By Mariana Almeida Marques
Tokenisation may seem like a complicated topic, but it is certainly worth being aware of its meaning and how it is used. As mobile payments become more popular, there is a pressing need for extra security in payment processing. In this article, we will discuss all things payment tokenisation, including how it works and how it can help merchants and customers.
Tokenisation is the process of replacing sensitive data with a randomly generated number called a token. Tokenisation can be used in multiple industries for a variety of data, including addresses, passport numbers or social security numbers. The main purpose of tokenisation is to protect this sensitive data and prevent it from being stolen. Data protection is a highly relevant topic nowadays and a huge focus for companies that deal with sensitive data on a regular basis, whether that be banks, public institutions or healthcare organisations, amongst others.
In payments, tokenisation means replacing customers’ card details with a token. This token will pass through all the payment players (networks, gateway and processors) so that the payment can be processed. Customers avoid getting their bank details stolen or replicated because these details won’t actually be shown at any point during the payment process; only the token is shown. The actual card details are stored in a digital token vault. This brings us to the next question:
The word “vault” says it all: a token vault is a secure and centralised server used to store all the customers’ information, including all the tokens and the card details they represent. This vault is monitored by a TSP, or Token Service Provider, who is also responsible for maintaining all the security measures necessary to protect the data and for complying with standard regulations.
TSPs can be fully independent, or they can be integrated with gateways, PSPs or card networks. Choosing to integrate and manage a token vault in-house requires large financial investments as well as a lot of resources, though it helps you avoid tokenisation fees down the line. However, besides the initial investment, there is also a long-term responsibility of storing card details and ensuring full compliance with financial regulations.
The payment tokenisation process happens right at the beginning of payment processing. If you are interested in knowing more about how payment processing works, click to see our previous article. Essentially, this process has three main stages: the verification, the authorisation and the settlement.
When a customer initiates a payment in an ecommerce app, for instance, he will submit his card details. This sensitive data is transmitted to the Token Service Provider, which replaces it with a token. His card details won’t actually be passed through the payment network, and nobody will have access to them. Instead, the payment players can only access the token.
The most obvious benefit of payment tokenisation is online security. Mobile payment technologies seem to be the future of payments, and hackers are becoming increasingly good at stealing information online. Tokens cannot be decrypted, which means that even if hackers managed to access them, there is no direct link between a token and your actual card details, so having the tokens would be useless. This protects customers and merchants from having their details stolen and potentially losing money.
It also makes customers feel safer when they purchase products online, knowing that their details won’t be accessible to anyone. Tokenisation is also a mandatory process for companies to have in place in order to comply with regulations, particularly PCI DSS. If merchants choose to outsource this process to a payment gateway or processor, they eliminate some of the responsibility to comply with PCI regulations, as this responsibility would fall onto the third party they chose to partner with.
Another great benefit of payment tokenisation is the possibility for one-click checkouts. Tokenisation allows customers to safely store their card details in an ecommerce site, so they can later make other purchases without having to insert their details again. This naturally creates a much faster and easier payment experience for the customer, who is more likely to go back and purchase more items from the same shop. Long checkout experiences are known to prevent customer retention, as they leave customers dissatisfied with their experience and eager to abandon the site to shop somewhere else. Tokenisation effectively solves this issue.
Both tokenisation and encryption have the same goal of protecting customers’ and merchants’ information online. However, they work quite differently. Encryption involves transforming a readable number or text into unreadable data using a cryptographic key. Keys can be public or private, and the customer, merchant and payment players will all have access to it. The encryption is done based on mathematical values. Because the data is unreadable at first sight, the encryption seems random. However, anybody that gains access to the key can decrypt the data and turn it back into the original data.
Tokenisation, on the other hand, doesn’t involve any mathematical process. Tokens are always generated at random and have no link to the actual card details whatsoever, so they can’t be decrypted. The only link to the actual card details is stored in the token vault. The two main differences between tokenisation and encryption are that tokens are generated at random, whilst encrypted data is generated through a key that uses mathematical algorithms, and that tokenisation is irreversible, whilst encryption is not.
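The vault flow described earlier and the contrast with encryption can be seen in a small sketch. This is an added example, not Imburse's or any TSP's code: the `TokenVault` class, the caller names `tsp-internal` and `merchant`, and the in-memory storage are all assumptions made for illustration.

```python
import secrets


class TokenVault:
    """In-memory stand-in for a TSP's token vault (constructed example)."""

    def __init__(self, authorised_callers):
        self._pan_by_token = {}   # token -> card number (a real vault encrypts this at rest)
        self._token_by_pan = {}   # card number -> token, so a stored card reuses its token
        self._authorised = set(authorised_callers)

    def tokenise(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 12 <= len(digits) <= 19:
            raise ValueError("not a card number")
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        while True:
            # Random digits from the OS CSPRNG: nothing here is computed from the card number.
            token = "".join(secrets.choice("0123456789") for _ in digits)
            if token != digits and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenise(self, token: str, caller: str) -> str:
        if caller not in self._authorised:
            raise PermissionError(f"{caller} may not detokenise")
        return self._pan_by_token[token]   # KeyError if this vault never issued the token


def run_demo():
    pan = "4111 1111 1111 1111"   # widely used test card number, not a real account
    vault = TokenVault(authorised_callers={"tsp-internal"})
    other_vault = TokenVault(authorised_callers={"tsp-internal"})
    token = vault.tokenise(pan)
    results = {"token": token, "reused": vault.tokenise(pan) == token,
               "recovered": vault.detokenise(token, "tsp-internal")}
    try:
        vault.detokenise(token, "merchant")          # holds the token, not vault access
    except PermissionError:
        results["merchant_blocked"] = True
    try:
        other_vault.detokenise(token, "tsp-internal")  # right caller, wrong vault
    except KeyError:
        results["useless_without_vault"] = True
    return results
```

Calling `run_demo()` shows that the token maps back to the card number only through the vault that issued it; no key, however obtained, turns the token into card details.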
Imburse offers connectivity to the entire payments ecosystem. By connecting to Imburse, companies have access to all payment providers, tools and technologies available in any market. They can integrate any provider or technology they want into their existing systems in a matter of just a few weeks, effectively saving time, money and resources. With Imburse, companies can enjoy the flexibility to quickly adapt to changes in the industry and in customer demand, whilst gaining access to all the tools and features they need to continue to exceed customers’ expectations.