Tokenization simply means that the client's account information is replaced by a secure series of randomly-generated numbers (the token) that can only be used by the merchant's location. The token cannot be reverse engineered, decrypted, or stolen by a hacker or a rogue employee. The token is designed to keep digital theft from occurring such as the Home Depot Data Breach.
The token is sent to the processing gateway. The gateway company makes sure that the token is correct, the card is correct and send the information to the processing company. After that the processing continues as normal. The approval or decline comes back and the transaction is completed.
Tokenization allows a merchant to keep a client's card on file in a secure manner without any of the technical concerns involved with encryption. Merchants who tokenize a client's card for recurring memberships have the option to allow the card to be used On File. This means the stored token can be used to pay for register transactions in the salon. Security can be set to limit the employee access to this payment method. By default it is not activated.
While token are highly secure, there are some restrictions with working with them imposed by the processing system.
- The same processing location cannot process the same amount on a card within a certain time frame. This is controlled by the credit card issuer and can be anywhere from 30 minutes to 24 hours. To get around this, the next charge can be discounted a penny or an additional .01 cents in prepaid can be charged to the same card.
A different card can be used.
- Some cards cannot be tokenized such as pre-paid cards. Some credit unions will restrict tokenization by default requiring the client to authorize the card to be tokenized.
- Tokenized credit card must be a chip enabled card card through the chip reader. The processing account can be set up to allow manual entry. In those cases the billing zip code and CVV code must be entered. This is a security requirement to help reduce fraud.
- Cards with chips require the chip to be used in a chip reader. The swipe can normally only be used after 3 failed chip insertions.
- The more secure SalonTouch will only work with stored tokens.