What is tokenisation in payments?
Tokenisation can help make card payments more secure and offer additional functionality to merchants. So how does it work, and what are the alternatives?
Tokenisation plays a crucial role in card and mobile wallet payments. By replacing a customer’s card number with a randomly generated alphanumeric code, it protects customers from fraud and data breaches. As a result, it has become an effective way to make payments more secure and reduce the Payment Card Industry Data Security Standard (PCI DSS) burden for merchants.

But what is tokenisation? What benefits does it offer, and what are the alternatives? In this blog post, we’ll walk through the basics of tokenisation and show how it relates to card and mobile wallet payments.

What is tokenisation?

Tokenisation is a way to safeguard sensitive information. In payments, this involves the use of an algorithm to create a “token,” a random string of numbers that stands in for the customer’s account number.

As a result, tokenisation allows businesses to initiate payments in a secure way. For example, when processing transactions such as recurring payments, merchants need to store customer details securely to use again in the future. While this information is encrypted, hackers can still reverse that process, leaving customers vulnerable to fraud.

Tokenised payments offer an added layer of security. Since tokens have no assigned value, they are completely unrelated to a customer’s details. They also don’t refer back to sensitive information and cannot be reversed, allowing them to be stored or transferred with minimal risk.

What is a token?

A token is a unique substitute for sensitive data, in this case a card number. It takes the form of an algorithmically generated string of numbers. Since tokens are irreversible and don’t refer back to original account numbers, they allow merchants to store sensitive details securely.

Tokens play a major role in several types of online payments, such as card-on-file and subscription transactions. Mobile wallets also use tokens to facilitate card payments. Rather than referring back to card or account details, wallet providers request tokens from their payment providers (acquirers, gateways and/or orchestration platforms) or from separate specialised token technology providers. The token can then be used to initiate payments from the cards stored in the mobile wallet.

Why is tokenisation important?

Tokenisation is important because it lets businesses use and transfer customer information in a safer way. When it comes to ecommerce, security remains a major concern for both merchants and customers: payment card fraud cost consumers £524 million in 2021, with card-not-present fraud accounting for about 78% of those losses.

Unfortunately, recurring payments such as card-on-file transactions require merchants to store customer details to initiate payments. This leaves them vulnerable to data breaches, as hackers can retrieve sensitive information even in an encrypted state. By storing tokens instead of customer data, companies can initiate payments without having to store or transfer the customer data itself, decreasing the risk that sensitive details get stolen. For example, Visa reports that tokenised payments reduced fraud by 26% over a three-month period compared to payments that used card numbers.

How does tokenisation work?

The tokenisation process varies depending on the payment method used. Generally, it begins when a customer enters their payment details on the merchant’s payment pages. From there, it proceeds as follows:
- In most cases, the information goes to a payment gateway or a specialised independent token service provider (TSP). In recent years, card schemes have started providing tokenisation services as well, which are then labelled “network tokens”.
- If the merchant uses their gateway’s own token service, the gateway generates a token and stores the customer’s sensitive information in a token vault. At the same time, the payment gateway transmits the raw card data to the merchant’s acquirer (if it’s a separate entity), which then passes it on to the respective card scheme.
- The transaction then goes to the customer’s issuing bank, which approves or declines the request depending on a variety of factors, including whether the account has sufficient funds, whether the card is still valid, and whether the transaction was sent through the correct strong customer authentication (SCA) flow.
- Once authorised, the approval goes back down the chain and the response is returned to the merchant together with the originally created token (instead of the raw card data). The reason the gateway, acquirer, schemes and issuers can share raw card data between them is that they all have to abide by PCI standards.
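To make the flow above concrete, here is an added illustration (not code from any gateway or token service provider) of the three pieces the post describes: a token vault that issues random tokens and is the only place the raw card number lives, a merchant record that holds just the token and a masked card number, and a later card-on-file charge where the vault swaps the token back for the card number on the merchant’s behalf. The class and function names and the sample card number are constructed for this example.

```python
import secrets

# Constructed sample PAN (a well-known test number, not a real card).
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Simulates a gateway/TSP token vault: the only place the raw PAN is kept.

    Tokens are drawn at random, so a token carries no information about the PAN
    and there is no key that could turn it back into a PAN outside the vault.
    """

    def __init__(self, token_len=16):
        self._by_token = {}          # token -> PAN, held only inside the vault
        self._token_len = token_len

    def tokenise(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Random digits: not a hash, not encryption, no relation to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(self._token_len))
            if token not in self._by_token:   # guarantee uniqueness across the vault
                break
        self._by_token[token] = pan
        return token

    def detokenise(self, token):
        """Only the vault (a PCI-scoped party) can map a token back to its PAN."""
        return self._by_token[token]


def mask_pan(pan):
    """First six and last four digits: the most a merchant should display or retain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def merchant_card_on_file(vault, pan):
    """What the merchant stores after the first payment: token plus masked PAN, never the PAN."""
    return {"token": vault.tokenise(pan), "display": mask_pan(pan)}


def recurring_charge(vault, stored, amount_pence):
    """A later charge: the merchant submits only the token; the vault supplies the PAN
    that is forwarded to the acquirer and scheme."""
    pan = vault.detokenise(stored["token"])
    return {"pan_sent_to_acquirer": pan, "amount_pence": amount_pence}
```

Tokenising the same card twice yields two unrelated tokens, which is the property that lets a stolen merchant database reveal nothing about the underlying card numbers.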