Tuesday, September 30, 2014

What is Payment Tokenisation?

Tokenisation, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.

The token is a reference (i.e. an identifier) that maps back to the sensitive data through a tokenisation system. The mapping from original data to a token uses methods that make the token infeasible to reverse without the tokenisation system, for example by creating tokens from random numbers rather than deriving them from the original data.

The tokenisation system must be secured and validated using security best practices applicable to:

- sensitive data protection,
- secure storage,
- audit,
- authentication, and
- authorisation.

The tokenisation system provides data processing applications with the authority and interfaces to request tokens, or to detokenise back to the sensitive data.

Tokenisation in Payments

Tokenisation is the process of replacing sensitive data with surrogate values that remove risk but preserve value to the business. In other words, a traditional primary account number (PAN) is replaced by unique identification symbols to create a ‘token’.

To tokenise a payment transaction, the PAN is sent to a centralised and highly secure server called a ‘vault’, where it is stored in a PCI-compliant environment provided by a payment service provider (such as a payment system). Immediately after authorisation from the card issuer, a unique token number (with its own expiration date) is generated and returned to the merchant’s systems for use instead of the PAN.

While payment tokens are reversible and can be ‘mapped’ back to the traditional PAN by authorised parties, this is a highly controlled process that can only be performed through the vault. The token is therefore meaningless to anyone who gains unauthorised access to the data.

How are tokens used?

A token is generated for one-time use within a given and pre-defined environment, such as purchasing goods from an online retailer. In most circumstances, it will perform just like the original PAN for business functions such as returns, sales reports, marketing analysis, recurring payments etc. It cannot, however, be used to conduct a transaction outside of that merchant’s environment. The data only has meaning within the pre-defined environment for which it was created.

What is the aim of tokenisation?

The process removes traditional PAN information from environments where data can be vulnerable and, if stolen, used for illegal purposes. Tokenisation completely and quickly disconnects the real PAN and replaces it with a token, while maintaining backwards compatibility with existing business processes.
For this reason, tokenisation offers a real alternative payment solution that could significantly reduce fraudulent activity. In this way, tokenisation retains all the essential customer data without compromising its security.

So, what is new?

The standardisation of payment tokenisation systems will promote credibility of this payment solution and encourage market interoperability. The framework provides different models and potential flows for several identified tokenisation scenarios, enabling suppliers to map existing solutions against these and develop new ones ready to meet new token service provider needs.

PCI Standards

PCI standards do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction. To be PCI compliant, merchants must either install expensive end-to-end encryption systems or outsource their payment processing to a service provider that supplies a tokenisation facility. The service provider then handles the issuance of the token value and bears the responsibility for keeping the cardholder data locked down, for which it requires industry-proven secure solutions.

With software now available in the payments market, banks and merchants can also become their own in-house service provider and manage their own mobile and e-commerce EMV payment solutions, including tokenisation.

Sunday, September 14, 2014

Parties Involved in the Dutch(Netherlands) Payments System

The payment system plays a pivotal role in the Dutch economy.

Millions of payments are processed each day, by debit card and giro, both nationally and internationally. 

Different payment methods and rules exist in the Dutch and international payment systems. The payment market features many parties, each making stringent demands with regard to the quality of daily payments. It is a market that benefits from continuous innovation of products and services.

The Payments Association organizes the collective tasks in the national payment system for its members. Within its role, the Payments Association consults with numerous parties on behalf of its members. These parties include enterprise and consumer umbrella organizations, social interest groups, parties involved in infrastructure, brand owners and regulators.

Supply side

The members of the Payments Association are providers in the payment system. They are payment services providers that offer end products on the market (to both businesses and private individuals) independently. In other words: banks, electronic money institutions and payment institutions. The Payments Association works closely with its members and consults with them regularly on developments and activities.

Demand side

The demand side includes the end users of payment services, both business owners and consumers. The Payments Association is committed to actively involving representatives of end users in its activities. In this way, the Payments Association fulfils its social role in the payment system.

Legislation and supervision

The payment system must comply with various laws and rules, both nationally and internationally. The Payments Association consequently deals with government authorities such as the Ministry of Finance, regulatory bodies such as the Dutch Central Bank (Nederlandsche Bank, DNB) and the Netherlands Competition Authority (Nederlandse Mededingingsautoriteit, NMa), the European Commission and other organisations that monitor legislation and regulations.

Regulations and standards

Regulations concerning payment products are necessary in order to clarify which roles and activities parties in the payment market may carry out for a particular payment product. An example of such a regulation is the stipulation that transaction processors and banks must ensure that a merchant will receive the amount of a PIN transaction in his bank account within 24 hours on business days.
Standards help to enable the different parties and links in the payment chain to work together properly. For example, there is a standard that prescribes how cash register systems and POS terminals are to be linked together to ensure that devices made by different manufacturers can be connected properly. There are also standards for giro-based transactions.
The Payments Association keeps track of national and international rules and standards that are relevant to its members and stakeholders, provides detailed information on how those rules and standards can be applied and helps its members to develop their own rules and standards.

Infrastructure

The processing of electronic and giro-based payments requires hardware, software, communication links and communication networks. Parties involved in this include: document processors, debit card suppliers, transaction processors, data communication providers, POS terminal suppliers, cash register suppliers and software suppliers. The Payments Association administers rules and requirements for these parties in the payment system and certifies hardware such as POS terminals and data communication lines. It also monitors compliance with rules and agreements in order to ensure and further improve the security and reliability of the payment system.


Payments ECO System - Between Consumers and Merchants