How Tokenization Works

In a non-tokenized environment, multiple parties handle and store customer data, including the card/Direct Debit account number, for each transaction. The merchant receives the information, stores it in its own database, and transmits it to its processor with the transaction request, as shown in Figure 1-5 for card information. Although the data may be accessed and transmitted only once, as in the case of a Sale transaction, it is frequently transmitted multiple times to complete a single sale, as in the case of an Auth followed by a Capture or several partial Captures. Local storage and repeated transmission of the information create additional possible breach points where a malicious third party could compromise it.

FIGURE 1-5 Card Information Flow in Non-Token Environment

In a tokenized environment, transmission of customer data ideally occurs a single time and the merchant never stores it locally, as shown in Figure 1-6 for card data. Once the account number is registered, either with a registerTokenRequest or by submitting the account number (or low value token, when using eProtect) with any supported transaction, Worldpay returns a (high value) token. You store the token locally and use it for all future transactions concerning that account. Worldpay takes responsibility for storing and safeguarding the account information.

The difference between card data flow and Direct Debit data flow is that the entities upstream of Worldpay are different. The operation remains the same from a merchant standpoint.

FIGURE 1-6 Card Information Flow in Tokenized Environment
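
The two flows described above can be compared side by side in a small simulation. This is an added example, not Worldpay code: StubProcessor, the tok_ token format, and all function and field names are hypothetical stand-ins, and the account number is a constructed test value. It counts how often the raw account number crosses the wire for an Auth followed by a Capture, and scans the merchant's local records for Luhn-valid card numbers.

```python
import re
import uuid

PAN_RE = re.compile(r"\b\d{13,19}\b")
TEST_PAN = "4111111111111111"  # constructed sample: a test number, not a live card

def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_stored_pans(records):
    """Return (row, field) for every stored value that looks like a card number."""
    return [(i, k) for i, rec in enumerate(records) for k, v in rec.items()
            if any(luhn_ok(m) for m in PAN_RE.findall(str(v)))]

class StubProcessor:
    """Hypothetical stand-in for the processor side; not Worldpay's API."""
    def __init__(self):
        self.vault = {}             # token -> account number, processor side only
        self.pan_transmissions = 0  # times a raw account number was received

    def register(self, account_number):
        self.pan_transmissions += 1
        token = "tok_" + uuid.uuid4().hex  # constructed token format
        self.vault[token] = account_number
        return token

    def transact(self, kind, amount, token=None, account_number=None):
        if account_number is not None:
            self.pan_transmissions += 1
        elif token not in self.vault:
            raise KeyError("unknown token")
        return {"kind": kind, "amount": amount, "approved": True}

def non_tokenized_auth_capture(proc, db, account_number, amount):
    db.append({"customer": "c-1", "account": account_number})  # stored locally
    proc.transact("auth", amount, account_number=account_number)
    proc.transact("capture", amount, account_number=account_number)

def tokenized_auth_capture(proc, db, account_number, amount):
    token = proc.register(account_number)  # the single transmission
    db.append({"customer": "c-1", "token": token})  # only the token is stored
    proc.transact("auth", amount, token=token)
    proc.transact("capture", amount, token=token)
    return token
```

A scan like find_stored_pans can also be run over real merchant-side records or logs to confirm that no account numbers remain in local storage after moving to tokens.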