Tokenisation – What is it and can it beat payment fraud?
Tokenisation seems to be one of the key buzzwords in the payment industry at the moment. However, what does this concept really mean and how does it benefit payments made today?
What is Tokenisation?
Tokenisation is a method of protecting sensitive data by replacing it with an algorithmically-generated number referred to as a ‘token’. In the payments world, tokenisation is commonly used to replace debit and credit card numbers in an attempt to prevent card fraud.
Under this form of tokenisation, a cardholder’s Primary Account Number (PAN) is replaced by a random number that is not linked to the card number prior to processing a transaction through the payments network. This process assists in mitigating the risk of exposing sensitive card data to unauthorised individuals or software that could potentially exploit the data by fraudulently duplicating the card details. It also prevents merchants from storing the PAN in databases, which are targets for hackers. Tokens cannot be decrypted or reverse-engineered. The only relationship between the original card number and its associated token number resides within the Token Service Provider.
What is a Token Service Provider?
A Token Service Provider (TSP) is a service provider that issues tokens, manages the lifecycle of tokens and stores the payment credentials associated with the tokens. TSPs can be an independent third party from the payment network or can be the actual card scheme (i.e. Visa, MasterCard, eftpos). TSPs must conform to strict security and privacy specifications defined by the global payment schemes and fall within the PCI-DSS compliance requirements.
Tokenisation in the Industry
Tokenisation takes many forms within the payments industry. One of the most prevalent uses of tokenisation is within the Mobile Payments space. When a cardholder provisions their payment card within an Apple or Google mobile wallet, the request is sent to the appropriate TSP to tokenise the card number. The token is then sent back to the mobile wallet for activation. The cardholder’s actual card number is never stored on the mobile device and as such cannot be extracted for misuse. All subsequent mobile transactions will use the token number as the payment credentials.
Tokenisation for in-app purchases is also on the rise due to its convenience. Some in-app purchases leverage the mobile payment functionality whereby the token stored on the mobile wallet is used to make a purchase within the phone application. An example of this would include purchasing tickets on the Ticketek app and instead of inputting credit card details, the user is able to select the Apple Pay option, which references the credentials stored within the mobile wallet. Not only does this option provide an easy streamlined purchase journey, it also removes any sensitive data from the transaction.
Tokenisation for card-on-file online purchases is also becoming more common given the recent occurrences of global data breaches. Wawa, a popular convenience store chain in the United States, confirmed in late 2019 the discovery of malware on their payment processing servers. The malware captured credit and debit card numbers, cardholder names and expiration dates. Card-on-file tokenisation protects a cardholder’s card credentials stored at online merchants with whom the cardholder frequently make purchases. Netflix holds the card credentials of all its customers for the purpose of charging the monthly subscription fees. The streaming service provider has recently undertaken a significant exercise of tokenising as much of its database as possible as a means to mitigate the risk of data breaches. As more online merchants migrate to tokenisation, the prevalence of card data breaches will hopefully decrease as well. Given that a new unique token is generated for each retailer, a security breach at one retailer will not compromise the security of the token data at another retailer.
Payment Account Reference – Providing a holistic view
Although the use of tokenisation enhances the security of digital payments, it also presents a challenge. If a cardholder’s card credentials are tokenised for use within Google Pay on an android phone, Apple Pay for an iPad and Netflix for monthly subscription payments, it becomes a one to many relationship. One single PAN is now linked to several tokens across different systems and platforms.
As only the TSP has the original data linking the PAN to the multiple tokens, the lack of visibility makes it difficult for other parties such as merchants to have a consolidated view of all transactions performed by the cardholder and subsequently provide value-add and compliance services. An example of this is the provision of fraud and anti-money laundering monitoring services. To provide the most effective service, there is a need to identify transactions on an aggregate card level to better assess customer behaviour and payment trends.
As a means to provide a consolidated view, some card schemes have introduced the use of a Payment Account Reference (PAR). According to a recent white paper published by EMVCo, a global entity facilitating worldwide interoperability of secure payment transactions, a PAR is a ‘non-financial reference assigned to each unique PAN and used to link a Payment Account represented by that PAN to affiliated Payment Tokens’. PAR is passed in the transaction message to the merchant so that they can reference this field when performing customer level analysis.
EMVCo affirms that this is a long term solution that will solve the issue by linking together disparate card-based and token-based transactions without compromising on security. Although this is the recommendation of EMVCo, it is the responsibility of the card payment schemes to adopt this concept and implement it into their respective payment ecosystems. eftpos is introducing support for PAR in the near future.