Providing your customers with a simple and convenient way to make online purchases is of course essential in today's ever-expanding eCommerce marketplace.

But just as important is ensuring that the credit card information your customers provide during the payment process is as safely protected from bad actors as possible. That's where tokenization technology comes in.

Tokenization is added security that you owe both to yourself and more importantly to your customers, and will also help reduce PCI scope for PCI DSS compliance certification. This service is typically offered by third-party software, usually a PCI DSS Level 1 certified payment gateway. Meaning that you will not have access to the full credit card data, only the token.

With tokenization, sensitive credit card data is replaced with a series of randomly generated numbers—called tokens—that can be passed back and forth between a merchant and their processor during the course of a payment transaction. Typically the token will be stored with the last 4 of the credit card number and the expiration date. This data, rather than the token is displayed to the consumer during checkout to confirm the payment option selection.

Unlike data that is simply encrypted, tokens are not mathematically reversible. That's because they are created randomly. They are not produced via an algorithm as is the case with most encryption technologies. In other words, with tokenization, there is no code, as such, for a hacker to break in order to gain access to customer credit card data.

Instead, when a consumer enters a credit card number either manually or via a card reader at the point of a purchase, the card number is passed into the third-party service, who is responsible for creating and communicating the token to you. The token is stored in a payment, token or customer vault. The token in a sense will now stand in for the customer's card during the payment process.

The great advantage of tokens is they enable the payment process to proceed without the sensitive information associated with a credit card from ever being exposed. Rather, actual details like bank account numbers are safely held in the token vault, and the only person who has access to the token is you, the merchant. The third-party tokenization service takes care of encrypting and storing the credit card data securely. An important reminder: when selecting a third-party vendor, check to see if you can retrieve your data if you decide to leave and move your business to another vendor.

Think of the tokens used at an arcade.

In many ways, tokenization mimics the use of tokens in an arcade. Players in an arcade exchange something of real value—money—for something that has no real value outside the arcade—a token.

The token allows players to play games within the confines of the arcade. But once a player leaves the arcade venue, the token is of no use. It can't be exchanged for anything else of real worth.

Likewise, tokenization disguises sensitive credit card data as it is passed between a customer and a merchant's payment system. But this disguised data can't be applied to any other purpose outside of the merchant's processing platform. A hacker, for example, who would get his hands on such tokenized data would have no place to exchange it for something else. It's worthless except for its ability to facilitate secure transactions within the merchant's processing system.