Token is an app that allows you to create alternative account numbers, or “tokens” to shop online without sharing your actual credit card information. Here’s how it works.
If all the recent data breaches make you pause before shopping online, a new app aims to solve your problems.
Token uses a combination of tokenization, encryption and two-factor authentication to shield card numbers from criminals.
“Token is really saying this is a problem: Data hacks are not stopping, and customers really like digital [shopping],” says Krista Tedder, director of payments for Javelin Strategy & Research.
If you are interested in giving the app a try or are already a user, here’s everything you need to know about Token.
See related: How to protect yourself against data breaches
A 19-step guide to Token
- What is Token?
- How do you set up Token?
- How does Token work?
- How old is Token?
- What happens if the token is stolen?
- Can you use Token with cards for recurring transactions?
- What kind of cards can be used with Token?
- Can you use one Token app for the whole family or does each user need their own?
- Can Token replace any other personal data?
- How does Token interact with points or miles cards when it comes to rewards?
- Do card issuers or retailers have to participate for me to use Token?
- How much does it cost? And how does Token make its money?
- What security measures does Token take with regard to card information?
- How does Token verify that a particular card is yours to use?
- How does the use of Token affect chargeback rights?
- Is the money transacted through Token protected against loss, fraud and theft?
- How do consumers contact Token directly, if they need help?
- Does Token offer its own cards?
- Do I need extra security?
What is Token?
Token is an app that substitutes an alternate number for your credit card, debit card or bank account number when you shop online, says Zohar Steinberg, founder and CEO of Token.
The goal: If the retailer is ever breached or if someone steals the virtual card number, what they gain is worthless, Steinberg says.
“Data can’t be stolen if you don’t share it in the first place,” he says.
How do you set up Token?
- Download the app – available for iPhone and Android.
- Verify your identity by providing Token with a combination of personal information, including your mobile number, a government issued photo ID (with address, full name, date of birth) and a debit or credit card with your listed billing address.
- Enter your card information and the app will store substitute card numbers (tokens) for use with different retailers.
- As far as the card issuer is concerned, each time you buy, you’re making a transaction with Token. As far as retailers are concerned, the card bank is Token.
When you want to shop using Token, you’ll need to shop from that same device. Token will verify your identity with two-factor authentication each time you shop with it.
A beta version of Token’s Chrome extension – which will allow consumers to shop from their other devices – will soon be also available, says Sam Grossman, growth marketing analyst for Token.
How does Token work?
- You link your credit card on the app one time. Then every time you make a purchase at a different merchant, you generate a new virtual card with an alternate number to use.
- You can use the same token repeatedly with the same retailer.
- Or you can ditch the token at any time after you’ve used it.
“We never store your payment information,” says Grossman. “Any payment data that you put into Token is immediately tokenized. The hash [a unique code generated on tokenization] is then sent to our payment processor who can complete the payment by matching the hash with a different unique hash in their system. Ultimately what this means is that your actual payment data is not accessible during the payment process.”
If you have concerns about a specific merchant or its database security, you can freeze the token or cancel it on the app.
How old is Token?
The app was launched in September 2018. It’s been available in a beta version since September 2017.
What happens if the virtual card is stolen?
In the event of a data breach, what happens if the virtual card is stolen instead of the card number? Why can’t thieves use it?
- Token doesn’t store your personal information on your device and it doesn’t keep your card information, says Steinberg.
- Each virtual card is valid with only one retailer, he says.
Typically, thieves who steal numbers sell or use them at third-party retailers. But whoever wanted to use the virtual card would also have to beat the two-factor authentication to use it at the one retailer where it’s valid.
Can you use Token with cards for recurring transactions?
See related: 6 free tools to stop recurring card charges
What kind of cards can be used with Token?
“Any U.S. bank account, credit card or debit card.”
Can you use one Token app for the whole family or does each user need their own?
Token is set up so that one app per device accommodates one person, says Steinberg. That person can use it with as many cards or accounts as they like.
“Token can only be connected to one device at a time,” says Grossman. This works to prevent someone from accessing your account with stolen login information.
However, there’s “a Chrome extension which can be paired to your mobile device and allows you to shop both on your computer and mobile device with the same account,” he says.
This extension is available only on request, according to the company.
Can Token replace any other personal data?
Yes, Steinberg says. It will also allow you to sub in another name, so you don’t get bombarded with spam and marketing.
How does Token interact with points or miles cards when it comes to rewards?
