Tokenisation, when applied to data security, is the process of
substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no
extrinsic or exploitable meaning or value.
The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenisation system. The mapping from original data to a token uses methods which render tokens infeasible to reverse in the absence of the Tokenisation system, for example using tokens created from random numbers.
The Tokenisation system must be secured and validated using security best practices applicable to
- Sensitive data protection,
- Secure storage,
- Audit,
- Authentication &
- Authorization.
The Tokenisation system provides data processing applications with the authority and interfaces to request tokens, or detokenize back to sensitive data.
Tokenisation in Payments
Tokenisation is the process of replacing sensitive data with surrogate values that remove risk but preserve value to the business. In other words, a traditional primary account number (PAN) is replaced by unique identification symbols to create a ‘token’.
To tokenise a payment transaction, the PAN is sent to a centralised and highly secure server called a ‘vault’ where it is stored in a PCI-compliant environment provided by a payment service provider (such as a payment system). Immediately after authorisation from the card issuer, a unique, token number (with its expiration date) is generated and returned to the merchant’s systems for use instead of the PAN.
While payment tokens are reversible and can be ‘mapped’ back to the traditional PAN by authorised parties, this is a highly complex process. The token is therefore meaningless if someone gained malicious and unauthorised access to the data.
How are tokens used?
A token is generated for one time use within a given and pre-defined environment, such as to purchase goods from an online retailer. In most circumstances, it will perform just like the original PAN for business functions such as returns, sales reports, marketing analysis, recurring payments etc. It cannot, however, be used to conduct a transaction outside of that merchant’s environment.
The data only has meaning within the pre-defined environment for which it was created.
For this reason, tokenisation offers a real alternative payment solution that could significantly reduce fraudulent activities. In this way, tokenisation can retain all the essential customer data without compromising its security.
The standardisation of payment tokenisation systems will promote credibility of this payment solution and encourage market interoperability. The framework provides different models and potential flows for several identified tokenisation scenarios, enabling suppliers to map existing solutions against these and develop new ones ready to meet new token service provider needs.
PCI Standards
PCI standards do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction. To be PCI compliant, merchants must install expensive end-to-end encryption systems or outsource their payment processing to a service provider who supplies a tokenisation facility. The service provider then handles the issuance of the token value and bears the responsibility for keeping the cardholder data locked down, for which they require industry proven secure solutions.
With Softwares which is available in the payments market, Banks and merchants can also become their own in-house service provider to manage their own mobile and e-commerce EMV payments solutions including tokenisation
The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenisation system. The mapping from original data to a token uses methods which render tokens infeasible to reverse in the absence of the Tokenisation system, for example using tokens created from random numbers.
The Tokenisation system must be secured and validated using security best practices applicable to
- Sensitive data protection,
- Secure storage,
- Audit,
- Authentication &
- Authorization.
The Tokenisation system provides data processing applications with the authority and interfaces to request tokens, or detokenize back to sensitive data.
Tokenisation in Payments
Tokenisation is the process of replacing sensitive data with surrogate values that remove risk but preserve value to the business. In other words, a traditional primary account number (PAN) is replaced by unique identification symbols to create a ‘token’.
To tokenise a payment transaction, the PAN is sent to a centralised and highly secure server called a ‘vault’ where it is stored in a PCI-compliant environment provided by a payment service provider (such as a payment system). Immediately after authorisation from the card issuer, a unique, token number (with its expiration date) is generated and returned to the merchant’s systems for use instead of the PAN.
While payment tokens are reversible and can be ‘mapped’ back to the traditional PAN by authorised parties, this is a highly complex process. The token is therefore meaningless if someone gained malicious and unauthorised access to the data.
How are tokens used?
A token is generated for one time use within a given and pre-defined environment, such as to purchase goods from an online retailer. In most circumstances, it will perform just like the original PAN for business functions such as returns, sales reports, marketing analysis, recurring payments etc. It cannot, however, be used to conduct a transaction outside of that merchant’s environment.
The data only has meaning within the pre-defined environment for which it was created.
What is the aim of tokenisation?
The process removes traditional PAN information from environments where data can be vulnerable and, if stolen, used for illegal purposes. Tokenisation completely and quickly disconnects the real PAN and replaces with a token, while maintaining backwards compatibility with existing business processes.For this reason, tokenisation offers a real alternative payment solution that could significantly reduce fraudulent activities. In this way, tokenisation can retain all the essential customer data without compromising its security.
So, what is new?
The standardisation of payment tokenisation systems will promote credibility of this payment solution and encourage market interoperability. The framework provides different models and potential flows for several identified tokenisation scenarios, enabling suppliers to map existing solutions against these and develop new ones ready to meet new token service provider needs.
PCI Standards
PCI standards do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction. To be PCI compliant, merchants must install expensive end-to-end encryption systems or outsource their payment processing to a service provider who supplies a tokenisation facility. The service provider then handles the issuance of the token value and bears the responsibility for keeping the cardholder data locked down, for which they require industry proven secure solutions.
With Softwares which is available in the payments market, Banks and merchants can also become their own in-house service provider to manage their own mobile and e-commerce EMV payments solutions including tokenisation
