What are tokens?
Before discussing tokenisation, it is helpful to understand the business need they aim to solve. In essence, customers use their payment cards online and offline more and more every day and from a security perspective, the more places customers use their card, the harder it is to ensure that all customer transactions are safe. However, there is a trend toward making payments more convenient, and with the growth of the Internet of Things, there are a number of devices that could be used as substitutes for plastic cards.
With this in mind, how can we make payments convenient and secure? Well short answer is, if card details are sensitive, let’s not store that data. If we don’t have something, it cannot be stolen, right? (or in IT language, it can’t be compromised or granted access to). But, then, how do we know that it is really the customer making the transaction and not somebody else? The answer is tokenisation. Tokenisation is a process of replacing sensitive data with non-sensitive data. In the payments industry, it is usually used to safeguard a card's PAN and other sensitive data by replacing it with a unique string of numbers.
In essence, tokenisation not a new idea. An example in the physical world is a casino chip. When you go to most of casinos, you first have to exchange your “real” cash for casino chips. Casino chips are, of course, more convenient as each card dealer does not have to validate your banknotes to reduce the risk of counterfeiting and chips are more fun for you –you can consider one particular chip lucky, and so on. However, one of the fundamental security properties of casino chips is that they have an accepted value within casino, but no value at all outside of the walls of the casino.
Similarly, with tokens, we can limit number of cases where your money has value, protecting your interests. So how do tokens work with payment cards? Put simply, card issuing institutions provide tokens for each device or smart gadget you would like to use as a payment card. In our metaphor, the issuing institution acts as a casino cashier and each of your smart gadgets receives the ability to contain funds, similar to the plastic trays in casinos. Once you make a transaction with your device (chip holder), it goes to the payment provider to ask for funds to be approved or not. In this kind of setup, if your one device gets compromised, all other devices are still safe. And this setup is arguably even safer than encryption, as encryption might be susceptible to brute force attacks where hackers try all possible combinations of passwords. In this case, token value has no meaning as only the payment provider can map which token belongs to which card.
So, you might ask how exactly tokens work. First of all, let’s review how tokens are created in the payments business. Creating tokens is quite a simple process. Payment card details are entered in the token-enabled device (for example, a smartphone). This device requests tokens from token service provider (TSP), which, for sake of this example, could be our known payment providers, VISA or MasterCard. Later, the TSP responds with token details for the smart phone. In this case, it is important to mention that the smartphone only holds non-sensitive token details and not the original card details. The TSP, on the other hand, will store both — the non-sensitive token data and the sensitive payment card details, as well as the credentials necessary to identify which device has this token.
To review how authorisations are made in this setup, Look at the schema below. The authorisation flow begins exactly the same way as for a plastic card. A tokenised devices initiates authorisation in a POS terminal. The POS terminal forwards this transaction to the acquiring bank, which, in turn, forwards the transaction to the TSP. Here, we diverge slightly from the usual authorisation process. As the token contains only non-sensitive, or in other words, meaningless data, payment providers cannot just forward the transaction to the issuing bank. Thus, they must take one more additional step, they match the token to the original card. After this, they can find the issuer and forward this transaction. After that, the issuer goes through the usual payment card process and approves or declines the transaction and sends a response back to the payment provider, which, in turn, forwards the response for the token (which, again, does not have sensitive data) to the acquiring bank and POS terminal.
Therefore, as you can see from this description, tokens are really useful as they can be used just like any other payment card. However, if data is leaked from the tokenised device (smartphone), it wouldn’t be useful to potential intruders as the TSP will not provide token-payment card matching for another device. Therefore, the data is completely useless for anyone else except the person with the smartphone where the token was created.