All you need to know about Tokenisation

Tokenisation is the process of replacing sensitive account and card information with an alternate code, i.e., a "token," which must be unique for each card, token requestor, and device combination.

What exactly is a Token?

To put it simply, tokens are randomized values that serve as placeholders for important information such as a person's social security number. Meanwhile, the original sensitive data is securely stored outside of the company's internal systems.

A useful way to understand tokens is to compare them to poker chips. Instead of a large pile of cash on the table, players use poker chips. These chips cannot be used as money in the real world if they are stolen; they can only be used when exchanged for their representative value. Tokenisation is the process of removing valuable data from your current environment (similar to removing cash from the poker table), storing it in a secure cloud environment separate from your business systems (the chip dealer), and replacing it with tokens (giving players poker chips instead).

How Merchants can use Tokenisation

Most merchants store sensitive data on their systems, such as personal information, credit card information, and so on. Tokenisation relieves merchants of the burden of dealing with the compliance requirements and risks associated with storing such sensitive data internally. Merchants therefore implement tokenised payments as a secure method of payment through an online payment gateway, one that keeps this data from being exposed in data breaches or obtained by fraudsters.

Tokenised payments are often confused with encrypted payments. The main distinction between the two is that, unlike encrypted data, tokenised data is neither reversible nor decipherable. This is what makes tokenised payments so secure: there is no logical relationship between the original data and the token that replaced it. As a result, a token cannot be converted back to the original data without additional data that is stored outside of the merchant's internal operations.

Tokenisation has advantages beyond just data protection; it can also be used for one-click payments, a type of tokenized payment that provides returning customers with a significantly faster and safer checkout experience. Merchants can use one-click payments to save their regular customers from having to re-enter their credit card information for each purchase. After the first purchase, the card details are immediately tokenized, protecting them from unauthorized access and fraud. When the customer clicks pay on the app/website, subsequent payments can be made without further authentication.

De-tokenisation Defined

De-tokenisation, as the name implies, is the reverse process of tokenisation in which tokens are exchanged for the original data. This process is exclusive to the original tokenisation system and is not in the hands of merchants.
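The points made so far (a token is a random value with no relationship to the card number, it is unique per card, token requestor and device, and only the tokenisation system can exchange it back) can be shown in a short sketch. This is an added example, not code from any payment provider: the TokenVault class, the requestor and device names, and the test card number are all constructed for illustration, and the requestor ID stands in for real merchant authentication.

```python
import secrets

class TokenVault:
    """Constructed in-memory stand-in for the tokenisation system's vault."""

    def __init__(self):
        self._by_binding = {}  # (pan, requestor, device) -> token
        self._by_token = {}    # token -> (pan, requestor)

    def tokenise(self, pan, requestor, device):
        binding = (pan, requestor, device)
        if binding in self._by_binding:       # same combination, same token
            return self._by_binding[binding]
        while True:
            # Random digits: nothing about the PAN is encoded in the token,
            # so there is no key or algorithm that turns it back into a PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_binding[binding] = token
        self._by_token[token] = (pan, requestor)
        return token

    def detokenise(self, token, requestor):
        # Only the vault holds the mapping, and it releases the PAN only to
        # the requestor the token was issued to (assumed already authenticated).
        record = self._by_token.get(token)
        if record is None or record[1] != requestor:
            raise PermissionError("unknown token or wrong token requestor")
        return record[0]

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    phone = vault.tokenise(pan, "merchant-a", "phone-1")
    tablet = vault.tokenise(pan, "merchant-a", "tablet-1")
    print("merchant stores only:", phone, tablet)
    print("vault returns:", vault.detokenise(phone, "merchant-a"))
    try:
        vault.detokenise(phone, "merchant-b")  # token used outside its domain
    except PermissionError as exc:
        print("rejected:", exc)
```

A merchant database built this way holds only the token strings; the mapping needed to reverse them exists solely inside the vault.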

Types of Tokenisation Solutions

Tokenisation solutions are distinguished by the party involved in or carrying out the tokenised payments (merchants, acquirers, issuers, or card networks).

Acquirer Tokenisation

Acquirer Tokenisation (or Security Tokenisation) entails the merchant's acquiring bank tokenizing each customer's card details and storing them in a digital vault specific to their processor. This is a more traditional tokenisation solution that assists merchants in protecting sensitive data while adhering to PCI (payment card industry) standards and regulations.

Network Tokenisation

Tokenisation solutions have evolved over time, giving way to Network Tokenisation (also known as Payment Tokenisation). In 2014, EMVCo created network tokenisation solutions for the first time. This tokenisation solution is interoperable and secure because it involves multiple parties and overcomes the limitations associated with acquirer tokenisation.

Network/Payment Tokenisation Benefits 

Easier to update

Because this protocol involves both the card issuer and the network, Network Tokenisation solutions allow payment tokens to be updated more quickly with new card information. When the issuer initiates updates, the card network automatically updates each merchant-specific network token. Customers benefit from Payment Tokenisation because their transactions are never declined due to expired account credentials. With subscription-based merchants, customers never need to enter new account credentials.

Falls out of the PCI scope

Tokens never need to be revealed or transmitted to any party during a transaction because these tokenisation solutions are interoperable. Because tokenised transactions are authenticated using only merchant-specific credentials, PCI regulations do not apply to network tokenisation. As a result, Payment Tokenisation benefits merchants by removing any risk of a breach because the token is rendered completely useless without merchant-specific authentications for each transaction.

No opportunity for loss of PAN data

The end-to-end interoperability provided by network tokenisation ensures that security data is never lost. While security tokenisation can help merchants reduce PCI scope, security tokens are not accepted by all entities in a payment flow through an online payment gateway. To process a transaction, banks require the original PAN. As a result, completing a transaction with Security Tokenisation solutions frequently requires de-tokenisation at the merchant, service provider, or gateway level. This de-tokenisation step exposes potentially sensitive data to leaks during transmission. With a Network Tokenisation solution the PAN is no longer relevant, because network tokens are interoperable at every level, effectively eliminating the risk of leakage.

Improved authorization success

According to a Visa study, using network tokens increased average authorisation rates by 3.2 percent compared with using the PAN. This is due to the elimination of a large portion of declines caused by expired or lost credentials, as well as fraud. Network tokens are never suspended due to fraud and do not require cardholder updates, because fraud from a PAN transaction or another type of token has no effect on any other tokens in the ecosystem. Because each network token is domain-restricted to the merchant, issuing banks can confidently continue to support transactions for cardholders whose accounts may have been suspended due to fraud. In this case, payment tokenisation benefits both merchants and customers.

Significantly improved checkout for customers

According to the 2021 Riskified Studies, 28 percent of customers will abandon a purchase after a payment decline, and another 14 percent will shop with a competitor. Because customer credentials never expire and never need to be updated after the first transaction, Network Tokenisation reduces checkout friction. The additional friction of authentication is also transferred from the customer to the merchant: customers no longer need to enter their CVV or any other form of verification.

In conclusion

Overall, payment tokenisation benefits all parties involved, and as a result, payment providers should consider implementing this payment security solution at the gateway level.