Insert One: Credit Card Tokenization

CoreCommerce is proud to announce a new partnership with best-in-class payment services provider, CardConnect. What makes CardConnect different from all the other payment services providers? As anyone who has been involved in eCommerce knows, the customer experience and customer convenience are extremely important in closing sales online. And a huge part of customer convenience is simplifying and expediting the checkout process. 

CardConnect offers a patented “card on file” feature, which allows customers to store a credit card for future use in your online stores. The next time your customer places an order, he won’t be bogged down by having to run and get the credit card.  He can simply select the saved credit card (which will be identified by the last four digits of the credit card number in his shopping cart) and confirm his order. 

As a result, the checkout process (especially on mobile devices) is simpler and quicker than ever before! But, what about PCI compliance? What about security? CardConnect’s “card on file” technology is powered by a process called “tokenization.” Curious to learn more about tokenization? Alycia Gilbert answers all your questions below in her blog post, “Insert One: Credit Card Tokenization.” Interested in learning how you can sell more and grow your business with the “card on file” feature from CardConnect? Simply give us a call at (615)550-5513 or fill out the request for more information below.


Insert One: Credit Card Tokenization

When credit cards are mentioned in online retail, you’ve probably heard “tokenization” and “data encryption” thrown around. And like any intimidating words involving money, they seem to blur into the same half-intuitive, half-jargonny concept. So when you have to decide how your online store will handle sensitive information like credit card numbers, it’s easy to be intimidated. If there’s one thing you want to protect as an online company, it’s your customers’ bank accounts. And what’s the big difference between tokenization and encryption? Isn’t this a case of potato/potahto?

Screen_Shot_2016-08-19_at_9.40.07_AM.pngBritney Spears, contemplating the process of data encryption.

As it turns out, tokenization and encryption are two entirely different processes. And going into an important decision like this, you should know how to make the best choice for your company. We’re prepared to make a bang-up argument that’s pro tokenization. But we’ll cover both before we start playing favorites, don’t worry.

Let’s start with the PCI.

PCI.png Don’t let that VBS-friendly font fool you, the PCI is serious business

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that must be fulfilled by all companies that handle credit card information in any way. There are two solutions that fulfill these PCI standards: data encryption and credit card tokenization.


Data encryption uses an algorithm (we’re not sending you back to high school math class, we promise, just stick with us for a bit) to translate credit card information into ciphertext, which is text that isn’t readable—a string of nonsense. An encryption key is then used to convert that ciphertext into a usable form—back to a credit card number. It’s effective, and it’s used throughout the Internet, both by companies with their own built-in operating systems and by people who use third parties. 

Screen_Shot_2016-08-19_at_9.43.33_AM.pngIn this image, plain text=credit card number. The credit card # goes in, becomes jibberish, and then is turned back into a credit card #

There’s a major downside: if the key used to decrypt the data is leaked or stolen, it’s down with the ship. Everything that was secured through that key can be decrypted, and the proverbial credit card cat is out of the bag. All of those credit card numbers are ready for the taking. So it’s recommended that decryption keys are rotated frequently to prevent the keys from getting into the wrong hands. The threat of hackers still looms, but these preventative measures make it far less likely for successful theft to occur.

So what’s up with credit card tokenization, and why does it sound like a grown up version of Chuckie Cheese’s?


Well, it’s not quite as fun as Ski-Ball, but tokenization is a clever and highly recommended solution to the credit card conundrum. The International Data Group describes tokenization this way:

“With tokenization, credit and debit card data is encrypted at the point where it is captured and sent to the merchant’s payment processor where the data is decrypted and the transaction is authorized. The processor then issues a token representing the entire transaction back to the retailer while the actual card number itself is securely stored in a virtual vault.

The retailer can use the token to keep track of the transaction and handle refunds, returns, exchanges and other transactions. The token itself would be of little value to data thieves because there would be no way to link the token back to the PAN without the decryption key.”


That’s a lot of words. To put it simply, tokenization replaces your customer’s credit card number with a token piece of data—a random string of numbers, letters, etc.—that can then be decrypted by your company’s payment processor into the actual information needed for the transaction. It’s that last bit of the description from the IDG that’s important; since the credit card number is immediately turned into a token, data thieves can’t use it.  There’s no key to steal. There’s no way for them to connect that token to a specific credit card.

So why do we think that tokenization is a better choice?

While both tokenization and encryption have some drawbacks, tokenization is a better fit for smaller companies. And if you’re here reading this, you’re probably not Walmart or BestBuy in middle-to-small-market disguise (if you are: welcome). The biggest drawback to tokenization is outsourcing, which requires some trust. For bigger companies with a lot of sensitive information, it can be a lot more tempting to rely on your own resources and stay within your own business. For smaller companies, outsourcing transfers a lot of the responsibility for security to someone else. And since small and mid sized companies are less likely to have the same electronic manpower as a big market business, it can be helpful, even necessary, to outsource on credit card security.

The outsourcing bit does mean that you’ll need to find a company that’s able to provide tokenization services.  CoreCommerce is proud to announce that we are partnering with CardConnect, a best-in-class payment processing provider. CardConnect securely stores the consumer’s card number and expiration number then issues a token associated with that card. CoreCommerce stores that token on your website so when your customer checks out, they see the last four (4) digits of a previously used card number – it looks like this “XXXX-1234”. The customer just chooses that tokenized card to pay.

Which brings us to another point for tokenization: token storage. The Payment Card Industry doesn’t allow actual credit card numbers to be stored on a retailer’s online store. Thank God. I wouldn’t want one impulse buy on Amazon to leave a doorway to my bank account for any MIT dropout to hack their way through. But when you have an account set up with a company’s website, you expect that you’ll get to bypass the annoying process of typing in your credit card information every single time you want to make a purchase. Tokenization allows for indefinite token storage, which means that your business can offer an easier checkout experience for your customers.

Finally and most importantly, tokenization also means that the actual credit card information itself isn’t ever transmitted after the actual transaction. Again, it’s just safer.  In fact, there’s even been a push toward tokenization because of its safety benefits.

You don’t need a decoder ring or a decryption key to see what our stance is on tokenization for small and mid-market businesses. But now that you’ve heard a bit about it, why not send a piece of data our way? Tell us whether or not you think tokenization’s best for your company in the comments below!



CardConnect’s mission is to make payments simple and secure. Everyday, more than 60,000 businesses, ranging from Fortune 500 companies to youthful startups, use CardConnect to securely process and manage their transactions. On Nasdaq: “CCN”

Please follow & like us!

Leave a Comment

You must be logged in to post a comment.