Tokenization

Electronic transactions can be tokenized for selected electronic payment gateways.

Tokenization is used most commonly for automatic payments, such as installment billing or payments, or recurring gifts. In a tokenized solution, the initial authorization of a credit card has netFORUM sending the credit card number to the payment gateway (over TLS). If the authorization is successful, the gateway stores the customer's credit card number or account number in the gateway (sometimes described as a vault) and returns to netFORUM a token which references that particular card or ACH account. Supposing that the customer intended for that same card or account to be used to make installment payments, then netFORUM can make subsequent payments to the gateway by using the token that was returned in the initial authorization. This means that netFORUM does not need to store the credit card or the account number, even in an encrypted format.

Note: netFORUM does save and display the routing number for ACH accounts, but not the account number. For credit cards, netFORUM saves and displays only the masked credit card number.

If tokenization is not enabled, then in the sequence of steps described above, netFORUM must store the credit card number in an encrypted format. An end user will never be able to see the complete card number in clear text, because the application never decrypts the number in the user interface (although netFORUM also stores a masked card number for easy reference, such as 44XX-XXXX-XXX-7864). In the non-tokenized solution, when an installment is paid automatically through netFORUM, the application decrypts the encrypted credit card number and makes a new authorization and capture to the payment gateway with that credit card number.

For a good overview of how tokenization works generally, with a helpful diagram, see Tokenization – Secure Payment Data. In the diagram, you'll see boxes for Application Server and Database -- these would represent netFORUM. The Customer icon represents the user who enters the credit card number into the application in iWeb, eWeb or via an xWeb integration.

What is a Token?

A token, also known as a reference transaction, enables an application like netFORUM to store a reference to a credit card or an ACH account instead of needing to store the actual credit card number or account number in an encrypted format in the application's database. Using tokens reduces the application's liability if this sensitive data is stolen.

The token is usually an alphanumeric string. The token format in netFORUM is a 36-character GUID.

Implementing tokenization

Selected payment gateways in netFORUM support tokenization. See PaymentAPI_iWeb for a list of those that do. Once you enable the system option to select the gateway that supports tokenization, then you may begin using tokens.

See Credit Card Vault for information about creating saved tokenized payments in netFORUM.

Switching Payment Gateways

If you use tokens with one gateway and want to switch to a different gateway, the tokens issued by the first gateway will generally not be recognizable or transferable to the new gateway. Check with your gateway representative to be sure.

FAQ

Q: When will you support reference transactions with PayPal?

A: As of 9/27/2013, we are working with an implementation partner on the finishing touches of PayPal reference transactions. When that is complete and tested, we will bring it into baseline netFORUM. We do not have a firm date on this but we anticipate early 2014.

Q: Why doesn't my gateway support tokenization?

A: Some gateways support tokens, and some do not.

Some netFORUM gateway integrations with payment gateways that do support tokens have not been coded yet in netFORUM to implement the gateway's token feature. We are working to convert existing payment gateway integrations to use a tokenized solution if the payment gateway offers it.

Q: What is the difference between tokens, reference transactions and vaults?

A: A token is the code that a payment gateway provides to a payment application like netFORUM as a way to reference a stored credit card in that gateway. A token is a secure way of interacting with the gateway because if the value of that token is ever compromised, the token is basically of no value to the thief: it can only be used against the particular merchant account and gateway in which it was generated. A thief cannot use that token to buy anything anywhere else. The token is typically a scrambled string of letters and numbers.

A reference transaction is a financial transaction from which subsequent transactions can be derived. This is a term that PayPal uses.

A vault is a generic term that is often used to describe the gateway's repository of tokens. For example, one might say, "The Acme gateway is a vaulted solution that uses tokens."
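The tokenized flow described under Tokenization, together with the merchant-scoping property from the answer above, can be sketched as follows. This is an added example, not netFORUM or gateway code: `MockGateway`, `Application`, `mask_pan`, the merchant IDs and the mask layout are all hypothetical, and the card number is a constructed test value.

```python
import uuid

def mask_pan(pan: str) -> str:
    """Keep the first two and last four digits for a masked display value."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:2] + "X" * (len(digits) - 6) + digits[-4:]

class MockGateway:
    """Hypothetical gateway: its vault is the only place the card number lives."""
    def __init__(self):
        self._vault = {}  # token -> (merchant_id, card number)

    def authorize_and_tokenize(self, merchant_id, pan, amount):
        # Initial authorization: the card number is sent once (over TLS in practice).
        token = str(uuid.uuid4())  # 36-character GUID string
        self._vault[token] = (merchant_id, pan)
        return {"approved": True, "token": token, "amount": amount}

    def charge_token(self, merchant_id, token, amount):
        # A token is honored only for the merchant account that created it.
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:
            return {"approved": False, "reason": "unknown token for this merchant"}
        return {"approved": True, "amount": amount}

class Application:
    """Stand-in for the payment application: stores only the token and the mask."""
    def __init__(self, gateway, merchant_id):
        self.gateway, self.merchant_id = gateway, merchant_id
        self.saved_payments = {}  # customer -> {"token": ..., "masked": ...}

    def first_payment(self, customer, pan, amount):
        result = self.gateway.authorize_and_tokenize(self.merchant_id, pan, amount)
        if result["approved"]:
            self.saved_payments[customer] = {
                "token": result["token"], "masked": mask_pan(pan)}
        return result["approved"]

    def pay_installment(self, customer, amount):
        # Later installments send the token, never the card number.
        token = self.saved_payments[customer]["token"]
        return self.gateway.charge_token(self.merchant_id, token, amount)["approved"]

def demo():
    gateway = MockGateway()
    app = Application(gateway, merchant_id="merchant-A")  # constructed merchant ID
    pan = "4111111111111111"  # constructed test number, not a real account
    app.first_payment("cust-1", pan, 50)
    record = app.saved_payments["cust-1"]
    installment_ok = app.pay_installment("cust-1", 50)
    # The same token presented under a different merchant account is declined.
    other_ok = gateway.charge_token("merchant-B", record["token"], 50)["approved"]
    return record, installment_ok, other_ok
```
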

See Also

PCI Compliance

Tokenization in Wikipedia