Tokenisation in the Payments Industry – Providing Security, Compliance, and Convenience

Tokenisation is a simple process in theory, although the details of the various implementations can make it considerably more sophisticated. Tokenisation entails replacing a piece of information, or an asset, with a surrogate value, the token, which then travels as a dynamic component of each transaction in place of the original. In the payments industry it is the customer’s primary account number (PAN) that is tokenised, by replacing it with a series of random digits or alphanumeric characters: these are the tokens. The tokens act as an abstraction over the data itself, so that the underlying sensitive information is not exposed when an online payment transaction takes place. Tokenisation has many benefits.

Tokenisation in the Payments Industry

Tokenisation is not a new concept in the payments industry; it has been around for quite some time. More recently, cryptocurrencies and distributed ledger technology have been essentially founded on tokenisation. Tokenisation, which is integral to the payments industry, benefits it in the following ways:

Data Security – A token, rather than the sensitive data itself, is sent over the internet during a payment transaction. Anyone eavesdropping on the transaction cannot recover the underlying sensitive data from the token. This enables safe point-of-sale transactions as well as secure storage of card details in mobile wallets and eCommerce platforms. A separate token is generated for each online retailer that stores cardholder data, adding yet another layer of security.

Regulatory Compliance – Regulators are tightening up on online merchants that store credit card information, primarily because of the number of recent high-profile compromises at major outlets. Merchants must adhere to the Payment Card Industry Data Security Standard (PCI DSS) and ensure that cardholder information is kept secure. Tokenisation helps with this to a large degree and also reduces expense, since without tokenisation the merchant would have to find other ways to comply with the standard.

Convenience – Thanks to tokenisation, consumers only have to enter their details into an online platform once. Additionally, because the customer’s real card data is not stored on the merchant’s servers, there is less risk as well as added convenience. This is especially useful for recurring payments, where tokens remove the need to manually enter sensitive information for each and every transaction.

Tokenisation Mechanisms

There are two main types of tokens: single-use, transaction-specific tokens and multi-use tokens that can serve a variety of purposes. This is the basic distinction; however, there are many other classifications of tokens, such as reversible or non-reversible, verifiable or non-verifiable, high value or low value, and so on.
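The mechanism described in the introduction (a PAN replaced by random digits, with the real value held only by the tokenisation service) and the classifications above (single-use versus multi-use, reversible versus non-reversible, verifiable versus non-verifiable) can be made concrete with a small token vault. The following is an added example written for this page, not code from the article, from Visa Token Service or from Mastercard Digital Enablement Service; the class and method names, the token format (twelve random digits followed by the card's last four) and the merchant scoping are assumptions chosen for the demonstration, and the card number used is a public test number, not a real account.

```python
"""Minimal token vault (added example, not the article's or any network's code).

Issues multi-use tokens scoped to a merchant, single-use tokens that die on
first redemption, and a non-reversible keyed fingerprint that lets the vault
recognise a card without ever handing the PAN back.  Names are assumptions.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_valid(number: str) -> bool:
    """Luhn check used to validate a PAN before it is admitted to the vault."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


@dataclass
class VaultRecord:
    pan: str
    merchant_id: str
    single_use: bool


class TokenVault:
    """The only component that ever sees the PAN; merchants hold tokens only."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._records: Dict[str, VaultRecord] = {}   # token -> record

    def _new_token(self, pan: str) -> str:
        # Design choice (assumption): 12 random digits plus the real last four,
        # so a receipt can show "**** 1111" without a vault lookup.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(12))
            token = body + pan[-4:]
            if token not in self._records:       # random, but must be unique
                return token

    def tokenise(self, pan: str, merchant_id: str, single_use: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if not single_use:
            # Multi-use: one token per (card, merchant).  The same card at a
            # different merchant gets a different token, as the article notes.
            for token, rec in self._records.items():
                if rec.pan == pan and rec.merchant_id == merchant_id and not rec.single_use:
                    return token
        token = self._new_token(pan)
        self._records[token] = VaultRecord(pan, merchant_id, single_use)
        return token

    def detokenise(self, token: str, merchant_id: str) -> Optional[str]:
        """Reversible token: resolve back to the PAN, but only for the issuing merchant."""
        rec = self._records.get(token)
        if rec is None or rec.merchant_id != merchant_id:
            return None            # unknown token, or one lifted from another merchant
        if rec.single_use:
            del self._records[token]   # a single-use token is spent on first redemption
        return rec.pan

    def fingerprint(self, pan: str) -> str:
        """Non-reversible but verifiable token: the same card always yields the
        same value, so repeat business can be recognised without storing the PAN."""
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault(fingerprint_key=b"constructed-demo-key")   # constructed key
    test_pan = "4111111111111111"                                 # public test number
    token_a = vault.tokenise(test_pan, "merchant-A")
    token_b = vault.tokenise(test_pan, "merchant-B")
    print("merchant A token:", token_a, "merchant B token:", token_b)
    print("A redeems its own token:", vault.detokenise(token_a, "merchant-A"))
    print("B cannot redeem A's token:", vault.detokenise(token_a, "merchant-B"))
```

Because the token body is drawn from a CSPRNG and has no mathematical relationship to the PAN, a stolen token is useless outside the vault, and a token lifted from one merchant cannot be redeemed by another; that is the property the "Data Security" point above relies on.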

Various credit card providers have their own tokenisation mechanisms. Two of the most well-known are the Visa Token Service (VTS) and the Mastercard Digital Enablement Service (MDES). VTS and MDES deliver most of the typical benefits expected of tokenisation for card payments: sensitive information is replaced with a token to be used by online vendors, and both implementations support online, in-store and mobile application purchases. For mobile applications the role of tokenisation is even more important, given that these purchases tend to be more vulnerable to fraud than online or in-store transactions.

Visa’s and Mastercard’s token services are compatible with all of the latest standards and protocols, such as the ongoing rollout of 3-D Secure 2 (3DS2). 3DS2 is set to increase security and lower costs for online purchases, and to make the transaction process easier for mobile shoppers. Taken together, 3DS2 and tokenisation should greatly enhance the checkout experience for the new era of online shopping, with more security and fewer inconveniences.

Tokenisation has yet to reach widespread use among online merchants; however, both Visa and Mastercard provide sandbox environments that merchant developers can register with and access. With the internet of things, eCommerce solutions, QR payments, contactless payments and other novel ways of facilitating transactions, developers need to work with the card networks and merchants to provide secure solutions built around the accepted tokenisation standards.

Tokenisation Regulatory Standards

The main guidelines that merchants have to adhere to when storing credit card information are prescribed by the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. PCI DSS is administered by the Payment Card Industry Security Standards Council. Validation of compliance is performed annually or quarterly, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA).

Any organisation that stores, processes or transmits cardholder data must follow the practices set out in these standards. Tokenisation provides the easiest and lowest-cost way of meeting this regulatory burden, because the sensitive data is, for all intents and purposes, no longer stored by the merchant.
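The claim that the merchant no longer holds cardholder data is one a practitioner should verify rather than assume, and the usual way is to scan the merchant's own logs, exports and backups for raw PANs that slipped past tokenisation. The following scanner is an added example, not code from the article or from the PCI Security Standards Council: the log lines are constructed for the demonstration, the candidate regex and Luhn filter are a common heuristic rather than any standard's prescribed method, and findings are reported masked so the scan report does not itself become a new store of cardholder data.

```python
"""PAN-leakage scan over log lines (added example, not the article's code).

Finds 13- to 19-digit runs, optionally separated by spaces or dashes, keeps
only those that pass the Luhn check, and reports them masked.  The sample log
below is constructed; the card numbers in it are public test numbers.
"""
import re
from typing import List, Tuple

# 13..19 digits with optional single separators, not embedded in a longer
# digit run, so timestamps and short order ids are not swept up.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn check: filters out most digit runs that merely look like a PAN."""
    digits = [int(c) for c in reversed(number)]
    doubled = (d * 2 - 9 if d * 2 > 9 else d * 2 for d in digits[1::2])
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in anything the scanner itself writes."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_for_pans(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card number found."""
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))   # normalise separators
            if luhn_valid(digits):
                findings.append((line_no, mask(digits)))
    return findings


# Constructed sample: line 1 is what a tokenised merchant log should look like,
# line 3 is a 16-digit reference that fails Luhn, lines 2 and 4 are leaks.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z order=1001 token=tok_7f3a9c pan_last4=1111 status=approved
2024-05-01T10:00:02Z order=1002 card=4111111111111111 status=approved
2024-05-01T10:00:03Z order=1003 ref=1234567890123456 status=declined
2024-05-01T10:00:04Z order=1004 card=5500 0000 0000 0004 status=approved
"""


if __name__ == "__main__":
    for line_no, masked in scan_for_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible raw PAN {masked}")
```

A hit on a system that is supposed to see tokens only is a PCI DSS finding in its own right, independent of whether the line was ever exfiltrated; the scanner is cheap enough to run on every log rotation.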

PCI DSS compliance levels are determined by the total transaction volume over a 12-month period, and merchants are divided into four levels for the purposes of compliance. Level 1 carries the most demanding compliance requirements and consists of merchants processing up to 6 million transactions per year, regardless of payment channel. Level 4 carries the lightest requirements, consisting of merchants with fewer than 20,000 eCommerce transactions or fewer than 1 million transactions across any payment channel. For a merchant, partnering with a PCI-compliant payment processor is the easiest way to ensure that the standards are met.

Other well-known regulations governing the storage of sensitive data include HIPAA-HITECH, GLBA, ITAR and the recently introduced GDPR. Although these do not relate specifically to the payments industry, organisations subject to them rely on the same technologies (encryption or tokenisation) to safeguard sensitive customer data.

Encryption vs Tokenisation

The most common way to meet PCI standards is through encryption, where the stored values are encrypted for security. When a credit card transaction takes place at a retail outlet, point-to-point encryption (P2PE) is usually applied. The decryption key is typically held in an isolated hardware security module (HSM). There are a variety of other safeguards as well. For example, many online outlets require the CVV number on the back of the card to be entered during checkout, so that even if attackers have the card number, they will not be able to make a fraudulent purchase.

Tokenisation has a number of advantages over encryption when it comes to storing sensitive information. Encryption is mathematically reversible, is more expensive, places a larger burden on PCI compliance, and is not as flexible for 21st-century payments. Tokenisation eliminates many of the additional security requirements currently placed on customers.

If current trends continue, tokenisation will most likely replace encryption as the primary means of complying with security standards. It offers additional security, convenience, compliance and lower overall costs.