Tokenisation allows customers to securely save their debit or credit card details with an organisation, making future payments a lot quicker and more convenient. The sensitive information is replaced with unique identification symbols, referred to as a ‘token’, which has no exploitable value and can be stored with little risk by an organisation. This takes them “out of scope” as the data is only ever stored by the card acquirer.
It increases convenience and saves valuable time for the customer as they don’t have to re-enter their card details on future or repeated payments. For organisations, the purchasing time and number of abandoned sales can be drastically reduced as the customer doesn’t need to have the card ready-at-hand at the checkout stage.
The option to tokenise can be offered to customers a number of ways, including on the phone, online or over SMS. When a customer is completing a payment with their debit or credit card they can be given the option to “save” their card details for future use.
Rather than saving the card details the sensitive data is substituted with a non-sensitive equivalent which is referred to as a ‘token’ and would be considered completely useless to a fraudster. This token is used as a reference that will map back to the sensitive data through a tokenisation system, unlocking the use of the debit or credit card and allowing payment there and then. The customer will usually need to verify their identity with a selection of personal information to unlock it’s use, including references such as date of birth, address, contact number, etc.
The tokens are very secure as they are managed by the major card companies who issue the debit or credit cards. However, the storage of tokens and payment card data must comply with the Payment Card Industry Data Security Standards (PCI-DSS), including the use of strong point-to-point encryption. By working with a third-party payment solutions provider such as Key IVR, our diverse integration capabilities allows for the tokenisation process to be done safely and securely and across a range of payment methods.
Tokenisation has several benefits for both the organisation and their customers. For the organisation, it can drastically improve the speed and efficiency when taking payments. The card payment is out of scope and not actually stored within the business’s systems, there is much less impact of a data breach or loss of data. The key goal is to reduce any risks involved around taking payments, especially after the increased fines and penalties incurred in a data breach following the introduction of GDPR. Instead of encrypted data and decryption keys being stored in the businesses’ systems, hackers only have access to harvest tokens with no exploitable value.
Benefits for Customers:
- They’re not spending unnecessary time typing in all their card data for every purchase.
- They don’t necessarily need the card at hand when making a purchase.
- There is less chance for mistakes when providing card details again and again.
- They can at ease knowing their sensitive card data is never directly interacting with the business they are making the payment to.
Benefits for Organisations:
- A much quicker payment process for repeated purchases.
- Less chance of abandoned sales or failed payments.
- The option to provide Payment Plans to help spread the cost of high value purchases.
- Removes valuable data from the corporate network, reducing the impact if a data breach was to occur.
Encryption and tokenisation are both considered cryptographic data security methods. Encryption is used when an organisation is storing card details within their internal networks and systems. It is very effective at disguising the sensitive data, requiring a separate key to ‘unlock’ and decrypt the information for it to be used. Although the risk is reduced, the information is still stored within an organisation’s internal system and when it is transmitted the decryption key sometimes has to be embedded.
Encryption offers very little protection if hackers were to gain access to the network and steal both the encrypted sensitive details along with the encryption keys. Alternatively, tools can be used in an attempt to decrypt the data without needing a key. Encryption methods have had to continuously evolve over the years to combat this.
Tokenisation is much safer than encryption and is recommended for PCI-DSS compliance. As the data is not stored, disguised or otherwise, the organisation can be confident that if a data breach was to occur, there is nothing sensitive that can be stolen.
The concept of tokenisation was created in 2001 by a company called TrustCommerce for their client, Classmates.com, which needed to significantly reduce the risks involved with storing card holder data. From this, TC Citadel was developed, allowing customers to reference a token in place of their sensitive card data. TrustCommerce then processed the payment on the merchant’s behalf. Instead of storing data, tokenisation replaces the primary account number (PAN) with randomly generated symbols that would be useless if intercepted by hackers.
The feature has since been adopted by major debit and credit card issuers, making it a common feature in the online shopping experience.
With a payment service from Key IVR, an organisation can tokenise a customer’s card so that they will only have to provide card details once, saving them time on regular payments and purchases. This can be done over the phone with an agent, online or over SMS. Card details are tokenised securely in a PCI-DSS Level 1 environment and not stored anywhere outside the issuing card company. All tokens have a dedicated reference for every individual customer. E.g. Policy number, customer number, customer name, phone number, etc.
This method of tokenisation also allows for an organisation to offer a Recurring Payment Plan, a perfect way for customers to spread the cost of a purchase over time. A range of payment frequencies are available, such as weekly, fortnightly, monthly and more.
If required, a Recurring Plan/Continuous Payment Authority (CPA) can be created by processing £1 that will not be taken from the customer’s account. This ‘Promise to Pay’ method uses a Recurring Payment Plan instead of a Direct Debit and allows organisations to re-take failed payments, restarting the plan and avoiding customers incurring expensive Failed Direct Debit charges. This method is recommended by the Financial Conduct Authority (FCA), as debt isn’t added onto the outstanding amount the customer is paying off.
Contact Key IVR and we can discuss how tokenisation can save your customers valuable time and improve your payment methods across a wide range of services.