This article in QSR provides a technical description of how card-to-token mapping is implemented. After showing that it is unlikely tokens will enable consumers to be tracked, it indicates the benefits of a customer loyalty solution as a replacement.
“Restaurant operators have a large selection of technologies to choose from today to help gain valuable customer insights that can further drive business. One option is tokenization, which may be viable in place of, or supplemental to, a more traditional loyalty program.
At its simplest level, tokenization is the process of changing a credit card primary account number, or PAN, into a serialized “token” number that can be used for financial transactions in place of the PAN. Payment Tokens are surrogates for the real PAN data that allow for the secure execution of the transaction, yet if stolen or otherwise exposed, become basically useless to a thief or third party.
Some tokens can be used as proxies for the individual PAN, allowing operators or banks to track the behavior of the cardholder/PAN that the token identifies. Additionally, there are several different types of tokens that are virtually useless for tracking (such as single-use transactional tokens), complicating matters further.
When trying to use tokens for marketing or guest intelligence purposes, it is important to understand the source of the tokens you are attempting to track. A transactional token is useless for tracking as it is obsolete and effectively discarded after use, other than for refund or chargeback uses.
Durable Tokens can be more useful. At the simplest level, a durable token is generated against the Cardholder PAN, acting as a surrogate or proxy serial number for the PAN. These durable tokens live on after the transaction so they can be monitored over time for the tracking of usage. However, it is important to understand that these tokens do not cross payment ecosystem boundaries. A PAN that is in your Apple Wallet will have a different token than the PAN that is in your Samsung Pay wallet.
Tokens are assigned to the PAN by a Token Service Provider. Different operators and their banking relationships use different Token Service Providers and will generate different tokens for the same PAN, but the tokens may stay the same within the PAN to Wallet to Operator/Bank payment path. The Operator to Bank link is where the token generation, linkage, storage, control and database live.”
Obviously the above indicates that tokens have broken the ability for merchants to track consumers in their store. No mention is made, however, of the payment networks' halfhearted fix for this problem, a standard out of EMVCo called the Payment Account Reference (PAR). This little-known and rarely implemented standard was designed to provide a unique reference number for each PAN that would be consistent regardless of the token delivered by the mobile wallet. The problem is that the standard is extremely difficult for merchants and acquirers to implement. Six months ago Mercator was unable to identify an acquirer that was implementing PAR, even among those supporting the very largest and most innovative merchants that required that support.
So without PAR, merchants need to deploy loyalty programs, and a loyalty program won't work unless it offers a meaningful benefit to the consumer. Merchants will now need to pay to get the same information they once received for free.
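The linkage problem described above, as a toy model added here for illustration (it is not code from the QSR article, Mercator, or EMVCo). The class names, wallet labels, test PAN and the `PAR-` identifier format are all constructed assumptions; real token and PAR formats are defined by the payment networks and are not reproduced here.

```python
import secrets
from collections import defaultdict

class TokenServiceProvider:
    """Toy TSP: one durable token per (PAN, wallet) path, vault kept private."""
    def __init__(self, name):
        self.name = name
        self._vault = {}  # (pan, wallet) -> durable token

    def durable_token(self, pan, wallet):
        key = (pan, wallet)
        if key not in self._vault:
            # Random 16-digit surrogate, so nothing about the PAN can be derived from it.
            self._vault[key] = "".join(secrets.choice("0123456789") for _ in range(16))
        return self._vault[key]

class ParRegistry:
    """Toy stand-in for PAR assignment: one reference per PAN, whatever the token."""
    def __init__(self):
        self._par = {}

    def par_for(self, pan):
        # Constructed identifier format, not the real PAR layout.
        return self._par.setdefault(pan, "PAR-" + secrets.token_hex(8).upper())

def group_visits(transactions, key):
    """Merchant view: group visits by whichever identifier the record carries."""
    groups = defaultdict(list)
    for tx in transactions:
        groups[tx[key]].append(tx["visit"])
    return dict(groups)

def simulate():
    pan = "4111111111111111"  # constructed test PAN, same cardholder throughout
    tsp_a, tsp_b = TokenServiceProvider("A"), TokenServiceProvider("B")
    pars = ParRegistry()
    # Visits 1 and 2 use the same wallet/TSP path; visit 3 uses a different one.
    paths = [(tsp_a, "wallet-1"), (tsp_a, "wallet-1"), (tsp_b, "wallet-2")]
    txs = [
        {"visit": n, "token": tsp.durable_token(pan, wallet), "par": pars.par_for(pan)}
        for n, (tsp, wallet) in enumerate(paths, 1)
    ]
    return group_visits(txs, "token"), group_visits(txs, "par")

if __name__ == "__main__":
    by_token, by_par = simulate()
    print("customers seen by token:", len(by_token))  # one cardholder looks like two
    print("customers seen by PAR:  ", len(by_par))    # PAR collapses them back to one
```

Grouping by token keeps repeat visits together only within one wallet path, which is the behavior the quoted article describes for durable tokens; grouping by the shared reference restores the single-customer view the merchant had with the raw PAN.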
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group