Tokenization Moves Beyond Payments to Personal Privacy

In 2014, Visa introduced its tokenization service, allowing customers to pay for goods and services without giving away their credit card details.

A decade later, the shift to tokenization has become a great success. The company has issued more than 10 billion tokens, which typically replace a card number in a digital wallet, such as Apple Pay or Google Pay. These tokens — fueled more than $40 billion in e-commerce transactions in the past year, according to Visa, accounting for 29% of all transactions processed by the financial giant. Perhaps even more significantly, tokens see 60% less fraud, leading to the prevention of more than $650 million in fraud in the past year, the company said.

The success is driven by the security technology's ease of use, with digital wallets playing host for most consumers' tokens, says Mark Nelsen, senior vice president and head of consumer platform products for Visa.

"Merchants like it because you get less abandonment, you get higher conversion rate, and, oh, you get lower fraud at the same time," he says. "It seems simple in theory, but there's a lot of technology — as you can imagine — behind the scenes that makes it work at scale."

The tokenization of digital payments has arguably been the greatest success to date for the pseudonymous technology. But the future holds new applications, including the increase of user privacy and the decrease of data loss in case of breach.

What's Accelerating Tokenization

In 2020, Visa marked the issuance of its 1 billionth token, a milestone that took six years to reach. Social distancing during the pandemic and consumers' greater comfort with the technology accelerated adoption, leading to 9 billion more tokens created for payment cards in the past four years, according to the financial giant.

The next great push for tokenization will be to improve privacy and data quality, Nelsen says. Passkeys are essentially a tokenization technology that replaces a password with an authentication process using a user's device and, typically, a biometric.

In the future, Visa aims to make tokenization even more widespread, replacing more user data with tokens. The upcoming Visa Token Service can be used to protect nearly any data, including sensitive data, and gives consumers full control over with whom they share their data. At any point in time, the consumer could log into their issuer's banking app, see all of the places where they have shared their data, and revoke some of those permission, Nelsen says.

"Because it's tokenized, they now have life cycle management, and so they could say to the bank, 'Hey, I want to disable or revoke access to my data for these merchants because they don't need to have access to my data anymore,'" he says. "We think it creates a really nice framework for how we could manage data going forward."

The company plans to launch its first Visa Token Service pilots later this year.

How Tokenization Hides Data

While tokenization of nonpayment data has gradually grown in popularity, especially as the discipline of data science has taken off over the past decade, managing the process is often complex.

Unlike encryption, tokens can directly replace sensitive data, adhering to the data format so that legacy systems can store the data. Financial institutions, for example, can use tokens to replace credit cards because a 16-digit token can be generated and stored in the place of the 16-digit account number.

A combination of tokenization and encryption can help companies comply with regulations and protect sensitive data, says Brent Johnson, CISO at Bluefin, a data security firm.

"Without an authenticated API to 'detokenize' the data and decode the token, the token is useless to hackers," he says.

Vaulted or Vaultless Tokenization?

Most businesses are data pack rats — throwing away perfectly good data is antithesis to their strategy. Yet keeping data around poses risks in the case of a data breach. So companies typically use one of two methods of tokenization: Vaulted systems store the mapping of tokens to data in a vault but allow employees to use the tokenized version, while vaultless systems use an encryption-like mapping that can restore data for authorized users.

There is no reason for companies to leave nontokenized data around, says Todd Moore, global head of data security products at Thales, a data protection firm.

"Tokenization should be a part of an organization's overall security strategy, [but] encryption and associated key management remains the best way to protect long-term sensitive data," he says. "Many global privacy regulations recognize the combination of using encryption and tokenization, like pseudonymization, as an adequate form of data protection."

Tokenization should not just be used for databases but also to mask privacy-regulated data with tokenization, which can help companies retain some use of the information while meeting their regulatory obligations, says Bluefin's Johnson.

In fact, by pushing tokenization out to the user's machine, companies can make their data life cycles more secure, he says.

"Companies should ... use tokenization to immediately tokenize data upon entry into a Web form or e-commerce page, further extending its use beyond protecting data in storage," Johnson says. "Vaultless tokenization provides the easiest way to secure an organization's data as most of the organization's systems will never see the original data strings, and only a very few, limited, heavily controlled systems are allowed to transform tokens back to sensitive data."