In online payments, what does tokenization mean?
Payments
Asked by Question Bot, 09/Aug/2015 - 1 answer
1 Answer
Faisal Khan
Answered 09/Aug/2015
In the simplest of words... it's the mapping of your credit card data to something (again, data) that, if it falls into the wrong hands, would make no sense or could not be used again.
Let's look at your credit card data:
- Card Number: 1234-4444-5555-6666
- Expiration Date: 12/2018
- Name on Card: JOHN DOE
- CVV Code: 573
Now let us assume we generate a token for it.
For this, we need to go to our Token Master:
The Token Master would take our cardholder data and issue us a token.
It would be something like (and we are just making this up): 4743987559865367
All these tokens and their mapping to the card numbers are kept in this super-super secure vault, to which only the Token Master has access.
Now this is a unique one-time only number. (We'll come to the one-time only later on).
So you go to a store to pay, and instead of passing your credit card data, you provide this token. The store takes this token and passes it to the Token Master, who approves it - i.e. it is genuine and has not been used - and, in conjunction with the issuing bank, will provide the payment gateway an approval for the transaction.
The Merchant does not get to see the detokenized data. If someone were somehow to get hold of the detokenized data, it would be gibberish - this is gibberish: 4743987559865367
If someone tried to re-use the token, when it is taken to the Token Master they will check the safe, and it will show as already used and invalid, so it is useless.
By having a secure mechanism to map the cardholder data and make it a one-time use token only, the entire payments ecosystem can benefit greatly from it as it eliminates fraud.
Here is the Mobile NFS at POS Flow Diagram:
Source: Page 67 of the EMVCo Standards: EMVCo
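A minimal Token Master of the kind the answer describes, written as an added example (it is not code from the answer or from EMVCo): it issues a random, Luhn-valid 16-digit token for the card data, keeps the only token-to-card mapping in its vault, stores no CVV, and marks a token used on first redemption so a replayed token is rejected. The card number and the token 4743987559865367 are the answer's made-up values; the class and function names are assumed for this example.

```python
import secrets
from typing import Dict, Optional


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # last body digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and \
        luhn_check_digit(number[:-1]) == number[-1]


class TokenMaster:
    """Holds the only copy of the token -> card mapping (the 'vault')."""

    def __init__(self) -> None:
        self._vault: Dict[str, dict] = {}   # token -> {pan, exp, used}

    def issue(self, pan: str, exp: str) -> str:
        """Map cardholder data to a fresh single-use token.

        Only PAN and expiry go into the vault; the CVV is deliberately
        never accepted or stored here.
        """
        pan = pan.replace("-", "").replace(" ", "")
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit card number")
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)   # looks like a PAN
            if token != pan and token not in self._vault:
                break
        self._vault[token] = {"pan": pan, "exp": exp, "used": False}
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Detokenize once; None for unknown or already-used tokens."""
        entry = self._vault.get(token)
        if entry is None or entry["used"]:
            return None
        entry["used"] = True                 # one-time only
        return entry["pan"]
```

The merchant side only ever handles the value returned by `issue`; a second `redeem` of the same token returns `None`, which is the "already used and invalid" check the answer describes.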