Using a Mastercard to buy online? Here’s how tokenization works

If you own a Mastercard and you use it to make purchases online, there’s a whole process that goes on to secure the card in the form of tokenization.

It may be a mystery for some, but tokenization looks to be of greater importance as the technology continues to propagate. At its core, it’s a way to secure payment credentials. In its broadest form, it’s anonymizing those credentials with one-time numbers that otherwise make no sense. The result is supposed to be a user-friendly method of paying for things online without having to worry about a breach.

During a trip to the United States at a Mastercard facility outside St. Louis, MobileSyrup got to speak with personnel who broke down how the company actually does this.

How it works

Tokenization is based on Chip-Enabled Card Acceptance technology, better known as EMV — the same concept as chips on a credit or debit card. The idea is that every transaction is unique and personalized, masking the card number in a way where it can’t be hacked.

In other words, if you have a card in your phone for contactless payments, your card number isn’t in there, it’s a token. Apple Pay, Google Pay, Samsung Pay — all of them fall under that standard. Pull up your Apple Wallet on your iPhone and you will see a card number and ‘device account number.’ The latter is the token Apple Pay uses for transactions.

“A lot of what we talk about is trust, and with that comes the basic assumption that security and privacy come with it,” said Mark Weisman, senior vice president of security and decision products at Mastercard. “If you ask most people about Apple Pay, they probably won’t know the security behind it, and just adopted it for the convenience.”

The caveat is that not all types of merchants use the technology yet. Paying with a chip card or phone for contactless at a point-of-sale is one thing. The chip-and-PIN or contactless methods are designed to protect you in those cases.

Online purchases are different because those methods don’t apply the same way. Despite that, tokens can hide credit and debit card numbers after they’ve been added to an online retailer using the feature.

Amazon is a good example, where it uses payment processors utilizing tokenization. Your card is on file in your account, but the actual number is never used for a transaction. Ever notice they don’t ask for the CVV? There’s no need when the token takes care of it, according to Mastercard.

“When the tokens run through the network, at some point, that token gets translated back to the real card number,” explained Weisman. “If you were to call your bank, for example, and say you lost your physical card, they would change the mapping of that token to the real card so you can continue to use the same token. If you lost your phone and you were concerned, you call your bank, they can shut the token off without affecting the physical card.”

The concept of a token is the same, irrespective of OS, despite the functional differences and capabilities inherent in iOS and Android. The cryptography is the same behind the scenes, Weisman said.

Transactions with merchants

Merchants do have to pay fees to utilize these services, which might explain why they’re not omnipresent yet. And they’re not paying banks to use them, they’re paying the payment processors. That means money going to Mastercard, Visa and American Express, for instance.

But the process itself is interesting. Assuming you, as a consumer, want to do business with a specific merchant, you would be assigned a personalized token after entering your card information. Mastercard knows that token goes to that merchant, but doesn’t know your name as the cardholder. All it knows is that the token links to the card’s 16 digits.

When Mastercard communicates with your bank to confirm the transaction, the bank doesn’t know the token, but because it matches with your card, the charge goes through.

Going to another online retailer creates a different token, so each one is essentially specific between that merchant and cardholder. Further, the card issuer, retailer and cardholder don’t see it.

“Merchants may know things you provided, like an email and physical address, but they don’t have to hold the scary thing, which is the card’s full 16-digit number,” said Ron Green, executive vice president and chief security officer at Mastercard.

Large data breaches of the recent past, like those with Target, Home Depot, Sony PlayStation Network and Adobe, among others, were all the more significant because of the card data they stored that was ultimately stolen. Tokenization could help negate that because merchants wouldn’t need to store it all, he added.

Technically, this doesn’t stop someone from using a website account to make fraudulent purchases. For example, if someone got your login information for your Amazon account, they could use any payment method you have to order things. At that point, the token doesn’t change anything. It’s still there, but as far as Mastercard and your bank are concerned, you were the one looking at the screen to make the purchase — until you report it, of course.

The key in that scenario is that the hacker logged into the account with the retailer like normal. They wouldn’t need to use a stolen card to make payments. Nor would they need to steal card information from the site itself.

“Merchants keep track of what their customers are buying online, so really unusual spending might trigger a red flag,” he said. “Fraud controls vary by merchant. For Mastercard, a specific token — let’s call it ‘token 1,’ for instance — only works with that one merchant.”

‘The password has to die’

From Mastercard’s perspective, the fact all of this runs in the background is proof that it works well. It’s designed to be a seamless experience that’s convenient for both sides of the transaction, they say.

Brick-and-mortar retailers may have noted the benefit of tap-to-pay, but tokenization also works with app-based transactions. Use Apple Pay when ordering an Uber or Lyft and it’s the same thing. Neither company would have any clue what your actual credit card number is.


Two-factor, or even multi-factor, authentication may figure into this, too. It already does, given that you have to use biometrics — a fingerprint, face recognition — or PIN to approve using the payment method on a phone anyway.

“The password has to die. Security officers have people working on 8-12 character passwords requiring an upper case letter, number, symbol, and to change it every 60 days,” said Green. “That can be an annoying experience, not to mention lead to complacency. Any other method of authentication, who you are or what you have, as in we know it’s your phone and in the context we need, maybe we use that as the authenticator.”

It may take time before we consider cash and cards obsolete, but as security continues to feel convenient with every in-person or online checkout, tokens may be the invisible currency in every transaction.

Image credit: Mastercard