comes with knowing your payment data is less likely to get hacked in the first place, there’s also a convenience factor involved if a theft, loss or data breach occurs. This stems from the fact that multiple tokens can be issued for the same payment card.

Right now, if your credit card gets stolen, you have to cancel it with your issuer, wait for a new one to arrive, then update your payment information with every entity where you have the card’s data on file. Your automatic bill payments, your Amazon, Netflix and Uber accounts – it all has to be changed.

But let’s say tokenization was the standard and you’re using a mobile wallet to pay for all your stuff. If your phone gets lost or stolen, you’ll just need to cancel the token that’s representing your credit card number on the device. There’s no need to cancel the tokens that are linked to all your other accounts, because they’re different from the one that’s gone missing.

From the standpoint of merchants, credit card issuers and payment networks, the decreases in data theft and fraud will decrease the cost of doing business in the long run. Breaches are expensive, and many retailers and banks have experienced huge profit losses as a result of hackings. Tokenization will help minimize this.

» MORE: How to dispute fraudulent credit card charges

4. When can I expect credit card tokenization to become the norm?

It’s hard to say. In October 2013, Visa, MasterCard and American Express introduced an outline for a global security standard for online payments. A key element in the standard is payment card tokenization.

But as with the adoption of EMV technology, merchants, banks, payment networks and consumers all need to be on board. Because moving to tokenization would require some parties (merchants and banks) to make expensive upgrades to their hardware and software, some have resisted.

However, it’s likely that tokenization will become the norm for both online and in-store credit card transactions soon.

5. Where can I find examples of credit card tokenization today?

Apple Pay. If you purchase an iPhone 6 or iPhone 6 Plus and load your credit card information onto the device, each of your credit card numbers will be tokenized and stored on the phone’s secure element. When you make purchases with it, the token will be used in place of your card number. This is just one reason that Apple Pay is expected to become one of the safest ways to use your credit card.

Tokens image via Shutterstock