What is Card Tokenisation?
- Admin Account
- Jun 7
- 5 min read
So I am currently working on managing tokenisation for a card network, and it's fair to say that most of the general public have no idea how it works. I have to explain tokenisation to everyone I meet, so I thought I would try and capture a simple overview of the topic, to get a good explanation of what it is and how it works right in my own mind. Enjoy.
Have you ever wondered how your card payments stay secure, especially when you use your card online or with your phone? This is where tokenisation plays a vital role. It's a powerful security measure that protects your sensitive card details by transforming them into a unique, meaningless code, called a "token." This token can then be used for transactions without exposing your actual card information.
Why Your Card Number Needs Special Protection
To understand why card numbers require such strong security, it helps to know how different account details function:
When you open a bank account, your bank assigns you an internal account number for its own records. This number works within the bank's system, but it's not widely recognised by other financial institutions.
To allow money to be sent to your account, banks provide identifiers like your BSB and Account Number (in Australia) or a PayID. These are like an address that lets people securely deposit funds into your account. If someone knows these details, they can generally only put money in, not take it out without further authorisation.
Your Card Number (the 16 digits on your credit or debit card) is fundamentally different. This number is designed to let authorised businesses and payment systems take money out of your account when you make a purchase. Because your card number grants the ability to initiate debits, its exposure carries a much higher risk of immediate financial loss compared to your BSB, account number, or PayID. This inherent power to 'pull' funds is precisely why card numbers must be secured much more diligently.
What Tokenisation Is: Safeguarding Your Digital Assets
Consider your 16-digit card number (known as the Primary Account Number, or PAN) as a valuable, untraceable diamond or gemstone. If this diamond were lost or stolen, it would be gone forever, and anyone who found it could use or sell it without being easily traced back to you. Naturally, you wouldn't carry such a precious item openly everywhere.
Tokenisation works by creating a secure substitute:
When you initiate a payment, your actual card number is sent directly to a highly secure, digital storage system operated by a Token Service Provider (TSP). Think of this TSP as a highly fortified digital vault.
Inside this vault, the TSP generates a token. This token is a unique, randomly generated string of characters that has no mathematical connection to your original card number. It's like a secure, numbered certificate of authenticity for your diamond, which remains safely locked away in the vault.
You then use this token to complete your purchase. If this token is ever intercepted, it's useless to a thief because it's merely a placeholder; your actual card number (the diamond) remains protected within the TSP's secure vault, only to be retrieved for valid, authorised transactions.
Essentially, a token is a worthless, random code that stands in for your real, valuable card details, making them unusable to fraudsters if exposed.

How Tokenisation Works
The process of tokenisation in card payments involves several key participants working together:
- The Cardholder: You, making a purchase.
- The Merchant: The business where you're buying something (online or in a physical store).
- The Token Service Provider (TSP): The secure entity (often a payment processor or a card scheme like eftpos, Visa, or Mastercard, or a specialised tokenisation vendor) responsible for creating and managing tokens in its "token vault."
- The Acquirer: The merchant's bank.
- The Card Networks (eftpos, Visa, Mastercard, etc.): The global systems that process card transactions.
- The Issuer: Your bank, which issued your credit or debit card.
Here’s how it works for different payment types:
What about Mobile Phone Payments (like Apple Pay or Google Pay)?
The underlying tokenisation process is the same for mobile payments. When you add your card to a digital wallet app on your phone:
Your phone or the digital wallet app securely sends your card details to the Token Service Provider (TSP).
The TSP generates a unique token that's specifically linked to your card and that particular mobile device.
Your phone then stores this token (not your actual card number).
When you make a payment using your phone, it transmits this device-specific token to the payment terminal or online merchant. The merchant never receives your real card number, only the secure token. The rest of the payment process proceeds with this token, as described in the steps below.
And for Online Transactions:
Here’s a simplified breakdown of an online purchase:
Step 1: Payment Initiation: You enter your card details (number, expiry, CVV) on the merchant's website.
Step 2: Tokenisation Request: Your sensitive card data is immediately sent to the Token Service Provider (TSP). The merchant's system typically doesn't directly store your real card number.
Step 3: Token Generation: The TSP, within its secure "token vault," generates a unique token specifically for your card and that particular transaction or merchant. It securely records the link between your real card number and this new token. The token is then sent back to the merchant's system.
Step 4: Transaction with Token: From this point forward, the merchant's system and the payment processing systems handle and transmit only the token, not your actual card number, to complete the payment.
Step 5: Authorisation Request: The token travels through the payment network (via the acquirer) to the card network (e.g., eftpos, Visa or Mastercard).
Step 6: Detokenisation (Securely): If and when your actual card number is absolutely necessary for authorisation (usually by the card network or your bank), the token is sent back to the original TSP/token vault. The vault securely retrieves your real card number and provides it to the authorised party within a tightly controlled, protected environment.
Step 7: Transaction Approval: Your bank then authorises or declines the transaction based on the real card data, and the response is sent back through the network, usually still referencing the token, to the merchant.
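To make the online flow (Steps 1 to 7) and the device-bound tokens of the mobile flow concrete, here is a small Python model of a token vault. It is an added example, not code from the original post or from any real TSP or card scheme; the vault design, the "card_network" and "issuer" requester names, the 16-digit random token format, the domain binding, the test PAN and the issuer's approval rule are all constructed assumptions.

```python
import secrets

class TokenVault:
    """Constructed model of a TSP token vault; the mapping below is the only place the PAN lives."""

    AUTHORISED_DETOKENISERS = {"card_network", "issuer"}  # parties allowed to see the PAN

    def __init__(self):
        self._records = {}  # token -> (pan, expiry, bound_domain)

    def tokenise(self, pan, expiry, domain):
        """Steps 2-3: PAN in, random token out; nothing about the token is derivable from the PAN."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._records:  # guarantee uniqueness
                break
        self._records[token] = (pan, expiry, domain)
        return token

    def detokenise(self, token, domain, requester):
        """Step 6: release the PAN only to an authorised party, and only from the token's bound domain."""
        if requester not in self.AUTHORISED_DETOKENISERS:
            raise PermissionError(f"{requester} may not detokenise")
        record = self._records.get(token)
        if record is None:
            raise LookupError("unknown token")  # guessed or forged tokens map to nothing
        pan, expiry, bound_domain = record
        if domain != bound_domain:
            raise PermissionError("token presented outside its bound domain")
        return pan, expiry

def authorise(vault, token, domain, amount):
    """Steps 4-7: only the token travels; the network detokenises in the vault and the reply names the token."""
    try:
        pan, expiry = vault.detokenise(token, domain, requester="card_network")
    except (PermissionError, LookupError) as reason:
        return {"token": token, "approved": False, "reason": str(reason)}
    # The issuer would look up the account by PAN; these two checks are a constructed stand-in.
    approved = amount <= 500 and expiry >= "2026-01"
    return {"token": token, "approved": approved, "reason": "issuer decision"}

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # standard test PAN, not a real card
    shop_token = vault.tokenise(pan, "2028-06", domain="merchant:shop-a")
    phone_token = vault.tokenise(pan, "2028-06", domain="device:phone-1")  # same card, different token
    print(authorise(vault, shop_token, "merchant:shop-a", 120))  # approved; the PAN never left the vault
    print(authorise(vault, shop_token, "merchant:shop-b", 120))  # a token stolen from shop-a is useless at shop-b
```

The authorisation response never contains the PAN, which is what lets the merchant and acquirer keep only tokens in their systems.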
Why Tokenisation Is So Important for Card Payments
Tokenisation offers significant advantages, making card payments more secure and convenient for everyone involved:
- Greater Protection from Data Breaches: If a merchant's system that uses tokens is ever compromised, hackers obtain only tokens, which cannot be reverse-engineered to reveal your actual card numbers. This drastically limits the damage and financial impact of a data breach.
- Simplified Security Compliance: Organisations that handle card data must comply with strict rules (like the PCI DSS). By utilising tokenisation, businesses reduce the amount of sensitive card data they directly handle and store, making it significantly easier and less costly for them to meet these important security standards.
- Stronger Fraud Prevention: Even if a token is somehow compromised, its use is often restricted to specific merchants or transaction types, making it much harder for fraudsters to use it for unauthorised purchases. Advanced tokens even change dynamically for each transaction, adding another layer of security.
- Improved Customer Experience:
  - Convenient "Card on File" and One-Click Payments: Tokenisation enables businesses to securely store your card details (as tokens) for recurring payments, subscriptions, or faster checkouts, without ever holding your actual card number.
  - Seamless Card Updates: For some token types, if your card expires or is replaced, the token can be automatically updated, reducing frustrating declines and the need for you to manually update your saved details across multiple services.
  - Powers Digital Wallets: Tokenisation is the foundation for the security and ease-of-use of mobile payment apps like Apple Pay, Google Pay, and Samsung Pay, ensuring your real card number is never shared when you pay with your phone.
In essence, tokenisation acts as a crucial digital shield in the card payment world. It protects your sensitive card data by keeping it safely locked away, allowing you to make purchases securely and conveniently, while significantly reducing risks for both consumers and businesses.