Tokenisation aims to make online and mobile-based shopping a lot safer, but how does it work? Here’s what you need to know.
If you’ve purchased anything online you’re probably familiar with the pain point of punching in your credit card number. Those 16 digits take time to enter, but they’re also your gateway to shopping online.
The issue is that while that number is convenient, it's also a fixed secret that gives fairly direct access to your account, which is why any credible online merchant also asks for the CVV (often mislabelled "CCV") printed on the back of the card. That helps only until there's a breach at the merchant end: card details captured there are just as usable at any other merchant, so if both numbers leak you're back to square one, especially if the merchant doesn't alert you to the breach promptly.
Tokenisation aims to remove that weakness by giving the merchant a substitute value, a token, that stands in for the card but doesn't reveal the underlying account details to anyone outside the payment network. There isn't one single standard for tokenisation just yet, because it's an evolving payments field, but the major schemes work from a framework announced in 2013 by Visa, Mastercard and American Express (since published through EMVCo as the payment tokenisation specification).
The token replaces the sixteen digit card number, along with the associated expiry date and CVV, and is typically another sixteen digit number in the same format so it flows through existing payment systems unchanged. It can be restricted to a specific merchant, a specific mobile device, or both. The idea is that a transaction is more secure because even if the token is exposed, it's only good within the sales environment it was issued for, and possibly only when presented from the device it was provisioned to.
To put it in simpler terms, if you used a token to buy groceries online and the supermarket’s IT infrastructure is hacked, criminal types couldn’t then use that token to buy a Lamborghini in Estonia, unless your supermarket is Estonia-based and sells Lamborghinis, which seems unlikely.
More specifically, a token is created by taking your card's primary account number (PAN) and mapping it, in a vault held by the token service provider, to a freshly generated token. That token is then provisioned to a device or a digital wallet, and it's the token, not the PAN, that's used in whatever transaction you have in mind. This gives tokenisation some flexibility: a token could be provisioned to a purely digital wallet for online purchases, or tied to a mobile device for contactless payments, similar to existing phone-based payment schemes and local examples such as Optus' Smart Device-based Cash By Optus.
The merchant only ever sees the token. The token service provider and your financial institution are the only parties holding the mapping back to the actual account: when the merchant submits the token for payment, it's resolved to the real card number inside the payment network, your bank authorises the transaction against that number, and the response that comes back to the merchant still carries only the token. This also means that if your token is compromised, it's just the token that needs to be revoked and reissued, not your actual credit card.
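As an added illustration (this is not code from the original article, nor any card scheme's real implementation), here is a toy token service provider in Python that shows the mechanics described above: the vault maps a random, format-preserving token to the PAN, the token is bound to a merchant and optionally a device, resolving it from anywhere else fails, and revoking it leaves the card itself untouched. The token range "9999", the merchant and device identifiers, the issuer ledger and the card number 4111 1111 1111 1111 (a standard test number) are assumptions made up for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string, so tokens look like real PANs to legacy systems."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, starting with the rightmost
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str                    # the real card number; never leaves the vault
    expiry: str
    merchant_id: Optional[str]  # None = not merchant-restricted
    device_id: Optional[str]    # None = not device-restricted
    active: bool = True


class TokenServiceProvider:
    """Toy token vault. The assumed range "9999" stands in for a real token BIN."""

    def __init__(self, token_bin: str = "9999") -> None:
        self._vault: Dict[str, TokenRecord] = {}
        self._token_bin = token_bin

    def provision(self, pan: str, expiry: str,
                  merchant_id: Optional[str] = None,
                  device_id: Optional[str] = None) -> str:
        """Create a token for a PAN. The token is random, so it reveals nothing about the PAN."""
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenise a malformed PAN")
        while True:
            body = self._token_bin + "".join(str(secrets.randbelow(10)) for _ in range(11))
            token = body + luhn_check_digit(body)
            if token not in self._vault and token != pan:
                break
        self._vault[token] = TokenRecord(pan, expiry, merchant_id, device_id)
        return token

    def detokenise(self, token: str, merchant_id: str,
                   device_id: Optional[str] = None) -> Optional[str]:
        """Map a token back to its PAN only when the presenting domain matches; None otherwise."""
        rec = self._vault.get(token)
        if rec is None or not rec.active:
            return None
        if rec.merchant_id is not None and rec.merchant_id != merchant_id:
            return None
        if rec.device_id is not None and rec.device_id != device_id:
            return None
        return rec.pan

    def revoke(self, token: str) -> None:
        """Kill a leaked token; the underlying card stays valid and can be re-tokenised."""
        if token in self._vault:
            self._vault[token].active = False


def authorise(tsp: TokenServiceProvider, issuer_accounts: Dict[str, int],
              token: str, merchant_id: str, amount: int,
              device_id: Optional[str] = None) -> dict:
    """Network-side authorisation: the merchant submits only the token; the PAN is resolved inside."""
    pan = tsp.detokenise(token, merchant_id, device_id)
    if pan is None:
        return {"approved": False, "reason": "token not valid in this domain", "token": token}
    if issuer_accounts.get(pan, 0) < amount:
        return {"approved": False, "reason": "insufficient funds", "token": token}
    issuer_accounts[pan] -= amount
    # The response carries the token, never the PAN, back to the merchant.
    return {"approved": True, "token": token}


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    accounts = {"4111111111111111": 500}  # constructed issuer ledger for the demo
    grocery_token = tsp.provision("4111111111111111", "12/27", merchant_id="supermarket-au")
    print("merchant stores only:", grocery_token)
    print(authorise(tsp, accounts, grocery_token, "supermarket-au", 120))
    print(authorise(tsp, accounts, grocery_token, "car-dealer-ee", 120))  # stolen token, wrong domain
    tsp.revoke(grocery_token)
    print(authorise(tsp, accounts, grocery_token, "supermarket-au", 120))  # revoked token
```

The point to notice is that the merchant's database holds a value that is useless anywhere else, and that a breach is handled by revoking and reissuing tokens rather than cancelling cards. A real scheme adds a per-transaction cryptogram from the provisioned device, a token expiry separate from the card's, and a token BIN range assigned by the network; those are omitted here to keep the domain-restriction logic visible.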