Card-on-File Tokenization Considerations, Including Debit Routing
Publication Date: April 2021
The payments industry continues to invest in payment solutions that can minimize risk and increase data security. As the payments ecosystem migrates away from storing primary account numbers (PANs) due to the risk potential, the use of ‘tokens’ provides increased security.
Tokens are essentially replacement PANs used either at rest (i.e., stored) or in transit, with values that can mask and protect cardholder information. Tokens can be utilized at various points within the transaction life cycle. Payments industry stakeholders need to understand tokenization implementation considerations, including debit routing, for card-on-file environments. To assess stakeholder impact, the implementation environments and the tokenization process for each card on file with a PAN must be considered. The impact may differ depending on a particular tokenization solution.
This white paper provides a brief overview of different card-on-file tokenization solution options and stakeholder considerations for each, including debit routing. These options and considerations take into account the perspective of each payments industry stakeholder: acquirers, issuers, merchants, and payment networks. The options discussed in the white paper include:
- Card-on-file (with PAN)
- Merchant tokenization
- Merchant service provider/vendor tokenization
- EMV® payment tokenization
- Combination of card-on-file (with PAN) and EMV payment tokenization
- Combination of multiple EMV payment tokenization solutions
Other options not included in this paper may be or may become available.
Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, any of which requirements may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.