Who Cares About Tokenization?

In Insights, Mobile Solutions, Tokenization by Neil Livingston

There’s been a lot of recent press coverage about tokenization. But what is it, how does it work, and who stands to benefit?


Carta recently launched its new tokenization platform. Tokenization has become big news in the world of payments, but what does it actually mean?

Above all, it enables enhanced security and convenience.


Plastic payment cards typically have a 16–19-digit card number—or PAN (Personal Account Number)—printed on the front. Tokenization substitutes an alternative number—or token PAN—for use during a transaction. The two PANs are linked by a Tokenization Platform. Tokenized credentials act as a proxy, in place of actual consumer payment card credentials, so real credentials are never exposed during payment transaction processing.

How does it work?

In line with the EMVCo Payment Tokenization Specification Technical Framework, our platform creates, issues and processes tokenized card credentials.

Acting as Token Service Provider (TSP), Carta’s platform allows card issuers, merchants, wallet service providers and other payment service enablers to request tokenized card credentials, for use in place of consumer payment card credentials. Those credentials can be deployed both to mobile devices that rely on a hardware Secure Element (SIM or embedded SE), and to devices supporting cloud-based payments with Host Card Emulation (HCE).

The platform integrates with the major payment networks to process the credentials—performing cryptogram validation, fraud management, and finally de-tokenization to recover the original payment card credentials which are sent on to the payment card issuer for account-level validation.

Carta has developed a mobile payment application SDK to make it easy for Issuers and wallet service providers to develop their own mobile payment applications that leverage our Tokenization Platform.


Why tokenize?

Cardholders have been using their plastic card credentials to pay for things for decades now. So why introduce tokenization?

Tokenization offers many benefits compared to the traditional use of original payment card credentials, including additional layers of security and convenience over and above plastic card PANs.

For example:

The original plastic card PAN is never stored in a device, so if a handset is lost or stolen, or if those proxy credentials are somehow compromised, that tokenized PAN can quickly and easily be suspended. There’s no impact on the original plastic card PAN or any other devices that map back to the same card.

The same plastic card can be tokenized any number of times, for any number of devices. Users can switch tokenized credentials on and off, update them, and keep different tokenized PANs on each device.

For added security, token PANs can be limited, by design, in terms of where and how they can be used. For example, it’s possible to limit a token to a particular device, location, merchant or payment channel (online only, NFC only, etc.), or to specify spend thresholds. These constraints can be checked and validated during the payment transaction, to mitigate fraudulent use.
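The three properties above can be seen in a toy token vault, shown here as an added Python example that is not Carta's code or part of the original article: one card is tokenized twice, one token is suspended, and device, channel and spend constraints are checked before de-tokenization. The class and field names, the token format and the sample PAN are assumptions; cryptogram validation and fraud management are left out.

```python
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str              # real PAN; stored only inside the vault
    device_id: str        # device this token is bound to
    channels: frozenset   # permitted payment channels, e.g. {"nfc"}
    spend_limit: int      # per-transaction threshold in minor units
    active: bool = True


class TokenVault:
    """Toy mapping table between token PANs and real PANs (hypothetical)."""

    def __init__(self):
        self._records = {}

    def tokenize(self, pan, device_id, channels, spend_limit):
        # Constructed token format: 16 random digits. No BIN range or
        # Luhn check digit is modelled here.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, device_id, frozenset(channels), spend_limit)
        return token

    def suspend(self, token):
        # Only this token is disabled; other tokens for the same PAN stay usable.
        self._records[token].active = False

    def detokenize(self, token, device_id, channel, amount):
        """Return (pan, "ok") if every constraint holds, else (None, reason)."""
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        if not rec.active:
            return None, "token suspended"
        if device_id != rec.device_id:
            return None, "wrong device"
        if channel not in rec.channels:
            return None, "channel not allowed"
        if amount > rec.spend_limit:
            return None, "over spend threshold"
        return rec.pan, "ok"
```

The real PAN leaves the vault only on the final line of `detokenize`, after every restriction has passed, so a token captured on one device or channel is rejected when presented on another.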

Who benefits from Tokenization?

Tokenization gives consumers the obvious benefits of convenience and data security. But lots of players across the payment process stand to gain from Carta’s Tokenization Platform, including:

  • Issuers looking to mobilize payment card portfolios into their own branded mobile payment services. Carta’s Tokenization Platform makes it simple to develop and deliver mobile payment services to end-users, without the heavy financial investment or technical complexity normally associated with legacy mobile enablement models.
  • Wallet Service Providers looking to mobilize payment cards on behalf of issuers. Our Tokenization Platform makes it easy for WSPs to request and provision tokenized card credentials to wallet applications, and also simplifies development of the mobile wallet application itself.
  • Merchants looking to simplify data security compliance. Merchants can update their card-on-file databases, replacing payment card details with tokenized card credentials—greatly reducing the compliance hurdles arising from PCI DSS.
  • Merchants looking to drive payments through merchant-branded payment services. Carta’s Tokenization Platform allows merchants to easily develop their own branded mobile payment apps and securely mobilize their card-on-file lists.

Interested in learning more about how Carta’s Tokenization Platform can support your payment product? Talk to us.