Tokenisation is a system that replaces sensitive data with unique identification symbols that store the same information in a safer way.
The Payment Card Industry (PCI) Council, a global organisation overseeing payments security, defines tokenisation as "a process by which the primary account number (PAN) is replaced with a surrogate value called a token. De-tokenisation is the reverse process of redeeming a token for its associated PAN value."
The PCI now requires merchants to fully secure payment data. Previously it could be stored by the merchant and used for marketing strategies.
Tokenisation helps organisations to keep financial transaction data safe whilst still adhering to government and industry compliance requirements in a cost-effective way.
The way tokenisation works
Unlike encryption, tokenisation does not rely on a mathematical algorithm to turn the data into a token. Instead, it stores the data in a secure database, where it is encrypted, and issues a token to be used in its place. An index links the token to the data, and the index will only release the original data when the token is presented to it.
For instance, with Apple Pay, the user is identified using a fingerprint scan, and the app then sends the card token and a cryptogram to the merchant’s terminal and on to the card network. The network authorises the token and the cryptogram and sends them to the bank that issued the payment card.
The bank then decrypts the token, checks its authenticity, links it to your account number and finally authorises the transaction. The merchant then receives payment and the buyer’s account is debited.
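The two pieces described above, the vault index that links a token to the original card number and the per-transaction cryptogram that travels with the token, can be illustrated together. The following is an added example written for this article; it is not code from Apple, the PCI Council or any payment network. It assumes a simplified in-memory vault (a real vault encrypts the stored PANs at rest), a token format that keeps the last four digits and passes the Luhn check (an assumption, chosen so the token flows through existing systems), and HMAC-SHA256 standing in for the EMV cryptogram a real wallet produces. All card numbers, keys and nonces are constructed sample values.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test used by card networks; constructed tokens below
    are generated to pass it too, so they look like a card number to merchants."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Assumed, simplified vault: the index that links tokens to PANs.

    The token is random, so nothing about the PAN can be derived from it; the
    only way back to the PAN is to present the token to this index.
    """

    def __init__(self) -> None:
        self._pan_by_token = {}   # token -> PAN (encrypted at rest in a real vault)
        self._token_by_pan = {}   # PAN -> token, so the same card gets the same token

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        last_four = pan[-4:]
        while True:
            # Assumption: keep the last four digits (for receipts) and randomise the
            # rest; retry until the result is Luhn-valid, unused and not the PAN itself.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + last_four
            if token != pan and token not in self._pan_by_token and luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        """Reverse lookup: only possible with access to the vault itself."""
        return self._pan_by_token[token]


def make_cryptogram(device_key: bytes, token: str, amount_cents: int, nonce: str) -> str:
    """Device side: a per-transaction MAC binding the token to this purchase.
    HMAC-SHA256 is a stand-in for the EMV cryptogram (assumption)."""
    message = f"{token}|{amount_cents}|{nonce}".encode()
    return hmac.new(device_key, message, hashlib.sha256).hexdigest()


def network_authorise(vault: TokenVault, device_keys: dict, seen_nonces: set,
                      token: str, amount_cents: int, nonce: str, cryptogram: str):
    """Network/issuer side: check the cryptogram first, only then touch the vault.

    Returns (decision, detail). A token copied from a merchant's systems is declined
    here because whoever holds it has no device key to produce a valid cryptogram.
    """
    key = device_keys.get(token)
    if key is None:
        return ("declined", "unknown token")
    if nonce in seen_nonces:
        return ("declined", "replayed cryptogram")
    expected = make_cryptogram(key, token, amount_cents, nonce)
    if not hmac.compare_digest(expected, cryptogram):
        return ("declined", "bad cryptogram")
    seen_nonces.add(nonce)
    pan = vault.detokenise(token)          # issuer links the token to the account
    return ("approved", "account ending " + pan[-4:])


def demo() -> dict:
    """Walk through the flow with constructed sample data."""
    vault = TokenVault()
    pan = "4111111111111111"                 # constructed test PAN, not a real card
    token = vault.tokenise(pan)
    device_key = b"constructed-device-key"   # provisioned to the wallet at enrolment
    device_keys = {token: device_key}
    seen = set()

    genuine = make_cryptogram(device_key, token, 1999, "nonce-1")
    ok = network_authorise(vault, device_keys, seen, token, 1999, "nonce-1", genuine)
    replay = network_authorise(vault, device_keys, seen, token, 1999, "nonce-1", genuine)
    # Someone holding only the token cannot produce a cryptogram under the real key.
    forged = make_cryptogram(b"wrong-key", token, 1999, "nonce-2")
    stolen = network_authorise(vault, device_keys, seen, token, 1999, "nonce-2", forged)
    return {"token": token, "ok": ok, "replay": replay, "stolen": stolen}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the article's flow implies: a genuine token plus cryptogram is approved and the issuer resolves it to the account, a replayed cryptogram is declined, and a token presented without the matching device key is declined before the vault is ever consulted.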
Tokenisation hides or replaces data so that there is no usable card data to breach. When you make an online purchase, the system transforms your card number into a random number, which is then used for the transaction in the same way that the card number would be.
Benefits of tokenisation
The company converts credit card numbers into unique tokens and stores the card data securely. The tokens carry no information that can be used outside the specific transaction, so the data is meaningless to anyone who gains access to it without authorisation.
Tokenisation provides a cost-effective way to comply with financial regulations and makes it difficult for cybercriminals to obtain cardholders’ data, as it is stored in secure databases rather than freely exchanged over networks.
Rob Macmillan, VP Marketing, Digital Payments at Proxama said in an October 2015 interview with PYMNTS.com, “If we look at the evolution of the international payment schemes, most recently with EMV standardization across the world, it is evident that standardization is needed to achieve interoperability and ensure that systems talk to each other.”
Tokens are generated using methods that only allow the process to be reversed with the permission of the owners.
Systems should be secured using data protection best practice to ensure that there is no way for the tokens to be reversed back to live data except by the owners.
A token cannot be turned back into the real data if the token is stolen. A thief would have to access the secure token vault, protected by further encryption, to access the real data.
Apple Pay, Samsung Pay and Android Pay use a form of tokenisation.
The use of tokenisation is rising, partly as a result of high-profile security breaches. The fact that Apple and other major brands are using it will also help its use rise. Recently, American Express announced that tokens can be used in the US for online transactions. Visa and Mastercard also have plans afoot, which suggests tokenisation use will increase across the industry.
Tokenisation has primarily been used for card-not-present transactions, to improve security for online payment systems, because the actual card number never passes through the payment system.
Rob Macmillan concludes: “There is clearly a need for tokenisation as a general mechanism for protecting cardholder data. The security breaches that have happened in the past illustrate how important this is.
“It’s no surprise, given the evolution of our industry, that things will continue to change; but now is definitely the time to get on board with tokenisation.”
This article represents the views and opinions of the author and does not necessarily reflect the opinions of BPAY.
Published by BPAY Pty Ltd. BPAY is offered by over 150 Financial Institutions. Contact your Financial Institution to see if it offers BPAY and to get the terms and conditions. This is general advice – before using BPAY please review the terms and conditions and consider whether BPAY is appropriate for your personal circumstances.