Tokenisation is a hot topic in the payment world. It can protect businesses and customers from fraud and make transactions more seamless.
But finding a clear tokenisation definition isn’t always easy. And the word may sound complex or even scary if you’ve not come across it before.
With all that in mind, we’ve put together a complete guide to payment tokenisation. Read on to discover what it involves and how the tokenising process typically works. We also cover the potential benefits to both business owners and customers.
Tokenisation is simply a way of making customer payments more secure. It starts by taking a sensitive piece of payment data, like a credit card number. It then swaps this with a ‘token’. This random set of characters bears no relation to the original payment data.
By switching sensitive digits for non-sensitive data, a tokenised payment can prevent fraud. Even if a token falls into the wrong hands, criminals won’t be able to make sense of it.
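A token can’t be reversed or deciphered on its own, because it bears no relation to the data it replaces. Only the vault that holds the original details can link a token back to them. So, that makes it a solid way to shield people’s payment details from harm.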
Tokenisation now has a large role to play in modern payment technologies. Businesses can tokenise people’s card details through specialist hardware or secure providers. And digital wallets rely on it too.
What is a token?
You can think of a token as a stand-in or substitute. When buying from a business with tokenising capabilities, a customer’s sensitive card details are replaced with a token. This unique set of characters represents their valuable data. But it’s not of any value on its own.
As a result, each tokenised payment offers a way to conceal important data from cyber-criminals. Without a token, they might be able to intercept and profit from a customer’s card information.
Ultimately, tokens are a vital part of modern payment security. They prevent the exposure of valuable data each time a customer makes a purchase. The original payment details are locked away in a ‘vault’, with the token taking their place.
How does tokenisation work?
The tokenisation process can work slightly differently depending on the payment method:
Payment tokenisation steps for digital wallets
Digital wallet tokenisation normally involves:
- Cardholder. This is the customer paying for goods or services. They’ll need to add their card to a digital wallet.
- Digital wallet provider. For example, Apple Pay or Google Pay. They’ll request that the user’s card details are tokenised.
- Card issuer. The original issuer of the card approves the tokenisation request. They’ll then integrate with a wider card network.
- Card network. This generates, stores and updates each token.
Tokenisation process for other payments
Here’s how tokenisation often works for online, bricks-and-mortar and subscription businesses.
1. Customer starts a transaction. The retailer confirms the customer’s payment method and details. This could involve a debit or credit card, for example.
2. Tokenisation request sent. The retailer then asks for the original payment details to be tokenised. This may happen automatically if they have specialist payment hardware or software in place. Alternatively, they might pass the original payment details on to a secure tokenisation provider. This could be a third-party firm or payment processor.
3. Creation of a token. A unique token is generated in place of the original data. This usually contains random letters or figures, which would appear meaningless in the outside world.
4. Original payment data locked away. The new token replaces the original payment data in the retailer’s systems. Meanwhile, the tokenisation service provider safely stores the original details in a vault.
5. Secure transaction completed. When ready to complete the transaction, the retailer sends the token to the tokenisation service provider. This links the token back to the original payment data, completing the transaction.
Benefits of tokenisation
Tokenisation of data offers a range of potential benefits. These include:
- Stronger security. By tokenising card details, valuable payment data is effectively locked away. Fraudsters can’t access this data, even if they get their hands on a token.
- Less damaging data breaches. Tokenisation means businesses don’t have to keep large databases of customer payment information. If a data breach strikes, only non-sensitive information will leak out.
- Smoother customer journeys. It’s possible to reuse tokens, saving you and your customers time when they next visit. This could reduce friction and boost your overall brand reputation.
- Simpler regulatory compliance. You might face fewer steps when meeting legal commitments. For example, when complying with the Payment Card Industry Data Security Standard (PCI DSS).
- Adaptation to new technologies. Tokenisation can support new types of payments. For example, contactless transactions and digital wallets. This could help you to combine hi-tech innovation and tight security.
Encryption vs tokenisation
Tokenisation is often confused with encryption. And they’re sometimes thought to be the same thing. But there are a few differences to bear in mind.
The main one is the way they protect data. Encryption encodes or scrambles data, potentially changing both its type and length. It can only be converted back to its original form with a specific key.
In contrast, tokenisation replaces one set of sensitive data with another string of non-sensitive data. It doesn’t require a key and can’t be decrypted.
Here’s how they compare with one another:
| Encryption | Tokenisation |
| --- | --- |
| Converts readable data into a scrambled code | Replaces valuable data with a substitute token |
| Requires a key to decrypt the data back into its original format | No decryption key required. Instead, sensitive data is stored in a vault |
| Data could prove hard to retrieve if access keys are lost | Original data can be stored by a third party, easing the demands on retailers |
| Often used for bigger files and datasets | Well suited to credit card details and similar data fields |
| Tried and tested data protection method, with a long track record | Adapts well to emerging payment technologies, e.g. digital wallets |
What is an example of tokenisation?
Digital wallets are an increasingly common example of payment tokenisation. These wallets replace your original card data with a token. It’s the token that is then processed when you make a payment, rather than the sensitive card details themselves.
It’s a safer way of doing things, since hackers shouldn’t be able to understand any tokens that they intercept.
Are tokens single-use or multi-use?
It all depends on how the token is structured and set up. Some tokens are designed for use in a single transaction. However, others may be created with the long term in mind. These can apply to the same customer across more than one transaction.
How is each token created?
Tokens are automatically generated using cryptographic algorithms. These create a random set of characters or numbers to replace the original data. The new data has no obvious connection with the customer’s payment details. It shouldn’t have any meaning either.
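The five-step flow described earlier and the single-use versus multi-use distinction, as an added Python example that is not part of the original guide. `TokenVault`, `run_checkout_demo`, the `tok_` prefix and the card number are constructed for illustration, and the in-memory dictionary stands in for a provider's hardened vault.

```python
import secrets

class TokenVault:
    """Hypothetical tokenisation provider: the only place card numbers live."""
    def __init__(self):
        self._vault = {}  # token -> (card number, single_use flag)

    def tokenise(self, card_number, single_use=False):
        # The token comes from a CSPRNG, not from the card number, so no
        # key or formula can turn it back into the card details.
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = (card_number, single_use)
        return token

    def detokenise(self, token):
        # Only a vault lookup links a token back to the original data.
        if token not in self._vault:
            raise KeyError("unknown or already used token")
        card_number, single_use = self._vault[token]
        if single_use:
            del self._vault[token]  # a single-use token dies after one payment
        return card_number

def run_checkout_demo():
    vault = TokenVault()
    card = "4111111111111111"  # constructed test number, not a real card
    # Steps 1-4: the retailer requests a token and stores only the token.
    retailer_db = {"customer-42": vault.tokenise(card)}
    one_off = vault.tokenise(card, single_use=True)
    # Step 5: the retailer sends the token; the provider resolves it.
    first = vault.detokenise(retailer_db["customer-42"])
    second = vault.detokenise(retailer_db["customer-42"])  # multi-use: still valid
    vault.detokenise(one_off)
    try:
        vault.detokenise(one_off)  # replaying a spent single-use token
        replay_blocked = False
    except KeyError:
        replay_blocked = True

    leaked = list(retailer_db.values())  # what a retailer-side breach exposes
    return {
        "resolved": first == second == card,
        "replay_blocked": replay_blocked,
        "card_in_leak": any(card in value for value in leaked),
        "tokens_differ": retailer_db["customer-42"] != one_off,
    }

if __name__ == "__main__":
    print(run_checkout_demo())
```

The retailer's records hold only `tok_...` strings, so the card number can be recovered only by someone who can query the vault itself.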
Tokenisation is a highly effective – but often overlooked – data protection method. It could keep people’s card details secure and reduce the strain on your business.
This has been prepared by Tyl by NatWest for informational purposes only and should not be treated as advice or a recommendation. There may be other considerations relevant to you and your business so you should undertake your own independent research.
Tyl by NatWest makes no representation, warranty, undertaking or assurance (express or implied) with respect to the adequacy, accuracy, completeness, or reasonableness of the information provided.
Tyl by NatWest accepts no liability for any direct, indirect, or consequential losses (in contract, tort or otherwise) arising from the use of the information contained herein. However, this shall not restrict, exclude, or limit any duty or liability to any person under any applicable laws or regulations of any jurisdiction which may not be lawfully disclaimed.