A simple, beginner’s explanation.
I have been at Visa for 6 months now and Tokenisation is a concept that everyone talks about here. But it is admittedly not something very easy to understand, and I have spent a significant part of the last few months to understand the basics. This is my attempt to simplify how tokenisation works in payments.
Tokenisation is a term that is often used in the world of payments. Simply put, tokenisation is the process of substituting valuable or sensitive information with a “token”, which is then used instead of the underlying sensitive information. If the token is lost or accessed by a fraudster, they can do nothing with it: a randomly generated token means nothing on its own. This process is different from “encryption”, where the data is converted into a code that can be decoded using a decryption key. Encryption is used extensively in modern communication systems, such as email, instant messaging, and online transactions, to protect sensitive information from unauthorized access. It is also used to secure data on devices such as computers, smartphones, and USB drives. While encrypted data is hard to decode, it remains possible for fraudsters and hackers to decode it (for example by obtaining the key) and get access to the sensitive information, whereas a token has no underlying data to recover.
Introduction to tokenisation in payments
As mentioned above, tokenisation is a process of substituting sensitive payment information with a unique identifier that represents the original data. In the context of payments, tokenisation is used to enhance security by replacing sensitive payment details like credit card numbers, bank account numbers, or other payment credentials with a randomly generated token. The token is then used to complete the payment transaction instead of the actual payment information.
Tokenisation is a widely used security technique in the payment industry. It is commonly used by payment processors, merchants, and financial institutions to secure payment information, reduce fraud, and enhance customer trust. We will explore the concept of tokenisation in payments, its benefits, and its implementation.
As payments technology is evolving, we find ourselves using the physical card less and less. With methods such as Apple Pay, Google Pay, contactless payment devices, card details stored online with merchants, browsers and devices, gaining prominence, tokenisation helps improve the safety and reliability of the payment infrastructure.
Before we get into implementation, let’s understand what are the benefits of tokenisation.
Benefits
In any card-based payment system there are 5 main players. I have written about it here. Each of these players benefits from the tokenisation process in different ways.
- Cardholder
- Increased security: Tokens are often secured through biometric / facial recognition (think Apple Pay Face ID before you pay) or an additional level of security such as device information (more on that in a bit), which means no one can easily use your payment methods now. If someone steals your phone, the thief can’t use the cards saved on it. And you can disable them instantly as well.
- Frictionless UX: If you have ever used Apple Pay / Google Pay, you know how easy it is to pay for things. Apple Pay is the pioneer in tokenising transactions and all companies are trying to build a comparable UX.
- Additional benefits: not having to update card credentials after expiry, and adding newly issued cards to wallets seamlessly, are also benefits of tokenisation.
- Acquirer
- Higher approval rates: When transactions are tokenised, they are more likely to be approved. This means fewer failed transactions, which is good because every failed transaction is a cost to the system. The acquirer benefits by seeing higher approval rates.
- Reduced fraud: Because of the added security there is less fraud, which means the acquirer doesn’t have to deal with as many fraud claims and resolutions. Reduced costs and greater efficiency.
- Reduced data security costs: Acquirers need to store PAN (Primary Account Number, the 16-digit card number) details to pass through the system. This means they need to comply with regulations (PCI DSS), which means additional data security costs. Tokenised transactions help reduce that cost.
- Issuer
- Higher approval rates: Because of the way issuers make money, higher approval rates means more transactions going through, meaning more money. If the issuer is happy about the security of the transaction, it approves it.
- Reduced fraud: Lower fraud due to higher security means lower costs dealing with claims and resolutions.
- Faster issuing of cards: With lost or expired cards, issuers can easily update the credentials and make it available to the consumer to add it to their wallets. This enables more transactions, hence issuers make more money.
- Payment network
- The network benefits when the ecosystem benefits. More successful transactions going through means more people preferring the method. The more secure and seamless the transaction, the more it is preferred by issuers and payment service providers.
- Network fees: Whether it is a token or a PAN, the payment network makes money by transmitting information.
- Token service provider: Visa (where I work) and other payment networks provide token services and related services as well, and charge for it. So additional money!
- Merchant
- Higher sales: With tokenisation, the frictionless UX and ease of payment enable higher sales. Pay with Apple Pay, boop! payment done! No need to enter a PIN, wait for the internet, etc. Or a saved card on file (Netflix, for example): save your card credentials with the merchant and stop worrying about payments.
- Lower fraud: Merchants have to worry less about fraudulent transactions.
So as is evident, tokenising payments is a really useful thing to do and it improves the ecosystem by reducing fraud and making things easier to pay for.
The tokenisation process introduces three “new” players in this ecosystem. However, in most cases, the existing players just take up these roles.
- Token Requester (TR): Has the direct relationship with the consumer. This role is mostly played by the merchant, so for all practical purposes this is the merchant.
- Token Service Provider (TSP): This is usually the network. So Visa, MasterCard, Amex etc.
- Token Requester - Token Service Provider (TR-TSP): This is usually the acquirer. They become the conduit between the TR and the TSP and facilitate the tokenisation of transactions.
Now, how does it work?
Tokens are commonly used when you use Apple Pay (or any other phone-based wallet such as Samsung Pay or Google Pay), or sometimes by the merchant you shop with, say Netflix or Amazon (where you have stored your card details for future or recurring payments). As mentioned, the benefits are spread across the ecosystem, which is why tokenised payment methods are preferred.
As mentioned before, the cardholder almost never knows that this process of tokenisation is happening.
Apple Pay is the pioneer in this ecosystem, as a payment method, and is by far the best for user experience. Other Pays also provide a similar user experience with some differences.
The above schematic represents the first time the token is being created and stored.
- User enters their card details. This could be on Netflix, or enrolling the card for the first time on Apple Pay.
- Apple Pay / Netflix sends the card details to the acquirer (e.g. Stripe or Adyen) with a request to tokenise the card credentials.
- The acquirer sends all this information to the Token Service with a request to tokenise. The request goes to whichever network the card belongs to. For Visa cards, the tokenisation request goes to Visa.
- Visa Token Service checks all the details that come through (merchant details, device information, location and many other things, for security purposes) and then assigns a random 16-digit token to the card. Only Visa knows the mapping between the token and the card credential, and this mapping is stored in a highly secured vault.
- After assigning the token, Visa tells the issuer: “Hey, we are tokenising this card credential, just want to tell you this. If you are okay with all the information, please approve this request.”
- The issuer confirms this request. The issuer wants to make sure that this is not a fraudulent request, i.e. that the person whose details are on the card is also the person making the request. In this step the issuer will ask the cardholder to confirm their identity, either in the issuer’s own app or with an OTP (one-time password).
- Once you confirm on the bank (issuer) app that it really was you who requested to add your card to Apple Pay (or Netflix), the issuer tells Visa Token Service that everything is good and verified.
- Visa now sends the positive confirmation of the request to the acquirer, along with the token.
- The acquirer sends the token to Apple Pay / Netflix to be stored.
This token is secure because additional data, such as device information, who the token requestor is, location, timing, and the verification by the issuer, is all stored with the token in the vault, without revealing any sensitive information to anyone outside of the system.
Every time you now pay with Apple Pay using your phone or your watch, Apple Pay just sends the token. No card credentials are shared across the ecosystem. When this token reaches Visa, Visa detokenises it and sends the resulting information to the issuer. When all of this matches what was stored in the vault, the issuer has a lot of confidence that there is a very low chance this is a fraudulent transaction, and approves it. Thereby, tokenisation makes the whole payment infrastructure more secure.
So instead of using the PAN (card credentials) to pay for anything, a token is used, which contains no sensitive financial information.
When you pay for anything, Apple Pay sends the token (which was stored earlier) to the merchant. The merchant sends the token, the bill amount and other details to the acquirer. The acquirer sends it to Visa / MasterCard to detokenise and check that everything is okay. Visa detokenises it, retrieves the underlying card credentials, and sends all of that information to the issuer. The issuer is convinced this transaction is good and sends back an approval, and the transaction confirmation is sent to the merchant through the acquirer.
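To make the enrolment flow above and the payment flow concrete, here is a toy token service written for this post (it is not Visa’s code or any real TSP API). The vault, the issuer’s identity check, the device binding and the PAN are all constructed placeholders; `4111111111111111` is a well-known test card number, not a real card.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data (not real cards or real issuer records).
TEST_PAN = "4111111111111111"
ISSUER_BOOK = {TEST_PAN}             # cards this toy issuer has issued
CARDHOLDER_CONFIRMED = {TEST_PAN}    # cardholder said "yes, it's me" in the bank app / via OTP

def issuer_verifies(pan: str, requester: str) -> bool:
    """Enrolment steps 5-6: issuer checks the card is theirs and the cardholder approved."""
    return pan in ISSUER_BOOK and pan in CARDHOLDER_CONFIRMED

@dataclass
class TokenRecord:
    pan: str
    requester: str   # who asked for the token (Apple Pay, Netflix, ...)
    device_id: str   # device the token was provisioned to (the "device information")
    active: bool = True

class TokenService:
    """Toy TSP: the vault is the only place the token-to-PAN mapping exists."""
    def __init__(self, issuer_check=issuer_verifies):
        self.vault = {}                 # token -> TokenRecord
        self.issuer_check = issuer_check

    def provision(self, pan: str, requester: str, device_id: str):
        """Enrolment steps 3-7: returns a 16-digit token, or None if the issuer declines."""
        if len(pan) != 16 or not pan.isdigit() or not self.issuer_check(pan, requester):
            return None
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        while token in self.vault or token == pan:   # random, unique, never the PAN itself
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        self.vault[token] = TokenRecord(pan, requester, device_id)
        return token

    def detokenise(self, token: str, requester: str, device_id: str):
        """Payment step: hand back the PAN only if the token is live and the context matches."""
        rec = self.vault.get(token)
        if rec is None or not rec.active:
            return None
        if rec.requester != requester or rec.device_id != device_id:
            return None   # token presented from another device or merchant: worthless to a thief
        return rec.pan

    def suspend(self, token: str) -> None:
        """Phone reported stolen: the token is disabled, the underlying card stays usable."""
        if token in self.vault:
            self.vault[token].active = False

def authorise(tsp: TokenService, token: str, requester: str, device_id: str, amount: int) -> str:
    """Merchant -> acquirer -> network -> issuer, simplified: approve only if detokenisation succeeds."""
    pan = tsp.detokenise(token, requester, device_id)
    return "declined" if pan is None or amount <= 0 else "approved"
```

Note that the merchant and acquirer only ever handle the token; the PAN appears solely inside `detokenise`, which is what removes them from PCI DSS scope for that data.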
Types of Tokens (technologies)
Very broadly speaking there are 3 kinds of tokens that exist:
- Secure Element: Secure Element tokens are stored in physical chips embedded in mobile devices or smart cards, designed to store and protect sensitive information such as payment credentials. These tokens are highly secure and can only be accessed by authorized parties. This is what Apple Pay uses, as Apple devices all contain this piece of hardware, which makes them extra secure because the token is device-specific.
- HCE (Host Card Emulation): HCE tokens are a software-based token technology that enables mobile devices to “emulate” the functionality of a physical payment card. HCE tokens are stored in the cloud and can be accessed through a mobile app. This technology is device-agnostic, and is what Google Pay and Samsung Pay use on the phones they are compatible with. Because it is a cloud-based service, it is slightly less secure than a Secure Element. HCE tokens are more convenient than SE tokens since they do not require specialized hardware; they are also easier to implement and can be used on a wider range of mobile devices.
- E-commerce Tokens / Cloud Tokens: Software tokens are digital tokens that are stored on a device or server. They are typically used in online payments, providing an extra layer of security by replacing sensitive payment information with a randomly generated token. This is the type used by online merchants like Netflix or Amazon. It is device-agnostic and can be implemented easily with the help of the token service provider. Cloud tokens can also be reinforced with additional data, such as device information and other information about the user, to make them more secure.
Conclusion
Tokenisation is an innovative technology that improves the security and efficiency of payments, reducing fraud and the risks associated with data breaches. It is becoming an essential part of the payments ecosystem and will lead to an increase in mobile and online payments, providing a more convenient and seamless experience for customers.