Indue Indue
Indue Connect
  • Home
  • Our Story
    • The Indue Difference
    • Our Clients
    • Industry Representation & Partners
    • Regulatory Disclosures
    • Corporate Responsibility and Giving Back
  • Our Markets
    • Fintechs
    • Retailers
    • Banking
    • Religious Charitable Development Funds
    • Mutuals
    • Mortgage Originators
    • Program Managers
    • Government
  • Our Solutions
    • New Payments Platform (NPP)
    • Orion Financial Crimes Service
    • Prepaid & Gift Card Programs | Indue
    • Mobile Payments
    • Nucleus Card Platform
      • Credit Cards
      • Debit Cards
    • Bureau Service
    • Payment Services
  • Our People
    • Our Culture
      • Join The Team
      • Life At Indue
    • Our Leadership
      • Our Board Members
      • Our Executive & Senior Leadership Team
  • News & Events
  • Media Centre
  • Contact Us
  • Call
Indue Indue
  • Home
  • Our Story
    • The Indue Difference
    • Our Clients
    • Industry Representation & Partners
    • Regulatory Disclosures
    • Corporate Responsibility and Giving Back
  • Our Markets
    • Fintechs
    • Retailers
    • Banking
    • Religious Charitable Development Funds
    • Mutuals
    • Mortgage Originators
    • Program Managers
    • Government
  • Our Solutions
    • New Payments Platform (NPP)
    • Orion Financial Crimes Service
    • Prepaid & Gift Card Programs | Indue
    • Mobile Payments
    • Nucleus Card Platform
      • Credit Cards
      • Debit Cards
    • Bureau Service
    • Payment Services
  • Our People
    • Our Culture
      • Join The Team
      • Life At Indue
    • Our Leadership
      • Our Board Members
      • Our Executive & Senior Leadership Team
  • News & Events
  • Media Centre
  • Contact Us
  • Call
  • Indue Latest Industry News and Events
Mar 24

Tokenisation – What is it and can it beat payment fraud?

  • March 24, 2020
  • Financial Crimes, Industry News, Mobile Payments, Technology

Tokenisation – What is it and can it beat payment fraud?

Tokenisation seems to be one of the key buzzwords in the payment industry at the moment. However, what does this concept really mean and how does it benefit payments made today?

Tokenisation payments data protection mobile wallet

What is Tokenisation?

Tokenisation is a method of protecting sensitive data by replacing it with an algorithmically-generated number referred to as a ‘token’. In the payments world, tokenisation is commonly used to replace debit and credit card numbers in an attempt to prevent card fraud.

Under this form of tokenisation, a cardholder’s Primary Account Number (PAN) is replaced by a random number that is not linked to the card number prior to processing a transaction through the payments network. This process assists in mitigating the risk of exposing sensitive card data to unauthorised individuals or software that could potentially exploit the data by fraudulently duplicating the card details. It also prevents merchants from storing the PAN in databases, which are targets for hackers. Tokens cannot be decrypted or reverse-engineered. The only relationship between the original card number and its associated token number resides within the Token Service Provider.

What is a Token Service Provider?

A Token Service Provider (TSP) is a service provider that issues tokens, manages the lifecycle of tokens and stores the payment credentials associated with the tokens. TSPs can be an independent third party from the payment network or can be the actual card scheme (i.e. Visa, MasterCard, eftpos). TSPs must conform to strict security and privacy specifications defined by the global payment schemes and fall within the PCI-DSS compliance requirements.

Tokenisation in the Industry

Tokenisation takes many forms within the payments industry. One of the most prevalent uses of tokenisation is within the Mobile Payments space. When a cardholder provisions their payment card within an Apple or Google mobile wallet, the request is sent to the appropriate TSP to tokenise the card number. The token is then sent back to the mobile wallet for activation. The cardholder’s actual card number is never stored on the mobile device and as such cannot be extracted for misuse. All subsequent mobile transactions will use the token number as the payment credentials.

Tokenisation for in-app purchases is also on the rise due to its convenience.  Some in-app purchases leverage the mobile payment functionality whereby the token stored on the mobile wallet is used to make a purchase within the phone application.  An example of this would include purchasing tickets on the Ticketek app and instead of inputting credit card details, the user is able to select the Apple Pay option, which references the credentials stored within the mobile wallet.  Not only does this option provide an easy streamlined purchase journey, it also removes any sensitive data from the transaction.

