Card tokenisation explained: How does tokenisation work in payments?
Tokenisation is a secure way of paying that involves swapping out a customer’s sensitive financial information for non-sensitive information: a token.
As a payment token example, say a customer is about to purchase something online with their debit or credit card. The tokenisation payment algorithm replaces the card’s Primary Account Number (PAN) with a unique string of numbers called a token (sometimes also known as an ‘identifier’).
The token is then transmitted between the payment gateway and the payment processor, while the real card number is stored in a token vault. Therefore, credit card tokenisation protects the customer’s details at every step.
This tokenisation payment process — which can happen online or at a brick-and-mortar store if you have a digital wallet — takes place automatically and in real-time.
A customer will then pay with the token and not with their card details. The customer’s PAN is not transmitted during the payment process and is not at risk of interception by fraudsters.
This is what makes tokenisation for payments very safe. And because a token reveals nothing about the card data behind it, it is almost impossible for criminals to make use of, even if there is a data breach.
Who generates the tokens?
‘Token Service Providers’ (TSPs) generate the tokens, and they come in several forms. The major credit and debit card associations — such as Mastercard and Visa — are TSPs, as they issue their own tokens, and so do digital wallets. Nowadays almost all major alternative payment methods use tokenisation: Apple Pay, Google Pay and Alipay are all examples of TSPs.
Payment processors, such as ourselves, also provide tokenisation services. These tokens can then be utilised by the merchant to charge the customer for their purchase.
Which businesses are tokenisation best suited to?
Subscription-based or recurring digital payments
If you have a business model that relies on a steady stream of repeat business from customers, such as a subscription-based or recurring payments model, you will likely benefit from tokenisation.
This is because tokens can safely be stored away, so that the customer can regularly be charged according to the agreed schedule. The customer then doesn’t need to continuously provide their details after they’ve set up the first payment.
E-Wallets
E-Wallets such as Apple Pay, Google Pay and PayPal are on the rise in the realm of contactless payments, but the technology behind them goes far beyond NFC chips and fingerprint ID when it comes to protecting the consumer.
E-Wallets rely on tokenisation in order to create a digital replica of your debit or credit card that is unique to your smartphone or device.
Mobile payments & in-app purchases
Apps on your phone will utilise the information connected to tokenised accounts (for example as we mentioned above, with Google and Apple Pay) in order to securely fulfil orders without ever needing to request or access your issuing bank’s details.
Tokenisation quickly gives a broad spectrum of apps safe and convenient access to your mobile wallet, together with the shipping and billing information and the additional biometric confirmation typically needed to complete a purchase.
With tokenisation in place, a customer’s card can be stored safely on a website as part of a ‘remember me’ system. This is very useful for returning customers: they can set up an account on your website and, rather than manually filling in their card details every time they return, they can benefit from a one-click checkout – a great way to increase loyalty! In addition, if your website ever did experience a data breach, your customers’ card numbers would not be exposed, because only tokens are stored there.
The benefits of tokenisation
There are many benefits of payment tokenisation to merchants. Here are the key ones:
- It’s easier to stay PCI compliant — Especially if you get help from an online payments company such as ourselves. At Total Processing, we manage all of your customers’ cardholder data in a secure way that’s compliant with the Payment Card Industry standards. PCI compliance requirements can be tricky to grasp without expert help, and if you fail to keep up to date you could be at risk of losing your merchant account.
- Tokens are very secure — Even if a fraudster steals a token, they won’t be able to use it to buy things online, as they can’t trace the customer’s real payment information that’s linked to it.
- Great for recurring payment models — Tokenisation makes it easy to store customer payment details safely, enabling businesses to keep them on file and to take recurring payments.
- Enables a smoother, quicker checkout experience — With tokenisation in place, merchants can offer shoppers one-click (or even zero-click) payments on their website, with the possibility to save their payment details securely for future transactions. One and zero-click payments reduce the barriers to conversion and make it much easier for customers to buy products in a safe way — making you more money.
- Saves you money and time — Using a payments processor that provides tokenisation and can manage all of the data and meet compliance requirements will save you time, money and stress.
Downsides of tokenisation
That being said, tokenisation is not perfect. There are a few downsides that you should be aware of:
- It can sometimes hinder the functionality of your software — If tokenisation isn’t integrated properly, it can upset and sometimes conflict with the various software tools you are using.
- Not all payment processors support tokenisation — If you’re a merchant and your online payments solution isn’t compatible with tokenisation, you may have to look for an alternative solution, or risk being stuck with limited options.
Tokenisation and PCI compliance
Because tokenisation is a robust and secure payment technology, it naturally meets many of the security measures of the Payment Card Industry Data Security Standard (PCI DSS) framework.
But tokenisation does not replace the need to comply with PCI DSS on its own. There are other steps that you’ll need to continually take to stay compliant.
- Regularly checking the effectiveness of token validation, to make sure that attackers cannot retrieve the PAN from a token.
- Implementing an effective risk analysis of the tokenisation implementation process, including but not limited to: deployment models, de-tokenisation methods and the encryption process itself.
- Checking the card verification process; card-not-present transactions need to be verified before tokenisation takes place, to make sure a fraudster isn’t using the card.
As the provider of your online payments, we’ll make sure that your tokenisation is PCI DSS compliant — so you won’t have to.
Finding the right tokenisation software
There are plenty of online payment companies out there that can offer tokenisation software as a service (including ourselves).
The biggest names in the business are probably Adyen and Stripe — and they certainly are respectable companies with many happy customers. But if you’re looking for a unified solution with a customer-focused approach, then Total Processing could be the answer.
Our tokenisation service comes alongside a whole host of perks: 24/7 support, guidance throughout the whole integration process and a customisable payments package, including a payment gateway, merchant account, transaction management and more.
Why not get in touch with one of our experts to find out how our tokenisation software and other payment solutions can benefit your business?
- How is payment tokenisation different from encryption?
Encryption alters the original data into something else. Whereas tokenisation removes this sensitive data from the process entirely — swapping it out with a token.
Tokenisation is also more secure. Encryption can be reversed in order to uncover the original data with a decryption key. But because a token itself does not contain any sensitive information, it cannot be deciphered. Instead, the sensitive information is kept separately in a safe token vault that is only accessible to those with permission.
- Is tokenised data reversible?
No. Tokenised data cannot be deciphered or reversed — because there is no mathematical relationship between the token and its original number. The PAN is swapped out and replaced with a random alphanumeric ID; only the token vault knows which PAN a token stands for.
- Does using tokenisation make me PCI-compliant?
Yes and no. The process itself is PCI-compliant. But you will need to take extra precautions in order to remain fully compliant, such as regularly checking the effectiveness of your token validation, and carrying out risk analyses.
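The two properties the FAQ answers above rest on (a token is random and unrelated to the PAN, and only the vault can map it back, whereas encryption always reverses given its key) can be shown in a few lines. This is an added illustration, not Total Processing’s code and not how any real token service provider is built; the toy XOR keystream, the vault credential and the sample PAN (a standard test number) are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy XOR keystream standing in for real encryption (illustration only, not a secure cipher).
# The point: the same key maps the ciphertext straight back to the PAN, so encryption reverses.
def _xor(key: bytes, data: bytes) -> bytes:
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

class TokenVault:
    """Token -> PAN mapping; only a caller presenting the vault credential can de-tokenise."""

    def __init__(self) -> None:
        self._store = {}                              # token -> PAN, lives only in the vault
        self.credential = secrets.token_bytes(32)     # held by the processor, never by merchants

    def tokenise(self, pan: str) -> str:
        # The token is fresh CSPRNG output: no key or formula links it to the PAN.
        token = "tok_" + secrets.token_hex(12)
        self._store[token] = pan
        return token

    def detokenise(self, token: str, credential: bytes) -> str:
        if not hmac.compare_digest(credential, self.credential):
            raise PermissionError("caller is not authorised to de-tokenise")
        return self._store[token]

def merchant_card_on_file(vault: TokenVault, pan: str) -> dict:
    """What the merchant's 'remember me' database holds after tokenisation: the token only."""
    return {"customer": "alice", "card_token": vault.tokenise(pan)}

def compare_models(pan: str = "4111111111111111") -> dict:
    """Contrast encryption with tokenisation on a constructed sample PAN (a standard test number)."""
    key = secrets.token_bytes(16)
    ciphertext = _xor(key, pan.encode())
    vault = TokenVault()
    token = merchant_card_on_file(vault, pan)["card_token"]
    try:                                              # a thief holding the token but no credential
        vault.detokenise(token, secrets.token_bytes(32))
        thief_recovers_pan = True
    except PermissionError:
        thief_recovers_pan = False
    return {
        "encryption_reversible_with_key": _xor(key, ciphertext).decode() == pan,
        "token_contains_pan": pan in token,
        "thief_recovers_pan_from_token": thief_recovers_pan,
        "processor_recovers_pan_via_vault": vault.detokenise(token, vault.credential) == pan,
    }
```

A breach of the merchant database exposes only entries like the one `merchant_card_on_file` returns; the PANs never leave the vault.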
Conclusion: How tokenisation can help your business
To sum up, tokenisation is a great way to protect sensitive payment data — both yours and that of your customers. All of the big banks and many alternative payment methods are embracing tokenisation, and it’s a great way to make your business more attractive when it comes to accepting payments.
But without the right online payments company, you could end up with an inefficient tokenisation process that is not PCI compliant, and that conflicts with existing computer software.
Take care when shopping for a payments provider that offers tokenisation, as each business has its own perks and benefits — and bigger doesn’t always mean better.