What is tokenisation in payments?

Matthew Blenkarn, Content Writer
11 Nov 2022
Hand holding a bank card with liquid texture behind it

Tokenisation plays a crucial role in card and mobile wallet payments. By replacing a customer’s card number with a randomly generated alpha-numerical code, it protects customers from fraud and data breaches. As a result, it’s become an effective way to make payments more secure and reduce the Payment Card Industry Data Security Standard (PCI DSS) burden for merchants.

But what is tokenisation? What benefits does it offer, and what are the alternatives? In this blog post, we’ll walk through the basics on tokenisation and show how it relates to card and mobile wallet payments.

What is tokenisation?

Tokenisation is a way to safeguard sensitive information. In payments, this involves the use of an algorithm to create a “token,” a random string of numbers that stands in for the customer’s account number.

As a result, tokenisation allows businesses to initiate payments in a secure way. For example, when processing transactions such as recurring payments, merchants need to store customer details securely to use again in the future. While this information is encrypted, hackers can still reverse that process, leaving customers vulnerable to fraud.

Tokenised payments offer an added layer of security. Since tokens have no assigned value, they are completely unrelated to a customer’s details. They also don’t refer back to sensitive information and cannot be reversed, allowing them to be stored or transferred with minimal risk.

What is a token?

A token is a unique substitute for sensitive data, in this case a card number. It takes the form of an algorithmically generated string of numbers. Since tokens are irreversible and don’t refer back to original account numbers, they allow merchants to store sensitive details securely.

Tokens play a major role in several types of online payments such as card-on-file and subscription transactions. Mobile wallets also use tokens to facilitate card payments. Rather than referring back to card or account details, wallet providers will request tokens from their payment providers (acquirers, gateways and/or orchestration platforms) or separate specialised token technology providers. The token can then be used to initiate payments from the cards stored in the mobile wallet.

Why is tokenisation important?

Tokenisation is important because it lets businesses use and transfer customer information in a safer way. When it comes to ecommerce, security remains a major concern for both merchants and customers: payment card fraud cost consumers £524 million in 2021, with card-not-present fraud accounting for about 78% of those losses.

Unfortunately, recurring payments such as card-on-file transactions require merchants to store customer details to initiate payments. This leaves them vulnerable to data breaches, as hackers can retrieve sensitive information even in an encrypted state. 

By storing tokens instead of customer data, companies can initiate payments without having to store or transfer customer data itself, decreasing the risk that sensitive details get stolen. For example, Visa reports that tokenised payments reduced fraud by 26% over a three-month period compared to payments that used card numbers. 

How does tokenisation work?

The tokenisation process varies depending on the payment method used. Generally, it begins when a customer enters their payment details on the merchant’s payment pages. From there, it proceeds as follows:

  1. In most cases, the information goes to a payment gateway or a specialised independent token service provider (TSP). In recent years, card schemes have started providing tokenisation services as well, which are then labelled “network tokens”.

  2. If the merchant uses their gateway’s own token service, they generate a token and store the customer’s sensitive information in a token vault. At the same time, the payment gateway transmits the raw card data to the merchant’s acquirer (if it’s a separate entity), which then passes it on to the respective card scheme.

  3. The transaction then goes to the customer’s issuing bank, which approves or declines the request depending on a variety of different factors, including but not limited to whether the account has sufficient funds, the card is still valid, was sent through the correct strong customer authentication (SCA) flow and more.

  4. Once authorised, the approval goes back down the chain and the response is returned to the merchant together with the originally created token (instead of the raw card data) The reason the gateway, acquirer, schemes and issuers can share raw card data between them is that they all have to abide by PCI standards.

For any subsequent transactions, whether it’s for a consumer-initiated one-click payments or a merchant-initiated recurring payment, all the merchant needs to do is send the token to their provider again to trigger the same chain of events.

What’s the difference between tokenisation and encryption?

The difference between tokenisation and encryption largely comes down to each method’s approach to customer data. 

Encryption is an end-to-end encoding process: a sender uses an algorithm to convert an account number into a new form called a ciphertext. The sender then transmits that data along with an encryption key to a receiver, who uses the key to decrypt the information. 

While this process is effective at protecting information, it is still reversible. Anyone with access to the encryption algorithm can decode the data and return it to its original state. 

Tokenisation replaces sensitive information with randomly generated numbers or letters. Unlike encryption, this method is essentially unreadable. It has no relation to the customer’s card number and cannot be decoded with a key or an algorithm. As a result, it provides an extra degree of security in data storage or transfer.

What are the benefits of tokenisation?

Tokenisation offers a range of business benefits, from streamlining compliance operations to increasing customer trust and more.

One of tokenisation’s biggest benefits, as described above, is that it lets companies avoid the difficult process of obtaining Payment Card Industry (PCI) accreditation. When organisations accept card payments, they must adhere to the Data Security Standards (PCI DSS), a set of regulations around data storage issued by the major card schemes. 

With tokenisation, businesses can let their payment provider handle card details by simply referring them to a token when needed. The provider then assumes responsibility for meeting these standards, reducing the burden on the company itself.

Companies can also use tokenisation to reassure their customers that their payment processes are safe. The added security of tokenised payments ensures that consumers are less likely to fall victim to fraud. By protecting their customers’ details, businesses can generate loyalty from their customer base.

What are the alternatives to tokenisation?

While payment tokenisation can help increase the security of card transactions, it still has its drawbacks. 

Although it may protect customer data, tokenisation fails to address payment cards’ other drawbacks. It doesn’t alleviate slow settlement speeds for smaller merchants, nor variable success rates depending on the merchant’s vertical and their issuer’s risk appetite. It’s still vulnerable to expired cards and lost and stolen details. And it can even add to already high merchant costs.

Open banking solves for these issues, allowing customers to make data-rich payments directly from their bank accounts without sharing payment details. This eliminates the need to replace card details in the event of loss, theft or expiry. Not only are open banking payments secure, but also fast, reliable and cost effective.

Open banking payments don’t require customers to share credentials and they have strong customer authentication baked in, preventing fraud and chargebacks. Transactions settle immediately when instant payment rails are available, and failure rates are less than 5%. Open banking payments also lack the multitude of fees associated with card processing, offering companies a more efficient and economical way to do business.

Visit our payments page to learn more about the benefits of open banking

Insights straight to your inbox
Join 10,000+ subscribers getting the latest open banking news.
19 Jun 2024

What is authorised push payment fraud?

When should you consider adding open banking payments to your checkout_Header
14 Jun 2024

Open banking’s path to dominance in UK ecommerce | TrueLayer

Own Your Own Payments
29 May 2024

Your funniest, wackiest payment stories

Categories to explore