Tokenization Explained

  • In news: RBI issues guidelines for tokenisation of card transactions.
  • RBI has given permission to offer tokenised card transactions services to all channels such as near field communication (NFC), magnetic secure transmission (MST) based contactless transactions, in-app payments, QR code-based payments or token storage mechanisms, including cloud, secure element and trusted execution environment.
  • Tokenisation and de-tokenisation shall be performed only by the authorised card network and recovery of original Primary Account Number (PAN) should be feasible for the authorised card network only, the release said.

What is tokenization?

  • Tokenization is the process of protecting sensitive data by replacing it with an algorithmically generated number called a token.
  • Tokenization is often used to prevent credit card fraud.
  • In credit card tokenization, the customer’s primary account number (PAN) is replaced with a series of randomly generated numbers, which is called the “token.”
  • These tokens can then be passed through the internet or the various wireless networks needed to process the payment without actual bank details being exposed.
  • The actual bank account number is held safe in a secure token vault.

How does it work?

  • Typical consumer credit/debit cards come with names, 16-digit primary account numbers (PANs), expiration dates and security codes, any of which can be “tokenized.”
  • Let’s use the 16-digit PAN (4321-1234-5678-8765) as an example. When a merchant swipes a customer’s card, the PAN is automatically replaced with a randomly generated alphanumeric ID (“token”).
  • 4321-1234-5678-8765 becomes something like a7f6%gf83fhAu on the merchant’s end. The original PAN never enters the merchant’s payment system; only the token ID does. The merchant can use this special token ID to keep records of the customer (e.g. a7f6%gf83fhAu = John Smith).
  • This token then gets transmitted to the payment processor who de-tokenizes the ID and authorizes payment.
  • a7f6%gf83fhAu becomes 4321-1234-5678-8765 on the processor’s end.
  • This token is only readable by the payment processor; it is meaningless to any other party (including the merchant). Someone who manages to get hold of this ID has no way of linking the token back to the original primary account number.
  • Moreover, this randomly generated token is only valid with that single merchant. The ID can never be used to initiate payment with another retailer.

How are tokens generated?

  • Tokens can be generated through mathematically reversible algorithms, one-way non-reversible cryptographic functions, or static tables mapped to randomly generated token values.
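
The static-table approach, combined with the merchant binding described under “How does it work?”, as an added Python example (not code from the original article or from any card network). The class name TokenVault, the merchant IDs and the 13 to 19 digit length check are assumptions made for illustration.

```python
import secrets


class TokenVault:
    """Static-table tokenization: random tokens mapped to PANs, held only by the vault operator."""

    def __init__(self):
        self._by_token = {}  # token -> (pan, merchant_id)
        self._by_pair = {}   # (pan, merchant_id) -> token

    def tokenize(self, pan: str, merchant_id: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19:  # assumed plausibility check on PAN length
            raise ValueError("not a plausible card number")
        pair = (digits, merchant_id)
        if pair in self._by_pair:
            # Same card at the same merchant keeps its token, so the merchant
            # can key customer records on it without ever seeing the PAN.
            return self._by_pair[pair]
        while True:
            # Drawn from a CSPRNG, not derived from the PAN: nothing to reverse.
            token = secrets.token_urlsafe(12)
            if token not in self._by_token:
                break
        self._by_token[token] = pair
        self._by_pair[pair] = token
        return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        entry = self._by_token.get(token)
        # A token presented by any merchant other than the one it was issued
        # for is rejected, so a stolen token cannot be replayed elsewhere.
        if entry is None or entry[1] != merchant_id:
            raise PermissionError("unknown token or wrong merchant")
        return entry[0]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4321-1234-5678-8765"  # the article's sample PAN
    token_a = vault.tokenize(pan, "merchant-A")  # constructed merchant IDs
    token_b = vault.tokenize(pan, "merchant-B")
    print("merchant A stores:", token_a)
    print("merchant B stores:", token_b)
    print("vault recovers   :", vault.detokenize(token_a, "merchant-A"))
    try:
        vault.detokenize(token_a, "merchant-B")
    except PermissionError as err:
        print("replay at B      :", err)
```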

Advantages of tokenization:

  • The biggest benefit to all involved is that payment card numbers are no longer used or saved where unauthorized access can occur.
  • For customers, this means added security and convenience. It eliminates the need to enter and re-enter the account number when shopping on a smartphone, tablet or computer, enabling one-click (or even “0-click”) payments for shoppers.
  • It is safer than magnetic stripes: because tokens don’t carry the consumer’s primary account number, there is less risk in storing tokens on mobile devices, online by e-commerce merchants, and in cloud-based mobile platforms and applications.
  • Even if a system holding tokens is hacked, the attacker finds nothing of use, because tokenization devalues the stored data.
  • Eliminates the need for your cards to physically leave your hands
  • Enhances transaction efficiency
  • Provides a secure method for third-party enablement (for example, wallets, near-field communication (NFC) and quick response (QR) codes).
  • It potentially reduces the merchant’s effort to implement PCI DSS (Payment Card Industry Data Security Standard) requirements.
