All you need to know about Tokenisation
Tokenisation refers to replacing sensitive account and card information with an alternate code, i.e., a “token”, which shall be unique for a combination of card, token requestor, and device.
What is a Token?
To put it simply, tokens are randomised values that stand in for important pieces of information like a person’s social security number. All the while, the original sensitive data is stored safely outside the business’ internal systems.
An interesting way to understand this is by viewing tokens similarly to poker chips. Instead of having a ton of cash piled up on a table, players use poker chips. If stolen, these chips can’t be used as money in the real world; they can only be used when exchanged for their representative value. Tokenisation removes the valuable data from your current environment (like removing cash from the poker table), stores it in a secure cloud environment separate from your business systems (the chip dealer), and replaces it with tokens (gives players poker chips instead).
How Merchants can use Tokenisation
Most merchants hold sensitive data on their systems, like personal info, credit card info, etc. This solution saves merchants the hassle of dealing with the compliance requirements or risks that come with storing such sensitive data internally. Merchants hence implement tokenised payments as a secure method of payment that precludes data breaches and prevents fraudsters from obtaining this data.
One may confuse tokenised payments with encrypted payments. However, the key difference between the two is that, unlike encrypted data, tokenised data is neither reversible nor decipherable. This is the difference that makes tokenised payments so secure: there is no logical relationship between the original data and the token that replaced it. Hence, tokens can’t be converted to their original form without additional data stored outside of the merchant’s internal operations.
This solution also has benefits beyond just protecting data – it can be used for one-click payments, a form of tokenised payments, giving returning customers a significantly faster and safer checkout experience. One-click payments allow merchants to save their regular customers the hassle of re-entering their card details for every purchase. The card details are immediately tokenised after the first purchase, thus protecting them from unauthorised access and fraud. The subsequent payments can then be made without additional authentication whenever the customer clicks pay on the app/website.
As the name suggests, de-tokenisation is the reverse process of tokenisation that exchanges tokens for the original data. This process can only be done by the original tokenisation system and isn’t in the hands of the merchants.
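The following sketch is an added example, not code from WLPayments or any card network. It shows the properties described above: a token is a random value with no relationship to the card number, it is unique per combination of card, token requestor and device, and only the vault that issued it can exchange it back. The class name TokenVault, the requestor and device names, and the card number are constructed for illustration.

```python
import secrets

class TokenVault:
    """Toy in-memory vault standing in for the external tokenisation system."""

    def __init__(self):
        self._by_token = {}    # token -> (pan, requestor, device)
        self._by_binding = {}  # (pan, requestor, device) -> token

    def tokenise(self, pan, requestor, device):
        binding = (pan, requestor, device)
        if binding in self._by_binding:          # one token per combination
            return self._by_binding[binding]
        while True:
            # Random digits from the OS CSPRNG: nothing is derived from the PAN,
            # so no key or algorithm can turn the token back into it.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = binding
        self._by_binding[binding] = token
        return token

    def detokenise(self, token, requestor, device):
        record = self._by_token.get(token)
        # Unknown token, or a token presented outside the domain it was issued for.
        if record is None or record[1:] != (requestor, device):
            raise PermissionError("token not valid for this requestor/device")
        return record[0]

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    t_shop = vault.tokenise(pan, "shop-a", "phone-1")
    t_other = vault.tokenise(pan, "shop-b", "phone-1")
    try:
        vault.detokenise(t_shop, "shop-b", "phone-1")
        cross_use = "accepted"
    except PermissionError:
        cross_use = "rejected"
    return {
        "repeat_same": vault.tokenise(pan, "shop-a", "phone-1") == t_shop,
        "distinct": t_shop != t_other,
        "roundtrip": vault.detokenise(t_shop, "shop-a", "phone-1") == pan,
        "cross_use": cross_use,
    }

if __name__ == "__main__":
    print(demo())
```

The merchant side only ever holds the values returned by tokenise; the mapping back to the card number exists solely inside the vault object.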
Types of Tokenisation Solutions
The distinction between different types of tokenisation solutions is the parties (merchants, acquirers, issuers, or card networks) involved in or carrying out the tokenised payments.
Acquirer or Security Tokenisation involves the merchant’s acquiring bank using their specified token format to tokenise the card details of every customer and store them in a digital vault specific to their processor. This is a more traditional solution that helps merchants protect sensitive data and meet PCI (payment card industry) standards and regulations.
Over time we have witnessed an evolution in tokenisation solutions, giving way to Network Tokenisation (also known as Payment Tokenisation). EMVCo first developed Network Tokenisation solutions in 2014. Because it involves multiple parties and overcomes limitations associated with acquirer tokenisation, this solution is interoperable and secure.
Network/Payment Tokenisation Benefits
Easier to update
Network Tokenisation solutions allow payment tokens to be updated more quickly with new card information, as this protocol involves both the card issuer and the network. The issuer first initiates updates, and the card network then automatically makes the changes to each merchant-specific network token. Hence, Payment Tokenisation benefits customers since their transactions are never declined due to expired account credentials. They never need to enter new account credentials for subscription-based merchants.
Falls out of the PCI scope
Since these tokenisation solutions are interoperable, tokens never need to be revealed or transmitted to any party during a transaction. PCI regulations do not apply to network tokenisation since these tokenised transactions are authenticated using only merchant-specific credentials. Hence, Payment Tokenisation benefits merchants by eliminating any risk of a breach as the token is rendered entirely useless without the performance of merchant-specific authentications for each transaction.
No opportunity for loss of PAN data
The end-to-end interoperability that a network solution provides ensures there is never an opportunity for loss of security data. While Security Tokenisation can help reduce merchant PCI scope, security tokens are not accepted across all entities in a payment flow. Banks need the original PAN to process a transaction. Hence, with Security Tokenisation solutions, de-tokenisation is often required at the merchant, service provider, or gateway level to complete a transaction. This de-tokenisation process opens one up to possible leakage of sensitive data during transmission. With a Network Tokenisation solution, the PAN is no longer relevant since network tokens are interoperable at every level, thus successfully eliminating the risk of leakage.
Improved authorization success
According to a study carried out by Visa, transacting with network tokens provided a 3.2% average authorisation rate lift compared to using PAN. This is due to eliminating a large chunk of declines related to expired or lost credentials and fraud. Network tokens are never suspended due to fraud and don’t require updates by the cardholder. This is because fraud from a PAN transaction or another type of token does not affect any other token in the ecosystem. Since each network token is domain-restricted to the merchant, this enables issuing banks to confidently continue supporting transactions for cardholders whose accounts may have been suspended due to fraud. Thus, payment tokenisation benefits both merchants and their customers in this case.
Significantly improved checkout for customers
According to the 2021 Riskified Studies, 28% of customers will completely abandon a purchase after experiencing a payment decline, and another 14% will shop with a competitor. Network Tokenisation reduces checkout friction as customer credentials never expire and never need to be updated after the first transaction. The added friction of authentication is also transferred from customer to merchant – customers no longer need to enter their CVV or any other form of verification.
All things considered, payment tokenisation benefits all parties involved, and hence payment providers should consider implementing this payment security solution at the gateway level. Partner with WLPayments’ trusted platform to implement payment tokenisation and dynamically improve your merchant’s authorization rates, simplify fraud management, update payment methods in real-time, ensure card credentials are always up-to-date, and reduce checkout friction.