Payments security 101: Explaining payment tokenization | Reap

Payments security 101: Explaining payment tokenization


3 min read

We recently talked about how PCI (with the help and influence from different monetary authorities) govern the security standards related to the processing, transmission, and/or storage of credit card data. Next, we want to dive a bit further on the security implications of tokenization for online payments specifically.

Payments security 101: Explaining payment tokenization

As you can imagine, the process of transmitting payments data in a completely digital environment without physical interaction presents both opportunities and challenges when it comes to privacy and security. We’ll try to provide some high-level context on a few trendy, buzz-wordy topics below. We’ll most likely do a deep dive on specific topics in the future so if there are any specific areas you’d like to learn more about, please email us any time!

What is credit card tokenization?

We, and most other ecommerce stores, use a process called tokenization to capture your credit card information and ensure it is processed in a secure and compliant manner. Tokenization adds an extra level of security and ensures that no sensitive credit card details ever touch our servers. On our side, your card details are never fully revealed and we only see basic information like the last 4 digits of your credit card, expiration date and card brand. Your primary account number (PAN) is automatically replaced with a series of randomly-generated numbers called the token. These random tokens (unique to each card) are used for processing the actual payment as the actual card number is held safely in a secure token vault.

With tokenization, your credit card information is safe even in the presence of a security breach (knock on wood!). If you are shopping on HKTV Mall or Lazada, your personal credit card information is safe even if their internal system is hacked. As with Reap, the retailer may never actually see or store the entire raw credit credit card number so if the system is attacked by a hacker, (which may happen even for larger companies like in the Home Depot breach, for example), all the culprit would see are randomly-generated tokens. In case you were wondering, tokens are also unique on a merchant by merchant perspective — this means that even if one merchant has a security, you would need to disable your card on Reap as you’ll have a different token in all of the different places you’ve made a payment to.

A few commonly asked questions around tokenization

How does it work for recurring payments?

If you’re a subscriber to common consumer apps like Netflix or Spotify, you should be familiar with subscription payments. Similar to one-off purchases, online platforms can also reference the same token for future recurring transactions as well. One a customer’s card details are tokenized, they’ll be referenced and the card would be charged automatically in the next billing cycle.

How do you ensure that data is passed securely?

To reduce the risk of your credit card details being compromised during the transmission process, Reap’s payment pages are secured using Transport Layer Security (TLS). Next time when you log into your favourite website, check the website URL for “HTTPS” instead of just “HTTP”. This is how you know that the website is securely transmitting data from the app/browser to their server.

What’s the difference between tokenization and encryption?

Tokenization is typically used for online ecommerce transactions (including those on Reap!) and replaces sensitive credit card details with a randomly generated token. Encryption is applicable for in-person physical retail (ie. coffee shop, Apple store) transactions and as the name suggests encrypts credit card details when it is swiped through the POS terminal.

Both methods are typically used by merchants to reduce the scope of PCI compliance.
Tokenization can be a pretty complicated topic, but given the widespread adoption of this security measure in the payment industry, it raises the baseline security measurements related to the processing of payments.