How Tokenisation is Transforming Payment Security in the Digital Age

In an era where digital transactions are ubiquitous, the security of sensitive payment information has become paramount. With phishing schemes, compromised Wi-Fi networks, and various data breaches exposing millions of payment card numbers, cybercriminals can acquire stolen card data at minimal costs and exploit it for significant financial gains. Such breaches result in substantial losses for merchants and financial institutions and considerable inconvenience for cardholders. Tokenization represents a pivotal advancement in safeguarding against these threats by obscuring sensitive payment details.

The Mechanism of Tokenization

Tokenization involves substituting a payment card’s 16-digit number with a unique “token”—a non-sensitive, random number stored securely on a consumer’s device or within a merchant’s system. This token replaces the actual card number during transactions, ensuring that the true card information remains confidential and is not visible to merchants or potentially exposed during data breaches.

Historical Context and Evolution

A decade ago, digital payments constituted a mere 6% of retail transactions. The landscape has dramatically shifted with tokenization emerging as a critical standard in payment security. In 2013, major payment networks like Mastercard pioneered tokenization standards to bolster security and foster trust in digital payments. By 2014, Mastercard introduced the Mastercard Digital Enablement Service (MDES), a significant development that has since facilitated the secure processing of billions of transactions annually.

Advantages of Tokenization

Tokenization offers several benefits, primarily enhancing security and improving user experience. The primary advantage is the mitigation of fraud risk. Since the actual card number is never transmitted during transactions, the likelihood of card data theft is significantly reduced. This reduction in fraud risk leads to higher transaction approval rates, minimizing the chances of legitimate transactions being declined by banks. Furthermore, tokenization provides continuity in case of a lost or stolen card, allowing users to continue transactions with their tokenized card while awaiting a replacement.

Complementary Security Measures

Tokenization is part of a broader security framework that includes multiple layers of protection:

  1. On-Device Authentication: This process verifies a user’s identity directly through their device, typically via biometric methods such as fingerprint recognition or facial scanning, or by entering a secure code.
  2. Cryptograms: Each transaction involves generating a unique, one-time cryptographic code or cryptogram. This ensures that each transaction is authenticated and originates from a legitimate device or merchant account.

Applications of Tokenization

Tokenization is versatile and can be utilized across various transaction contexts:

  1. In-Store Payments: Digital wallets, such as Apple Pay, Samsung Pay, and Google Pay, leverage tokenization to facilitate secure contactless payments. These wallets use the same tap-and-go technology as contactless cards but offer enhanced security by requiring user authentication on the device before completing high-value transactions.
  2. Online and In-App Payments: Digital wallets can also streamline online and in-app transactions by providing tokenized payment information along with cryptograms and, in some cases, automated shipping details. This process ensures a secure payment experience while reducing the need for manual entry of card details.
  3. Card-On-File Transactions: For merchants where card details are stored, such as e-commerce sites or subscription services, tokenization replaces stored card information with a token. Merchants then obtain a cryptogram from the payment network for each transaction, maintaining security and privacy.
  4. Guest Checkout: Tokenization also facilitates secure guest checkout processes through digital wallets, such as Click to Pay, which do not require users to input card details or be redirected to complete the purchase.

Token Service Providers

Tokens are issued, managed, and stored by token service providers. These entities, which include payment networks like Mastercard, card issuers, and other specialized companies, adhere to industry standards and specifications to ensure the effective management of tokens.

Operational Insights

Tokenization operates seamlessly in the background of digital transactions. For device-based contactless payments, the process begins when a user enters card details into a digital wallet. The wallet then communicates with the payment network to tokenize the card. Upon approval, the token service provider securely transmits the token and cryptographic key to the wallet, making the digital card ready for transactions.

For online card-on-file payments, tokenization involves similar steps. When a card is saved with a merchant, a tokenization request is sent to the token service provider, which then issues a token for future use. This tokenization process ensures that card data remains secure, even if card details change.

