Tokenization has become a widely-used mechanism for processing payment transactions securely. In a typical tokenization scheme, sensitive data such as financial instrument data, is replaced with a randomly generated unique identifier called a ‘token’. During a payment transaction, this unique token is used instead of the financial instrument data. This new level of indirection prevents unauthorized parties from reverse engineering or guessing the details of the financial instrument utilized in a payment transaction. Even if the token is compromised, in many cases, it can only be utilized by a fraudster in a limited fashion, thus reducing the adverse consequences of such an exposure. For example, in case of a financial instrument such as a Credit or a Debit Card, the cardholder's primary account number (PAN) is replaced with a unique token that may retain many of the required transactional properties of the original data but not include the elements that expose a risk of potential compromise.
In typical implementations, tokens are generated by authorized entities called Token Service Providers (TSPs) often at the request of entities called Token Requestors (TR). TSPs maintain the highest levels of security and are primary facilitators of this secure ecosystem by managing token generation as well as token encrypting and decrypting services. Consequently, tokenization minimizes Payment Card Industry (PCI) compliance obligations because a merchant does not have to manage consumer financial account information and the risks associated with losing that data. Thus, tokenization increases overall security and integrity of the payment ecosystem. With the increasing acceptance of tokenization, a new problem has emerged with regard to managing reward and loyalty program in payment systems.