The Role of Tokenisation in Payments

With the drastic shift towards a cashless economy, card payments and digital wallets have witnessed an unprecedented surge in usage. Today, we can conduct transactions using mobile devices and even smartwatches, making the payment experience incredibly convenient. However, concerns especially among the older generation, have been frequently voiced regarding the security behind these systems.

The apprehension is understandable as safeguarding personal data should be a top priority for everyone. Let’s face it – who wants to lose their hard-earned money simply because they choose a cashless payment method? 

What many might not realise though is that modern payment systems have implemented complex security measures to address these concerns. One such measure is known as tokenisation.

What is Tokenisation?

In very simple terms, at its core, tokenisation is the process of replacing sensitive data with temporary or proxy information. 

Imagine a security company whose primary role is to investigate high-profile individuals for unlawful activities. To protect the identities of its employees, rather than storing their ID card number, it generates unique numbers that have nothing to do with their actual ID card numbers. This is done through a one-way algorithm.

These generated unique numbers are used in all communications and within the company’s systems, thus ensuring that employees’ identities remain confidential at all times.

Tokenisation is very similar to the example described above – it involves the generation of a number that bears no relationship with the card/PAN number but can be traced back to it as the mapping is stored in a secured database.

How do Tokenisation work?

Example: Tokens generated by the bank.

Imagine you are at your favourite boutique, ready to make a purchase using your Android mobile device through NFC (Near Field Communication). 

1. As soon as you tap the terminal with your phone, the phone passes your PAN (primary account number) to Google.
2. Google establishes communication with your bank, requesting a token to be used for your device’s interaction with the merchant.
3. The bank generates a unique token and sends it back to Google.
4. Google relays the token back to your mobile, which is then transmitted to the merchant using NFC.
5. The merchant, in this case your favourite boutique, shares this token with the Acquirer which subsequently sends the token back to the bank.
6. The bank looks at it ‘security vault’, which is basically where it stores the mapping of tokens with PANs and matches the token with the real PAN. If it matches, the bank will then process the transaction, otherwise the transaction is automatically rejected.
7. The bank notifies the Acquirer if the transaction was successful, which in turn informs the terminal.
8. Your mobile device receives a prompt from the terminal and displays a message, confirming the payments has been successfully processed.

This approach ensures that no sensitive information is passed throughout the entire payment experience as the merchant never gains access to personal information. All details remain securely stored within the bank, with only ‘random’ numbers being utilised throughout the payment process.

Example: Tokens generated by Card Schemes

In contrast to the previous example where the token was generated by the bank, let’s explore another situation where the token is generated by the Card Scheme, such as Visa and Mastercard. 

1. When you add your payment card to your Google Pay digital wallet, the digital wallet application asks the card scheme to create a token.
2. The card scheme generates the token, associating it with your device and wallet, thereby linking it to your account for future transactions.
3. The card scheme sends the token back to your digital wallet where it is securely stored.
4. Upon tapping your mobile phone on the boutique’s terminal, a payment is initiated through the digital wallet. At this stage, the token (rather than your card details) is transmitted to the merchant and payment processor.
5. The token is forwarded to the card scheme, which performs authorisation checks including the validation of the token’s authenticity. 
6. Following these checks, the card scheme responds to the merchant and payment processor with an authorisation response.
7. If the transaction is approved, the payment processor proceeds with the final authorisation, which may include additional checks such as those aimed at fraud prevention. The transaction is processed if all checks are successfully cleared.
8. The terminal receives the transaction status (i.e. whether it was successfully processed), prompting your mobile device to display the payment status. 

I have intentionally simplified certain aspects of the flow to offer newcomers in this field a foundational understanding of tokenisation. In reality, technical details and parties involved may vary based on the payment ecosystem, regulations, and the specific digital wallet platform.

In today’s digital age, where the security of sensitive payment information is paramount, tokenisation has emerged as a game-changer in the world of payment processing. The use of non-card details throughout the entire payment eco-system has drastically reduced fraud, prompting card schemes like Visa to lower interchange fees for merchants utilising card-not-present network token transactions. This resulted in cost savings for merchants.

Additionally, in instances of repeated purchases such as memberships, tokenisation has reduced the challenge of merchants having to notify customers to update their card payment details when the card expires.  This is because the merchant (e.g. an e-commerce site) does not store and use your card details, but instead utilising your generated token which does not change with a renewal of the physical card. 

By prioritising the implementation of tokenisation, banks can, not only protect sensitive data but also unlock opportunities for growth, fraud prevention, and enhanced customer satisfaction in today’s dynamic and interconnected world of commerce.