Tokenisation
Payment tokenisation is vital in preventing fraud and crafting an exceptional customer experience. By using tokens instead of actual card information, businesses can provide their customers with a secure and seamless payment experience while reducing the risk of data breaches and fraud.

What is tokenisation?
Payment tokenisation is a security technique that replaces sensitive payment information with a unique, random set of characters called a ‘token’. This process helps keep payment data safe during transactions because the card information is not being used or stored.
Benefits of tokenisation
Tokenisation offers significant advantages for various types of businesses that handle sensitive payment data, including:
- E-commerce retailers: Tokenisation helps to safeguard customer payment data and reduce the risk of breaches or fraud in online transactions.
- Subscription-based services: Companies offering recurring billing can securely use tokenisation to handle customer payment data for ongoing transactions.
- Brick-and-mortar retailers: Although more common in online transactions, tokenisation can benefit physical shops using point-of-sale (POS) systems or mobile payment solutions by providing an extra layer of security.
- Platforms and marketplaces: Payment tokenisation enhances security and streamlines the management of sensitive payment data when multiple parties are involved in complex transactions, fostering trust and scalability in platform businesses' operations.
Types of tokens
There are several distinct types of payment tokens that merchants can use:
Acquirer tokens
Acquirer tokens are generated by acquirers when they process cardholder transaction requests on behalf of merchants. Acquirers typically return these tokens to merchants in their transaction response. Acquirer tokens are specific to the acquirer that issued them: the acquirer generates and owns them and is the only party that can use them.
Issuer tokens
Card issuers generate issuer tokens for specific use cases, including card-based applications such as Apple Pay, Google Pay and Samsung Pay. These tokens are usually provided to a cardholder’s mobile app, card chip or wallet application. Issuer tokens belong to the issuer instead of the merchant and may not be as helpful in facilitating customer journeys within a merchant’s environment.
Network or scheme tokens
The Visa, Mastercard, American Express, Discover, JCB and China UnionPay credit card networks generate these tokens. Each card network operates its own scheme token service. Network or scheme tokens are therefore like issuer tokens, except that the card networks generate them rather than the issuing banks.
Payment tokens
Payment tokens are a relatively new variant of issuer tokens, generated on behalf of at least one card issuer in a framework known as a token program. Merchants and cardholders can request these tokens for specific use cases. For example, a cardholder may request a device-specific token if they initiate a transaction through a mobile application.
Merchant tokens
Merchant tokens are generated specifically for a merchant by a provider of its choosing. The provider generates a merchant token after cardholders tender their card for transaction processing.
Additionally, there are three main formats that tokens can take:
Non-format preserving tokens
With non-format preserving tokens, the token takes a different format than the sensitive information it’s replacing. For example, the token replacing a nine-digit Social Security Number (SSN) could be six characters long and use a random combination of numerical and non-numerical characters, such as ‘T@%3N5’.
Format preserving tokens
Here, the token maintains the same format as the original bit of sensitive information, but the values are randomly changed. For example, a ‘1234 5678 9012 3456’ credit card number could have a token value of ‘9687 4595 3211 7312’.
Partial replacement tokens
Partial replacement tokens, also called selective masking, are tokens in which some of the original values are left unchanged. For example, a credit card number of ‘1234 5678 9012 3456’ might become ‘1234 5698 3211 3456’ or ‘1234 XYZ# ABC& 3456’.
How does tokenisation work?
When a customer makes a transaction, they provide their payment information to the business. Depending on how the business's payment system is set up, it may send the sensitive data to a secure tokenisation service, typically provided by a payment processor or third-party tokenisation vendor.
The tokenisation process uses algorithms, encryption methods and secure storage to generate a unique token representing the original payment data. This token is typically a random string of characters or numbers with no inherent value or meaning outside the specific payment system.
The token is stored in the business's system, replacing the sensitive payment data. The original payment data is stored securely in the tokenisation service's secure vault, which is designed to protect against unauthorised access and data breaches.
When the business needs to process the transaction, it can send the token to the payment processor or tokenisation service. The service then maps the token back to the original payment data securely, allowing the transaction to be completed without exposing the sensitive information to the business or other intermediaries.
For recurring transactions, such as subscriptions or stored customer profiles, the same token can be used multiple times without collecting sensitive payment data again. This simplifies the payment process while maintaining security.
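The flow described above, combined with a partial replacement token that keeps the card number's length and last four digits, as an added example that is not from the original page. TokenVault, its method names and the caller labels are hypothetical, the card number is a widely published test value, and rejecting tokens that pass the Luhn checksum is an assumed design choice so that a token cannot be mistaken for a real card number.

```python
# Added illustration: an in-memory vault; a real service persists and encrypts this state.
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed stand-in for the tokenisation service's secure vault."""

    def __init__(self, authorised_callers):
        self._index_key = secrets.token_bytes(32)   # keys the card-number lookup index
        self._by_token = {}                          # token -> card number (the vault)
        self._by_pan = {}                            # HMAC(card number) -> token, for reuse
        self._authorised = set(authorised_callers)

    def tokenise(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("not a card number")
        idx = hmac.new(self._index_key, digits.encode(), hashlib.sha256).digest()
        if idx in self._by_pan:                      # recurring use: same token again
            return self._by_pan[idx]
        while True:
            # Random digits, same length, last four kept (partial replacement).
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Reject collisions and Luhn-valid values so a token never looks like a real card.
            if token not in self._by_token and not luhn_valid(token) and token != digits:
                break
        self._by_token[token] = digits
        self._by_pan[idx] = token
        return token

    def detokenise(self, token: str, caller: str) -> str:
        if caller not in self._authorised:
            raise PermissionError(f"{caller} may not detokenise")
        return self._by_token[token]
```

The business's own systems hold only the value returned by tokenise(); the mapping back to the card number exists solely inside the vault and is released only to callers on its allow-list.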
Encryption vs tokenisation
Encryption and tokenisation are both data protection methods used to secure sensitive information, but they differ in how they work and the use cases for which they are best suited. Tokenisation replaces sensitive data with unique tokens with no intrinsic value, while encryption transforms data into an unreadable format that can be reversed with a decryption key. In other words, tokenisation focuses on data substitution, while encryption focuses on data transformation.
Data masking vs tokenisation
Data masking and tokenisation are both methods used to protect sensitive data, but they differ in their purposes, how they work and the level of security they provide. Data masking hides parts of data to create realistic but de-identified versions, primarily for non-production uses. On the other hand, tokenisation replaces sensitive data with a token, securing it in live production environments. It can only be reversed through access to a secure vault.
Tokenisation vs embedding
Tokenisation and embedding are two concepts used in computing, particularly in data security (tokenisation) and natural language processing (embedding). Tokenisation replaces sensitive data with non-sensitive tokens for security and regulatory purposes. Conversely, embedding is a method used in machine learning to represent data (like words or images) as vectors for more effective analysis and processing.
Benefits of tokens
Payment tokenisation offers a range of benefits that extend across various industries and business models, including:
- Enhanced security: Tokenisation reduces the risk of data breaches and fraud by replacing sensitive payment data with non-sensitive tokens. This ensures that actual payment data is not exposed during transactions, minimising the likelihood of unauthorised access or misuse.
- PCI DSS compliance: Tokenisation helps businesses adhere to industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) by minimising the storage and processing of sensitive payment data.
- Simplified data management: Tokens can be reused for future transactions, streamlining the payment process and reducing the need to repeatedly collect and store sensitive data.
- Improved customer experience: A simple payment experience, including reusing tokens for returning customers, can increase customer loyalty and drive repeat purchases.
- Reduced scope of data breaches: Tokenisation limits the potential damage by ensuring that any compromised data is non-sensitive and cannot be used for fraudulent transactions. This mitigates the negative impact on your business and customers while preserving the integrity of a brand's reputation.
- Unified commerce: Tokenisation allows businesses to manage payment data securely across multiple channels, such as online and offline shops or customer loyalty programmes.
- Support for emerging payment technologies: As payment methods evolve, tokenisation can be applied to new technologies, such as digital wallets and contactless payments. This enables businesses to adopt innovative payment solutions while maintaining high security.
Payment tokenisation offers a robust payment technology solution for securing sensitive payment data in an increasingly digital world. By replacing valuable information like credit card numbers with non-sensitive tokens, businesses can reduce their exposure to fraud, ensure regulatory compliance and build trust with their customers.