“Right now, it depends on the loyalty program you have,” says Steinberg. If the credit card you use pays a flat rate for all purchases, you’ll get the full reward amount.
The way Token works is that it subs in for the merchant. This means your card issuer won’t see transactions with a particular retailer. Instead, what it sees is a transaction with Token.
If your card rewards program pays different rates for certain retailers or retail categories, such as grocery stores, gas stations or restaurants, you’ll get reimbursed at the card issuer’s lowest rewards rate.
See related: Best flat-rate credit cards
Do card issuers or retailers have to participate for me to use Token?
No – and merchants won’t know you’re using it.
How much does it cost? And how does Token make its money?
The app and service are free. Token gets a percentage of the interchange fee, (which is the charge that retailers pay every time you pay with a credit card), says Steinberg.
What security measures does Token take with regard to card information?
- The app first verifies your identity when you create your account.
- Then it uses two-factor authentication each time you use Token.
- It also encrypts payment transactions.
- And neither the app nor Token store your card data.
In addition, you can create a new number each time you shop or use an existing number that is good with one retailer only. And you can also temporarily “freeze” those numbers at any time, says Steinberg.
See related: How to protect your cards and accounts online
How does Token verify that a particular card is yours to use?
“Whenever someone signs up for Token, they go through a stringent identity verification process,” says Grossman. “When you connect one of your personal debit or credit cards, the information is instantly verified with your bank.”
And Token requires two-factor authentication each time someone uses the app.
How does the use of Token affect chargeback rights?
If you have a credit or debit card dispute, Token asks that you contact its customer service team so they can help. If necessary, the site states, they’ll file a dispute on your behalf. That’s because if you file, your bank will dispute the transaction with the merchant. And, as far as the bank knows, Token is the merchant.
But consumers have legal dispute rights (from the Fair Credit Billing Act and the Electronic Fund Transfer Act), in case of billing errors, as well as theft or fraud – provided they report losses to the card issuer by specific deadlines. Miss the deadline, and they lose the legal right to dispute the charges or be reimbursed by their card issuer.
What’s the smart consumer move with disputed charges when you have a middleman in the transaction, such as in the case of Token?
“I would recommend that consumers dispute directly with their bank,” says Chi Chi Wu, staff attorney with the National Consumer Law Center, a consumer advocacy group.
“That is how they preserve their rights, especially to challenge billing errors under the Fair Credit Billing Act, which requires a written notice from the ‘obligor’ [consumer], within 60 days of the statement,” she says. “It’s unclear whether a dispute from a third party on behalf of the consumer would be effective.”
Is the money transacted through Token protected against loss, fraud and theft?
When you use a credit card, you have protections under the Fair Credit Billing Act – you have 60 days after the bill was mailed to you to report any billing errors on your card statement.
If you use a debit card, the Electronic Fund Transfer Act (Regulation E), protects all but the first $50 of losses from theft or fraud. But you could be out the missing money while the bank investigates, and the investigation must confirm that this is theft or fraud. (Another good reason to always opt for credit cards instead of debit cards online.)
Grossman says that won’t be an issue for their users. “With Token you are never going to experience the kind of fraud and theft that you see happening all the time when people shop online with their real credit card information,” he says. “However, if this were to theoretically happen, consumers would be able to dispute the fraudulent charges with us and the money would be returned to their account, just as it would be if they were using a standard credit or debit card.”
How do consumers contact Token directly, if they need help?
Consumers can send a message within the app itself or email firstname.lastname@example.org.
Does Token offer its own cards?
Not yet, but it will soon, says Steinberg. Token is “developing a card for in-store [purchases], but that will be for later this year.”
Do I need extra security?
Token is yet another layer of security for online shopping. But if you shop from a device, you want to use multiple security measures, as well as smart shopping habits.
“You want to be careful of connecting on public Wi-Fi,” says Jim Van Dyke, CEO and inventor of Breach Clarity, which helps consumers navigate security measures after a data breach.
- Use anti-malware software and keep that and your operating system up to date.
- Opt for credit cards over debit cards for online shopping.
- Use device locks and strong passwords, so that the device itself is secure.
- If you use merchant apps to shop, always delete your personal information before you delete the app, says Tedder.
People erroneously “believe that deleting an app deletes the payment information – but it doesn’t,” she says. “The app is just the merchant display.”
Most important, if you get a notice of a breach, take it seriously and contact your bank immediately.
“Act like you’re on a boat and someone says there’s a leak,” says Van Dyke. “You need to treat that like an urgent situation and take appropriate steps.”