Tokenization is a critical technology in the evolution of payment security, addressing the growing need to protect sensitive payment information amidst increasing digital transactions. By converting card details into non-sensitive tokens and integrating multiple layers of security, tokenization enhances the protection of both cardholders and merchants, fostering a more secure and trustworthy digital payment ecosystem.

london, willis building, reflection-3529954.jpg

This Article is brought to you by

Loopline Media

Catch up with the Author

Facebook-f Twitter Linkedin

Subscribe Now to Get Regular Updates

Search

Post-Brexit: data protection
Card processor sends sensitive data to wrong address
24 August 2022

Worldline SA subsidiary Payone GmbH has been accused of breaching data protection rules after it sent sensitive employee payroll information to the wrong address by accident. The Worldline Group holdS a 60% stake in the Frankfurt based company who have a small UK market presence.

In June 2021, one of Payone GmbH’s ex UK employees (the data subject) received a “potential data breach notification” from the firm advising him that his salary, National Insurance data, nationality (Special Category Data) was amongst various bits of information sent to an incorrect home address.

This included personal information such as the former employees name, age and address.  It also included details such as the date of birth and the amount of annual work bonus he received in his bank account amongst other identifiable data.

Payone GmbH confirmed that this document was sent out in error following an employee making a mistake when re-entering data processed by their third-party payroll provider.  The error arose when the employee was fulfilling an Article 15 GDPR request. The error was spotted by the data subject when he noticed in an email version of the document that the postal address was incorrect. An attempt to notify Payone GmbH of the error went in vain as the document was already irretrievably despatched.

The data subject was alarmed with the incident which exposed him to the possibility of fraudulent activity, amidst reasonable fears his data could end up on the dark web and used by criminals.  Habitually resident in the UK he complained to the Information Commissioner’s Office (ICO) in June 2021. He similarly raised the concern in Germany via The Hessian Commissioner for Data Protection and Freedom of Information (HBDI).

The ICO reprimanded Payone GmbH for the error in their final decision letter.
Similarly, the HBDI cited a violation of Article 5(f) of the General Data Protection Regulation (GDPR) relating to integrity and confidentiality.

The ICO stated in their July 2021 findings that Payone GmbH, “should take steps to ensure that all personal data records are accurate and up to date. Holding inaccurate information, such as addresses, does increase the risk of personal data breaches and poses risks to the security of information”.

The HBDI confirmed in their October 2021 findings that Payone GmbH had taken remedial action. They concluded that a monetary fine would not be imposed on Payone GmbH as they had taken technical and organisational steps in response to the data breach. Data subjects could now request their data in an autonomous portal.

The GDPR, which came into effect in 2018, gave the Information Commissioner’s Office greater powers to tackle data breaches. The new ‘UK GDPR’ charts its own course after Brexit whilst seeking to maintain EU GDPR adequacy.  In extreme scenarios, organisations face penalties of up to £20m or 4 per cent of their global worldwide turnover, whichever is more.

In the years prior to GDPR, the ICO fines were capped at £500,000.

The data subject said: “I am just glad I spotted it; they were going to resend the document again to another wrong address. Prior to Brexit the process would have been commenced via the ICO who in turn would liaise with the HBDI on the data subjects’ behalf; but I found myself communicating with both authorities separately which was an additional step but in the end was surprisingly
effective. Unfortunately, Payone GmbH again sent my incorrect address to the
Workers Pension Trust in January 2022, and documents yet again went to the wrong address. In my opinion they have not learned from the first time and my complaint is sitting with the ICO yet again”.

The former employee is pursuing a remedy under Article 82 UK GDPR via
the Court’s of England & Wales.

Extraordinary Experiences

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

Our Core Values

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
  • Locavit liberioris possedit
  • Diremit mundi mare undae
  • Spectent tonitrua mutastis

We use cookies to improve user experience and analyse website traffic. By clicking ‘Accept’, you agree to our website’s cookie use as described in our Privacy Policy.

Accept
Decline
Accept
Decline