Tokenisation for card-on-file online purchases is also becoming more common given the recent occurrences of global data breaches.  Wawa, a popular convenience store chain in the United States, confirmed in late 2019 the discovery of malware on their payment processing servers.  The malware captured credit and debit card numbers, cardholder names and expiration dates.   Card-on-file tokenisation protects a cardholder’s card credentials stored at online merchants with whom the cardholder frequently make purchases.  Netflix holds the card credentials of all its customers for the purpose of charging the monthly subscription fees.  The streaming service provider has recently undertaken a significant exercise of tokenising as much of its database as possible as a means to mitigate the risk of data breaches.  As more online merchants migrate to tokenisation, the prevalence of card data breaches will hopefully decrease as well.  Given that a new unique token is generated for each retailer, a security breach at one retailer will not compromise the security of the token data at another retailer.

Payment Account Reference – Providing a holistic view

Although the use of tokenisation enhances the security of digital payments, it also presents a challenge.  If a cardholder’s card credentials are tokenised for use within Google Pay on an android phone, Apple Pay for an iPad and Netflix for monthly subscription payments, it becomes a one to many relationship.  One single PAN is now linked to several tokens across different systems and platforms.

As only the TSP has the original data linking the PAN to the multiple tokens, the lack of visibility makes it difficult for other parties such as merchants to have a consolidated view of all transactions performed by the cardholder and subsequently provide value-add and compliance services.  An example of this is the provision of fraud and anti-money laundering monitoring services.  To provide the most effective service, there is a need to identify transactions on an aggregate card level to better assess customer behaviour and payment trends.

As a means to provide a consolidated view, some card schemes have introduced the use of a Payment Account Reference (PAR).  According to a recent white paper published by EMVCo, a global entity facilitating worldwide interoperability of secure payment transactions, a PAR is a ‘non-financial reference assigned to each unique PAN and used to link a Payment Account represented by that PAN to affiliated Payment Tokens’.  PAR is passed in the transaction message to the merchant so that they can reference this field when performing customer level analysis.

EMVCo affirms that this is a long term solution that will solve the issue by linking together disparate card-based and token-based transactions without compromising on security.  Although this is the recommendation of EMVCo, it is the responsibility of the card payment schemes to adopt this concept and implement it into their respective payment ecosystems.  eftpos is introducing support for PAR in the near future.

Resources: 

EMVCo’s White Paper on Payment Account Reference (PAR)

  • Facebook
  • Twitter
  • LinkedIn
  • E-Mail

Related Posts

  • AusPayNet 2020 Payment Fraud Report – Fraud Statistics Jul 19 – Jun 20December 7, 2020
  • IBM Safer Payments – Indue’s fraud monitoring platform wins AwardOctober 1, 2020
  • AusPayNet 2020 Payment Fraud Report ReleasedAugust 31, 2020
  • Multi-Channel Real Time AI Fraud SolutionDecember 2, 2019

Leave a reply Cancel reply

Your email address will not be published. Required fields are marked *

CATEGORIES

  • Artificial Intelligence (AI)
  • Events
  • Financial Crimes
  • Fintech
  • Indue
  • Industry News
  • Mobile Payments
  • NPP
  • Open Banking
  • Prepaid
  • Technology
  • Webinar

Subscribe to Indue News

Our Story

The Indue Difference

Our Clients

Industry Representation & Partners

Regulatory Disclosures

Our Markets

Fintechs

Retailers

Banking

Religious Charitable Development Funds

Mutuals

Mortgage Originators

Program Managers

Government

Our Solutions

New Payments Platform (NPP)

Orion Financial Crimes Service

Prepaid & Gift Card Programs

Mobile Payments

Nucleus Card Platform

Payment Services

Connect With Us

Enquire Online

LinkedIn

Twitter

YouTube

© Copyright 2018 Indue Ltd | ABN 97 087 822 464 | AFSL No 320204 Legal, Privacy Policy & CookiesFinancial Claims Scheme

Please fill in your details below and you will be redirected to The Orion Financial Crimes brochure after submiting the form.

 

  • This field is for validation purposes and should be left unchanged.
Please fill in your details below and you will be redirected to The Orion Financial Crimes brochure after submiting the form.

 

Contact Indue
  • This field is for validation purposes and should be left unchanged.