What is Tokenisation?
Tokenisation is a process through which sensitive information or data is replaced with a unique set of characters that retain all the essential information without compromising the security of the sensitive information.
In the payments domain, tokenisation is the process of replacing the 16-digit payment card account number with a unique digital identifier known as a ‘token’ in mobile and online transactions. This token then allows payments to be processed without exposing sensitive account details that could breach security and privacy.
Substitution methods like tokenisation have been around for a while as a way to isolate data within ecosystems and databases. Before tokenisation was introduced, encryption with reversible cryptographic algorithms was the preferred method of protecting sensitive data.
Unlike encryption, a process that encrypts cardholder data at the origin and then decrypts it at the end destination, tokenisation replaces sensitive cardholder details with a stand-in token. Because tokens are assigned at random rather than computed from the card number, reverse-engineering the card number from a token alone is practically impossible.
Let’s take a look at what happens from the time a customer uses their credit card to the time the payment is processed, to understand the process of tokenisation better.
- A credit card is swiped at a POS machine or is used for an online transaction
- The credit card number is passed to the tokenisation system
- The tokenisation system generates a string of 16 random characters to replace the original credit card number
- The tokenisation system returns the newly generated 16-character random string to the POS machine or e-commerce site, which stores it in place of the customer’s credit card number
Curious about what a token looks like?
There are two types of tokens, format-preserving tokens, and non-format preserving tokens.
Format-preserving tokens maintain the appearance of the 16-digit credit card number. Some format-preserving tokenisation schemes also retain the IIN (the first 6 digits) and the last 4 digits of the card number.
Card number: 5945 8612 5953 6391
Format-preserving token: 4111 8765 2345 1111
Non-format-preserving tokens do not resemble the original credit card number and can include both alphabetic and numeric characters.
Card number: 5945 8612 5953 6391
Non-format-preserving token: 25c92e17-80f6-415f-9d65-7395a32u0223
At Razorpay we use non-format-preserving tokens in the form of a 14-character alphanumeric string.
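To make the flow above and the two token types concrete, here is a toy in-memory token vault written for this post (example code, not Razorpay TokenHQ or any production tokenisation system). The 14-character alphanumeric alphabet, the IIN/last-4 layout of the format-preserving token and the one-token-per-platform rule are assumptions taken from the text; the sample card number is the post's own illustration, not a real card.

```python
import secrets
import string

# Constructed sample PAN taken from the post's illustration (not a real card).
SAMPLE_PAN = "5945861259536391"


class TokenVault:
    """Minimal in-memory stand-in for a tokenisation system.

    Tokens are drawn at random and kept in a lookup table, so nothing about
    the card number can be computed from a token; the vault itself is the
    component that stays inside PCI DSS scope and must be protected.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._issued = {}  # (pan, platform) -> token: a separate token per platform

    def tokenise(self, pan, platform, format_preserving=False):
        """Return the token for this card on this platform, minting one if needed."""
        key = (pan, platform)
        if key in self._issued:
            return self._issued[key]
        while True:
            token = (self._format_preserving_token(pan) if format_preserving
                     else self._random_token())
            # Reject collisions with an already issued token, and the degenerate
            # case where a format-preserving token's random middle reproduces the PAN.
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._issued[key] = token
        return token

    def detokenise(self, token):
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._token_to_pan[token]

    @staticmethod
    def _random_token(length=14):
        # Non-format-preserving: 14 alphanumeric characters (assumed alphabet).
        alphabet = string.ascii_lowercase + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    @staticmethod
    def _format_preserving_token(pan):
        # Format-preserving: keep the IIN (first 6) and last 4, randomise the middle 6.
        middle = "".join(secrets.choice(string.digits) for _ in range(6))
        return pan[:6] + middle + pan[-4:]
```

A breach of a merchant database built on this model yields only the `_issued` tokens, which are useless without the vault's `_token_to_pan` mapping.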
What is the impact of Tokenisation on Online Businesses?
Credit card tokenisation helps online businesses improve their data security, from the point of data capture to storage, as it eliminates the storage of actual credit card numbers in POS machines and internal systems. But the greatest benefit of tokenisation is that it minimises the impact of security breaches for merchants.
Since merchants store tokens instead of credit card numbers in their systems, an attacker who breaches those systems acquires only tokens, which are of no use without the tokenisation system. Breaches are expensive, and many retailers and banks have experienced huge losses as a result of data theft. Tokenisation helps minimise this.
What is the impact of Tokenisation on Customers?
Apart from the comfort that comes with knowing that your credit card is less likely to be compromised, tokenisation is also very convenient for customers in the case of fraud or theft. This is because a separate token is issued for the same card on each platform that uses tokenisation.
So even if a website you use gets breached and the tokens are acquired by an attacker, it is difficult to reverse-engineer the actual card number from them, as access to the tokenisation system itself would also be needed.
Does using Tokenisation make you PCI DSS Compliant?
Storing tokens instead of credit card numbers is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS (Payment Card Industry Data Security Standard) requirements.
The following key principles relate to the use of tokenisation and its relationship to PCI DSS:
- Tokenisation solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components to which PCI DSS requirements apply.
- Verifying the effectiveness of a tokenisation implementation is necessary and includes confirming that a payment card number is not retrievable from any system component removed from the scope of PCI DSS.
- Tokenisation systems and processes must be protected with strong security controls and monitoring to ensure the continued effectiveness of those controls.
- Tokenisation solutions can vary greatly across implementations, including differences in deployment models, tokenisation and de-tokenisation methods, technologies, and processes.
Both tokenisation and encryption are widely used today to protect sensitive data stored in cloud services or internal applications. An organization can decide to use encryption, tokenisation or a mix of both depending on their use case. This also depends on the different types of data that the organization wants to secure.
Razorpay TokenHQ: Enabling seamless card tokenisation
Razorpay TokenHQ, India’s first RBI-compliant card tokenisation solution, allows businesses to continue offering their customers a saved-card experience through a unified platform that connects with card networks such as VISA, Mastercard and RuPay, as well as the issuing banks.