Card tokenization is the process of protecting sensitive data by replacing it with secure, surrogate data, called a token. To add a payment card to a digital wallet, the card's sensitive data (i.e., the PAN, CVV2, and expiration date) must be replaced with a token that serves as a reference to the card. When a digital wallet uses a card for a payment, it provides only the token, without exposing any of the original card details.
There are several paradigms for implementing card tokenization, depending on which entity generates the tokens and stores the card data on behalf of the digital wallet. The Marqeta platform supports network tokenization, which means that the card network (e.g., Visa or Mastercard) generates the tokens.
Benefits of digital wallets and card tokenization
Key advantages of supporting payments with digital wallets include:
- Broad acceptance – Tokenized cards are valid at any merchant who accepts that digital wallet.
- Increased security – Fewer systems have access to sensitive data, and the card network can implement tight controls and validations.
For security reasons, each network token is exclusive to both a digital wallet and a device (phone, laptop, etc.). For example, a network token requested by Apple Pay on an iPhone cannot be used by a Google Pay digital wallet or by an Apple Watch. The token can be used only by Apple Pay on the particular iPhone on which it was requested.
These are the key participants in network tokenization:
- Card Network – (e.g., Visa or Mastercard) provides services for creating, storing, and managing tokens.
- Issuer-Processor – (Marqeta) issues the payment card from which the token is derived, and must approve each request to provision tokens for these cards. This approval process requires integration and certification with tokenization services at the card network.
- Digital Wallet – (e.g., Apple Pay or Google Pay) requests and stores tokens for payment cards. Digital wallets undergo certification in order to utilize network tokenization services, allowing them to request and make purchases with tokens.
- Card holder – owns the card that will be or has been tokenized. Card holders provide their card data to a digital wallet, which then contacts the card network and requests a token for the card.
Marqeta platform objects
To support digital wallet tokens, the Marqeta platform models card holders as user objects, cards (both physical and virtual) as card objects, and network tokens as digital_wallet_token objects. A user object can be associated with multiple card objects (the number of cards that can be simultaneously active depends on your program settings). A card object can be associated with multiple digital_wallet_token objects, any number of which can be active. Each digital_wallet_token is associated with only one card. This design allows card holders to add the same card to multiple digital wallets and devices.
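The following sketch models the card-to-token relationship and the wallet and device exclusivity described above. It is an added illustration, not Marqeta or card network code: the class names, field names, state values, and identifiers are hypothetical, and the binding is modelled as a simple field comparison.

```python
import secrets
from dataclasses import dataclass, field

# All field names, state values and identifiers below are hypothetical.

@dataclass
class DigitalWalletToken:
    token: str        # random surrogate; contains no PAN, CVV2 or expiry
    card_token: str   # each token belongs to exactly one card
    wallet: str       # wallet that requested the token
    device_id: str    # device the token was requested on
    state: str = "ACTIVE"

@dataclass
class Card:
    card_token: str
    user_token: str   # owning user; a user may hold several cards
    wallet_tokens: list = field(default_factory=list)

class TokenService:
    """Toy stand-in for the card network's token store."""

    def __init__(self):
        self._tokens = {}

    def provision(self, card, wallet, device_id):
        # Every request yields a new token, so one card can sit in many wallets and devices.
        dwt = DigitalWalletToken(secrets.token_hex(8), card.card_token, wallet, device_id)
        card.wallet_tokens.append(dwt)
        self._tokens[dwt.token] = dwt
        return dwt

    def resolve(self, token, wallet, device_id):
        """Return the card reference only if the token is active and presented
        by the wallet and device it was issued to; otherwise None."""
        dwt = self._tokens.get(token)
        if dwt is None or dwt.state != "ACTIVE":
            return None
        if (dwt.wallet, dwt.device_id) != (wallet, device_id):
            return None
        return dwt.card_token

if __name__ == "__main__":
    svc = TokenService()
    card = Card("card_constructed_01", "user_constructed_01")
    phone = svc.provision(card, "APPLE_PAY", "iphone-1")
    watch = svc.provision(card, "APPLE_PAY", "watch-1")
    print(svc.resolve(phone.token, "APPLE_PAY", "iphone-1"))   # bound pair
    print(svc.resolve(phone.token, "GOOGLE_PAY", "iphone-1"))  # wrong wallet
    phone.state = "SUSPENDED"                                  # e.g. lost phone
    print(svc.resolve(watch.token, "APPLE_PAY", "watch-1"))    # unaffected
```

Because each token is a separate object tied to one card, disabling the token on one device leaves the same card usable in the card holder's other wallets and devices.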